Skip to main content

Environment Configuration

Temporal CLI and SDKs support configuring a Temporal Client using environment variables and TOML configuration files, rather than setting connection options programmatically in your code. This decouples connection settings from application logic, making it easier to manage different environments such as development, staging, and production without code changes.

SUPPORT, STABILITY, and DEPENDENCY INFO

This feature is currently in Pre-release in the Go and Python Temporal SDKs, as well as the Temporal CLI.

Configuration methods

You can configure your client using a TOML file, environment variables, or a combination of both. The configuration is loaded with a specific order of precedence:

  1. Environment variables: These have the highest precedence. If an environment variable defines a setting, it will always override any value set in a configuration file. This makes it easy to provide secrets in dynamic environments.
  2. TOML configuration file: A TOML file can be used to define one or more configuration profiles. This file is located by checking the following sources in order:
    1. The path specified by the TEMPORAL_CONFIG_FILE environment variable.
    2. The default configuration path for your operating system:
      • Linux: ~/.config/temporalio/temporal.toml
      • macOS: $HOME/Library/Application Support/temporal/temporal.toml
      • Windows: %AppData%\temporal\temporal.toml

Configuration profiles

You can use configuration profiles to maintain separate configurations within a single file for different environments. The Temporal client uses the default profile unless you specify another via the TEMPORAL_PROFILE environment variable or in the SDK's load options. If a requested profile doesn't exist, the application will return an error.

Configuration settings

The following table details all available settings, their corresponding environment variables, and their TOML file paths.

SettingEnvironment VariableTOML PathDescription
Configuration File PathTEMPORAL_CONFIG_FILENAPath to the TOML configuration file
Server AddressTEMPORAL_ADDRESSprofile.<name>.addressThe host and port of the Temporal Frontend service (e.g., "localhost:7233").
NamespaceTEMPORAL_NAMESPACEprofile.<name>.namespaceThe Temporal Namespace to connect to.
API KeyTEMPORAL_API_KEYprofile.<name>.api_keyAn API key for authentication. If present, TLS is enabled by default.
Enable/Disable TLSTEMPORAL_TLSprofile.<name>.tls.disabledSet to "true" to enable TLS, "false" to disable. In TOML, disabled = true turns TLS off.
Client CertificateTEMPORAL_TLS_CLIENT_CERT_DATAprofile.<name>.tls.client_cert_dataThe raw PEM data containing the client's public TLS certificate. Alternatively, you can use TEMPORAL_TLS_CLIENT_CERT_PATH to provide a path to the certificate or the TOML profile.<name>.tls.client_cert_path.
Client Certificate PathTEMPORAL_TLS_CLIENT_CERT_PATHprofile.<name>.tls.client_cert_pathA filesystem path to the client's public TLS certificate. Alternatively, you can provide the raw PEM data using TEMPORAL_TLS_CLIENT_CERT_DATA or the TOML profile.<name>.tls.client_cert_data.
Client KeyTEMPORAL_TLS_CLIENT_KEY_DATAprofile.<name>.tls.client_key_dataThe raw PEM data containing the client's private TLS key. Alternatively, you can use TEMPORAL_TLS_CLIENT_KEY_PATH to provide a path to the key or the TOML profile.<name>.tls.client_key_path.
Client Key PathTEMPORAL_TLS_CLIENT_KEY_PATHprofile.<name>.tls.client_key_pathA filesystem path to the client's private TLS key. Alternatively, you can provide the raw PEM data using TEMPORAL_TLS_CLIENT_KEY_DATA or the TOML profile.<name>.tls.client_key_data.
Server CA CertTEMPORAL_TLS_SERVER_CA_CERT_DATAprofile.<name>.tls.server_ca_cert_dataThe raw PEM data for the Certificate Authority certificate used to verify the server. Alternatively, you can use TEMPORAL_TLS_SERVER_CA_CERT_PATH to provide a path or the TOML profile.<name>.tls.server_ca_cert_path.
Server CA Cert PathTEMPORAL_TLS_SERVER_CA_CERT_PATHprofile.<name>.tls.server_ca_cert_pathA filesystem path to the Certificate Authority certificate. Alternatively, you can provide the raw PEM data using TEMPORAL_TLS_SERVER_CA_CERT_DATA or the TOML profile.<name>.tls.server_ca_cert_data.
TLS Server NameTEMPORAL_TLS_SERVER_NAMEprofile.<name>.tls.server_nameOverrides the server name used for Server Name Indication (SNI) in the TLS handshake.
Disable Host VerificationTEMPORAL_TLS_DISABLE_HOST_VERIFICATIONprofile.<name>.tls.disable_host_verificationA boolean to disable server hostname verification. Use with caution. Not supported by all SDKs.
Codec EndpointTEMPORAL_CODEC_ENDPOINTprofile.<name>.codec.endpointThe endpoint for a remote Data Converter. This is not supported by all SDKs. SDKs that support this configuration don't apply it by default. Intended mostly for CLI use.
Codec AuthTEMPORAL_CODEC_AUTHprofile.<name>.codec.authThe authorization header value for the remote data converter.
gRPC MetadataTEMPORAL_GRPC_META_*profile.<name>.grpc_metaSets gRPC headers. The part after _META_ becomes the header key (e.g., _SOME_KEY -> some-key).

TOML Configuration Example

Here is an example temporal.toml file that defines two profiles: default for local development and prod for production.

# Default profile for local development
[profile.default]
address = "localhost:7233"
namespace = "default"

# Optional: Add custom gRPC headers
[profile.default.grpc_meta]
my-custom-header = "development-value"
trace-id = "dev-trace-123"

# Production profile for Temporal Cloud
[profile.prod]
address = "your-namespace.a1b2c.tmprl.cloud:7233"
namespace = "your-namespace"
api_key = "your-api-key-here"

# TLS configuration for production
[profile.prod.tls]
# TLS is auto-enabled when this TLS config or API key is present, but you can configure it explicitly
# disabled = false
# Use certificate files for mTLS
client_cert_path = "/etc/temporal/certs/client.pem"
client_key_path = "/etc/temporal/certs/client.key"

# Custom headers for production
[profile.prod.grpc_meta]
environment = "production"
service-version = "v1.2.3"

# Staging profile with inline certificate data
[profile.staging]
address = "staging.temporal.example.com:7233"
namespace = "staging"

[profile.staging.tls]
# Example of providing certificate data directly (base64 or PEM format)
client_cert_data = """-----BEGIN CERTIFICATE-----
MIICertificateDataHere...
-----END CERTIFICATE-----"""
client_key_data = """-----BEGIN PRIVATE KEY-----
MIIPrivateKeyDataHere...
-----END PRIVATE KEY-----"""

CLI Integration

The Temporal CLI tool includes temporal config commands that allow you to read and write to the TOML configuration file. This provides a convenient way to manage your connection profiles without manually editing the file.

  • temporal config get <property>: Reads a specific value from the current profile.
  • temporal config set <property> <value>: Sets a property in the current profile.
  • temporal config delete <property>: Deletes a property from the current profile.
  • temporal config list: Lists all available profiles in the config file.

These CLI commands directly manipulate the temporal.toml file. This differs from the SDKs, which only read from the file and environment at runtime to establish a client connection. The CLI is a tool for managing the configuration source, while the SDKs are consumers of that configuration. You can select a profile for the CLI to use with the --profile flag. For example, temporal --profile prod ....

The following code blocks provide copy-paste-friendly examples for setting up CLI profiles for both local development and Temporal Cloud.

This example shows how to set up a default profile for local development and a prod profile for Temporal Cloud using an API key.

# (Optional) initialize the default profile for local development
temporal config set --prop address --value "localhost:7233"
temporal config set --prop namespace --value "default"

# Configure a Temporal Cloud profile that authenticates with an API key
temporal --profile prod config set --prop address --value "<region>.<cloud_provider>.api.temporal.io:7233"
temporal --profile prod config set --prop namespace --value "<namespace_id>.<account_id>"
temporal --profile prod config set --prop api_key --value "<your-api-key>"

Load configuration profile and environment variables

If you don't specify a profile, the SDKs load the default profile and the environment variables. If you haven't set TEMPORAL_CONFIG_FILE, the SDKs will look for the configuration file in the default location. Refer to Configuration methods for the default locations for your operating system.

No matter what profile you choose to load, environment variables are always loaded when you use the APIs in the environmental configuration package to load Temporal Client connection options. They always take precedence over TOML file settings in the profiles.

To load the default profile along with any environment variables in Go, use the envconfig.MustLoadDefaultClientOptions() function from the temporalio.envconfig package.

package main

import (
	"fmt"
	"log"

	"go.temporal.io/sdk/client"
	"go.temporal.io/sdk/contrib/envconfig"
)

func main() {
	// Loads the "default" profile from the standard location and environment variables.
	c, err := client.Dial(envconfig.MustLoadDefaultClientOptions())
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}
	defer c.Close()

	fmt.Printf("✅ Connected to Temporal namespace %q on %s\n", c.Options().Namespace, c.Options().HostPort)
}

Load configuration from a custom path

To load configuration from a non-standard file location without relying on the TEMPORAL_CONFIG_FILE environment variable, you can use a function from the temporalio.envconfig package. The specific method you need to call depends on the SDK you are using.

This is useful if you store application-specific configurations separately. Loading connection options using this method will still respect environment variables, which take precedence over the file settings.

To load a specific profile from a custom filepath in Go, use the envconfig.LoadClientOptions() function with the ConfigFilePath field set in the LoadClientOptionsRequest struct. Use the ConfigFileProfile field to specify the profile name.

After loading the connection options, you can override specific settings programmatically before passing them to client.Dial(). Refer to the GO SDK API documentation for all available options.

package main

import (
	"fmt"
	"log"

	"go.temporal.io/sdk/client"
	"go.temporal.io/sdk/contrib/envconfig"
)

func main() {
	// Load a specific profile from the TOML config file.
	// This requires a [profile.prod] section in your config.
	opts, err := envconfig.LoadClientOptions(envconfig.LoadClientOptionsRequest{
		ConfigFileProfile: "prod",
	})
	if err != nil {
		log.Fatalf("Failed to load 'prod' profile: %v", err)
	}

  // Programmatically override the Namespace value.
  opts.Namespace = "new-namespace"

	c, err := client.Dial(opts)
	if err != nil {
		log.Fatalf("Failed to connect using 'prod' profile: %v", err)
	}
	defer c.Close()

	fmt.Printf("✅ Connected to Temporal namespace %q on %s using 'prod' profile\n", c.Options().Namespace, c.Options().HostPort)
}