# Emby Watch Party Configuration # # Only the boot-essential values live here. All mutable runtime # settings (logging, security, rate limits, late-join vote, static # session, REQUIRE_LOGIN, FORCE_TRANSCODE, etc.) are managed via the # Admin Panel at /admin and persisted to config.json. A restart is # only required for changes to the values below. # ============== Application ============== # Network bind. 0.0.0.0 listens on all interfaces (typical for Docker). WATCH_PARTY_BIND=0.0.0.0 WATCH_PARTY_PORT=5000 # Session cookie lifetime in seconds (default: 24h). SESSION_EXPIRY=86400 # Base URL prefix for reverse-proxy deployments behind a subpath. # Example: APP_PREFIX=/watchparty serves the entire app under # https://example.com/watchparty/ -- backend routers, Socket.IO, # /assets, and the SPA all honour the prefix at runtime, so the same # image works for any subpath (or for root) without a rebuild. # Leave empty (default) for root-of-domain deployments. #APP_PREFIX=/watchparty # ============== Session Cookie (new in 2.0.0-beta18) ============== # The signing key for the party-bound session cookie. Must persist # across process restarts AND across every uvicorn worker or existing # cookies stop verifying -- generate ONCE with `openssl rand -hex 32` # (or `python -c "import secrets; print(secrets.token_hex(32))"`) and # leave it. If unset, an ephemeral random key is generated at boot # with a loud warning: fine for local dev, catastrophic in production # (every restart kicks everyone out of their party, and --workers >1 # produces non-deterministic session state per request). SESSION_SECRET=change-me-openssl-rand-hex-32 # When `true`, the session cookie carries the Secure flag so browsers # only send it over HTTPS. Set `true` in every deployment behind TLS; # leave `false` for local http://localhost dev (cookies stripped from # insecure origins if this is `true`, which locks you out). SESSION_COOKIE_SECURE=false # ============== Socket.IO CORS (new in 2.0.0-beta18) ============== # Comma-separated origin allowlist for the Socket.IO server. `*` # (default, historical behaviour) accepts XHR-poll handshakes from any # origin -- convenient for testing, but pair with per-IP throttling # in production. Pin to your real origin(s) for a proper deployment, # e.g. `https://watchparty.example.com,https://staging.example.com`. CORS_ALLOWED_ORIGINS=* # ============== Emby Server ============== # Only the admin API key is required here. Per-user authentication is # an in-app action: any party member clicks "Login to Become Host" # inside the party and supplies their own Emby credentials. The # backend never stores long-lived user credentials at rest -- only # this admin server key. EMBY_SERVER_URL=http://localhost:8096 EMBY_API_KEY=your-api-key-here