Apache Fineract Environment Variables Reference
Apache Fineract is configured entirely through environment variables that map to Spring Boot's application.properties. This page covers every supported variable, its default value, and what it does — sourced directly from the Fineract codebase.
This is the configuration surface you interact with whether you are running Fineract via Docker, Kubernetes, or a plain JAR. Understanding these variables is essential for any non-trivial deployment.
Running on Finecko?
Finecko manages all of this configuration for you. Database connection, SSL, tenant setup, and mode settings are pre-configured and maintained. You can skip the operational sections and focus on the tenant and feature flag variables that control business behaviour.
How variable resolution works
Each entry in application.properties follows the pattern:
```properties
spring.some.property=${ENV_VAR_NAME:default_value}
```
If ENV_VAR_NAME is set in the environment, that value is used. If not, the value after the colon is the default. Setting an env var to an empty string (ENV_VAR=) overrides the default with an empty value.
Database connection pool (FINERACT_HIKARI_*)
These variables configure the HikariCP connection pool that connects to the tenant store database (fineract_tenants). This is not the tenant data database - it is the metadata database that holds tenant registry entries.
| Variable | Default | Description |
|---|---|---|
FINERACT_HIKARI_DRIVER_SOURCE_CLASS_NAME | org.mariadb.jdbc.Driver | JDBC driver class. Use org.postgresql.Driver for PostgreSQL. |
FINERACT_HIKARI_JDBC_URL | jdbc:mariadb://localhost:3306/fineract_tenants | JDBC URL for the tenant store. Change host, port, and DB name to match your setup. |
FINERACT_HIKARI_USERNAME | root | Database username. |
FINERACT_HIKARI_PASSWORD | mysql | Database password. Always override this in production. |
FINERACT_HIKARI_MINIMUM_IDLE | 3 | Minimum number of idle connections maintained in the pool. |
FINERACT_HIKARI_MAXIMUM_POOL_SIZE | 10 | Maximum total connections in the pool. Increase for high-concurrency deployments. |
FINERACT_HIKARI_IDLE_TIMEOUT | 60000 | Time (ms) a connection can sit idle before being evicted. |
FINERACT_HIKARI_CONNECTION_TIMEOUT | 20000 | Time (ms) to wait for a connection from the pool before throwing an exception. |
FINERACT_HIKARI_TEST_QUERY | SELECT 1 | Query used to validate connections. |
FINERACT_HIKARI_AUTO_COMMIT | true | Whether connections auto-commit transactions. |
FINERACT_HIKARI_TRANSACTION_ISOLATION | TRANSACTION_REPEATABLE_READ | Transaction isolation level. |
HikariCP data source properties (FINERACT_HIKARI_DS_PROPERTIES_*)
These are passed directly to the underlying JDBC driver. Most are MySQL/MariaDB-specific performance optimisations that have no effect on PostgreSQL.
| Variable | Default | Description |
|---|---|---|
FINERACT_HIKARI_DS_PROPERTIES_CACHE_PREP_STMTS | true | Cache prepared statements on the client side. |
FINERACT_HIKARI_DS_PROPERTIES_PREP_STMT_CACHE_SIZE | 250 | Number of prepared statements cached per connection. |
FINERACT_HIKARI_DS_PROPERTIES_PREP_STMT_CACHE_SQL_LIMIT | 2048 | Maximum length (chars) of a SQL statement eligible for caching. |
FINERACT_HIKARI_DS_PROPERTIES_USE_SERVER_PREP_STMTS | true | Use server-side prepared statements (MySQL/MariaDB). |
FINERACT_HIKARI_DS_PROPERTIES_USE_LOCAL_SESSION_STATE | true | Track session state locally to avoid redundant round trips. |
FINERACT_HIKARI_DS_PROPERTIES_REWRITE_BATCHED_STATEMENTS | true | Rewrite multi-row INSERT/UPDATE into a single statement for performance. |
FINERACT_HIKARI_DS_PROPERTIES_CACHE_RESULT_SET_METADATA | true | Cache result set metadata. |
FINERACT_HIKARI_DS_PROPERTIES_CACHE_SERVER_CONFIGURATION | true | Cache server configuration after the first connection. |
FINERACT_HIKARI_DS_PROPERTIES_ELIDE_SET_AUTO_COMMITS | true | Skip redundant SET autocommit calls. |
FINERACT_HIKARI_DS_PROPERTIES_MAINTAIN_TIME_STATS | false | Track timing statistics (minor overhead if enabled). |
FINERACT_HIKARI_DS_PROPERTIES_LOG_SLOW_QUERIES | true | Log queries that exceed the slow query threshold. |
FINERACT_HIKARI_DS_PROPERTIES_DUMP_QUERIES_IN_EXCEPTION | true | Include the offending SQL in exception messages. |
PostgreSQL note
The FINERACT_HIKARI_DS_PROPERTIES_* defaults are optimised for MySQL/MariaDB. When using PostgreSQL, set FINERACT_HIKARI_DRIVER_SOURCE_CLASS_NAME=org.postgresql.Driver and update the JDBC URL. Most DS_PROPERTIES_* vars will be silently ignored by the PostgreSQL driver.
PostgreSQL example:
```bash
FINERACT_HIKARI_DRIVER_SOURCE_CLASS_NAME=org.postgresql.Driver
FINERACT_HIKARI_JDBC_URL=jdbc:postgresql://db:5432/fineract_tenants
FINERACT_HIKARI_USERNAME=postgres
FINERACT_HIKARI_PASSWORD=yourpassword
```
MariaDB example:
```bash
FINERACT_HIKARI_DRIVER_SOURCE_CLASS_NAME=org.mariadb.jdbc.Driver
FINERACT_HIKARI_JDBC_URL=jdbc:mariadb://db:3306/fineract_tenants
FINERACT_HIKARI_USERNAME=root
FINERACT_HIKARI_PASSWORD=yourpassword
```
Default tenant database (FINERACT_DEFAULT_TENANTDB_*)
These variables define the default tenant that Fineract creates on first startup. The tenant store (fineract_tenants) holds a registry of all tenants; these variables populate the first row in that registry and point to the actual tenant data database.
| Variable | Default | Description |
|---|---|---|
FINERACT_DEFAULT_TENANTDB_HOSTNAME | localhost | Hostname of the server hosting the tenant data database. |
FINERACT_DEFAULT_TENANTDB_PORT | 3306 | Port of the tenant data database server. Use 5432 for PostgreSQL. |
FINERACT_DEFAULT_TENANTDB_UID | root | Username for the tenant data database. |
FINERACT_DEFAULT_TENANTDB_PWD | mysql | Password for the tenant data database. Always override in production. |
FINERACT_DEFAULT_TENANTDB_NAME | fineract_default | Name of the tenant data database. |
FINERACT_DEFAULT_TENANTDB_IDENTIFIER | default | Unique string identifier for this tenant. Used in the Fineract-Platform-TenantId header. |
FINERACT_DEFAULT_TENANTDB_DESCRIPTION | Default Demo Tenant | Human-readable description stored in the tenant registry. |
FINERACT_DEFAULT_TENANTDB_TIMEZONE | Asia/Kolkata | Business timezone for this tenant. Affects loan schedule dates and interest posting. |
FINERACT_DEFAULT_TENANTDB_CONN_PARAMS | (empty) | Additional JDBC connection parameters appended to the tenant DB connection string. |
FINERACT_DEFAULT_TENANTDB_MASTER_PASSWORD | fineract | Master password used for encrypting tenant credentials at rest. Change this before any data is written. |
Read replica (optional)
Fineract supports pointing read operations at a separate read replica. All variables are empty by default (replica disabled).
| Variable | Default | Description |
|---|---|---|
FINERACT_DEFAULT_TENANTDB_RO_HOSTNAME | (empty) | Read replica hostname. Leave empty to disable. |
FINERACT_DEFAULT_TENANTDB_RO_PORT | (empty) | Read replica port. |
FINERACT_DEFAULT_TENANTDB_RO_UID | (empty) | Read replica username. |
FINERACT_DEFAULT_TENANTDB_RO_PWD | (empty) | Read replica password. |
FINERACT_DEFAULT_TENANTDB_RO_NAME | (empty) | Read replica database name. |
FINERACT_DEFAULT_TENANTDB_RO_CONN_PARAMS | (empty) | Additional connection parameters for the read replica. |
Timezone default is Asia/Kolkata
FINERACT_DEFAULT_TENANTDB_TIMEZONE defaults to Asia/Kolkata because that is where the Mifos project originated. If you are deploying in any other region, set this explicitly or loan schedule dates and interest posting times will be incorrect.
Tenant connection pool sizing
| Variable | Default | Description |
|---|---|---|
FINERACT_CONFIG_MIN_POOL_SIZE | -1 | Minimum connection pool size per tenant. -1 means use HikariCP's default. |
FINERACT_CONFIG_MAX_POOL_SIZE | -1 | Maximum connection pool size per tenant. -1 means use HikariCP's default. |
Server configuration
| Variable | Default | Description |
|---|---|---|
FINERACT_SERVER_PORT | 8443 | Port Fineract listens on. HTTPS by default. |
FINERACT_SERVER_SERVLET_CONTEXT_PATH | /fineract-provider | URL prefix for all API endpoints. |
FINERACT_SERVER_SSL_ENABLED | true | Enable/disable HTTPS. Set to false only in local development behind a TLS-terminating proxy. |
FINERACT_SERVER_SSL_KEY_STORE | classpath:keystore.jks | Path to the Java KeyStore file. Override with an absolute path for a production certificate. |
FINERACT_SERVER_SSL_KEY_STORE_PASSWORD | openmf | Password for the KeyStore. Always override in production. |
FINERACT_SERVER_COMPRESSION_ENABLED | true | Enable HTTP response compression. |
FINERACT_TIMEOUT_PER_SHUTDOWN | 30s | Grace period for in-flight requests during shutdown. |
Tomcat thread pool
| Variable | Default | Description |
|---|---|---|
FINERACT_SERVER_TOMCAT_THREADS_MAX | 200 | Maximum Tomcat worker threads. |
FINERACT_SERVER_TOMCAT_THREADS_MIN_SPARE | 10 | Minimum idle threads kept alive. |
FINERACT_SERVER_TOMCAT_MAX_CONNECTIONS | 8192 | Maximum concurrent connections Tomcat will accept. |
FINERACT_SERVER_TOMCAT_ACCEPT_COUNT | 100 | Queue length for incoming connections when all threads are busy. |
FINERACT_SERVER_TOMCAT_MAX_HTTP_FORM_POST_SIZE | 2MB | Maximum size for form POST requests. |
FINERACT_SERVER_TOMCAT_MAX_KEEP_ALIVE_REQUESTS | 100 | Maximum keep-alive requests per connection. |
FINERACT_SERVER_TOMCAT_ACCESSLOG_ENABLED | false | Enable Tomcat access logging. |
FINERACT_SERVER_TOMCAT_MBEANREGISTRY_ENABLED | false | Enable Tomcat MBean registry (needed for JMX monitoring). |
Node and operation mode
| Variable | Default | Description |
|---|---|---|
FINERACT_NODE_ID | 1 | Integer identifier for this node. Must be unique across all instances in a multi-node deployment. |
FINERACT_MODE_READ_ENABLED | true | Allow this node to handle read (GET) API requests. |
FINERACT_MODE_WRITE_ENABLED | true | Allow this node to handle write (POST/PUT/DELETE) API requests. Also controls whether Liquibase migrations run on startup. |
FINERACT_MODE_BATCH_WORKER_ENABLED | true | Allow this node to execute batch job work (e.g. Loan COB). |
FINERACT_MODE_BATCH_MANAGER_ENABLED | true | Allow this node to schedule and partition batch jobs. |
FINERACT_LIQUIBASE_ENABLED | true | Run Liquibase migrations on startup. Set to false on worker nodes to skip migration checks. |
Single-node default: all four modes are enabled on the same instance.
Multi-node pattern: run one manager node (BATCH_MANAGER=true, BATCH_WORKER=false) and one or more worker nodes (BATCH_MANAGER=false, BATCH_WORKER=true, LIQUIBASE_ENABLED=false). The manager node handles job scheduling; workers execute the partitions.
```bash
# Manager node
FINERACT_NODE_ID=1
FINERACT_MODE_BATCH_MANAGER_ENABLED=true
FINERACT_MODE_BATCH_WORKER_ENABLED=false
# Worker node
FINERACT_NODE_ID=2
FINERACT_MODE_BATCH_MANAGER_ENABLED=false
FINERACT_MODE_BATCH_WORKER_ENABLED=true
FINERACT_LIQUIBASE_ENABLED=false
```
Security
Basic auth and general security
| Variable | Default | Description |
|---|---|---|
FINERACT_SECURITY_BASICAUTH_ENABLED | true | Enable HTTP Basic Authentication. |
FINERACT_SECURITY_OAUTH_ENABLED | false | Enable OAuth2 authentication (mutually exclusive with basic auth in practice). |
FINERACT_SECURITY_2FA_ENABLED | false | Enable two-factor authentication. |
FINERACT_SECURITY_HSTS_ENABLED | false | Add HTTP Strict Transport Security headers. Enable when serving over public HTTPS. |
CORS
| Variable | Default | Description |
|---|---|---|
FINERACT_SECURITY_CORS_ENABLED | true | Enable CORS support. |
FINERACT_SECURITY_CORS_ALLOWED_ORIGIN_PATTERNS | * | Allowed origin patterns. Restrict to your frontend domain in production. |
FINERACT_SECURITY_CORS_ALLOWED_METHODS | * | Allowed HTTP methods. |
FINERACT_SECURITY_CORS_ALLOWED_HEADERS | * | Allowed request headers. |
FINERACT_SECURITY_CORS_EXPOSED_HEADERS | * | Response headers exposed to the browser. |
FINERACT_SECURITY_CORS_ALLOW_CREDENTIALS | true | Allow cookies/auth headers in cross-origin requests. |
Batch jobs (Loan COB)
| Variable | Default | Description |
|---|---|---|
FINERACT_JOB_LOAN_COB_ENABLED | true | Enable the Loan Close of Business batch job. Disable only if you are managing COB externally. |
LOAN_COB_CHUNK_SIZE | 10 | Number of loans processed per chunk within a batch step. |
LOAN_COB_PARTITION_SIZE | 10 | Number of loans per partition when distributing COB work across worker nodes. |
LOAN_COB_POLL_INTERVAL | 1000 | Milliseconds between polling for new partitions on worker nodes. |
FINERACT_JOB_STUCK_RETRY_THRESHOLD | 5 | Number of times a stuck job is retried before being marked as failed. |
Remote job messaging
Fineract uses a message bus to dispatch batch jobs between the manager and worker nodes. Three transports are available: Spring Events (in-process, single JVM), JMS/ActiveMQ, and Kafka.
| Variable | Default | Description |
|---|---|---|
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_SPRING_EVENTS_ENABLED | true | Use in-process Spring events for job dispatch. Works for single-node deployments only. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_JMS_ENABLED | false | Use JMS (ActiveMQ) for job dispatch. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_JMS_BROKER_URL | tcp://127.0.0.1:61616 | ActiveMQ broker URL. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_JMS_QUEUE_NAME | JMS-request-queue | JMS queue name for job messages. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_JMS_BROKER_USERNAME | (empty) | ActiveMQ username. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_JMS_BROKER_PASSWORD | (empty) | ActiveMQ password. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_KAFKA_ENABLED | false | Use Kafka for job dispatch. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_KAFKA_BOOTSTRAP_SERVERS | localhost:9092 | Kafka bootstrap server addresses. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_KAFKA_TOPIC_NAME | job-topic | Kafka topic for job messages. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_KAFKA_TOPIC_PARTITIONS | 10 | Number of partitions for the job topic. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_KAFKA_TOPIC_REPLICAS | 1 | Replication factor for the job topic. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_KAFKA_TOPIC_AUTO_CREATE | true | Auto-create the Kafka topic if it does not exist. |
FINERACT_REMOTE_JOB_MESSAGE_HANDLER_KAFKA_CONSUMER_GROUPID | fineract-consumer-group-id | Kafka consumer group ID for job workers. |
Only one transport at a time
Enable exactly one of SPRING_EVENTS_ENABLED, JMS_ENABLED, or KAFKA_ENABLED. Enabling more than one will result in duplicate job execution.
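A check for the transport rule and the multi-node pattern described above, as an added example that is not part of Fineract. The function names are hypothetical, the defaults are those in the tables on this page, and a node with only one of the manager/worker modes enabled is assumed to belong to a multi-node deployment.

```bash
#!/bin/sh
# Added example (not Fineract code): consistency check for one node's
# batch role and job transport, using the defaults from the tables above.

# Value ${NAME:DEFAULT} resolves to: unset -> DEFAULT, empty stays empty.
effective() {
    eval "printf '%s' \"\${$1-\$2}\""
}

# Prints the problems found; exit status is their count.
fineract_job_topology_check() (
    p=FINERACT_REMOTE_JOB_MESSAGE_HANDLER
    problems=0
    report() { problems=$((problems + 1)); printf 'PROBLEM: %s\n' "$1"; }

    spring=$(effective "${p}_SPRING_EVENTS_ENABLED" true)
    jms=$(effective "${p}_JMS_ENABLED" false)
    kafka=$(effective "${p}_KAFKA_ENABLED" false)
    manager=$(effective FINERACT_MODE_BATCH_MANAGER_ENABLED true)
    worker=$(effective FINERACT_MODE_BATCH_WORKER_ENABLED true)
    liquibase=$(effective FINERACT_LIQUIBASE_ENABLED true)

    # Spring events defaults to true, so enabling Kafka or JMS alone gives two.
    enabled=0
    for t in "$spring" "$jms" "$kafka"; do
        if [ "$t" = true ]; then enabled=$((enabled + 1)); fi
    done
    if [ "$enabled" -ne 1 ]; then
        report "$enabled transports enabled (spring=$spring jms=$jms kafka=$kafka), need exactly one"
    fi

    # Assumption: only one of manager/worker enabled means a multi-node setup.
    if [ "$manager" != "$worker" ]; then
        if [ "$spring" = true ]; then
            report "Spring events transport is in-process and single-node only"
        fi
        if [ "$worker" = true ] && [ "$liquibase" = true ]; then
            report "worker node should set FINERACT_LIQUIBASE_ENABLED=false"
        fi
    fi
    exit "$problems"
)

# Constructed sample: a worker that enabled Kafka and changed nothing else.
(
    FINERACT_MODE_BATCH_MANAGER_ENABLED=false
    FINERACT_MODE_BATCH_WORKER_ENABLED=true
    FINERACT_REMOTE_JOB_MESSAGE_HANDLER_KAFKA_ENABLED=true
    fineract_job_topology_check
) || echo "problems: $?"
```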
External business events
Business events (e.g. LoanApprovedBusinessEvent, LoanDisbursalBusinessEvent) can be published to an external message broker for downstream integrations. Disabled by default.
| Variable | Default | Description |
|---|---|---|
FINERACT_EXTERNAL_EVENTS_ENABLED | false | Enable publishing of business events. |
FINERACT_EXTERNAL_EVENTS_PARTITION_SIZE | 5000 | Batch size for event publishing. |
FINERACT_EXTERNAL_EVENTS_PRODUCER_JMS_ENABLED | false | Publish events to a JMS topic/queue. |
FINERACT_EXTERNAL_EVENTS_PRODUCER_JMS_BROKER_URL | tcp://127.0.0.1:61616 | ActiveMQ broker URL for event publishing. |
FINERACT_EXTERNAL_EVENTS_PRODUCER_JMS_TOPIC_NAME | (empty) | JMS topic name. Set this or QUEUE_NAME. |
FINERACT_EXTERNAL_EVENTS_PRODUCER_JMS_QUEUE_NAME | (empty) | JMS queue name. |
FINERACT_EXTERNAL_EVENTS_KAFKA_ENABLED | false | Publish events to Kafka. |
FINERACT_EXTERNAL_EVENTS_KAFKA_BOOTSTRAP_SERVERS | localhost:9092 | Kafka bootstrap servers for event publishing. |
FINERACT_EXTERNAL_EVENTS_KAFKA_TOPIC_NAME | external-events | Kafka topic for business events. |
FINERACT_EXTERNAL_EVENTS_KAFKA_TOPIC_PARTITIONS | 10 | Number of partitions for the events topic. |
FINERACT_EXTERNAL_EVENTS_KAFKA_TOPIC_REPLICAS | 1 | Replication factor for the events topic. |
FINERACT_EXTERNAL_EVENTS_KAFKA_TOPIC_AUTO_CREATE | true | Auto-create the events topic if it does not exist. |
FINERACT_EXTERNAL_EVENTS_KAFKA_TIMEOUT_IN_SECONDS | 10 | Timeout for Kafka produce calls. |
Content and file storage
| Variable | Default | Description |
|---|---|---|
FINERACT_CONTENT_FILESYSTEM_ENABLED | true | Store uploaded files on the local filesystem. |
FINERACT_CONTENT_FILESYSTEM_ROOT_FOLDER | ~/.fineract | Root directory for file uploads. Change to a persistent volume path in containerised deployments. |
FINERACT_CONTENT_S3_ENABLED | false | Store uploaded files in AWS S3 instead of the filesystem. |
FINERACT_CONTENT_S3_BUCKET_NAME | (empty) | S3 bucket name. |
FINERACT_CONTENT_S3_REGION | (empty) | AWS region for the S3 bucket. |
FINERACT_CONTENT_S3_ACCESS_KEY | (empty) | AWS access key. Prefer IAM instance profiles where possible. |
FINERACT_CONTENT_S3_SECRET_KEY | (empty) | AWS secret key. |
FINERACT_CONTENT_S3_ENDPOINT | (empty) | Custom S3-compatible endpoint (for MinIO or other S3-compatible stores). |
FINERACT_CONTENT_S3_PATH_STYLE_ADDRESSING_ENABLED | false | Use path-style addressing instead of virtual-hosted. Required for MinIO and some S3-compatible stores. |
FINERACT_MULTIPART_FILE_SIZE | 5MB | Maximum size of an individual uploaded file. |
FINERACT_MULTIPART_REQUEST_SIZE | 10MB | Maximum size of a multipart HTTP request. |
FINERACT_CONTENT_REGEX_WHITELIST_ENABLED | true | Validate file names against an allowed regex list. |
FINERACT_CONTENT_MIME_WHITELIST_ENABLED | true | Validate file MIME types against an allowed list. |
Feature flags
| Variable | Default | Description |
|---|---|---|
FINERACT_MODULE_SELF_SERVICE_ENABLED | false | Enable the self-service banking module (client-facing APIs). |
FINERACT_MODULE_INVESTOR_ENABLED | true | Enable the investor module. |
FINERACT_MODULE_LOAN_ORIGINATION_ENABLED | true | Enable the loan origination module. |
FINERACT_USER_NOTIFICATION_SYSTEM_ENABLED | true | Enable in-app user notification delivery. |
FINERACT_JOB_LOAN_COB_ENABLED | true | Enable the Loan Close of Business processing job. |
FINERACT_JOB_JOURNAL_ENTRY_AGGREGATION_ENABLED | true | Enable journal entry aggregation job. |
FINERACT_IDEMPOTENCY_KEY_HEADER_NAME | Idempotency-Key | HTTP header name for idempotency keys on write requests. |
FINERACT_CLIENT_IP_TRACKING_ENABLED | false | Track client IP addresses in audit logs. |
Observability
| Variable | Default | Description |
|---|---|---|
FINERACT_LOGGING_JSON_ENABLED | false | Output logs as structured JSON (useful when shipping to a log aggregator). |
FINERACT_LOGGING_HTTP_CORRELATION_ID_ENABLED | false | Attach a correlation ID to each request for distributed tracing. |
FINERACT_LOGGING_HTTP_CORRELATION_ID_HEADER_NAME | X-Correlation-ID | HTTP header used to carry the correlation ID. |
FINERACT_STATEMENT_LOGGING_ENABLED | false | Log every SQL statement executed. Only enable temporarily for debugging - very verbose. |
FINERACT_SAMPLING_ENABLED | false | Enable method-level performance sampling. |
FINERACT_SAMPLING_RATE | 1000 | Sample one call per N invocations. |
FINERACT_MANAGEMENT_CLOUDWATCH_ENABLED | false | Publish metrics to AWS CloudWatch. |
FINERACT_MANAGEMENT_METRICS_DISTRIBUTION_HTTP_SERVER_REQUESTS | false | Publish HTTP request percentile histograms to the metrics endpoint. |
OTEL_SERVICE_NAME | fineract | OpenTelemetry service name for distributed tracing. |
Liquibase
| Variable | Default | Description |
|---|---|---|
FINERACT_LIQUIBASE_ENABLED | true | Run Liquibase schema migrations on startup. Set to false on worker nodes that should not perform migrations. |
Quick reference: minimal production environment
The following is the minimum set of variables needed to run Fineract against PostgreSQL in production. All other settings use their defaults.
```bash
# Database - tenant store
FINERACT_HIKARI_DRIVER_SOURCE_CLASS_NAME=org.postgresql.Driver
FINERACT_HIKARI_JDBC_URL=jdbc:postgresql://db:5432/fineract_tenants
FINERACT_HIKARI_USERNAME=postgres
FINERACT_HIKARI_PASSWORD=<strong-password>
# Database - tenant data
FINERACT_DEFAULT_TENANTDB_HOSTNAME=db
FINERACT_DEFAULT_TENANTDB_PORT=5432
FINERACT_DEFAULT_TENANTDB_UID=postgres
FINERACT_DEFAULT_TENANTDB_PWD=<strong-password>
FINERACT_DEFAULT_TENANTDB_TIMEZONE=UTC
# Security
FINERACT_DEFAULT_TENANTDB_MASTER_PASSWORD=<strong-master-password>
FINERACT_SERVER_SSL_KEY_STORE=/etc/ssl/fineract/keystore.jks
FINERACT_SERVER_SSL_KEY_STORE_PASSWORD=<keystore-password>
FINERACT_SECURITY_CORS_ALLOWED_ORIGIN_PATTERNS=https://your-app.example.com
# Node
FINERACT_NODE_ID=1
```
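A pre-flight audit for the security-relevant defaults listed on this page, as an added example that is not part of Fineract. It applies the resolution rule from "How variable resolution works" (unset falls back to the default, an empty string does not); the function names are hypothetical and the default values are taken from the tables above.

```bash
#!/bin/sh
# Added example (not Fineract code): pre-flight audit of the environment.
# Default values are the ones listed in the tables on this page.

# effective NAME DEFAULT: the value ${NAME:DEFAULT} resolves to.
# Unset falls back to DEFAULT; set-but-empty stays empty (no fallback).
effective() {
    eval "printf '%s' \"\${$1-\$2}\""
}

# Prints one line per finding; exit status is the number of findings.
fineract_env_audit() (
    findings=0
    flag() { findings=$((findings + 1)); printf 'FAIL %s: %s\n' "$1" "$2"; }

    # Secrets and key material that ship with a publicly documented default.
    for pair in \
        FINERACT_HIKARI_PASSWORD=mysql \
        FINERACT_DEFAULT_TENANTDB_PWD=mysql \
        FINERACT_DEFAULT_TENANTDB_MASTER_PASSWORD=fineract \
        FINERACT_SERVER_SSL_KEY_STORE_PASSWORD=openmf \
        FINERACT_SERVER_SSL_KEY_STORE=classpath:keystore.jks
    do
        name=${pair%%=*}
        default=${pair#*=}
        value=$(effective "$name" "$default")
        if [ -z "$value" ]; then
            flag "$name" "set to an empty string, so the resolved value is empty"
        elif [ "$value" = "$default" ]; then
            flag "$name" "still the shipped default"
        fi
    done

    # CORS is on with a wildcard origin pattern unless overridden.
    origins=$(effective FINERACT_SECURITY_CORS_ALLOWED_ORIGIN_PATTERNS '*')
    creds=$(effective FINERACT_SECURITY_CORS_ALLOW_CREDENTIALS true)
    if [ "$(effective FINERACT_SECURITY_CORS_ENABLED true)" = true ] &&
        [ "$origins" = '*' ]; then
        flag FINERACT_SECURITY_CORS_ALLOWED_ORIGIN_PATTERNS \
            "wildcard origin pattern (allow-credentials=$creds)"
    fi

    # HTTPS switched off on the listener itself.
    if [ "$(effective FINERACT_SERVER_SSL_ENABLED true)" != true ]; then
        flag FINERACT_SERVER_SSL_ENABLED "HTTPS disabled on this node"
    fi

    exit "$findings"
)

# Constructed sample: a deployment that changed only the two DB passwords.
(
    FINERACT_HIKARI_PASSWORD='constructed-db-secret'
    FINERACT_DEFAULT_TENANTDB_PWD='constructed-tenant-secret'
    fineract_env_audit
) || echo "findings: $?"
```

Run it in the same environment the container or JVM will see, for example as an entrypoint step that refuses to start when the exit status is non-zero.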