Environment variables
Set these in Settings → Environment Variables in the menu-bar tray.
Frigate+
Section titled “Frigate+”PLUS_API_KEY
Section titled “PLUS_API_KEY”| Default | Effect |
|---|---|
| unset | Frigate+ Subscription not enabled |
Frigate+ API Key | Frigate+ Subscription enabled |
Needed to take advantage of a Frigate+ subscription, if you have one.
Fregata-specific
Section titled “Fregata-specific”These are the env vars introduced by the Fregata port itself.
FRIGATE_CACHE_SIZE_MB
Section titled “FRIGATE_CACHE_SIZE_MB”| Default | Effect |
|---|---|
| computed | Ceiling for the Basic RAM disk size in megabytes (1024 MB max). Default is a per-camera-config formula; set explicitly to lock a value. Does not apply to the Smart memory (tmpfs) cache backing — that one has a fixed 1 GB sparse cap that’s not user-tunable. See Performance → RAM-disk cache for the two modes and how you picked one in the welcome wizard. |
FREGATA_EXPOSE_INTERNAL_PORT
Section titled “FREGATA_EXPOSE_INTERNAL_PORT”| Default | Effect |
|---|---|
| unset | Port 5000 bound to 127.0.0.1 only (loopback). |
1 | Port 5000 bound to all interfaces (0.0.0.0), reachable from your LAN. |
Accepts 1, true, or yes. Any other value (or unset) keeps the default loopback binding. A warning is written to the Fregata log at startup whenever this is active.
If port 5000 is already bound by something else — most commonly macOS’s
AirPlay Receiver, which holds it permanently whenever enabled — Fregata
detects the conflict and automatically serves the same unauthenticated
endpoint on port 5050 instead, leaving port 5000 itself loopback-only.
You don’t need to disable AirPlay Receiver; check the Fregata log at
startup to confirm which port is active. See
Port 5000 already in use?
for details.
FREGATA_INTERNAL_PORT_FALLBACK
Section titled “FREGATA_INTERNAL_PORT_FALLBACK”| Default | Effect |
|---|---|
5050 | Port used for LAN-exposed unauthenticated access when port 5000 can’t be bound (see FREGATA_EXPOSE_INTERNAL_PORT above). |
<port> | Use this port instead, e.g. if 5050 is also taken on your network. |
Only relevant when FREGATA_EXPOSE_INTERNAL_PORT=1 and port 5000 is
unavailable. Has no effect otherwise. Same no-authentication warning as
FREGATA_EXPOSE_INTERNAL_PORT applies to whichever port ends up active.
Can’t be set to a port Fregata already uses internally — 5000, 5001,
5002, 8082, 8971, 1984, 8554, or 8555. An override matching one
of those is ignored (with a warning in the log) and the default (5050)
is used instead.
FREGATA_EXPOSE_GO2RTC_PORT
Section titled “FREGATA_EXPOSE_GO2RTC_PORT”| Default | Effect |
|---|---|
| unset | Port 1984 (go2rtc’s admin API) bound to 127.0.0.1 only (loopback). |
1 | Port 1984 bound to all interfaces (0.0.0.0), reachable from your LAN. |
Accepts 1, true, or yes. Any other value (or unset) keeps the default loopback binding. A warning is written to the Fregata log at startup whenever this is active.
Unlike FREGATA_EXPOSE_INTERNAL_PORT, there’s no conflict fallback here — go2rtc is its own process, so a failed bind only stops go2rtc, not the rest of Fregata, and port 1984 isn’t known to collide with anything on macOS. If you’ve set go2rtc.api.listen explicitly in your own config.yml, that takes precedence over this env var.
FREGATA_EXPOSE_RTSP_PORT
Section titled “FREGATA_EXPOSE_RTSP_PORT”| Default | Effect |
|---|---|
| unset | Port 8554 (go2rtc’s RTSP restream) bound to all interfaces (0.0.0.0), reachable from your LAN. |
0 | Port 8554 bound to 127.0.0.1 only (loopback) — locks the RTSP restream down to the same Mac. |
Accepts 0, false, or no to disable LAN exposure. Any other value (or unset) keeps the default LAN-open binding. A warning is written to the Fregata log at startup whenever the port is locked to loopback, so you always have a visible reminder that it’s disabled.
Unlike FREGATA_EXPOSE_INTERNAL_PORT, there’s no conflict fallback here — go2rtc is its own process, so a failed bind only stops go2rtc, not the rest of Fregata, and port 8554 isn’t known to collide with anything on macOS. If you’ve set go2rtc.rtsp.listen explicitly in your own config.yml, that takes precedence over this env var.
To require a login instead of relying on network exposure alone, set go2rtc.rtsp.username/password in config.yml:
go2rtc: rtsp: username: "admin" password: "pass"Clients then connect with rtsp://admin:pass@<mac-ip>:8554/<camera_name>. This is go2rtc’s own credential check — independent of FREGATA_EXPOSE_RTSP_PORT, independent of Frigate’s auth.enabled, and separate from whatever username/password your cameras use upstream.
FREGATA_TELEMETRY_DISABLED
Section titled “FREGATA_TELEMETRY_DISABLED”| Default | Effect |
|---|---|
| unset | Privacy-respecting Telemetry included in license check. |
1 | Telemetry omitted. |
The contents of the telemetry are listed at
Privacy & telemetry. Setting
this to 1 is a complete opt-out — nothing telemetry-shaped leaves
the Mac.
Optional Frigate config wiring
Section titled “Optional Frigate config wiring”These are read by config.yml via the {} YAML tag, not by
Fregata or the launcher. They exist because writing secrets in
plaintext into a file is generally a bad habit.
FREGATA_MQTT_PASSWORD
Section titled “FREGATA_MQTT_PASSWORD”Conventional name for the MQTT broker password. Reference in
config.yml:
mqtt: password: {FREGATA_MQTT_PASSWORD}You’re free to use any other name — it’s just variable Frigate’s config loader will look up. Pick a convention and stick with it.
Other secrets
Section titled “Other secrets”The same pattern works for any secret your config references:
FREGATA_GENAI_KEY, FREGATA_HOMEASSISTANT_TOKEN,
FREGATA_FRIGATE_PLUS_KEY, etc. Set them in the in-app editor and
reference them with {NAME} in config.yml.