> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blnkfinance.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Server and Security Configuration

> Configure server runtime, secure mode, request size limits, tokenization, and rate limiting in Blnk.

export const CtaCallout = props => {
  const {title, buttonLabel, href, trackingEvent, buttonTarget, rel = "noopener noreferrer", children} = props;
  const handleCtaClick = () => {
    if (typeof window === "undefined" || !trackingEvent) {
      return;
    }
    try {
      window.dispatchEvent(new CustomEvent("blnk:docs-cta", {
        detail: {
          name: trackingEvent,
          href
        }
      }));
    } catch {}
    try {
      window.posthog?.capture?.(trackingEvent, {
        href
      });
    } catch {}
    const gaPayload = {
      cta_href: href
    };
    try {
      window.gtag?.("event", trackingEvent, gaPayload);
    } catch {}
    try {
      window.dataLayer = window.dataLayer || [];
      window.dataLayer.push({
        event: trackingEvent,
        ...gaPayload
      });
    } catch {}
  };
  const isExternal = typeof href === "string" && (/^https?:\/\//i).test(href);
  const target = buttonTarget ?? (isExternal ? "_blank" : undefined);
  const linkRel = isExternal ? rel : undefined;
  return <section className="cta-callout not-prose relative my-8 w-full min-w-0 overflow-hidden rounded-xl border border-zinc-200 p-5 dark:border-white/10">
      <div className="cta-callout-noise" aria-hidden="true" />
      <div className="cta-callout-layout">
        {title ? <div className="cta-callout-title-row">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 28 28" width="14" height="14" className="cta-callout-icon shrink-0 text-zinc-800 dark:text-zinc-200" aria-hidden="true">
              <g fill="none" fillRule="nonzero">
                <path d="M28 0v28H0V0h28ZM14.691833333333335 27.134333333333334l-0.012833333333333334 0.0023333333333333335 -0.08283333333333333 0.04083333333333334 -0.023333333333333334 0.004666666666666667 -0.016333333333333335 -0.004666666666666667 -0.08283333333333333 -0.04083333333333334c-0.011666666666666667 -0.004666666666666667 -0.022166666666666668 -0.0011666666666666668 -0.028000000000000004 0.005833333333333334l-0.004666666666666667 0.011666666666666667 -0.019833333333333335 0.49933333333333335 0.005833333333333334 0.023333333333333334 0.011666666666666667 0.015166666666666667 0.12133333333333333 0.08633333333333333 0.0175 0.004666666666666667 0.014000000000000002 -0.004666666666666667 0.12133333333333333 -0.08633333333333333 0.014000000000000002 -0.018666666666666668 0.004666666666666667 -0.019833333333333335 -0.019833333333333335 -0.4981666666666667c-0.0023333333333333335 -0.011666666666666667 -0.0105 -0.019833333333333335 -0.019833333333333335 -0.021Zm0.3091666666666667 -0.13183333333333336 -0.015166666666666667 0.0023333333333333335 -0.21583333333333335 0.1085 -0.011666666666666667 0.011666666666666667 -0.0035000000000000005 0.012833333333333334 0.021 0.5016666666666667 0.005833333333333334 0.014000000000000002 0.009333333333333334 0.008166666666666668 0.23450000000000004 0.1085c0.014000000000000002 0.004666666666666667 0.026833333333333334 0 0.03383333333333334 -0.009333333333333334l0.004666666666666667 -0.016333333333333335 -0.03966666666666667 -0.7163333333333334c-0.0035000000000000005 -0.014000000000000002 -0.011666666666666667 -0.023333333333333334 -0.023333333333333334 -0.025666666666666667Zm-0.8341666666666667 0.0023333333333333335a0.026833333333333334 0.026833333333334334 0 0 0 -0.0315 0.007000000000000001l-0.007000000000000001 0.016333333333333335 -0.03966666666666667 0.7163333333333334c0 0.014000000000000002 0.008166666666666668 0.023333333333333334 0.019833333333333335 0.028000000000000004l0.0175 -0.0023333333333333335 0.23450000000000004 -0.1085 0.011666666666666667 -0.009333333333333334 0.004666666666666667 -0.012833333333333334 0.019833333333333335 -0.5016666666666667 -0.0035000000000000005 -0.014000000000000002 -0.011666666666666667 -0.011666666666666667 -0.21466666666666667 -0.10733333333333334Z" strokeWidth="1.1667" />
                <path fill="currentColor" d="M14 2.916666666666667A1.75 1.75 0 0 1 15.750000000000002 4.666666666666667v6.302333333333334L21.207666666666668 7.816666666666667a1.75 1.75 0 0 1 1.75 3.031L17.5 14l5.457666666666667 3.151166666666667a1.75 1.75 0 0 1 -1.75 3.031l-5.457666666666667 -3.1500000000000004V23.333333333333336a1.75 1.75 0 0 1 -3.5 0v-6.302333333333334L6.792333333333334 20.183333333333337a1.75 1.75 0 1 1 -1.75 -3.031L10.5 14 5.042333333333334 10.848833333333333a1.75 1.75 0 0 1 1.75 -3.031l5.457666666666667 3.1500000000000004V4.666666666666667A1.75 1.75 0 0 1 14 2.916666666666667Z" strokeWidth="1.1667" />
              </g>
            </svg>
            <p className="cta-callout-title min-w-0 font-semibold text-zinc-800 dark:text-zinc-200">
              {title}
            </p>
          </div> : null}
        <div className={`cta-callout-body text-sm leading-normal text-zinc-800 dark:text-zinc-200${title ? " cta-callout-body--indented" : ""}`}>
          {children}
        </div>
        <a href={href} target={target} rel={linkRel} onClick={handleCtaClick} data-docs-cta={trackingEvent || undefined} className="cta-callout-button inline-flex items-center justify-center gap-1 rounded-full bg-white px-3 py-1.5 text-sm font-semibold transition hover:bg-zinc-100 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-white/50 dark:bg-white dark:hover:bg-zinc-200">
          {buttonLabel}
          <span className="cta-callout-button-arrow" aria-hidden="true">
            →
          </span>
        </a>
      </div>
    </section>;
};

This page covers the configuration used to control how the Blnk server listens for requests, protects access to the API, and enables tokenization for sensitive identity fields.

***

## Server settings

Use the server settings below to configure how Blnk exposes its API and enforces authentication.

<CodeGroup>
  ```bash blnk.env theme={"system"}
  BLNK_SERVER_SECURE=false
  BLNK_SERVER_SECRET_KEY=
  BLNK_SERVER_PORT=5001
  BLNK_METRICS_BEARER_TOKEN=
  ```

  ```json blnk.json theme={"system"}
  {
    "server": {
      "secure": false,
      "secret_key": "",
      "port": "5001",
      "metrics_bearer_token": ""
    }
  }
  ```
</CodeGroup>

|                             | Description                                                                                     | Default |
| :-------------------------- | :---------------------------------------------------------------------------------------------- | :------ |
| `BLNK_SERVER_SECURE`        | Enables additional secure-mode protections for the server.                                      | `false` |
| `BLNK_SERVER_SECRET_KEY`    | Secret used for signing and other cryptographic operations.                                     | None    |
| `BLNK_SERVER_PORT`          | The port Blnk listens on for incoming HTTP requests.                                            | `5001`  |
| `BLNK_METRICS_BEARER_TOKEN` | Bearer token required to access `/metrics` when set. See [Metrics endpoint](#metrics-endpoint). | None    |

### `BLNK_SERVER_SECURE`

This controls whether API authentication is enforced when you make requests to the server. When set to `false`, Blnk skips authentication checks.

When set to `true`, requests must authenticate via `X-Blnk-Key` header using one of the following:

* the master key, `BLNK_SERVER_SECRET_KEY`
* a stored API key

  <Card title="API keys" icon="key" href="/api-keys/overview">
    Scoped keys for day-to-day API access.
  </Card>

### `BLNK_SERVER_SECRET_KEY`

This is required for any secure Blnk deployment. It is used in two places in Blnk:

1. As the master API key for authenticated requests to the server
2. As the HMAC signing secret for outgoing webhooks and hook callbacks.

   <Card title="Webhook security" icon="shield" href="/webhooks/overview#webhook-security-signature-verification">
     Signature verification for webhook consumers.
   </Card>

This means the same secret affects both request authentication and webhook signature validation on systems receiving Blnk webhooks.

<Warning>
  Make sure to keep `BLNK_SERVER_SECRET_KEY` out of version control. Store it in a secret manager or inject it through environment variables in production.
</Warning>

### Best practices

1. Set `BLNK_SERVER_SECURE=true` in any real deployment.
2. Use a strong secret for `BLNK_SERVER_SECRET_KEY`, and make sure to store secrets outside version control.
3. Keep the server secret stable within an environment unless you are prepared to update any systems that verify webhook signatures.

### Metrics endpoint

When [monitoring export](/advanced/monitoring) is enabled, Blnk serves Prometheus metrics at `GET /metrics` on the API port and on the [worker monitoring port](/advanced/monitoring-port). Set `metrics_bearer_token` to require `Authorization: Bearer <token>` on scrape requests.

| `server.secure` | Token set | `/metrics` access |
| :-------------- | :-------- | :---------------- |
| `false`         | no        | Open              |
| `false`         | yes       | Bearer required   |
| `true`          | yes       | Bearer required   |
| `true`          | no        | Blocked           |

The same rules apply on the worker monitoring port. Auth failures return structured JSON - see [API error codes](/advanced/error-codes).

***

## Tokenization settings

Use tokenization settings to enable encryption and token generation when using the [PII Tokenization](/identities/pii-tokenization) feature.

<CodeGroup>
  ```bash blnk.env theme={"system"}
  BLNK_TOKENIZATION_SECRET="blnk-pii-secret"
  ```

  ```json blnk.json theme={"system"}
  {
    "tokenization_secret": "blnk-pii-secret"
  }
  ```
</CodeGroup>

|                            | Description                                                                                                                                      | Default             |
| :------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------- | :------------------ |
| `BLNK_TOKENIZATION_SECRET` | Enables tokenization for sensitive identity fields. Must be exactly 32 bytes long. Used as the cryptographic secret for tokenization operations. | Disabled when unset |

### Tokenization behaviour

Tokenization is only enabled when `BLNK_TOKENIZATION_SECRET` is set and is exactly 32 bytes long. If the secret is missing, tokenization is disabled. If the secret is set but not 32 bytes long, Blnk does not fail startup, but tokenization operations may fail when called.

When enabled, Blnk uses this secret for AES-GCM encryption in standard tokenization and HMAC-based seeding for format-preserving tokenization.

<Note>
  **Note:** Store this secret securely and keep it stable for each environment. If you change it after data has already been tokenized, previously tokenized values may no longer detokenize correctly.
</Note>

***

## Request and payload limits

Use these settings to limit request body size and upload size.

<CodeGroup>
  ```bash blnk.env theme={"system"}
  BLNK_SERVER_MAX_REQUEST_BODY_SIZE_MB=5
  BLNK_SERVER_MAX_UPLOAD_SIZE_MB=256
  ```

  ```json blnk.json theme={"system"}
  {
    "server": {
      "max_request_body_size_mb": 5,
      "max_upload_size_mb": 256
    }
  }
  ```
</CodeGroup>

|                                        | Description                                                                                       | Default |
| :------------------------------------- | :------------------------------------------------------------------------------------------------ | :------ |
| `BLNK_SERVER_MAX_REQUEST_BODY_SIZE_MB` | Max size in MB for JSON request bodies.                                                           | `5`     |
| `BLNK_SERVER_MAX_UPLOAD_SIZE_MB`       | Max size in MB for multipart uploads. Applies to [reconciliation upload](/reference/upload-data). | `256`   |

## How limits are applied

| Request type      | Config key                             | When exceeded                                                                                |
| :---------------- | :------------------------------------- | :------------------------------------------------------------------------------------------- |
| JSON API requests | `BLNK_SERVER_MAX_REQUEST_BODY_SIZE_MB` | `400 Bad Request` with `GEN_MALFORMED_REQUEST` and message `"http: request body too large"`. |
| Multipart uploads | `BLNK_SERVER_MAX_UPLOAD_SIZE_MB`       | Upload rejected.                                                                             |

<Note>
  These size limits are separate from per-endpoint item limits. A request can be within the item-count limit and still exceed the body-size limit.

  For example, a bulk transaction request with the accepted count may exceed 5 MB if each transaction contains large metadata or long field values.
</Note>

***

## Rate limiting

Use rate limiting settings to protect the API from abuse and to control traffic spikes more predictably.

<CodeGroup>
  ```bash blnk.env theme={"system"}
  BLNK_RATE_LIMIT_RPS=5000000
  BLNK_RATE_LIMIT_BURST=10000000
  BLNK_RATE_LIMIT_CLEANUP_INTERVAL_SEC=10800
  ```

  ```json blnk.json theme={"system"}
  {
    "rate_limit": {
      "requests_per_second": 5000000,
      "burst": 10000000,
      "cleanup_interval_sec": 10800
    }
  }
  ```
</CodeGroup>

|                                        | Description                                               | Default    |
| :------------------------------------- | :-------------------------------------------------------- | :--------- |
| `BLNK_RATE_LIMIT_RPS`                  | Maximum requests allowed per second per client.           | `5000000`  |
| `BLNK_RATE_LIMIT_BURST`                | Maximum short burst allowed above the RPS limit.          | `10000000` |
| `BLNK_RATE_LIMIT_CLEANUP_INTERVAL_SEC` | Cleanup interval for expired rate-limit data, in seconds. | `10800`    |

### Rate limiting behaviour

If both `BLNK_RATE_LIMIT_RPS` and `BLNK_RATE_LIMIT_BURST` are unset, Blnk applies its built-in defaults.

If you set only one of those two values, Blnk derives the other automatically:

* if only `BLNK_RATE_LIMIT_RPS` is set, `burst` defaults to `2 * RPS`
* if only `BLNK_RATE_LIMIT_BURST` is set, `requests_per_second` defaults to `burst / 2`

<Tip>
  **Tip:** Start with the defaults unless you have a clear traffic policy or abuse-prevention requirement.
</Tip>

***

## Need help?

We are very happy to help you make the most of Blnk, regardless of whether it is your first time or you are switching from another tool.

To ask questions or discuss issues, please [contact us](mailto:support@blnkfinance.com) or [join our Discord community](https://discord.gg/7WNv94zPpx).

<CtaCallout title="Connect your ledger to Blnk Cloud" href="https://cloud.blnkfinance.com/auth/sign-up?utm_source=blnk_docs&utm_medium=documentation&utm_campaign=need-help" buttonLabel="Open Blnk Cloud" trackingEvent="clicked_cloud_signup">
  Sign up and manage your ledger with our back-office dashboard. You can invite teammates to collaborate and manage your ledger operations directly from the dashboard.
</CtaCallout>
