Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/rommapp/romm/llms.txt

Use this file to discover all available pages before exploring further.

RomM is configured entirely through environment variables, which you can set directly in your docker-compose.yml file under the environment: key or in a separate .env file referenced by Docker Compose. The env.template file in the RomM repository documents every available variable with inline comments and is the canonical reference for default values.

Core Application

ROMM_BASE_PATH
string
default:"/romm"
Base folder path for the library, resources, and assets. All sub-paths (library, resources, assets) are derived from this value.
ROMM_TMP_PATH
string
Custom temporary directory path. Defaults to the system temp directory when left unset.
ROMM_BASE_URL
string
default:"http://0.0.0.0"
Public-facing URL of this RomM instance. Used when generating absolute links (e.g., OIDC redirects).
ROMM_PORT
integer
default:"8080"
Port on which the application listens inside the container.
KIOSK_MODE
boolean
default:"false"
Enables read-only mode. Intended for public displays or kiosks where users should not modify the library.

Database

DB_HOST, DB_USER, and DB_PASSWD are required. RomM will not start without a reachable database.
DB_HOST
string
required
Hostname of the database instance (e.g., mariadb when using the bundled Docker Compose stack).
DB_PORT
integer
default:"3306"
Port number of the database instance.
DB_NAME
string
default:"romm"
Database name. Should match the MYSQL_DATABASE (or MARIADB_DATABASE) value used when creating the database container.
DB_USER
string
required
Database username. Should match the MARIADB_USER value in the MariaDB/MySQL container.
DB_PASSWD
string
required
Database password. Should match the MARIADB_PASSWORD value in the MariaDB/MySQL container.
DB_ROOT_PASSWD
string
Root user password for the database. Only consumed by the bundled MariaDB container — not used by RomM itself.
ROMM_DB_DRIVER
string
default:"mariadb"
Database driver. Accepted values: mariadb, mysql, postgresql.
DB_QUERY_JSON
string
Extra query parameters for the database connection URL, expressed as a JSON object (e.g., {"charset": "utf8mb4"}).

Redis / Valkey

REDIS_HOST
string
default:"127.0.0.1"
Hostname of the Redis or Valkey instance used for caching and task queuing.
REDIS_PORT
integer
default:"6379"
Port number of the Redis/Valkey instance.
REDIS_USERNAME
string
Username for Redis/Valkey authentication (ACL-based auth). Leave empty for password-only auth.
REDIS_PASSWORD
string
Password for the Redis/Valkey instance.
REDIS_DB
integer
default:"0"
Redis/Valkey logical database index.
REDIS_SSL
boolean
default:"false"
Enable TLS (rediss://) for the Redis/Valkey connection.

Authentication

ROMM_AUTH_SECRET_KEY is required. Generate a strong value with openssl rand -hex 32 and keep it secret — rotating this key will invalidate all active sessions.
ROMM_AUTH_SECRET_KEY
string
required
Application secret used to sign tokens and sessions. Generate with openssl rand -hex 32.
OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS
integer
default:"1800"
OAuth2 access token lifetime in seconds (default: 30 minutes).
OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS
integer
default:"604800"
OAuth2 refresh token lifetime in seconds (default: 7 days).
SESSION_MAX_AGE_SECONDS
integer
default:"1209600"
Maximum age of a browser session in seconds (default: 14 days).
INVITE_TOKEN_EXPIRY_SECONDS
integer
default:"600"
Lifetime of user invite tokens in seconds (default: 10 minutes).
DISABLE_DOWNLOAD_ENDPOINT_AUTH
boolean
default:"false"
Disable authentication on the download endpoint. Required for certain integrations such as WebRcade and Tinfoil that cannot pass credentials.
DISABLE_CSRF_PROTECTION
boolean
default:"false"
Disable CSRF protection. Not recommended unless you understand the security implications.
DISABLE_USERPASS_LOGIN
boolean
default:"false"
Hide the username/password login form. Use when relying exclusively on OIDC so local login cannot be used as a fallback.
DISABLE_SETUP_WIZARD
boolean
default:"false"
Skip the first-boot setup wizard. Useful when deploying RomM non-interactively with a pre-configured environment.
DISABLE_LOGS_VIEWER
boolean
default:"false"
Disable the backend log viewer in the RomM UI.

OpenID Connect (OIDC)

OIDC support lets you delegate authentication to an external identity provider (e.g., Authentik, Keycloak, Authelia). At minimum you need OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, and OIDC_SERVER_METADATA_URL.
OIDC_ENABLED
boolean
default:"false"
Enable OpenID Connect authentication.
OIDC_AUTOLOGIN
boolean
default:"false"
Skip the OIDC button on the login page and automatically redirect users to the identity provider.
OIDC_ALLOW_REGISTRATION
boolean
default:"true"
Automatically create a new RomM account for users on their first successful OIDC login.
OIDC_PROVIDER
string
Display name of the OIDC provider shown on the login page (e.g., Authentik).
OIDC_CLIENT_ID
string
Client ID issued by the OIDC provider.
OIDC_CLIENT_SECRET
string
Client secret issued by the OIDC provider.
OIDC_REDIRECT_URI
string
Absolute redirect URI registered with the OIDC provider (e.g., https://romm.example.com/api/oauth/openid).
OIDC_SERVER_APPLICATION_URL
string
Absolute URL of the OIDC server application. Used to construct provider URLs when OIDC_SERVER_METADATA_URL is not set.
OIDC_SERVER_METADATA_URL
string
URL to the OIDC provider’s discovery / metadata endpoint (e.g., https://auth.example.com/application/o/romm/.well-known/openid-configuration).
OIDC_CLAIM_ROLES
string
Name of the OIDC claim that carries role information (e.g., groups).
OIDC_ROLE_VIEWER
string
Role value in the OIDC claim that maps to the viewer permission level.
OIDC_ROLE_EDITOR
string
Role value in the OIDC claim that maps to the editor permission level.
OIDC_ROLE_ADMIN
string
Role value in the OIDC claim that maps to the admin permission level.
OIDC_TLS_CACERTFILE
string
Path to a PEM file containing trusted CA certificates, for when your OIDC provider uses a private or self-signed TLS certificate.
OIDC_USERNAME_ATTRIBUTE
string
default:"preferred_username"
The attribute from the OIDC user-info response used as the RomM username.
OIDC_RP_INITIATED_LOGOUT
boolean
default:"false"
Enable the RP-initiated logout flow so that logging out of RomM also ends the session at the identity provider.
OIDC_END_SESSION_ENDPOINT
string
Override URL for the OIDC end-session endpoint (used by RP-initiated logout when the provider does not advertise it in metadata).

Metadata Providers

IGDB_CLIENT_ID
string
Client ID for the IGDB API. Obtain from the Twitch developer console.
IGDB_CLIENT_SECRET
string
Client secret for the IGDB API (paired with IGDB_CLIENT_ID).
MOBYGAMES_API_KEY
string
Secret API key for the MobyGames API. Generate one at mobygames.com.
SCREENSCRAPER_USER
string
Screenscraper username. Register at screenscraper.fr.
SCREENSCRAPER_PASSWORD
string
Screenscraper password (paired with SCREENSCRAPER_USER).
STEAMGRIDDB_API_KEY
string
Secret API key for SteamGridDB. Generate one in your SteamGridDB account preferences.
RETROACHIEVEMENTS_API_KEY
string
Secret API key for RetroAchievements. Generate one at retroachievements.org/settings.
REFRESH_RETROACHIEVEMENTS_CACHE_DAYS
integer
default:"30"
How often (in days) to refresh the cached RetroAchievements metadata for each ROM.
PLAYMATCH_API_ENABLED
boolean
default:"false"
Enable the PlayMatch API integration for ROM identification.
LAUNCHBOX_API_ENABLED
boolean
default:"false"
Enable the LaunchBox metadata integration. When enabled, RomM downloads and updates the LaunchBox database on a scheduled basis.
HASHEOUS_API_ENABLED
boolean
default:"false"
Enable the Hasheous API for hash-based ROM identification. No API key required.
FLASHPOINT_API_ENABLED
boolean
default:"false"
Enable the Flashpoint Project API for web-game metadata.
HLTB_API_ENABLED
boolean
default:"false"
Enable the HowLongToBeat API for game completion-time data.
TGDB_API_ENABLED
boolean
default:"false"
Enable the TheGamesDB API integration.

Scans & Tasks

SCAN_TIMEOUT
integer
default:"14400"
Timeout for background scan/rescan tasks in seconds (default: 4 hours).
SCAN_WORKERS
integer
default:"1"
Number of worker processes dedicated to scanning tasks.
TASK_TIMEOUT
integer
default:"300"
Timeout for non-scan background tasks in seconds (default: 5 minutes).
TASK_RESULT_TTL
integer
default:"86400"
How long to retain task results in Valkey/Redis in seconds (default: 24 hours).
SEVEN_ZIP_TIMEOUT
integer
default:"60"
Timeout for individual 7-Zip operations in seconds.
ENABLE_RESCAN_ON_FILESYSTEM_CHANGE
boolean
default:"false"
Automatically trigger a library rescan when the filesystem detects changes inside the ROMs folder.
RESCAN_ON_FILESYSTEM_CHANGE_DELAY
integer
default:"5"
Delay in minutes to wait after a filesystem change before starting the rescan (debounce).
ENABLE_SCHEDULED_RESCAN
boolean
default:"false"
Enable a cron-based scheduled library rescan.
SCHEDULED_RESCAN_CRON
string
default:"0 3 * * *"
Cron expression controlling when scheduled rescans run (default: 3:00 AM daily).
ENABLE_SCHEDULED_UPDATE_SWITCH_TITLEDB
boolean
default:"false"
Enable a scheduled task to update the Nintendo Switch TitleDB index used for ROM matching.
SCHEDULED_UPDATE_SWITCH_TITLEDB_CRON
string
default:"0 4 * * *"
Cron expression for scheduled Switch TitleDB updates (default: 4:00 AM daily).
ENABLE_SCHEDULED_UPDATE_LAUNCHBOX_METADATA
boolean
default:"false"
Enable a scheduled task to download and update the LaunchBox metadata database.
SCHEDULED_UPDATE_LAUNCHBOX_METADATA_CRON
string
default:"0 4 * * *"
Cron expression for scheduled LaunchBox metadata updates (default: 4:00 AM daily).
ENABLE_SCHEDULED_CONVERT_IMAGES_TO_WEBP
boolean
default:"false"
Enable a scheduled task to convert all cached artwork to WebP format to reduce disk usage.
SCHEDULED_CONVERT_IMAGES_TO_WEBP_CRON
string
default:"0 4 * * *"
Cron expression for scheduled WebP image conversion (default: 4:00 AM daily).
ENABLE_SCHEDULED_RETROACHIEVEMENTS_PROGRESS_SYNC
boolean
default:"false"
Enable scheduled syncing of user RetroAchievements progress.
SCHEDULED_RETROACHIEVEMENTS_PROGRESS_SYNC_CRON
string
default:"0 4 * * *"
Cron expression for scheduled RetroAchievements progress sync (default: 4:00 AM daily).

Sync

ENABLE_SYNC_FOLDER_WATCHER
boolean
default:"false"
Watch the sync folder and trigger a scan automatically when changes are detected.
SYNC_FOLDER_SCAN_DELAY
integer
default:"2"
Delay in minutes before scanning after a sync folder change (debounce).
ENABLE_SYNC_PUSH_PULL
boolean
default:"false"
Enable scheduled sync push/pull operations.
SYNC_PUSH_PULL_CRON
string
default:"*/30 * * * *"
Cron expression for scheduled sync push/pull (default: every 30 minutes).
SYNC_SSH_KEYS_PATH
string
default:"$ROMM_BASE_PATH/sync/keys"
Path to SSH keys used for sync remotes.
SYNC_SSH_KNOWN_HOSTS_PATH
string
default:"$ROMM_BASE_PATH/sync/known_hosts"
Path to the SSH known_hosts file for sync remotes.

Emulation

DISABLE_EMULATOR_JS
boolean
default:"false"
Disable in-browser ROM playback via EmulatorJS.
DISABLE_RUFFLE_RS
boolean
default:"false"
Disable in-browser Flash playback via RuffleRS.

Integrations

YOUTUBE_BASE_URL
string
default:"https://www.youtube.com"
Base URL for YouTube video links. Override with an alternate frontend such as Piped or Invidious (e.g., https://piped.video).
TINFOIL_WELCOME_MESSAGE
string
default:"RomM Switch Library"
Welcome message displayed in Tinfoil Nintendo Switch clients when browsing the RomM library.

Web Server

WEB_SERVER_CONCURRENCY
integer
default:"1"
Number of Gunicorn worker processes. The recommended formula is 2 × CPU cores + 1.
WEB_SERVER_TIMEOUT
integer
default:"300"
Request timeout for the web server in seconds.
WEB_SERVER_KEEPALIVE
integer
default:"2"
Keep-Alive connection wait time in seconds.
WEB_SERVER_MAX_REQUESTS
integer
default:"1000"
Maximum number of requests a worker processes before it is automatically restarted (helps prevent memory leaks).
WEB_SERVER_MAX_REQUESTS_JITTER
integer
default:"100"
Random jitter added to WEB_SERVER_MAX_REQUESTS to stagger worker restarts and avoid all workers cycling simultaneously.
WEB_SERVER_WORKER_CONNECTIONS
integer
default:"1000"
Maximum number of simultaneous clients per worker process.
WEB_SERVER_GUNICORN_WAIT_SECONDS
integer
default:"30"
Seconds to wait for Gunicorn to start before giving up and failing the health check.
IPV4_ONLY
boolean
default:"false"
Bind the web server to IPv4 addresses only (disables IPv6 socket binding).

Proxy

HTTP_PROXY
string
HTTP proxy URL for outbound requests made by RomM (e.g., http://proxy.example.com:3128).
HTTPS_PROXY
string
HTTPS proxy URL for outbound requests (e.g., http://proxy.example.com:3128).
NO_PROXY
string
Comma-separated list of hostnames or IP addresses that should bypass the configured proxy.

Logging

LOGLEVEL
string
default:"INFO"
Application log level. Accepted values: DEBUG, INFO, WARNING, ERROR, CRITICAL.
FORCE_COLOR
boolean
default:"false"
Force ANSI color codes in log output even when the terminal does not advertise color support.
NO_COLOR
boolean
default:"false"
Disable ANSI color codes in log output entirely.

Observability

SENTRY_DSN
string
DSN (Data Source Name) for Sentry error tracking. When set, unhandled exceptions and performance traces are sent to your Sentry project. Leave empty to disable Sentry entirely.

Development

These variables are intended for contributors running RomM outside of Docker (e.g., with Uvicorn or the Vite dev server). They are not needed in production deployments.
DEV_MODE
boolean
default:"false"
Enable development mode, which activates hot-reloading and verbose debug output.
DEV_HOST
string
default:"127.0.0.1"
Host address for the development server.
DEV_PORT
integer
default:"5000"
Port for the development server.
DEV_HTTPS
boolean
default:"false"
Enable HTTPS in the development server.
DEV_SQL_ECHO
boolean
default:"false"
Log all SQL queries to stdout in development mode. Useful for diagnosing database behaviour.
POSTGRES_DB
string
default:"authentik"
Postgres database name for the bundled Authentik development stack. Not used by RomM itself.
POSTGRES_USER
string
default:"authentik"
Postgres username for the bundled Authentik development stack.
POSTGRES_PASSWORD
string
default:"authentik"
Postgres password for the bundled Authentik development stack.
AUTHENTIK_SECRET_KEY
string
Secret key for the Authentik identity provider in the development stack.
AUTHENTIK_BOOTSTRAP_PASSWORD
string
Initial admin password for the Authentik identity provider in the development stack.

Build docs developers (and LLMs) love