This repository was archived by the owner on Feb 15, 2026. It is now read-only.
This repository was archived by the owner on Feb 15, 2026. It is now read-only.
Support environment variables for notification agent credentials (SMTP password, API keys) #4323
Description
Description
Notification agent credentials (such as SMTP passwords, webhook URLs, and API keys) are currently stored in plaintext in settings.json. This creates security concerns for users who:
- Store their configuration in version control (credentials get committed)
- Run security audits on their infrastructure
- Follow secrets management best practices (12-factor app methodology)
- Use container orchestration platforms with built-in secrets management (Kubernetes, Docker Swarm)
While the LinuxServer.io Docker image supports the FILE__ prefix for Docker secrets, this only works for environment variables that Overseerr actually reads—and notification credentials aren't among them.
Desired Behavior
Add support for environment variables to configure sensitive notification agent settings, with settings.json values as fallback. For example:
OVERSEERR_EMAIL_SMTP_PASS=<password>
OVERSEERR_EMAIL_AUTH_USER=<user>
OVERSEERR_DISCORD_WEBHOOK_URL=<url>
OVERSEERR_TELEGRAM_BOT_TOKEN=<token>
# etc.
This would allow users to:
- Keep secrets out of
settings.jsonentirely - Use Docker secrets via
FILE__OVERSEERR_EMAIL_SMTP_PASS - Integrate with external secrets managers (Vault, AWS Secrets Manager, etc.)
The UI could show these fields as "Set via environment variable" when configured externally, similar to how other applications handle this pattern.
Code of Conduct
- I agree to follow Overseerr's Code of Conduct