@lobehub/lobehub 2.0.0-next.355 → 2.0.0-next.356

package/docs/self-hosting/advanced/auth.mdx

@@ -110,14 +110,15 @@ Used by email verification, password reset, and magic-link delivery. Two provide
 
 Send emails via SMTP protocol, suitable for users with existing email services. See [Nodemailer SMTP docs](https://nodemailer.com/smtp/).
 
-| Environment Variable     | Type     | Description                                             | Example             |
-| ------------------------ | -------- | ------------------------------------------------------- | ------------------- |
-| `EMAIL_SERVICE_PROVIDER` | Optional | Set to `nodemailer` (default)                           | `nodemailer`        |
-| `SMTP_HOST`              | Required | SMTP server hostname                                    | `smtp.gmail.com`    |
-| `SMTP_PORT`              | Required | SMTP server port (`587` for TLS, `465` for SSL)         | `587`               |
-| `SMTP_SECURE`            | Optional | `true` for SSL (port 465), `false` for TLS (port 587)   | `false`             |
-| `SMTP_USER`              | Required | SMTP auth username                                      | `user@gmail.com`    |
-| `SMTP_PASS`              | Required | SMTP auth password                                      | `your-app-password` |
+| Environment Variable     | Type     | Description                                                       | Example                |
+| ------------------------ | -------- | ----------------------------------------------------------------- | ---------------------- |
+| `EMAIL_SERVICE_PROVIDER` | Optional | Set to `nodemailer` (default)                                     | `nodemailer`           |
+| `SMTP_HOST`              | Required | SMTP server hostname                                              | `smtp.gmail.com`       |
+| `SMTP_PORT`              | Required | SMTP server port (`587` for TLS, `465` for SSL)                   | `587`                  |
+| `SMTP_SECURE`            | Optional | `true` for SSL (port 465), `false` for TLS (port 587)             | `false`                |
+| `SMTP_USER`              | Required | SMTP auth username                                                | `user@gmail.com`       |
+| `SMTP_PASS`              | Required | SMTP auth password                                                | `your-app-password`    |
+| `SMTP_FROM`              | Optional | Sender address (required for AWS SES), defaults to `SMTP_USER`    | `noreply@example.com`  |
 
 <Callout type={'warning'}>
   When using Gmail, you must use an App Password instead of your account password. Generate one at [Google App Passwords](https://myaccount.google.com/apppasswords).
@@ -127,11 +128,11 @@ Send emails via SMTP protocol, suitable for users with existing email services.
 
 [Resend](https://resend.com/) is a modern email API service with simple setup, recommended for new users.
 
-| Environment Variable     | Type        | Description                              | Example                     |
-| ------------------------ | ----------- | ---------------------------------------- | --------------------------- |
-| `EMAIL_SERVICE_PROVIDER` | Required    | Set to `resend`                          | `resend`                    |
-| `RESEND_API_KEY`         | Required    | Resend API Key                           | `re_xxxxxxxxxxxxxxxxxxxxxx` |
-| `RESEND_FROM`            | Recommended | Sender address, must be a verified domain| `noreply@your-domain.com`   |
+| Environment Variable     | Type        | Description                               | Example                     |
+| ------------------------ | ----------- | ----------------------------------------- | --------------------------- |
+| `EMAIL_SERVICE_PROVIDER` | Required    | Set to `resend`                           | `resend`                    |
+| `RESEND_API_KEY`         | Required    | Resend API Key                            | `re_xxxxxxxxxxxxxxxxxxxxxx` |
+| `RESEND_FROM`            | Recommended | Sender address, must be a verified domain | `noreply@your-domain.com`   |
 
 <Callout type={'info'}>
   Before using Resend, you need to [verify your sending domain](https://resend.com/docs/dashboard/domains/introduction), otherwise emails can only be sent to your own address.
@@ -139,9 +140,9 @@ Send emails via SMTP protocol, suitable for users with existing email services.
 
 ### Common Configuration
 
-| Environment Variable      | Type     | Description                                              | Example |
-| ------------------------- | -------- | -------------------------------------------------------- | ------- |
-| `AUTH_EMAIL_VERIFICATION` | Optional | Set to `1` to require email verification (off by default)| `1`     |
+| Environment Variable      | Type     | Description                                               | Example |
+| ------------------------- | -------- | --------------------------------------------------------- | ------- |
+| `AUTH_EMAIL_VERIFICATION` | Optional | Set to `1` to require email verification (off by default) | `1`     |
 
 ## Magic Link (Passwordless) Login
 
@@ -155,6 +156,19 @@ Enable magic-link login (depends on a working email provider above, off by defau
   Go to [Environment Variables](/docs/self-hosting/environment-variables/auth#better-auth) for detailed information on all Better Auth variables.
 </Callout>
 
+## Session Storage Configuration (Optional)
+
+By default, Better Auth uses the database to store session data. You can configure Redis as secondary storage for better performance and cross-instance session sharing.
+
+| Environment Variable | Type     | Description                                                  |
+| -------------------- | -------- | ------------------------------------------------------------ |
+| `REDIS_URL`          | Optional | Redis connection URL, enables Redis session storage when set |
+| `REDIS_PREFIX`       | Optional | Redis key prefix, defaults to `lobechat`                     |
+
+<Callout type={'info'}>
+  When Redis is configured, authentication session data will be stored in Redis, enabling session sharing across multiple service instances and faster session validation. See [Redis Cache Service](/docs/self-hosting/advanced/redis) for detailed configuration.
+</Callout>
+
 ## FAQ
 
 ### What SSO providers does Better Auth support?
@@ -164,3 +178,16 @@ Better Auth supports built-in providers (Google, GitHub, Microsoft, Apple, AWS C
 ### How do I enable multiple SSO providers?
 
 Set the `AUTH_SSO_PROVIDERS` environment variable with a comma-separated list, e.g., `google,github,microsoft`. The order determines the display order on the login page.
+
+### What if Casdoor users only have username without email?
+
+The current authentication system requires email. Please configure a valid email address for users in Casdoor. Using a real, valid email is strongly recommended, otherwise features like password reset and magic link login will not work.
+
+### How do I restrict registration to specific emails or domains?
+
+Set the `AUTH_ALLOWED_EMAILS` environment variable with a comma-separated list of allowed emails or domains. For example:
+
+- Allow only `example.com` domain: `AUTH_ALLOWED_EMAILS=example.com`
+- Allow multiple domains and specific emails: `AUTH_ALLOWED_EMAILS=example.com,company.org,admin@other.com`
+
+Leave empty to allow all emails. This restriction applies to both email registration and SSO login.

package/docs/self-hosting/advanced/auth.zh-CN.mdx

@@ -107,14 +107,15 @@ LobeChat 使用 [Better Auth](https://www.better-auth.com) 作为身份验证解
 
 使用 SMTP 协议发送邮件，适合已有邮箱服务的用户。参考 [Nodemailer SMTP 文档](https://nodemailer.com/smtp/)。
 
-| 环境变量                     | 类型 | 描述                                              | 示例                 |
-| ------------------------- | -- | ----------------------------------------------- | ------------------ |
-| `EMAIL_SERVICE_PROVIDER`  | 可选 | 设置为 `nodemailer`（默认值）                           | `nodemailer`       |
-| `SMTP_HOST`               | 必选 | SMTP 服务器主机名                                     | `smtp.gmail.com`   |
-| `SMTP_PORT`               | 必选 | SMTP 服务器端口（TLS 通常为 `587`，SSL 为 `465`）           | `587`              |
-| `SMTP_SECURE`             | 可选 | SSL 设置为 `true`（端口 465），TLS 设置为 `false`（端口 587） | `false`            |
-| `SMTP_USER`               | 必选 | SMTP 认证用户名                                      | `user@gmail.com`   |
-| `SMTP_PASS`               | 必选 | SMTP 认证密码                                       | `your-app-password`|
+| 环境变量                     | 类型 | 描述                                             | 示例                     |
+| ------------------------ | -- | ---------------------------------------------- | ---------------------- |
+| `EMAIL_SERVICE_PROVIDER` | 可选 | 设置为 `nodemailer`（默认值）                          | `nodemailer`           |
+| `SMTP_HOST`              | 必选 | SMTP 服务器主机名                                    | `smtp.gmail.com`       |
+| `SMTP_PORT`              | 必选 | SMTP 服务器端口（TLS 通常为 `587`，SSL 为 `465`）          | `587`                  |
+| `SMTP_SECURE`            | 可选 | SSL 设置为 `true`（端口 465），TLS 设置为 `false`（端口 587） | `false`                |
+| `SMTP_USER`              | 必选 | SMTP 认证用户名                                     | `user@gmail.com`       |
+| `SMTP_PASS`              | 必选 | SMTP 认证密码                                      | `your-app-password`    |
+| `SMTP_FROM`              | 可选 | 发件人地址（AWS SES 必填），默认为 `SMTP_USER`             | `noreply@example.com`  |
 
 <Callout type={'warning'}>
   使用 Gmail 时，需使用应用专用密码而非账户密码。前往 [Google 应用专用密码](https://myaccount.google.com/apppasswords) 生成。
@@ -124,11 +125,11 @@ LobeChat 使用 [Better Auth](https://www.better-auth.com) 作为身份验证解
 
 [Resend](https://resend.com/) 是一个现代邮件 API 服务，配置简单，推荐新用户使用。
 
-| 环境变量                     | 类型 | 描述                                 | 示例                          |
-| ------------------------- | -- | ---------------------------------- | --------------------------- |
-| `EMAIL_SERVICE_PROVIDER`  | 必选 | 设置为 `resend`                       | `resend`                    |
-| `RESEND_API_KEY`          | 必选 | Resend API Key                     | `re_xxxxxxxxxxxxxxxxxxxxxx` |
-| `RESEND_FROM`             | 推荐 | 发件人地址，需为 Resend 已验证域名下的邮箱          | `noreply@your-domain.com`   |
+| 环境变量                     | 类型 | 描述                        | 示例                          |
+| ------------------------ | -- | ------------------------- | --------------------------- |
+| `EMAIL_SERVICE_PROVIDER` | 必选 | 设置为 `resend`              | `resend`                    |
+| `RESEND_API_KEY`         | 必选 | Resend API Key            | `re_xxxxxxxxxxxxxxxxxxxxxx` |
+| `RESEND_FROM`            | 推荐 | 发件人地址，需为 Resend 已验证域名下的邮箱 | `noreply@your-domain.com`   |
 
 <Callout type={'info'}>
   使用 Resend 前需先 [验证发件域名](https://resend.com/docs/dashboard/domains/introduction)，否则只能发送到自己的邮箱。
@@ -136,9 +137,9 @@ LobeChat 使用 [Better Auth](https://www.better-auth.com) 作为身份验证解
 
 ### 通用配置
 
-| 环境变量                      | 类型 | 描述                           | 示例 |
-| ------------------------- | -- | ---------------------------- | -- |
-| `AUTH_EMAIL_VERIFICATION` | 可选 | 设置为 `1` 以要求用户在登录前验证邮箱（默认关闭） | `1`|
+| 环境变量                      | 类型 | 描述                          | 示例  |
+| ------------------------- | -- | --------------------------- | --- |
+| `AUTH_EMAIL_VERIFICATION` | 可选 | 设置为 `1` 以要求用户在登录前验证邮箱（默认关闭） | `1` |
 
 ## 魔法链接（免密）登录
 
@@ -152,6 +153,19 @@ LobeChat 使用 [Better Auth](https://www.better-auth.com) 作为身份验证解
   前往 [环境变量](/zh/docs/self-hosting/environment-variables/auth#better-auth) 可查阅所有 Better Auth 相关变量详情。
 </Callout>
 
+## 会话存储配置（可选）
+
+默认情况下，Better Auth 使用数据库存储会话数据。你可以配置 Redis 作为二级存储，以获得更好的性能和跨实例会话共享能力。
+
+| 环境变量           | 类型 | 描述                              |
+| -------------- | -- | ------------------------------- |
+| `REDIS_URL`    | 可选 | Redis 连接 URL，配置后自动启用 Redis 会话存储 |
+| `REDIS_PREFIX` | 可选 | Redis 键前缀，默认为 `lobechat`        |
+
+<Callout type={'info'}>
+  配置 Redis 后，认证会话数据将存储在 Redis 中，可以实现跨多个服务实例的会话共享，并提升会话验证速度。详细配置请参阅 [Redis 缓存服务](/zh/docs/self-hosting/advanced/redis)。
+</Callout>
+
 ## 常见问题
 
 ### Better Auth 支持哪些 SSO 提供商？
@@ -161,3 +175,17 @@ Better Auth 支持内置提供商（Google、GitHub、Microsoft、Apple、AWS Co
 ### 如何启用多个 SSO 提供商？
 
 设置 `AUTH_SSO_PROVIDERS` 环境变量，使用逗号分隔多个提供商，例如 `google,github,microsoft`。顺序决定登录页面上的显示顺序。
+
+### Casdoor 用户只有 username 没有 email 怎么办？
+
+当前身份验证方案强依赖 email。请在 Casdoor 中为用户配置有效的 email 地址。
+强烈建议使用真实有效的邮箱，否则密码重置、魔法链接登录等功能将无法使用。
+
+### 如何限制只允许特定邮箱或域名注册？
+
+设置 `AUTH_ALLOWED_EMAILS` 环境变量，支持完整邮箱地址或域名，以逗号分隔。例如：
+
+- 只允许 `example.com` 域名：`AUTH_ALLOWED_EMAILS=example.com`
+- 允许多个域名和特定邮箱：`AUTH_ALLOWED_EMAILS=example.com,company.org,admin@other.com`
+
+留空表示允许所有邮箱注册。此限制对邮箱注册和 SSO 登录均有效。

package/docs/self-hosting/advanced/redis/upstash.mdx

@@ -0,0 +1,69 @@
+---
+title: Configuring Upstash Redis Service
+description: Step-by-step guide to configure Upstash Redis for LobeChat cache and session storage.
+tags:
+  - Upstash
+  - Redis
+  - Cache
+  - Configuration Guide
+---
+
+# Configuring Upstash Redis Service
+
+[Upstash](https://upstash.com/) is a serverless Redis service that provides a free tier and pay-as-you-go pricing, making it ideal for LobeChat deployments.
+
+## Configuration Steps
+
+<Steps>
+  ### Create Redis Database on Upstash
+
+  1. Visit [Upstash Console](https://console.upstash.com/) and sign up
+  2. Click **Create Database** and configure: name, region, enable TLS
+  3. Copy the **Redis URL** (TCP connection, not REST API) from the database details page:
+
+  <Image alt={'Copy Redis URL from Upstash'} src={'https://hub-apac-1.lobeobjects.space/docs/43d110283ba816c0c2b45408e4f9d344.png'} />
+
+  ### Configure Environment Variables
+
+  ```shell
+  # Upstash Redis URL (copy from Upstash console)
+  REDIS_URL=rediss://default:xxxxxxxxxxxxx@us1-xxxxx-xxxxx.upstash.io:6379
+
+  # Optional: Enable TLS (recommended for Upstash)
+  REDIS_TLS=1
+
+  # Optional: Set a prefix for Redis keys
+  REDIS_PREFIX=lobechat
+  ```
+
+  <Callout type={'info'}>
+    Upstash uses `rediss://` (with double 's') for TLS connections. LobeChat supports this format automatically.
+  </Callout>
+</Steps>
+
+## Environment Variables Overview
+
+```shell
+# Upstash Redis Connection URL
+REDIS_URL=rediss://default:xxxxxxxxxxxxx@us1-xxxxx-xxxxx.upstash.io:6379
+
+# Optional: Enable TLS encryption (recommended for Upstash)
+REDIS_TLS=1
+
+# Optional: Key prefix for data isolation
+REDIS_PREFIX=lobechat
+```
+
+## Notes
+
+<Callout type={'tip'}>
+  Upstash offers a generous free tier with 10,000 commands per day, which is sufficient for personal use and small deployments.
+</Callout>
+
+<Callout type={'warning'}>
+  Make sure to keep your Redis URL secure and never expose it in client-side code or public repositories.
+</Callout>
+
+- **Free Tier Limits**: 10,000 commands/day, 256MB storage
+- **TLS Required**: Upstash requires TLS connections, ensure `REDIS_TLS=1` is set
+- **Regional vs Global**: Choose Global for better latency if your users are distributed worldwide

package/docs/self-hosting/advanced/redis/upstash.zh-CN.mdx

@@ -0,0 +1,69 @@
+---
+title: 配置 Upstash Redis 服务
+description: 详细指南：如何配置 Upstash Redis 用于 LobeChat 的缓存和会话存储。
+tags:
+  - Upstash
+  - Redis
+  - 缓存
+  - 配置指南
+---
+
+# 配置 Upstash Redis 服务
+
+[Upstash](https://upstash.com/) 是一个 Serverless Redis 服务，提供免费额度和按量付费模式，非常适合 LobeChat 部署使用。
+
+## 配置步骤
+
+<Steps>
+  ### 在 Upstash 创建 Redis 数据库
+
+  1. 访问 [Upstash 控制台](https://console.upstash.com/) 并注册
+  2. 点击 **Create Database**，配置：名称、区域、启用 TLS
+  3. 从数据库详情页复制 **Redis URL**（TCP 连接方式，不是 REST API）：
+
+  <Image alt={'从 Upstash 复制 Redis URL'} src={'https://hub-apac-1.lobeobjects.space/docs/43d110283ba816c0c2b45408e4f9d344.png'} />
+
+  ### 配置环境变量
+
+  ```shell
+  # Upstash Redis URL（从 Upstash 控制台复制）
+  REDIS_URL=rediss://default:xxxxxxxxxxxxx@us1-xxxxx-xxxxx.upstash.io:6379
+
+  # 可选：启用 TLS（Upstash 推荐）
+  REDIS_TLS=1
+
+  # 可选：设置 Redis 键前缀
+  REDIS_PREFIX=lobechat
+  ```
+
+  <Callout type={'info'}>
+    Upstash 使用 `rediss://`（双 's'）表示 TLS 连接，LobeChat 自动支持此格式。
+  </Callout>
+</Steps>
+
+## 环境变量概览
+
+```shell
+# Upstash Redis 连接 URL
+REDIS_URL=rediss://default:xxxxxxxxxxxxx@us1-xxxxx-xxxxx.upstash.io:6379
+
+# 可选：启用 TLS 加密（Upstash 推荐）
+REDIS_TLS=1
+
+# 可选：键前缀，用于数据隔离
+REDIS_PREFIX=lobechat
+```
+
+## 注意事项
+
+<Callout type={'tip'}>
+  Upstash 提供慷慨的免费额度：每天 10,000 次命令，足够个人使用和小规模部署。
+</Callout>
+
+<Callout type={'warning'}>
+  请确保安全保管你的 Redis URL，切勿在客户端代码或公开仓库中暴露。
+</Callout>
+
+- **免费额度限制**：每天 10,000 次命令，256MB 存储
+- **TLS 必需**：Upstash 要求 TLS 连接，确保设置 `REDIS_TLS=1`
+- **Regional vs Global**：如果用户分布全球，选择 Global 可获得更低延迟

package/docs/self-hosting/advanced/redis.mdx

@@ -0,0 +1,128 @@
+---
+title: Configure Redis Cache Service
+description: Learn how to configure Redis cache service to optimize LobeChat performance and session management.
+tags:
+  - Redis
+  - Cache
+  - Session Storage
+  - Performance
+---
+
+# Configure Redis Cache Service
+
+LobeChat uses Redis as a high-performance cache and session storage service to optimize system performance and manage user authentication state.
+
+<Callout type={'info'}>
+  LobeChat uses the standard Redis protocol (via ioredis library), supporting any Redis
+  protocol-compatible service, including official Redis, self-hosted Redis, and cloud provider Redis
+  services (such as AWS ElastiCache, Alibaba Cloud Redis, etc.).
+</Callout>
+
+## Use Cases
+
+Redis is used in LobeChat for the following scenarios:
+
+### Authentication Session Storage
+
+As secondary storage for Better Auth, used to store user authentication sessions and token data. This enables:
+
+- Sharing session state across multiple service instances
+- Faster session validation
+- Session revocation and management support
+
+### File Proxy Cache
+
+Caches S3 presigned URLs to reduce S3 API calls and optimize file access performance.
+
+### Agent Configuration Cache
+
+Caches Agent configuration data to reduce database queries and improve response speed.
+
+## Core Environment Variables
+
+<Steps>
+  ### `REDIS_URL`
+
+  The Redis server connection URL. This is required to enable Redis functionality.
+
+  ```shell
+  REDIS_URL=redis://localhost:6379
+  ```
+
+  Supported URL formats:
+
+  - Standard: `redis://localhost:6379`
+  - With authentication: `redis://username:password@localhost:6379`
+  - With database: `redis://localhost:6379/0`
+
+  ### `REDIS_PREFIX`
+
+  The prefix for Redis keys, used to isolate LobeChat data in a shared Redis instance.
+
+  - Default: `lobechat`
+  - Example: `REDIS_PREFIX=my-lobechat`
+
+  ### `REDIS_TLS`
+
+  Whether to enable TLS/SSL encrypted connection.
+
+  - Default: `false`
+  - Example: `REDIS_TLS=true`
+
+  <Callout type={'tip'}>
+    If you use Redis services from cloud providers, you usually need to enable TLS to ensure secure
+    data transmission.
+  </Callout>
+
+  ### `REDIS_PASSWORD`
+
+  Redis authentication password (optional). Set this if your Redis server is configured with password authentication.
+
+  ### `REDIS_USERNAME`
+
+  Redis authentication username (optional). Redis 6.0+ supports ACL user authentication. Set this if using username authentication.
+
+  ### `REDIS_DATABASE`
+
+  Redis database index (optional). Redis supports multiple databases (default 0-15), you can specify which database to use.
+
+  - Default: `0`
+  - Example: `REDIS_DATABASE=1`
+</Steps>
+
+## Configuration Examples
+
+### Local Development
+
+```shell
+REDIS_URL=redis://localhost:6379
+REDIS_PREFIX=lobechat-dev
+```
+
+### Production (with authentication)
+
+```shell
+REDIS_URL=redis://localhost:6379
+REDIS_PASSWORD=your-strong-password
+REDIS_PREFIX=lobechat
+REDIS_TLS=true
+```
+
+### Cloud Service (e.g., AWS ElastiCache)
+
+```shell
+REDIS_URL=redis://your-cluster.cache.amazonaws.com:6379
+REDIS_TLS=true
+REDIS_PREFIX=lobechat
+```
+
+## Notes
+
+<Callout type={'warning'}>
+  Redis is an optional service. If `REDIS_URL` is not configured, LobeChat will still function
+  normally, but will lose the caching and session management optimizations mentioned above.
+</Callout>
+
+- **Memory Management**: Redis is an in-memory database, ensure your server has sufficient memory
+- **Persistence**: Enable Redis RDB or AOF persistence to prevent data loss
+- **High Availability**: For production, consider using Redis Sentinel or Redis Cluster for high availability

package/docs/self-hosting/advanced/redis.zh-CN.mdx

@@ -0,0 +1,126 @@
+---
+title: 配置 Redis 缓存服务
+description: 了解如何配置 Redis 缓存服务以优化 LobeChat 的性能和会话管理。
+tags:
+  - Redis
+  - 缓存
+  - 会话存储
+  - 性能优化
+---
+
+# 配置 Redis 缓存服务
+
+LobeChat 使用 Redis 作为高性能缓存和会话存储服务，用于优化系统性能和管理用户认证状态。
+
+<Callout type={'info'}>
+  LobeChat 使用标准 Redis 协议（通过 ioredis 库），支持任何兼容 Redis 协议的服务，包括 Redis
+  官方服务、自部署 Redis、以及云服务商提供的 Redis 服务（如 AWS ElastiCache、阿里云 Redis
+  等）。
+</Callout>
+
+## 使用场景
+
+Redis 在 LobeChat 中主要用于以下场景：
+
+### 认证会话存储
+
+作为 Better Auth 的二级存储，用于存储用户认证 session 和 token 数据。这可以实现：
+
+- 跨多个服务实例共享会话状态
+- 更快的会话验证速度
+- 支持会话撤销和管理
+
+### 文件代理缓存
+
+缓存 S3 预签名 URL，减少对 S3 API 的调用次数，优化文件访问性能。
+
+### Agent 配置缓存
+
+缓存 Agent 配置数据，减少数据库查询，提升响应速度。
+
+## 核心环境变量
+
+<Steps>
+  ### `REDIS_URL`
+
+  Redis 服务器的连接 URL，这是启用 Redis 功能的必需配置。
+
+  ```shell
+  REDIS_URL=redis://localhost:6379
+  ```
+
+  支持的 URL 格式：
+
+  - 标准格式：`redis://localhost:6379`
+  - 带认证：`redis://username:password@localhost:6379`
+  - 带数据库：`redis://localhost:6379/0`
+
+  ### `REDIS_PREFIX`
+
+  Redis 键的前缀，用于在共享 Redis 实例中隔离 LobeChat 的数据。
+
+  - 默认值：`lobechat`
+  - 示例：`REDIS_PREFIX=my-lobechat`
+
+  ### `REDIS_TLS`
+
+  是否启用 TLS/SSL 加密连接。
+
+  - 默认值：`false`
+  - 示例：`REDIS_TLS=true`
+
+  <Callout type={'tip'}>
+    如果你使用云服务商提供的 Redis 服务，通常需要启用 TLS 以确保数据传输安全。
+  </Callout>
+
+  ### `REDIS_PASSWORD`
+
+  Redis 认证密码（可选）。如果 Redis 服务器配置了密码认证，需要设置此变量。
+
+  ### `REDIS_USERNAME`
+
+  Redis 认证用户名（可选）。Redis 6.0+ 支持 ACL 用户认证，如果使用了用户名认证，需要设置此变量。
+
+  ### `REDIS_DATABASE`
+
+  Redis 数据库索引（可选）。Redis 支持多个数据库（默认 0-15），可以指定使用的数据库。
+
+  - 默认值：`0`
+  - 示例：`REDIS_DATABASE=1`
+</Steps>
+
+## 配置示例
+
+### 本地开发
+
+```shell
+REDIS_URL=redis://localhost:6379
+REDIS_PREFIX=lobechat-dev
+```
+
+### 生产环境（带认证）
+
+```shell
+REDIS_URL=redis://localhost:6379
+REDIS_PASSWORD=your-strong-password
+REDIS_PREFIX=lobechat
+REDIS_TLS=true
+```
+
+### 云服务（如 AWS ElastiCache）
+
+```shell
+REDIS_URL=redis://your-cluster.cache.amazonaws.com:6379
+REDIS_TLS=true
+REDIS_PREFIX=lobechat
+```
+
+## 注意事项
+
+<Callout type={'warning'}>
+  Redis 是可选服务。如果不配置 `REDIS_URL`，LobeChat 仍然可以正常运行，但会失去上述缓存和会话管理的优化功能。
+</Callout>
+
+- **内存管理**：Redis 是内存数据库，请确保服务器有足够的内存
+- **持久化**：建议启用 Redis 的 RDB 或 AOF 持久化，防止数据丢失
+- **高可用**：生产环境建议使用 Redis Sentinel 或 Redis Cluster 实现高可用

package/docs/self-hosting/environment-variables/auth.mdx

@@ -27,7 +27,7 @@ LobeChat provides a complete authentication service capability when deployed. Th
 - Default: `-`
 - Example: `Tfhi2t2pelSMEA8eaV61KaqPNEndFFdMIxDaJnS1CUI=`
 
-#### `NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION`
+#### `AUTH_EMAIL_VERIFICATION`
 
 - Type: Optional
 - Description: Set to `1` to require email verification before users can sign in. Users must verify their email address after registration.
@@ -41,6 +41,13 @@ LobeChat provides a complete authentication service capability when deployed. Th
 - Default: `-`
 - Example: `google,github,microsoft,cognito`
 
+#### `AUTH_ALLOWED_EMAILS`
+
+- Type: Optional
+- Description: Comma-separated list of allowed emails or domains for registration. Supports full email addresses (e.g., `user@example.com`) or domain names (e.g., `example.com`). Leave empty to allow all emails.
+- Default: `-`
+- Example: `example.com,admin@other.com`
+
 #### `JWKS_KEY`
 
 - Type: Required
@@ -95,6 +102,13 @@ These settings are required for email verification and password reset features.
 - Default: `-`
 - Example: `your-app-specific-password`
 
+#### `SMTP_FROM`
+
+- Type: Optional
+- Description: Sender email address. Required for AWS SES where `SMTP_USER` is not a valid email address. If not set, defaults to `SMTP_USER`.
+- Default: Value of `SMTP_USER`
+- Example: `noreply@example.com`
+
 ### Google
 
 #### `AUTH_GOOGLE_ID`

package/docs/self-hosting/environment-variables/auth.zh-CN.mdx

@@ -25,7 +25,7 @@ LobeChat 在部署时提供了完善的身份验证服务能力，以下是相
 - 默认值：`-`
 - 示例：`Tfhi2t2pelSMEA8eaV61KaqPNEndFFdMIxDaJnS1CUI=`
 
-#### `NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION`
+#### `AUTH_EMAIL_VERIFICATION`
 
 - 类型：可选
 - 描述：设置为 `1` 以要求用户在登录前验证邮箱。用户注册后必须验证邮箱地址。
@@ -39,6 +39,13 @@ LobeChat 在部署时提供了完善的身份验证服务能力，以下是相
 - 默认值：`-`
 - 示例：`google,github,microsoft,cognito`
 
+#### `AUTH_ALLOWED_EMAILS`
+
+- 类型：可选
+- 描述：允许注册的邮箱或域名白名单，以逗号分隔。支持完整邮箱地址（如 `user@example.com`）或域名（如 `example.com`）。留空表示允许所有邮箱。
+- 默认值：`-`
+- 示例：`example.com,admin@other.com`
+
 #### `JWKS_KEY`
 
 - 类型：必选
@@ -93,6 +100,13 @@ LobeChat 在部署时提供了完善的身份验证服务能力，以下是相
 - 默认值：`-`
 - 示例：`your-app-specific-password`
 
+#### `SMTP_FROM`
+
+- 类型：可选
+- 描述：发件人邮箱地址。AWS SES 等服务需要此配置（因为 `SMTP_USER` 不是有效邮箱地址）。若未设置，默认使用 `SMTP_USER`。
+- 默认值：`SMTP_USER` 的值
+- 示例：`noreply@example.com`
+
 ### Google
 
 #### `AUTH_GOOGLE_ID`

package/docs/self-hosting/environment-variables/basic.mdx

@@ -19,6 +19,19 @@ LobeChat provides some additional configuration options during deployment, which
 
 ## Common Variables
 
+### `KEY_VAULTS_SECRET`
+
+- Type: Required (server database mode)
+- Description: Used to encrypt sensitive information stored by users in the database (such as API Keys, baseURL, etc.), preventing exposure of critical information in case of database breach
+- Default: -
+- Example: `Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ=`
+
+<Callout type={'warning'}>
+  This key is used to encrypt sensitive data. Once set, do not change it, otherwise encrypted data cannot be decrypted.
+</Callout>
+
+<GenerateSecret envName="KEY_VAULTS_SECRET" />
+
 ### `API_KEY_SELECT_MODE`
 
 - Type：Optional