This page covers the configuration used to control how the Blnk server listens for requests, protects access to the API, and enables tokenization for sensitive identity fields.

Server settings

Use the server settings below to configure how Blnk exposes its API and enforces authentication.
BLNK_SERVER_SECURE=false
BLNK_SERVER_SECRET_KEY=
BLNK_SERVER_PORT=5001
| Variable | Description | Default |
| --- | --- | --- |
| BLNK_SERVER_SECURE | Enables additional secure-mode protections for the server. | false |
| BLNK_SERVER_SECRET_KEY | Secret used for signing and other cryptographic operations. | None |
| BLNK_SERVER_PORT | The port Blnk listens on for incoming HTTP requests. | 5001 |

BLNK_SERVER_SECURE

This controls whether API authentication is enforced when you make requests to the server. When set to false, Blnk skips authentication checks. When set to true, requests must authenticate via the X-Blnk-Key header using one of the following:
  • the master key, BLNK_SERVER_SECRET_KEY
  • a stored API key

    API keys

    Learn how to create and manage API keys with custom permissions for secure requests.

BLNK_SERVER_SECRET_KEY

This is required for any secure Blnk deployment. It is used in two places in Blnk:
  1. As the master API key for authenticated requests to the server.
  2. As the HMAC signing secret for outgoing webhooks and hook callbacks.

    Webhook security

    Learn how to verify webhook signatures and protect webhook consumers.
This means the same secret affects both request authentication and webhook signature validation on systems receiving Blnk webhooks.
Make sure to keep BLNK_SERVER_SECRET_KEY out of version control. Store it in a secret manager or inject it through environment variables in production.

Best practices

  1. Set BLNK_SERVER_SECURE=true in any real deployment.
  2. Use a strong secret for BLNK_SERVER_SECRET_KEY, and make sure to store secrets outside version control.
  3. Keep the server secret stable within an environment unless you are prepared to update any systems that verify webhook signatures.

Tokenization settings

Use tokenization settings to enable encryption and token generation when using the PII Tokenization feature.
BLNK_TOKENIZATION_SECRET="blnk-pii-secret"
| Variable | Description | Default |
| --- | --- | --- |
| BLNK_TOKENIZATION_SECRET | Enables tokenization for sensitive identity fields. Must be exactly 32 bytes long. Used as the cryptographic secret for tokenization operations. | Disabled when unset |

Tokenization behaviour

Tokenization is only enabled when BLNK_TOKENIZATION_SECRET is set and is exactly 32 bytes long. If the secret is missing, tokenization is disabled. If the secret is set but not 32 bytes long, Blnk does not fail startup, but tokenization operations may fail when called. When enabled, Blnk uses this secret for AES-GCM encryption in standard tokenization and HMAC-based seeding for format-preserving tokenization.
Note: Store this secret securely and keep it stable for each environment. If you change it after data has already been tokenized, previously tokenized values may no longer detokenize correctly.

Rate limiting

Use rate limiting settings to protect the API from abuse and to control traffic spikes more predictably.
BLNK_RATE_LIMIT_RPS=5000000
BLNK_RATE_LIMIT_BURST=10000000
BLNK_RATE_LIMIT_CLEANUP_INTERVAL_SEC=10800
| Variable | Description | Default |
| --- | --- | --- |
| BLNK_RATE_LIMIT_RPS | Maximum requests allowed per second per client. | 5000000 |
| BLNK_RATE_LIMIT_BURST | Maximum short burst allowed above the RPS limit. | 10000000 |
| BLNK_RATE_LIMIT_CLEANUP_INTERVAL_SEC | Cleanup interval for expired rate-limit data, in seconds. | 10800 |

Rate limiting behaviour

If both BLNK_RATE_LIMIT_RPS and BLNK_RATE_LIMIT_BURST are unset, Blnk applies its built-in defaults. If you set only one of those two values, Blnk derives the other automatically:
  • if only BLNK_RATE_LIMIT_RPS is set, burst defaults to 2 * RPS
  • if only BLNK_RATE_LIMIT_BURST is set, requests_per_second defaults to burst / 2
Tip: Start with the defaults unless you have a clear traffic policy or abuse-prevention requirement.
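A pre-deployment check for the server, tokenization and rate-limit settings described on this page, as an added example that is not part of Blnk or its documentation. The function names, the env-file parsing, the case-insensitive `true` comparison and the integer division are assumptions; the sample input is constructed.

```python
def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def audit(env):
    """Return findings for the settings this page covers; empty list means none."""
    findings = []
    # Assumption: only the literal "true" (any case) enables secure mode.
    if env.get("BLNK_SERVER_SECURE", "false").lower() != "true":
        findings.append("BLNK_SERVER_SECURE is not true: authentication checks are skipped")
    if not env.get("BLNK_SERVER_SECRET_KEY"):
        findings.append("BLNK_SERVER_SECRET_KEY is empty: no master key or webhook signing secret")
    tok = env.get("BLNK_TOKENIZATION_SECRET", "")
    size = len(tok.encode("utf-8"))  # the requirement is in bytes, not characters
    if tok and size != 32:
        findings.append(f"BLNK_TOKENIZATION_SECRET is {size} bytes, not 32: "
                        "startup succeeds but tokenization calls may fail")
    return findings

def effective_rate_limit(env):
    """Resolve (rps, burst) using the derivation rules described on this page."""
    names = ("BLNK_RATE_LIMIT_RPS", "BLNK_RATE_LIMIT_BURST")
    rps, burst = (env.get(name) or None for name in names)
    if rps is None and burst is None:
        return 5000000, 10000000  # defaults listed on this page
    if burst is None:
        return int(rps), 2 * int(rps)
    if rps is None:
        return int(burst) // 2, int(burst)  # assumption: integer division
    return int(rps), int(burst)

# Constructed sample input, not a real deployment file.
SAMPLE = """
BLNK_SERVER_SECURE=false
BLNK_SERVER_SECRET_KEY=
BLNK_TOKENIZATION_SECRET="blnk-pii-secret"
BLNK_RATE_LIMIT_RPS=200
"""

if __name__ == "__main__":
    env = parse_env(SAMPLE)
    for finding in audit(env):
        print("FINDING:", finding)
    print("effective (rps, burst):", effective_rate_limit(env))
```

Run against the constructed sample, the check reports three findings, including that the value blnk-pii-secret is 15 bytes and so does not meet the 32-byte requirement.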
