🎚 Configuration

TINO allows configuration via environment variables.

Note

  • Settings marked with 🔴 are explicitly required.

  • Settings marked with ⭕ are implicitly required, but have an overridable default.

tino.config.TINO_ACCENT_COLOUR = 'orange'

⭕ The CI accent colour family used across the UI.

Hint

Must match a family from the confirm design colours.

tino.config.TINO_ADMIN_GROUPS: set[str] = {'admins'}

⭕ Comma-separated list of OIDC groups whose members are TINO administrators.

tino.config.TINO_AUTH_DISABLED = False

When set to true, authentication is completely disabled. All requests are treated as an admin user without requiring OIDC. Intended for local development and demo environments only.

tino.config.TINO_BUCKET_DIR = PosixPath('/home/runner/work/tino/tino/data/buckets')

⭕ The directory where bucket git repos are stored.

Hint

By default this is a sub directory of the TINO_DATA_DIR. In case you change it to be outside of the TINO_DATA_DIR, make sure you’ve a volume or a bind mount mounted on the path.

tino.config.TINO_DATA_DIR = PosixPath('/home/runner/work/tino/tino/data')

⭕ The root directory where all the user data is stored.

Important

To persist the TINO data, either use a volume or a bind mount mounted on the path.

tino.config.TINO_DEFAULT_ROLE = 'none'

⭕ The default role for authenticated users on buckets without an access list. Must be one of viewer, editor, committer, or none. When set to none, only global admins can access buckets without an ACL.

tino.config.TINO_FONT_DIR = PosixPath('/home/runner/work/tino/tino/data/fonts')

Optional directory for custom fonts.

Note

The font dir is passed as --font-path to the typst CLI.

Hint

By default this is a sub directory of the TINO_DATA_DIR. In case you change it to be outside of the TINO_DATA_DIR, make sure you’ve a volume or a bind mount mounted on the path.

tino.config.TINO_LOG_LEVEL = 'INFO'

⭕ The log level (must match one of the Python logging levels).

tino.config.TINO_OIDC_CLIENT_ID = 'tino'

⭕ The OIDC client ID.

tino.config.TINO_OIDC_CLIENT_SECRET = None

🔴 The OIDC client secret.

tino.config.TINO_OIDC_DISCOVERY_URL = None

🔴 The OIDC discovery URL (e.g. https://sso.example.com/.well-known/openid-configuration).

tino.config.TINO_OIDC_GROUPS_CLAIM = 'groups'

⭕ The OIDC token claim that contains the user’s group memberships.

tino.config.TINO_PACKAGE_DIR = PosixPath('/home/runner/work/tino/tino/data/buckets/packages')

Optional directory for local Typst packages (@local/name:version).

Note

The package dir is passed as --package-path to the typst CLI.

Hint

When this directory is set to a sub-directory of the TINO_BUCKET_DIR, the package directory can act like a bucket, and it can be edited in the TINO web UI directly.

If not set the a sub-directory of the TINO_BUCKET_DIR, packages must be provided to the Docker container via one of the following Docker options:

tino.config.TINO_ROOM_TTL = 300

⭕ Seconds to keep a collaboration room alive after the last client disconnects. Allows reconnecting clients (e.g. page refresh) to reuse the room.

tino.config.TINO_SAVE_DEBOUNCE_MS = 250

⭕ Delay in milliseconds before auto-saving after the user stops typing.

Hint

Set to 0 to disable auto-save.

Important

The document is rendered from the (saved) file on disk, thus auto saving is recommended.

tino.config.TINO_SECRET_KEY = '5b607af28b61a632d66b077c0bf967da89cc8aea5d12a614449e298cb77f4dd3'

⭕ Secret key for signing session cookies.

Hint

If not set explicitly, a random token is generated on every startup. This is secure, but it will invalidate all existing sessions and forces users to log in again after a container restart.

tino.config.TINO_TRUSTED_PROXIES: list[str] = []

Comma-separated list of trusted proxy IP addresses (e.g. 127.0.0.1,10.0.0.0/8). When set, X-Forwarded-For and X-Forwarded-Proto headers from these proxies are respected. Use * to trust all sources. Leave empty when TINO is not behind a reverse proxy.