diff --git a/static/env-vars/activitylog-config-example.yaml b/static/env-vars/activitylog-config-example.yaml new file mode 100644 index 00000000..8641ec98 --- /dev/null +++ b/static/env-vars/activitylog-config-example.yaml @@ -0,0 +1,58 @@ +# Autogenerated +# Filename: activitylog-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9197 + token: "" + pprof: false + zpages: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: activitylog + table: "" + ttl: 0s + username: "" + password: "" +reva_gateway: eu.opencloud.api.gateway +grpc_client_tls: null +http: + addr: 127.0.0.1:9195 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +token_manager: + jwt_secret: "" +translation_path: "" +default_language: en +service_account: + service_account_id: "" + service_account_secret: "" +write_buffer_duration: 10s +max_activities: 6000 diff --git a/static/env-vars/activitylog_configvars.md b/static/env-vars/activitylog_configvars.md index d3e04384..41781b93 100644 --- a/static/env-vars/activitylog_configvars.md +++ b/static/env-vars/activitylog_configvars.md @@ -1,43 +1,40 @@ Environment variables for the **activitylog** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`ACTIVITYLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`ACTIVITYLOG_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`ACTIVITYLOG_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`ACTIVITYLOG_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`ACTIVITYLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9197`| -|`ACTIVITYLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`ACTIVITYLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`ACTIVITYLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OC_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_PERSISTENT_STORE`
`ACTIVITYLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| -|`OC_PERSISTENT_STORE_NODES`
`ACTIVITYLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`ACTIVITYLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`activitylog`| -|`ACTIVITYLOG_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| -|`OC_PERSISTENT_STORE_TTL`
`ACTIVITYLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`0s`| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`ACTIVITYLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`ACTIVITYLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| -|`ACTIVITYLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9195`| -|`ACTIVITYLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`OC_CORS_ALLOW_ORIGINS`
`ACTIVITYLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| -|`OC_CORS_ALLOW_METHODS`
`ACTIVITYLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET]`| -|`OC_CORS_ALLOW_HEADERS`
`ACTIVITYLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`ACTIVITYLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`OC_JWT_SECRET`
`ACTIVITYLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_TRANSLATION_PATH`
`ACTIVITYLOG_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| -|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|`en`| -|`OC_SERVICE_ACCOUNT_ID`
`ACTIVITYLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`ACTIVITYLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| -|`ACTIVITYLOG_WRITE_BUFFER_DURATION`| 4.0.0 |Duration|`The duration to wait before flushing the write buffer. This is used to reduce the number of writes to the store.`|`10s`| -|`ACTIVITYLOG_MAX_ACTIVITIES`| 4.0.0 |int|`The maximum number of activities to keep in the store per resource. If the number of activities exceeds this value, the oldest activities will be removed.`|`6000`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`ACTIVITYLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`ACTIVITYLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9197| +|`ACTIVITYLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`ACTIVITYLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`ACTIVITYLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OC_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_PERSISTENT_STORE`
`ACTIVITYLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|nats-js-kv| +|`OC_PERSISTENT_STORE_NODES`
`ACTIVITYLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`ACTIVITYLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|activitylog| +|`ACTIVITYLOG_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|| +|`OC_PERSISTENT_STORE_TTL`
`ACTIVITYLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|0s| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`ACTIVITYLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`ACTIVITYLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|eu.opencloud.api.gateway| +|`ACTIVITYLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9195| +|`ACTIVITYLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`OC_CORS_ALLOW_ORIGINS`
`ACTIVITYLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[*]| +|`OC_CORS_ALLOW_METHODS`
`ACTIVITYLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[GET]| +|`OC_CORS_ALLOW_HEADERS`
`ACTIVITYLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]| +|`OC_CORS_ALLOW_CREDENTIALS`
`ACTIVITYLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|true| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`OC_JWT_SECRET`
`ACTIVITYLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_TRANSLATION_PATH`
`ACTIVITYLOG_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|en| +|`OC_SERVICE_ACCOUNT_ID`
`ACTIVITYLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`ACTIVITYLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| +|`ACTIVITYLOG_WRITE_BUFFER_DURATION`| 4.0.0 |Duration|`The duration to wait before flushing the write buffer. This is used to reduce the number of writes to the store.`|10s| +|`ACTIVITYLOG_MAX_ACTIVITIES`| 4.0.0 |int|`The maximum number of activities to keep in the store per resource. If the number of activities exceeds this value, the oldest activities will be removed.`|6000| diff --git a/static/env-vars/activitylog_readme.md b/static/env-vars/activitylog_readme.md index f80fc09e..9e9aad1e 100644 --- a/static/env-vars/activitylog_readme.md +++ b/static/env-vars/activitylog_readme.md @@ -1,6 +1,6 @@ --- title: Activitylog -date: 2025-11-27T22:56:02.331192+01:00 +date: 2026-01-13T10:10:18.221111046+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/activitylog diff --git a/static/env-vars/antivirus-config-example.yaml b/static/env-vars/antivirus-config-example.yaml new file mode 100644 index 00000000..95ab8770 --- /dev/null +++ b/static/env-vars/antivirus-config-example.yaml @@ -0,0 +1,31 @@ +# Autogenerated +# Filename: antivirus-config-example.yaml + +file: "" +loglevel: error +debug: + addr: 127.0.0.1:9277 + token: "" + pprof: false + zpages: false +infected-file-handling: delete +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +workers: 10 +scanner: + type: clamav + clamav: + socket: /run/clamav/clamd.ctl + scan_timeout: 5m0s + icap: + scan_timeout: 5m0s + url: icap://127.0.0.1:1344 + service: avscan +max-scan-size: 100MB +max-scan-size-mode: partial diff --git a/static/env-vars/antivirus_configvars.md b/static/env-vars/antivirus_configvars.md index 092c14d0..02532888 100644 --- a/static/env-vars/antivirus_configvars.md +++ b/static/env-vars/antivirus_configvars.md 
@@ -1,30 +1,27 @@ Environment variables for the **antivirus** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`ANTIVIRUS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`ANTIVIRUS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`ANTIVIRUS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`ANTIVIRUS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`ANTIVIRUS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9277`| -|`ANTIVIRUS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`ANTIVIRUS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`ANTIVIRUS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`ANTIVIRUS_INFECTED_FILE_HANDLING`| 1.0.0 |string|`Defines the behaviour when a virus has been found. Supported options are: 'delete', 'continue' and 'abort '. Delete will delete the file. Continue will mark the file as infected but continues further processing. Abort will keep the file in the uploads folder for further admin inspection and will not move it to its final destination.`|`delete`| -|`OC_EVENTS_ENDPOINT`
`ANTIVIRUS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`ANTIVIRUS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`ANTIVIRUS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`ANTIVIRUS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`ANTIVIRUS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`ANTIVIRUS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`ANTIVIRUS_WORKERS`| 1.0.0 |int|`The number of concurrent go routines that fetch events from the event queue.`|`10`| -|`ANTIVIRUS_SCANNER_TYPE`| 1.0.0 |ScannerType|`The antivirus scanner to use. Supported values are 'clamav' and 'icap'.`|`clamav`| -|`ANTIVIRUS_CLAMAV_SOCKET`| 1.0.0 |string|`The socket clamav is running on. Note the default value is an example which needs adaption according your OS.`|`/run/clamav/clamd.ctl`| -|`ANTIVIRUS_CLAMAV_SCAN_TIMEOUT`| 2.1.0 |Duration|`Scan timeout for the ClamAV client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.`|`5m0s`| -|`ANTIVIRUS_ICAP_SCAN_TIMEOUT`| 1.0.0 |Duration|`Scan timeout for the ICAP client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.`|`5m0s`| -|`ANTIVIRUS_ICAP_URL`| 1.0.0 |string|`URL of the ICAP server.`|`icap://127.0.0.1:1344`| -|`ANTIVIRUS_ICAP_SERVICE`| 1.0.0 |string|`The name of the ICAP service.`|`avscan`| -|`ANTIVIRUS_MAX_SCAN_SIZE`| 1.0.0 |string|`The maximum scan size the virus scanner can handle.0 means unlimited. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.`|`100MB`| -|`ANTIVIRUS_MAX_SCAN_SIZE_MODE`| 2.1.0 |MaxScanSizeMode|`Defines the mode of handling files that exceed the maximum scan size. Supported options are: 'skip', which skips files that are bigger than the max scan size, and 'truncate' (default), which only uses the file up to the max size.`|`partial`| -|`ANTIVIRUS_DEBUG_SCAN_OUTCOME`| 1.0.0 |string|`A predefined outcome for virus scanning, FOR DEBUG PURPOSES ONLY! (example values: 'found,infected')`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`ANTIVIRUS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`ANTIVIRUS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9277| +|`ANTIVIRUS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`ANTIVIRUS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`ANTIVIRUS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`ANTIVIRUS_INFECTED_FILE_HANDLING`| 1.0.0 |string|`Defines the behaviour when a virus has been found. Supported options are: 'delete', 'continue' and 'abort '. Delete will delete the file. Continue will mark the file as infected but continues further processing. Abort will keep the file in the uploads folder for further admin inspection and will not move it to its final destination.`|delete| +|`OC_EVENTS_ENDPOINT`
`ANTIVIRUS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`ANTIVIRUS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`ANTIVIRUS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`ANTIVIRUS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`ANTIVIRUS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`ANTIVIRUS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`ANTIVIRUS_WORKERS`| 1.0.0 |int|`The number of concurrent go routines that fetch events from the event queue.`|10| +|`ANTIVIRUS_SCANNER_TYPE`| 1.0.0 |ScannerType|`The antivirus scanner to use. Supported values are 'clamav' and 'icap'.`|clamav| +|`ANTIVIRUS_CLAMAV_SOCKET`| 1.0.0 |string|`The socket clamav is running on. Note the default value is an example which needs adaption according your OS.`|/run/clamav/clamd.ctl| +|`ANTIVIRUS_CLAMAV_SCAN_TIMEOUT`| 2.1.0 |Duration|`Scan timeout for the ClamAV client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.`|5m0s| +|`ANTIVIRUS_ICAP_SCAN_TIMEOUT`| 1.0.0 |Duration|`Scan timeout for the ICAP client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.`|5m0s| +|`ANTIVIRUS_ICAP_URL`| 1.0.0 |string|`URL of the ICAP server.`|icap://127.0.0.1:1344| +|`ANTIVIRUS_ICAP_SERVICE`| 1.0.0 |string|`The name of the ICAP service.`|avscan| +|`ANTIVIRUS_MAX_SCAN_SIZE`| 1.0.0 |string|`The maximum scan size the virus scanner can handle.0 means unlimited. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.`|100MB| +|`ANTIVIRUS_MAX_SCAN_SIZE_MODE`| 2.1.0 |MaxScanSizeMode|`Defines the mode of handling files that exceed the maximum scan size. Supported options are: 'skip', which skips files that are bigger than the max scan size, and 'truncate' (default), which only uses the file up to the max size.`|partial| +|`ANTIVIRUS_DEBUG_SCAN_OUTCOME`| 1.0.0 |string|`A predefined outcome for virus scanning, FOR DEBUG PURPOSES ONLY! (example values: 'found,infected')`|| diff --git a/static/env-vars/antivirus_readme.md b/static/env-vars/antivirus_readme.md index 8ca479e5..ecdf003f 100644 
--- a/static/env-vars/antivirus_readme.md +++ b/static/env-vars/antivirus_readme.md @@ -1,6 +1,6 @@ --- title: Antivirus -date: 2025-11-27T22:56:02.331592+01:00 +date: 2026-01-13T10:10:18.221217477+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/antivirus @@ -63,13 +63,13 @@ Several factors can make it necessary to limit the maximum filesize the antiviru Use the `ANTIVIRUS_MAX_SCAN_SIZE` environment variable to scan only a given number of bytes, or to skip the whole resource. -Even if it's recommended to scan the whole file, several factors like scanner type and version, +Even if it is recommended to scan the whole file, several factors like scanner type and version, bandwidth, performance issues, etc. might make a limit necessary. -In such cases, the antivirus the max scan size mode can be handy, the following modes are available: +In such cases, the antivirus max scan size mode can be handy, the following modes are available: - - `partial`: The file is scanned up to the given size. The rest of the file is not scanned. This is the default mode `ANTIVIRUS_MAX_SCAN_SIZE=partial` - - `skip`: The file is skipped and not scanned. `ANTIVIRUS_MAX_SCAN_SIZE=skip` + - `partial`: The file is scanned up to the given size. The rest of the file is not scanned. This is the default mode `ANTIVIRUS_MAX_SCAN_SIZE_MODE=partial` + - `skip`: The file is skipped and not scanned. `ANTIVIRUS_MAX_SCAN_SIZE_MODE=skip` **IMPORTANT** > Streaming of files to the virus scan service still [needs to be implemented](https://github.com/owncloud/ocis/issues/6803). diff --git a/static/env-vars/app-provider-config-example.yaml b/static/env-vars/app-provider-config-example.yaml new file mode 100644 index 00000000..ca94cbba --- /dev/null +++ b/static/env-vars/app-provider-config-example.yaml 
@@ -0,0 +1,36 @@ +# Autogenerated +# Filename: app-provider-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9165 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9164 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +external_addr: eu.opencloud.api.app-provider +driver: "" +drivers: + wopi: + app_api_key: "" + app_desktop_only: false + app_icon_uri: "" + app_internal_url: "" + app_name: "" + app_url: "" + app_disable_chat: false + insecure: false + wopi_server_iop_secret: "" + wopi_server_external_url: "" + wopi_folder_url_base_url: https://localhost:9200/ + wopi_folder_url_path_template: /f/{{.ResourceID}} diff --git a/static/env-vars/app-provider_configvars.md b/static/env-vars/app-provider_configvars.md index ae45b515..8065673b 100644 --- a/static/env-vars/app-provider_configvars.md +++ b/static/env-vars/app-provider_configvars.md @@ -1,33 +1,30 @@ Environment variables for the **app-provider** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`APP_PROVIDER_SERVICE_NAME`| 1.0.0 |string|`The name of the service. This needs to be changed when using more than one app provider. Each app provider configured needs to be identified by a unique service name. Possible examples are: 'app-provider-collabora', 'app-provider-onlyoffice', 'app-provider-office365'.`|`app-provider`| -|`OC_LOG_LEVEL`
`APP_PROVIDER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`APP_PROVIDER_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`APP_PROVIDER_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`APP_PROVIDER_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`APP_PROVIDER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9165`| -|`APP_PROVIDER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint`|``| -|`APP_PROVIDER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling`|`false`| -|`APP_PROVIDER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|`false`| -|`APP_PROVIDER_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9164`| -|`OC_GRPC_PROTOCOL`
`APP_PROVIDER_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| -|`OC_JWT_SECRET`
`APP_PROVIDER_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`APP_PROVIDER_EXTERNAL_ADDR`| 1.0.0 |string|`Address of the app provider, where the GATEWAY service can reach it.`|`eu.opencloud.api.app-provider`| -|`APP_PROVIDER_DRIVER`| 1.0.0 |string|`Driver, the APP PROVIDER services uses. Only 'wopi' is supported as of now.`|``| -|`APP_PROVIDER_WOPI_APP_API_KEY`| 1.0.0 |string|`API key for the wopi app.`|``| -|`APP_PROVIDER_WOPI_APP_DESKTOP_ONLY`| 1.0.0 |bool|`Offer this app only on desktop.`|`false`| -|`APP_PROVIDER_WOPI_APP_ICON_URI`| 1.0.0 |string|`URI to an app icon to be used by clients.`|``| -|`APP_PROVIDER_WOPI_APP_INTERNAL_URL`| 1.0.0 |string|`Internal URL to the app, like in your DMZ.`|``| -|`APP_PROVIDER_WOPI_APP_NAME`| 1.0.0 |string|`Human readable app name.`|``| -|`APP_PROVIDER_WOPI_APP_URL`| 1.0.0 |string|`URL for end users to access the app.`|``| -|`APP_PROVIDER_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|`Disable the chat functionality of the office app.`|`false`| -|`APP_PROVIDER_WOPI_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for requests to the WOPI server and the web office application. Do not set this in production environments.`|`false`| -|`APP_PROVIDER_WOPI_WOPI_SERVER_IOP_SECRET`| 1.0.0 |string|`Shared secret of the CS3org WOPI server.`|``| -|`APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL`| 1.0.0 |string|`External url of the CS3org WOPI server.`|``| -|`OC_URL`
`APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL`| 1.0.0 |string|`Base url to navigate back from the app to the containing folder in the file list.`|`https://localhost:9200/`| -|`APP_PROVIDER_WOPI_FOLDER_URL_PATH_TEMPLATE`| 1.0.0 |string|`Path template to navigate back from the app to the containing folder in the file list. Supported template variables are {{.ResourceInfo.ResourceID}}, {{.ResourceInfo.Mtime.Seconds}}, {{.ResourceInfo.Name}}, {{.ResourceInfo.Path}}, {{.ResourceInfo.Type}}, {{.ResourceInfo.Id.SpaceId}}, {{.ResourceInfo.Id.StorageId}}, {{.ResourceInfo.Id.OpaqueId}}, {{.ResourceInfo.MimeType}}`|`/f/{{.ResourceID}}`| +|---|---|---|---|---| +|`APP_PROVIDER_SERVICE_NAME`| 1.0.0 |string|`The name of the service. This needs to be changed when using more than one app provider. Each app provider configured needs to be identified by a unique service name. Possible examples are: 'app-provider-collabora', 'app-provider-onlyoffice', 'app-provider-office365'.`|app-provider| +|`OC_LOG_LEVEL`
`APP_PROVIDER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`APP_PROVIDER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9165| +|`APP_PROVIDER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint`|| +|`APP_PROVIDER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling`|false| +|`APP_PROVIDER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|false| +|`APP_PROVIDER_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9164| +|`OC_GRPC_PROTOCOL`
`APP_PROVIDER_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|tcp| +|`OC_JWT_SECRET`
`APP_PROVIDER_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`APP_PROVIDER_EXTERNAL_ADDR`| 1.0.0 |string|`Address of the app provider, where the GATEWAY service can reach it.`|eu.opencloud.api.app-provider| +|`APP_PROVIDER_DRIVER`| 1.0.0 |string|`Driver, the APP PROVIDER services uses. Only 'wopi' is supported as of now.`|| +|`APP_PROVIDER_WOPI_APP_API_KEY`| 1.0.0 |string|`API key for the wopi app.`|| +|`APP_PROVIDER_WOPI_APP_DESKTOP_ONLY`| 1.0.0 |bool|`Offer this app only on desktop.`|false| +|`APP_PROVIDER_WOPI_APP_ICON_URI`| 1.0.0 |string|`URI to an app icon to be used by clients.`|| +|`APP_PROVIDER_WOPI_APP_INTERNAL_URL`| 1.0.0 |string|`Internal URL to the app, like in your DMZ.`|| +|`APP_PROVIDER_WOPI_APP_NAME`| 1.0.0 |string|`Human readable app name.`|| +|`APP_PROVIDER_WOPI_APP_URL`| 1.0.0 |string|`URL for end users to access the app.`|| +|`APP_PROVIDER_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|`Disable the chat functionality of the office app.`|false| +|`APP_PROVIDER_WOPI_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for requests to the WOPI server and the web office application. Do not set this in production environments.`|false| +|`APP_PROVIDER_WOPI_WOPI_SERVER_IOP_SECRET`| 1.0.0 |string|`Shared secret of the CS3org WOPI server.`|| +|`APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL`| 1.0.0 |string|`External url of the CS3org WOPI server.`|| +|`OC_URL`
`APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL`| 1.0.0 |string|`Base url to navigate back from the app to the containing folder in the file list.`|https://localhost:9200/| +|`APP_PROVIDER_WOPI_FOLDER_URL_PATH_TEMPLATE`| 1.0.0 |string|`Path template to navigate back from the app to the containing folder in the file list. Supported template variables are {{.ResourceInfo.ResourceID}}, {{.ResourceInfo.Mtime.Seconds}}, {{.ResourceInfo.Name}}, {{.ResourceInfo.Path}}, {{.ResourceInfo.Type}}, {{.ResourceInfo.Id.SpaceId}}, {{.ResourceInfo.Id.StorageId}}, {{.ResourceInfo.Id.OpaqueId}}, {{.ResourceInfo.MimeType}}`|/f/{{.ResourceID}}| diff --git a/static/env-vars/app-provider_readme.md b/static/env-vars/app-provider_readme.md index c3424bc2..73b79fc1 100644 --- a/static/env-vars/app-provider_readme.md +++ b/static/env-vars/app-provider_readme.md @@ -1,6 +1,6 @@ --- title: App Provider -date: 2025-11-27T22:56:02.331696+01:00 +date: 2026-01-13T10:10:18.221300262+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/app-provider diff --git a/static/env-vars/app-registry-config-example.yaml b/static/env-vars/app-registry-config-example.yaml new file mode 100644 index 00000000..8d6d72d8 --- /dev/null +++ b/static/env-vars/app-registry-config-example.yaml 
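Review bot: the rows for `OC_LOG_FILE`/`APP_PROVIDER_LOG_FILE` (and, in the other tables of this patch, `OC_LOG_PRETTY` and `OC_LOG_COLOR`) are deleted with no replacement row, so if those variables still exist the table now under-documents them; if they moved to a shared page, link it from the table preamble. Two smaller points in the same hunk: the Default Value column loses its backticks, so values such as `/f/{{.ResourceID}}` and `eu.opencloud.api.gateway` are no longer rendered as code and now depend on the markdown renderer leaving `{{ }}` untouched; and the `APP_PROVIDER_WOPI_FOLDER_URL_PATH_TEMPLATE` row lists variables rooted at `{{.ResourceInfo.*}}` while its default uses `{{.ResourceID}}`, so one of the two is wrong. Also 'GPRC' in the `APP_PROVIDER_GRPC_PROTOCOL` description.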
@@ -0,0 +1,106 @@ +# Autogenerated +# Filename: app-registry-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9243 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9242 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +app_registry: + mimetypes: + - mime_type: application/pdf + extension: pdf + name: PDF + description: PDF document + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.oasis.opendocument.text + extension: odt + name: OpenDocument + description: OpenDocument text document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.oasis.opendocument.spreadsheet + extension: ods + name: OpenSpreadsheet + description: OpenDocument spreadsheet document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.oasis.opendocument.presentation + extension: odp + name: OpenPresentation + description: OpenDocument presentation document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document + extension: docx + name: Microsoft Word + description: Microsoft Word document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.form + extension: docxf + name: Form Document + description: Form Document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + extension: xlsx + name: Microsoft Excel + description: Microsoft Excel document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation + extension: pptx + name: Microsoft PowerPoint + description: Microsoft PowerPoint document + icon: "" + default_app: "" + allow_creation: true + - mime_type: 
application/vnd.jupyter + extension: ipynb + name: Jupyter Notebook + description: Jupyter Notebook + icon: "" + default_app: "" + allow_creation: false + - mime_type: text/markdown + extension: md + name: Markdown file + description: Markdown file + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/compressed-markdown + extension: zmd + name: Compressed markdown file + description: Compressed markdown file + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.geogebra.slides + extension: ggs + name: GeoGebra Slides + description: GeoGebra Slides + icon: "" + default_app: "" + allow_creation: false diff --git a/static/env-vars/app-registry_configvars.md b/static/env-vars/app-registry_configvars.md index 1546f281..2705fa47 100644 --- a/static/env-vars/app-registry_configvars.md +++ b/static/env-vars/app-registry_configvars.md @@ -1,18 +1,15 @@ Environment variables for the **app-registry** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`APP_REGISTRY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`APP_REGISTRY_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`APP_REGISTRY_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`APP_REGISTRY_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`APP_REGISTRY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9243`| -|`APP_REGISTRY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`APP_REGISTRY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`APP_REGISTRY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`APP_REGISTRY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9242`| -|`OC_GRPC_PROTOCOL`
`APP_REGISTRY_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`APP_REGISTRY_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`APP_REGISTRY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`APP_REGISTRY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9243| +|`APP_REGISTRY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`APP_REGISTRY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`APP_REGISTRY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`APP_REGISTRY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9242| +|`OC_GRPC_PROTOCOL`
`APP_REGISTRY_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`APP_REGISTRY_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| diff --git a/static/env-vars/app-registry_readme.md b/static/env-vars/app-registry_readme.md index 5f7d4ff0..7b5b3603 100644 --- a/static/env-vars/app-registry_readme.md +++ b/static/env-vars/app-registry_readme.md @@ -1,6 +1,6 @@ --- title: App Registry -date: 2025-11-27T22:56:02.33178+01:00 +date: 2026-01-13T10:10:18.221373841+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/app-registry diff --git a/static/env-vars/audit-config-example.yaml b/static/env-vars/audit-config-example.yaml new file mode 100644 index 00000000..bf4ac3c4 --- /dev/null +++ b/static/env-vars/audit-config-example.yaml @@ -0,0 +1,22 @@ +# Autogenerated +# Filename: audit-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9229 + token: "" + pprof: false + zpages: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +auditlog: + log_to_console: true + log_to_file: false + filepath: "" + format: json diff --git a/static/env-vars/audit_configvars.md b/static/env-vars/audit_configvars.md index 103db962..6e90b094 100644 
--- a/static/env-vars/audit_configvars.md +++ b/static/env-vars/audit_configvars.md @@ -1,23 +1,20 @@ Environment variables for the **audit** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`AUDIT_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`AUDIT_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`AUDIT_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`AUDIT_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`AUDIT_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9229`| -|`AUDIT_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`AUDIT_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`AUDIT_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OC_EVENTS_ENDPOINT`
`AUDIT_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`AUDIT_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`AUDIT_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`AUDIT_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`AUDIT_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`AUDIT_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`AUDIT_LOG_TO_CONSOLE`| 1.0.0 |bool|`Logs to stdout if set to 'true'. Independent of the LOG_TO_FILE option.`|`true`| -|`AUDIT_LOG_TO_FILE`| 1.0.0 |bool|`Logs to file if set to 'true'. Independent of the LOG_TO_CONSOLE option.`|`false`| -|`AUDIT_FILEPATH`| 1.0.0 |string|`Filepath of the logfile. Mandatory if LOG_TO_FILE is set to 'true'.`|``| -|`AUDIT_FORMAT`| 1.0.0 |string|`Log format. Supported values are '' (empty) and 'json'. Using 'json' is advised, '' (empty) renders the 'minimal' format. See the text description for more details.`|`json`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`AUDIT_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`AUDIT_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9229| +|`AUDIT_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`AUDIT_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`AUDIT_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OC_EVENTS_ENDPOINT`
`AUDIT_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`AUDIT_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`AUDIT_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`AUDIT_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`AUDIT_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`AUDIT_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`AUDIT_LOG_TO_CONSOLE`| 1.0.0 |bool|`Logs to stdout if set to 'true'. Independent of the LOG_TO_FILE option.`|true| +|`AUDIT_LOG_TO_FILE`| 1.0.0 |bool|`Logs to file if set to 'true'. Independent of the LOG_TO_CONSOLE option.`|false| +|`AUDIT_FILEPATH`| 1.0.0 |string|`Filepath of the logfile. Mandatory if LOG_TO_FILE is set to 'true'.`|| +|`AUDIT_FORMAT`| 1.0.0 |string|`Log format. Supported values are '' (empty) and 'json'. Using 'json' is advised, '' (empty) renders the 'minimal' format. See the text description for more details.`|json| diff --git a/static/env-vars/audit_readme.md b/static/env-vars/audit_readme.md index 375fcc57..77611693 100644 --- a/static/env-vars/audit_readme.md +++ b/static/env-vars/audit_readme.md @@ -1,6 +1,6 @@ --- title: Audit -date: 2025-11-27T22:56:02.331876+01:00 +date: 2026-01-13T10:10:18.22149578+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/audit diff --git a/static/env-vars/auth-app-config-example.yaml b/static/env-vars/auth-app-config-example.yaml new file mode 100644 index 00000000..07995bab --- /dev/null +++ b/static/env-vars/auth-app-config-example.yaml 
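Review bot: the description of `OC_INSECURE`/`OC_EVENTS_TLS_INSECURE`/`AUDIT_EVENTS_TLS_INSECURE`, 'Whether to verify the server TLS certificates.', states the opposite of what an `*_INSECURE` flag does: `true` turns verification off. Suggest 'Whether to skip verification of the events broker's TLS certificate. Do not set this in production environments.', matching the wording this patch already uses for `APP_PROVIDER_WOPI_INSECURE`. With `OC_EVENTS_TLS_INSECURE` added as a third name for the same setting, say which name wins when they are set to different values. The `AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE` sentence 'If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false.' reads better as 'If set, AUDIT_EVENTS_TLS_INSECURE is treated as false.'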
@@ -0,0 +1,60 @@ +# Autogenerated +# Filename: auth-app-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9245 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9246 + tls: null + protocol: tcp +http: + addr: 127.0.0.1:9247 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - DELETE + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +grpc_client_tls: null +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +machine_auth_api_key: "" +allow_impersonation: false +storage_driver: jsoncs3 +storage_drivers: + jsoncs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + password_generator: diceware + password_generator_options: + diceware: + number_of_words: 6 + randon: + password_length: 0 diff --git a/static/env-vars/auth-app_configvars.md b/static/env-vars/auth-app_configvars.md index 07f8cda4..431d9c79 100644 --- a/static/env-vars/auth-app_configvars.md +++ b/static/env-vars/auth-app_configvars.md @@ -1,38 +1,35 @@ Environment variables for the **auth-app** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`AUTH_APP_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`AUTH_APP_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`AUTH_APP_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`AUTH_APP_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`AUTH_APP_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9245`| -|`AUTH_APP_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`AUTH_APP_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`AUTH_APP_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|`false`| -|`AUTH_APP_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9246`| -|`OC_GRPC_PROTOCOL`
`AUTH_APP_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`AUTH_APP_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9247`| -|`AUTH_APP_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`OC_CORS_ALLOW_ORIGINS`
`AUTH_APP_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| -|`OC_CORS_ALLOW_METHODS`
`AUTH_APP_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST DELETE]`| -|`OC_CORS_ALLOW_HEADERS`
`AUTH_APP_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`AUTH_APP_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`OC_JWT_SECRET`
`AUTH_APP_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| -|`OC_MACHINE_AUTH_API_KEY`
`AUTH_APP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`The machine auth API key used to validate internal requests necessary to access resources from other services.`|``| -|`AUTH_APP_ENABLE_IMPERSONATION`| 1.0.0 |bool|`Allows admins to create app tokens for other users. Used for migration. Do NOT use in productive deployments.`|`false`| -|`AUTH_APP_STORAGE_DRIVER`| 4.0.0 |string|`Driver to be used to persist the app tokes . Supported values are 'jsoncs3', 'json'.`|`jsoncs3`| -|`AUTH_APP_JSONCS3_PROVIDER_ADDR`| 4.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| -|`OC_SYSTEM_USER_ID`
`AUTH_APP_JSONCS3_SYSTEM_USER_ID`| 4.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| -|`OC_SYSTEM_USER_IDP`
`AUTH_APP_JSONCS3_SYSTEM_USER_IDP`| 4.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| -|`OC_SYSTEM_USER_API_KEY`
`AUTH_APP_JSONCS3_SYSTEM_USER_API_KEY`| 4.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| -|`AUTH_APP_JSONCS3_PASSWORD_GENERATOR`| 4.0.0 |string|`The password generator that should be used for generating app tokens. Supported values are: 'diceware' and 'random'.`|`diceware`| -|`AUTH_APP_JSONCS3_DICEWARE_NUMBER_OF_WORDS`| 4.0.0 |int|`The number of words the generated passphrase will have.`|`6`| -|`AUTH_APP_JSONCS3_RANDOM_PASSWORD_LENGTH`| 4.0.0 |int|`The number of charactors the generated passwords will have.`|`0`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`AUTH_APP_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`AUTH_APP_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9245| +|`AUTH_APP_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`AUTH_APP_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`AUTH_APP_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|false| +|`AUTH_APP_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9246| +|`OC_GRPC_PROTOCOL`
`AUTH_APP_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`AUTH_APP_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9247| +|`AUTH_APP_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`OC_CORS_ALLOW_ORIGINS`
`AUTH_APP_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[*]| +|`OC_CORS_ALLOW_METHODS`
`AUTH_APP_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[GET POST DELETE]| +|`OC_CORS_ALLOW_HEADERS`
`AUTH_APP_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]| +|`OC_CORS_ALLOW_CREDENTIALS`
`AUTH_APP_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|true| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`OC_JWT_SECRET`
`AUTH_APP_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the access token. This reduces the token size, especially when users are members of a large number of groups.`|false| +|`OC_MACHINE_AUTH_API_KEY`
`AUTH_APP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`The machine auth API key used to validate internal requests necessary to access resources from other services.`|| +|`AUTH_APP_ENABLE_IMPERSONATION`| 1.0.0 |bool|`Allows admins to create app tokens for other users. Used for migration. Do NOT use in productive deployments.`|false| +|`AUTH_APP_STORAGE_DRIVER`| 4.0.0 |string|`Driver to be used to persist the app tokes . Supported values are 'jsoncs3', 'json'.`|jsoncs3| +|`AUTH_APP_JSONCS3_PROVIDER_ADDR`| 4.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|eu.opencloud.api.storage-system| +|`OC_SYSTEM_USER_ID`
`AUTH_APP_JSONCS3_SYSTEM_USER_ID`| 4.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|| +|`OC_SYSTEM_USER_IDP`
`AUTH_APP_JSONCS3_SYSTEM_USER_IDP`| 4.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|internal| +|`OC_SYSTEM_USER_API_KEY`
`AUTH_APP_JSONCS3_SYSTEM_USER_API_KEY`| 4.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|| +|`AUTH_APP_JSONCS3_PASSWORD_GENERATOR`| 4.0.0 |string|`The password generator that should be used for generating app tokens. Supported values are: 'diceware' and 'random'.`|diceware| +|`AUTH_APP_JSONCS3_DICEWARE_NUMBER_OF_WORDS`| 4.0.0 |int|`The number of words the generated passphrase will have.`|6| +|`AUTH_APP_JSONCS3_RANDOM_PASSWORD_LENGTH`| 4.0.0 |int|`The number of charactors the generated passwords will have.`|0| diff --git a/static/env-vars/auth-app_readme.md b/static/env-vars/auth-app_readme.md index 1e09e336..89154570 100644 --- a/static/env-vars/auth-app_readme.md +++ b/static/env-vars/auth-app_readme.md @@ -1,6 +1,6 @@ --- title: Auth-App -date: 2025-11-27T22:56:02.331944+01:00 +date: 2026-01-13T10:10:18.22159136+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/auth-app diff --git a/static/env-vars/auth-basic-config-example.yaml b/static/env-vars/auth-basic-config-example.yaml new file mode 100644 index 00000000..73195eb2 --- /dev/null +++ b/static/env-vars/auth-basic-config-example.yaml 
@@ -0,0 +1,67 @@ +# Autogenerated +# Filename: auth-basic-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9147 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9146 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +auth_provider: ldap +auth_providers: + ldap: + uri: ldaps://localhost:9235 + ca_cert: /home/chaser/.opencloud/idm/ldap.crt + insecure: false + bind_dn: uid=reva,ou=sysusers,o=libregraph-idm + bind_password: "" + user_base_dn: ou=users,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + user_scope: sub + group_scope: sub + user_filter: "" + group_filter: "" + user_object_class: inetOrgPerson + group_object_class: groupOfNames + login_attributes: + - uid + idp: https://localhost:9200 + disable_user_mechanism: attribute + ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm + user_schema: + id: openCloudUUID + tenant_id: "" + id_is_octet_string: false + mail: mail + display_name: displayname + user_name: uid + user_enabled: openCloudUserEnabled + group_schema: + id: openCloudUUID + id_is_octet_string: false + mail: mail + display_name: cn + group_name: cn + member: member + owncloudsql: + db_username: owncloud + db_password: "" + db_host: mysql + db_port: 3306 + db_name: owncloud + idp: https://localhost:9200 + nobody: 90 + join_username: false + join_owncloud_uuid: false diff --git a/static/env-vars/auth-basic_configvars.md b/static/env-vars/auth-basic_configvars.md index 5e86abc5..60f67888 100644 --- a/static/env-vars/auth-basic_configvars.md +++ b/static/env-vars/auth-basic_configvars.md @@ -1,59 +1,56 @@ Environment variables for the **auth-basic** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`AUTH_BASIC_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`AUTH_BASIC_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`AUTH_BASIC_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`AUTH_BASIC_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`AUTH_BASIC_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9147`| -|`AUTH_BASIC_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`AUTH_BASIC_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`AUTH_BASIC_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|`false`| -|`AUTH_BASIC_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9146`| -|`OC_GRPC_PROTOCOL`
`AUTH_BASIC_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`AUTH_BASIC_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| -|`AUTH_BASIC_AUTH_MANAGER`| 1.0.0 |string|`The authentication manager to check if credentials are valid. Supported value is 'ldap'.`|`ldap`| -|`OC_LDAP_URI`
`AUTH_BASIC_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldaps://localhost:9235`| -|`OC_LDAP_CACERT`
`AUTH_BASIC_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/var/lib/opencloud/idm/ldap.crt`| -|`OC_LDAP_INSECURE`
`AUTH_BASIC_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| -|`OC_LDAP_BIND_DN`
`AUTH_BASIC_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=reva,ou=sysusers,o=libregraph-idm`| -|`OC_LDAP_BIND_PASSWORD`
`AUTH_BASIC_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| -|`OC_LDAP_USER_BASE_DN`
`AUTH_BASIC_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| -|`OC_LDAP_GROUP_BASE_DN`
`AUTH_BASIC_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| -|`OC_LDAP_USER_SCOPE`
`AUTH_BASIC_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.`|`sub`| -|`OC_LDAP_GROUP_SCOPE`
`AUTH_BASIC_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.`|`sub`| -|`OC_LDAP_USER_FILTER`
`AUTH_BASIC_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| -|`OC_LDAP_GROUP_FILTER`
`AUTH_BASIC_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| -|`OC_LDAP_USER_OBJECTCLASS`
`AUTH_BASIC_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|`inetOrgPerson`| -|`OC_LDAP_GROUP_OBJECTCLASS`
`AUTH_BASIC_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|`groupOfNames`| -|`LDAP_LOGIN_ATTRIBUTES`
`AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES`| 1.0.0 |[]string|`A list of user object attributes that can be used for login. See the Environment Variable Types description for more details.`|`[uid]`| -|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BASIC_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| -|`OC_LDAP_DISABLE_USER_MECHANISM`
`AUTH_BASIC_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.`|`attribute`| -|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`AUTH_BASIC_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|`cn=DisabledUsersGroup,ou=groups,o=libregraph-idm`| -|`OC_LDAP_USER_SCHEMA_ID`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| -|`OC_LDAP_USER_SCHEMA_TENANT_ID`
`AUTH_BASIC_LDAP_USER_SCHEMA_TENANT_ID`| 4.0.0 |string|`LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment.`|``| -|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.`|`false`| -|`OC_LDAP_USER_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| -|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|`displayname`| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| -|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP attribute to use as a flag telling if the user is enabled or disabled.`|`openCloudUserEnabled`| -|`OC_LDAP_GROUP_SCHEMA_ID`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID).`|`openCloudUUID`| -|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.`|`false`| -|`OC_LDAP_GROUP_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|`mail`| -|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|`cn`| -|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| -|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| -|`AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|`owncloud`| -|`AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|``| -|`AUTH_BASIC_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|`mysql`| -|`AUTH_BASIC_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|`3306`| -|`AUTH_BASIC_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|`owncloud`| -|`AUTH_BASIC_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| -|`AUTH_BASIC_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|`90`| -|`AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames`|`false`| -|`AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user ID's.`|`false`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`AUTH_BASIC_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`AUTH_BASIC_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9147| +|`AUTH_BASIC_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`AUTH_BASIC_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`AUTH_BASIC_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|false| +|`AUTH_BASIC_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9146| +|`OC_GRPC_PROTOCOL`
`AUTH_BASIC_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`AUTH_BASIC_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|false| +|`AUTH_BASIC_AUTH_MANAGER`| 1.0.0 |string|`The authentication manager to check if credentials are valid. Supported value is 'ldap'.`|ldap| +|`OC_LDAP_URI`
`AUTH_BASIC_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|ldaps://localhost:9235| +|`OC_LDAP_CACERT`
`AUTH_BASIC_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|/home/chaser/.opencloud/idm/ldap.crt| +|`OC_LDAP_INSECURE`
`AUTH_BASIC_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|false| +|`OC_LDAP_BIND_DN`
`AUTH_BASIC_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|uid=reva,ou=sysusers,o=libregraph-idm| +|`OC_LDAP_BIND_PASSWORD`
`AUTH_BASIC_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|| +|`OC_LDAP_USER_BASE_DN`
`AUTH_BASIC_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|ou=users,o=libregraph-idm| +|`OC_LDAP_GROUP_BASE_DN`
`AUTH_BASIC_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|ou=groups,o=libregraph-idm| +|`OC_LDAP_USER_SCOPE`
`AUTH_BASIC_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.`|sub| +|`OC_LDAP_GROUP_SCOPE`
`AUTH_BASIC_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.`|sub| +|`OC_LDAP_USER_FILTER`
`AUTH_BASIC_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|| +|`OC_LDAP_GROUP_FILTER`
`AUTH_BASIC_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|| +|`OC_LDAP_USER_OBJECTCLASS`
`AUTH_BASIC_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|inetOrgPerson| +|`OC_LDAP_GROUP_OBJECTCLASS`
`AUTH_BASIC_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|groupOfNames| +|`LDAP_LOGIN_ATTRIBUTES`
`AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES`| 1.0.0 |[]string|`A list of user object attributes that can be used for login. See the Environment Variable Types description for more details.`|[uid]| +|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BASIC_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|https://localhost:9200| +|`OC_LDAP_DISABLE_USER_MECHANISM`
`AUTH_BASIC_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.`|attribute| +|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`AUTH_BASIC_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|cn=DisabledUsersGroup,ou=groups,o=libregraph-idm| +|`OC_LDAP_USER_SCHEMA_ID`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|openCloudUUID| +|`OC_LDAP_USER_SCHEMA_TENANT_ID`
`AUTH_BASIC_LDAP_USER_SCHEMA_TENANT_ID`| 4.0.0 |string|`LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment.`|| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.`|false| +|`OC_LDAP_USER_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|mail| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|displayname| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|uid| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP attribute to use as a flag telling if the user is enabled or disabled.`|openCloudUserEnabled| +|`OC_LDAP_GROUP_SCHEMA_ID`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID).`|openCloudUUID| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.`|false| +|`OC_LDAP_GROUP_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|mail| +|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|cn| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|cn| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|member| +|`AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|owncloud| +|`AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|| +|`AUTH_BASIC_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|mysql| +|`AUTH_BASIC_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|3306| +|`AUTH_BASIC_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|owncloud| +|`AUTH_BASIC_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|https://localhost:9200| +|`AUTH_BASIC_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|90| +|`AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames`|false| +|`AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user ID's.`|false| diff --git a/static/env-vars/auth-basic_readme.md b/static/env-vars/auth-basic_readme.md index 29adb32f..64892915 100644 --- a/static/env-vars/auth-basic_readme.md +++ b/static/env-vars/auth-basic_readme.md @@ -1,6 +1,6 @@ --- title: Auth-Basic -date: 2025-11-27T22:56:02.332069+01:00 +date: 2026-01-13T10:10:18.221714732+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/auth-basic diff --git a/static/env-vars/auth-bearer-config-example.yaml b/static/env-vars/auth-bearer-config-example.yaml new file mode 100644 index 00000000..172a07a6 --- /dev/null +++ b/static/env-vars/auth-bearer-config-example.yaml 
@@ -0,0 +1,27 @@ +# Autogenerated +# Filename: auth-bearer-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9149 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9148 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +oidc: + issuer: https://localhost:9200 + insecure: false + id_claim: preferred_username + uid_claim: "" + gid_claim: "" diff --git a/static/env-vars/auth-bearer_configvars.md b/static/env-vars/auth-bearer_configvars.md index ce85b095..23e07cea 100644 --- a/static/env-vars/auth-bearer_configvars.md +++ b/static/env-vars/auth-bearer_configvars.md @@ -1,24 +1,21 @@ Environment variables for the **auth-bearer** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`AUTH_BEARER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`AUTH_BEARER_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`AUTH_BEARER_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`AUTH_BEARER_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`AUTH_BEARER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9149`| -|`AUTH_BEARER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`AUTH_BEARER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`AUTH_BEARER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`AUTH_BEARER_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9148`| -|`OC_GRPC_PROTOCOL`
`AUTH_BEARER_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`AUTH_BEARER_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| -|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BEARER_OIDC_ISSUER`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|`https://localhost:9200`| -|`OC_INSECURE`
`AUTH_BEARER_OIDC_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the OIDC issuer.`|`false`| -|`AUTH_BEARER_OIDC_ID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the user identifier.`|`preferred_username`| -|`AUTH_BEARER_OIDC_UID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the UID.`|``| -|`AUTH_BEARER_OIDC_GID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the GID.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`AUTH_BEARER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`AUTH_BEARER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9149| +|`AUTH_BEARER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`AUTH_BEARER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`AUTH_BEARER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`AUTH_BEARER_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9148| +|`OC_GRPC_PROTOCOL`
`AUTH_BEARER_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`AUTH_BEARER_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|false| +|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BEARER_OIDC_ISSUER`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|https://localhost:9200| +|`OC_INSECURE`
`AUTH_BEARER_OIDC_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the OIDC issuer.`|false| +|`AUTH_BEARER_OIDC_ID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the user identifier.`|preferred_username| +|`AUTH_BEARER_OIDC_UID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the UID.`|| +|`AUTH_BEARER_OIDC_GID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the GID.`|| diff --git a/static/env-vars/auth-bearer_readme.md b/static/env-vars/auth-bearer_readme.md index fa141399..473b2276 100644 --- a/static/env-vars/auth-bearer_readme.md +++ b/static/env-vars/auth-bearer_readme.md @@ -1,6 +1,6 @@ --- title: Auth-Bearer -date: 2025-11-27T22:56:02.332138+01:00 +date: 2026-01-13T10:10:18.221795033+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/auth-bearer diff --git a/static/env-vars/auth-machine-config-example.yaml b/static/env-vars/auth-machine-config-example.yaml new file mode 100644 index 00000000..6589a0f4 --- /dev/null +++ b/static/env-vars/auth-machine-config-example.yaml @@ -0,0 +1,22 @@ +# Autogenerated +# Filename: auth-machine-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9167 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9166 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +machine_auth_api_key: "" diff --git a/static/env-vars/auth-machine_configvars.md b/static/env-vars/auth-machine_configvars.md index 11f65a55..7b7a008a 100644 --- a/static/env-vars/auth-machine_configvars.md +++ b/static/env-vars/auth-machine_configvars.md @@ -1,20 +1,17 @@ Environment variables for the **auth-machine** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`AUTH_MACHINE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`AUTH_MACHINE_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`AUTH_MACHINE_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`AUTH_MACHINE_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`AUTH_MACHINE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9167`| -|`AUTH_MACHINE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`AUTH_MACHINE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`AUTH_MACHINE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`AUTH_MACHINE_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9166`| -|`OC_GRPC_PROTOCOL`
`AUTH_MACHINE_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`AUTH_MACHINE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| -|`OC_MACHINE_AUTH_API_KEY`
`AUTH_MACHINE_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`AUTH_MACHINE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`AUTH_MACHINE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9167| +|`AUTH_MACHINE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`AUTH_MACHINE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`AUTH_MACHINE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`AUTH_MACHINE_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9166| +|`OC_GRPC_PROTOCOL`
`AUTH_MACHINE_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`AUTH_MACHINE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|false| +|`OC_MACHINE_AUTH_API_KEY`
`AUTH_MACHINE_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|| diff --git a/static/env-vars/auth-machine_readme.md b/static/env-vars/auth-machine_readme.md index ec99dc8c..cdc37d02 100644 --- a/static/env-vars/auth-machine_readme.md +++ b/static/env-vars/auth-machine_readme.md @@ -1,6 +1,6 @@ --- title: Auth-Machine -date: 2025-11-27T22:56:02.332206+01:00 +date: 2026-01-13T10:10:18.221854796+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/auth-machine diff --git a/static/env-vars/auth-service-config-example.yaml b/static/env-vars/auth-service-config-example.yaml new file mode 100644 index 00000000..e2f0797e --- /dev/null +++ b/static/env-vars/auth-service-config-example.yaml @@ -0,0 +1,23 @@ +# Autogenerated +# Filename: auth-service-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9198 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9199 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/static/env-vars/auth-service_configvars.md b/static/env-vars/auth-service_configvars.md index 7b90239d..72d94a31 100644 --- a/static/env-vars/auth-service_configvars.md +++ b/static/env-vars/auth-service_configvars.md @@ -1,20 +1,17 @@ Environment variables for the **auth-service** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`AUTH_SERVICE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`AUTH_SERVICE_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`AUTH_SERVICE_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`AUTH_SERVICE_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`AUTH_SERVICE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9198`| -|`AUTH_SERVICE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`AUTH_SERVICE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`AUTH_SERVICE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`AUTH_SERVICE_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9199`| -|`OC_GRPC_PROTOCOL`
`AUTH_SERVICE_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`AUTH_SERVICE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OC_SERVICE_ACCOUNT_ID`
`AUTH_SERVICE_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`AUTH_SERVICE_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`AUTH_SERVICE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`AUTH_SERVICE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9198| +|`AUTH_SERVICE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`AUTH_SERVICE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`AUTH_SERVICE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`AUTH_SERVICE_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9199| +|`OC_GRPC_PROTOCOL`
`AUTH_SERVICE_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`AUTH_SERVICE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OC_SERVICE_ACCOUNT_ID`
`AUTH_SERVICE_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`AUTH_SERVICE_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| diff --git a/static/env-vars/auth-service_readme.md b/static/env-vars/auth-service_readme.md index 3452959c..ac092b2b 100644 --- a/static/env-vars/auth-service_readme.md +++ b/static/env-vars/auth-service_readme.md @@ -1,6 +1,6 @@ --- title: Auth-Service -date: 2025-11-27T22:56:02.332268+01:00 +date: 2026-01-13T10:10:18.22192099+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/auth-service diff --git a/static/env-vars/clientlog-config-example.yaml b/static/env-vars/clientlog-config-example.yaml new file mode 100644 index 00000000..6b5e7843 --- /dev/null +++ b/static/env-vars/clientlog-config-example.yaml @@ -0,0 +1,24 @@ +# Autogenerated +# Filename: clientlog-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9260 + token: "" + pprof: false + zpages: false +grpc_client_tls: null +token_manager: + jwt_secret: "" +reva_gateway: eu.opencloud.api.gateway +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/static/env-vars/clientlog_configvars.md b/static/env-vars/clientlog_configvars.md index 0ba67365..3d33982a 100644 --- a/static/env-vars/clientlog_configvars.md +++ b/static/env-vars/clientlog_configvars.md @@ -1,23 +1,20 @@ Environment variables for the **clientlog** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`CLIENTLOG_USERLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`CLIENTLOG_USERLOG_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`CLIENTLOG_USERLOG_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`CLIENTLOG_USERLOG_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`CLIENTLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9260`| -|`CLIENTLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`CLIENTLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`CLIENTLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OC_JWT_SECRET`
`CLIENTLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| -|`OC_EVENTS_ENDPOINT`
`CLIENTLOG_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`CLIENTLOG_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`CLIENTLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`CLIENTLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`CLIENTLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`CLIENTLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_SERVICE_ACCOUNT_ID`
`CLIENTLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`CLIENTLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`CLIENTLOG_USERLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`CLIENTLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9260| +|`CLIENTLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`CLIENTLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`CLIENTLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OC_JWT_SECRET`
`CLIENTLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|eu.opencloud.api.gateway| +|`OC_EVENTS_ENDPOINT`
`CLIENTLOG_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`CLIENTLOG_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`CLIENTLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`CLIENTLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`CLIENTLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`CLIENTLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_SERVICE_ACCOUNT_ID`
`CLIENTLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`CLIENTLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| diff --git a/static/env-vars/clientlog_readme.md b/static/env-vars/clientlog_readme.md index ae27070c..e5163fb6 100644 --- a/static/env-vars/clientlog_readme.md +++ b/static/env-vars/clientlog_readme.md @@ -1,6 +1,6 @@ --- title: Clientlog Service -date: 2025-11-27T22:56:02.332344+01:00 +date: 2026-01-13T10:10:18.221982315+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/clientlog diff --git a/static/env-vars/collaboration-config-example.yaml b/static/env-vars/collaboration-config-example.yaml new file mode 100644 index 00000000..072e1d7f --- /dev/null +++ b/static/env-vars/collaboration-config-example.yaml @@ -0,0 +1,54 @@ +# Autogenerated +# Filename: collaboration-config-example.yaml + +app: + name: Collabora + product: "" + description: Open office documents with Collabora + icon: image-edit + addr: https://127.0.0.1:9980 + insecure: false + proofkeys: + disable: false + duration: 12h + licensecheckenable: false +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: collaboration + table: "" + ttl: 30m0s + username: "" + password: "" +token_manager: + jwt_secret: "" +grpc: + addr: 127.0.0.1:9301 + protocol: tcp +http: + addr: 127.0.0.1:9300 + tls: + enabled: false + cert: "" + key: "" +wopi: + wopisrc: https://localhost:9300 + secret: "" + disable_chat: false + proxy_url: "" + proxy_secret: "" + short_tokens: false +cs3api: + gateway: + name: eu.opencloud.api.gateway + datagateway: + insecure: false + grpc_client_tls: null + app_registration_interval: 30s +loglevel: error +debug: + addr: 127.0.0.1:9304 + token: "" + pprof: false + zpages: false diff --git a/static/env-vars/collaboration_configvars.md b/static/env-vars/collaboration_configvars.md index 69eaa680..1a0f2b52 100644 --- a/static/env-vars/collaboration_configvars.md +++ b/static/env-vars/collaboration_configvars.md 
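Review bot: the auth-machine, auth-service and clientlog `*_configvars.md` hunks all delete the `OC_LOG_PRETTY`, `OC_LOG_COLOR` and `OC_LOG_FILE` rows, and the new `*-config-example.yaml` files carry only a top-level `loglevel: error`, while the matching `*_readme.md` hunks change nothing but the `date:` front matter. If the services still honour those three variables, the regenerated tables now under-document them; if the settings were removed, an operator who logs to a file via `OC_LOG_FILE` loses that output on upgrade, and that deserves a sentence in the README or changelog rather than a silent table diff. Please confirm which it is.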
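Review bot: in the clientlog hunk the `OC_INSECURE` / `OC_EVENTS_TLS_INSECURE` / `CLIENTLOG_EVENTS_TLS_INSECURE` row still describes the flag as `Whether to verify the server TLS certificates.`, which is the inverse of what a `*_INSECURE=true` switch does; since this hunk adds the `OC_EVENTS_TLS_INSECURE` alias anyway, fix the description at its source to something like `Whether to skip verification of the server TLS certificate (true disables verification).` The following row, `CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`, says `If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false` inside the clientlog table; the variable it should name is `CLIENTLOG_EVENTS_TLS_INSECURE` (or the generic `OC_EVENTS_TLS_INSECURE`). The eventhistory table further down states the opposite precedence for the same pair (`Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided`); only one of the two can match what the events client does, so the two descriptions should be reconciled against the code.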
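Review bot: the new `auth-service-config-example.yaml`, `clientlog-config-example.yaml` and `collaboration-config-example.yaml` files ship `debug.token: ""`, `token_manager.jwt_secret: ""`, `service_account.service_account_secret: ""`, `events.password: ""` and, for collaboration, `wopi.secret: ""` with nothing marking them as values that must be set. The tables in the same diff describe `*_DEBUG_TOKEN` as the `Token to secure the metrics endpoint` and `OC_JWT_SECRET` as `The secret to mint and validate jwt tokens`, so an operator who copies an example verbatim gets an unauthenticated debug server (with `pprof`/`zpages` one flag away) and an empty signing secret. Since the files are `# Autogenerated`, have the generator emit a trailing comment on such keys, e.g. `jwt_secret: "" # required, set to a long random value`, so the example documents the requirement instead of hiding it.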
@@ -1,45 +1,42 @@ Environment variables for the **collaboration** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`COLLABORATION_SERVICE_NAME`| 3.6.0 |string|`The name of the service which is registered. You only need to change this when more than one collaboration service is needed.`|`collaboration`| -|`COLLABORATION_APP_NAME`| 1.0.0 |string|`The name of the app which is shown to the user. You can chose freely but you are limited to a single word without special characters or whitespaces. We recommend to use pascalCase like 'CollaboraOnline'.`|`Collabora`| -|`COLLABORATION_APP_PRODUCT`| 1.0.0 |string|`The WebOffice app, either Collabora, OnlyOffice, Microsoft365 or MicrosoftOfficeOnline.`|``| -|`COLLABORATION_APP_DESCRIPTION`| 1.0.0 |string|`App description`|`Open office documents with Collabora`| -|`COLLABORATION_APP_ICON`| 1.0.0 |string|`Icon for the app`|`image-edit`| -|`COLLABORATION_APP_ADDR`| 1.0.0 |string|`The URL where the WOPI app is located, such as \https://127.0.0.1:8080.`|`https://127.0.0.1:9980`| -|`COLLABORATION_APP_INSECURE`| 1.0.0 |bool|`Skip TLS certificate verification when connecting to the WOPI app`|`false`| -|`COLLABORATION_APP_PROOF_DISABLE`| 1.0.0 |bool|`Disable the proof keys verification`|`false`| -|`COLLABORATION_APP_PROOF_DURATION`| 1.0.0 |string|`Duration for the proof keys to be cached in memory, using time.ParseDuration format. If the duration can't be parsed, we'll use the default 12h as duration`|`12h`| -|`COLLABORATION_APP_LICENSE_CHECK_ENABLE`| 1.0.0 |bool|`Enable license checking to edit files. Needs to be enabled when using Microsoft365 with the business flow.`|`false`| -|`OC_PERSISTENT_STORE`
`COLLABORATION_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| -|`OC_PERSISTENT_STORE_NODES`
`COLLABORATION_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`COLLABORATION_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`collaboration`| -|`COLLABORATION_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| -|`OC_PERSISTENT_STORE_TTL`
`COLLABORATION_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details.`|`30m0s`| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`COLLABORATION_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`COLLABORATION_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_JWT_SECRET`
`COLLABORATION_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`COLLABORATION_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9301`| -|`OC_GRPC_PROTOCOL`
`COLLABORATION_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`COLLABORATION_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9300`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`COLLABORATION_WOPI_SRC`| 1.0.0 |string|`The WOPI source base URL containing schema, host and port. Set this to the schema and domain where the collaboration service is reachable for the wopi app, such as \https://office.example.test.`|`https://localhost:9300`| -|`COLLABORATION_WOPI_SECRET`| 1.0.0 |string|`Used to mint and verify WOPI JWT tokens and encrypt and decrypt the REVA JWT token embedded in the WOPI JWT token.`|``| -|`COLLABORATION_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|`Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft.`|`false`| -|`COLLABORATION_WOPI_PROXY_URL`| 1.0.0 |string|`The URL to the OpenCloud WOPI proxy. Optional. To use this feature, you need an office365 proxy subscription. If you become part of the Microsoft CSP program (\https://learn.microsoft.com/en-us/partner-center/enroll/csp-overview), you can use WebOffice without a proxy.`|``| -|`COLLABORATION_WOPI_PROXY_SECRET`| 1.0.0 |string|`Optional, the secret to authenticate against the OpenCloud WOPI proxy. This secret can be obtained from OpenCloud via the office365 proxy subscription.`|``| -|`COLLABORATION_WOPI_SHORTTOKENS`| 1.0.0 |bool|`Use short access tokens for WOPI access. This is useful for office packages, like Microsoft Office Online, which have URL length restrictions. If enabled, a persistent store must be configured.`|`false`| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata.`|`eu.opencloud.api.gateway`| -|`COLLABORATION_CS3API_DATAGATEWAY_INSECURE`| 1.0.0 |bool|`Connect to the CS3API data gateway insecurely.`|`false`| -|`COLLABORATION_CS3API_APP_REGISTRATION_INTERVAL`| 4.0.0 |Duration|`The interval at which the app provider registers itself.`|`30s`| -|`OC_LOG_LEVEL`
`COLLABORATION_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`COLLABORATION_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`COLLABORATION_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`COLLABORATION_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`COLLABORATION_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9304`| -|`COLLABORATION_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`COLLABORATION_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`COLLABORATION_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|---|---|---|---|---| +|`COLLABORATION_SERVICE_NAME`| 3.6.0 |string|`The name of the service which is registered. You only need to change this when more than one collaboration service is needed.`|collaboration| +|`COLLABORATION_APP_NAME`| 1.0.0 |string|`The name of the app which is shown to the user. You can chose freely but you are limited to a single word without special characters or whitespaces. We recommend to use pascalCase like 'CollaboraOnline'.`|Collabora| +|`COLLABORATION_APP_PRODUCT`| 1.0.0 |string|`The WebOffice app, either Collabora, OnlyOffice, Microsoft365 or MicrosoftOfficeOnline.`|| +|`COLLABORATION_APP_DESCRIPTION`| 1.0.0 |string|`App description`|Open office documents with Collabora| +|`COLLABORATION_APP_ICON`| 1.0.0 |string|`Icon for the app`|image-edit| +|`COLLABORATION_APP_ADDR`| 1.0.0 |string|`The URL where the WOPI app is located, such as \https://127.0.0.1:8080.`|https://127.0.0.1:9980| +|`COLLABORATION_APP_INSECURE`| 1.0.0 |bool|`Skip TLS certificate verification when connecting to the WOPI app`|false| +|`COLLABORATION_APP_PROOF_DISABLE`| 1.0.0 |bool|`Disable the proof keys verification`|false| +|`COLLABORATION_APP_PROOF_DURATION`| 1.0.0 |string|`Duration for the proof keys to be cached in memory, using time.ParseDuration format. 
If the duration can't be parsed, we'll use the default 12h as duration`|12h| +|`COLLABORATION_APP_LICENSE_CHECK_ENABLE`| 1.0.0 |bool|`Enable license checking to edit files. Needs to be enabled when using Microsoft365 with the business flow.`|false| +|`OC_PERSISTENT_STORE`
`COLLABORATION_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|nats-js-kv| +|`OC_PERSISTENT_STORE_NODES`
`COLLABORATION_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`COLLABORATION_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|collaboration| +|`COLLABORATION_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|| +|`OC_PERSISTENT_STORE_TTL`
`COLLABORATION_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details.`|30m0s| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`COLLABORATION_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`COLLABORATION_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_JWT_SECRET`
`COLLABORATION_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`COLLABORATION_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9301| +|`OC_GRPC_PROTOCOL`
`COLLABORATION_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`COLLABORATION_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9300| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`COLLABORATION_WOPI_SRC`| 1.0.0 |string|`The WOPI source base URL containing schema, host and port. Set this to the schema and domain where the collaboration service is reachable for the wopi app, such as \https://office.example.test.`|https://localhost:9300| +|`COLLABORATION_WOPI_SECRET`| 1.0.0 |string|`Used to mint and verify WOPI JWT tokens and encrypt and decrypt the REVA JWT token embedded in the WOPI JWT token.`|| +|`COLLABORATION_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|`Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft.`|false| +|`COLLABORATION_WOPI_PROXY_URL`| 1.0.0 |string|`The URL to the OpenCloud WOPI proxy. Optional. To use this feature, you need an office365 proxy subscription. If you become part of the Microsoft CSP program (\https://learn.microsoft.com/en-us/partner-center/enroll/csp-overview), you can use WebOffice without a proxy.`|| +|`COLLABORATION_WOPI_PROXY_SECRET`| 1.0.0 |string|`Optional, the secret to authenticate against the OpenCloud WOPI proxy. This secret can be obtained from OpenCloud via the office365 proxy subscription.`|| +|`COLLABORATION_WOPI_SHORTTOKENS`| 1.0.0 |bool|`Use short access tokens for WOPI access. This is useful for office packages, like Microsoft Office Online, which have URL length restrictions. If enabled, a persistent store must be configured.`|false| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata.`|eu.opencloud.api.gateway| +|`COLLABORATION_CS3API_DATAGATEWAY_INSECURE`| 1.0.0 |bool|`Connect to the CS3API data gateway insecurely.`|false| +|`COLLABORATION_CS3API_APP_REGISTRATION_INTERVAL`| 4.0.0 |Duration|`The interval at which the app provider registers itself.`|30s| +|`OC_LOG_LEVEL`
`COLLABORATION_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`COLLABORATION_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9304| +|`COLLABORATION_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`COLLABORATION_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`COLLABORATION_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| diff --git a/static/env-vars/collaboration_readme.md b/static/env-vars/collaboration_readme.md index 8a1d29fe..cf0abafb 100644 --- a/static/env-vars/collaboration_readme.md +++ b/static/env-vars/collaboration_readme.md @@ -1,6 +1,6 @@ --- title: Collaboration -date: 2025-11-27T22:56:02.332416+01:00 +date: 2026-01-13T10:10:18.222049742+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/collaboration diff --git a/static/env-vars/eventhistory-config-example.yaml b/static/env-vars/eventhistory-config-example.yaml new file mode 100644 index 00000000..1473cd23 --- /dev/null +++ b/static/env-vars/eventhistory-config-example.yaml @@ -0,0 +1,30 @@ +# Autogenerated +# Filename: eventhistory-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9270 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9274 + tls: null +grpc_client_tls: null +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: eventhistory + table: "" + ttl: 336h0m0s + username: "" + password: "" diff --git a/static/env-vars/eventhistory_configvars.md b/static/env-vars/eventhistory_configvars.md index 00df06cd..b6623610 100644 
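Review bot: in the collaboration hunk the regenerated `+` row for `OC_HTTP_TLS_ENABLED` carries over the typo `server certifcate`; fix it in the source description while the row is being touched. In the same table `COLLABORATION_APP_PROOF_DURATION` is typed `string` although its description says it is parsed with `time.ParseDuration` and silently falls back to `12h` when parsing fails, whereas `COLLABORATION_STORE_TTL` and `COLLABORATION_CS3API_APP_REGISTRATION_INTERVAL` are typed `Duration`. Either the type column should read `Duration` for all three, or the description should say why the proof-key cache duration is a free-form string; a silent fallback on a mistyped value hides the misconfiguration, so a logged warning on parse failure would be the better behaviour to document.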
--- a/static/env-vars/eventhistory_configvars.md +++ b/static/env-vars/eventhistory_configvars.md @@ -1,27 +1,24 @@ Environment variables for the **eventhistory** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`EVENTHISTORY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`EVENTHISTORY_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`EVENTHISTORY_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`EVENTHISTORY_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`EVENTHISTORY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9270`| -|`EVENTHISTORY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`EVENTHISTORY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`EVENTHISTORY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`EVENTHISTORY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9274`| -|`OC_EVENTS_ENDPOINT`
`EVENTHISTORY_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`EVENTHISTORY_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`EVENTHISTORY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided.`|``| -|`OC_EVENTS_ENABLE_TLS`
`EVENTHISTORY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`EVENTHISTORY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`EVENTHISTORY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_PERSISTENT_STORE`
`EVENTHISTORY_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| -|`OC_PERSISTENT_STORE_NODES`
`EVENTHISTORY_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`EVENTHISTORY_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`eventhistory`| -|`EVENTHISTORY_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| -|`OC_PERSISTENT_STORE_TTL`
`EVENTHISTORY_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`EVENTHISTORY_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`EVENTHISTORY_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`EVENTHISTORY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`EVENTHISTORY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9270| +|`EVENTHISTORY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`EVENTHISTORY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`EVENTHISTORY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`EVENTHISTORY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9274| +|`OC_EVENTS_ENDPOINT`
`EVENTHISTORY_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`EVENTHISTORY_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`EVENTHISTORY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided.`|| +|`OC_EVENTS_ENABLE_TLS`
`EVENTHISTORY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`EVENTHISTORY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`EVENTHISTORY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_PERSISTENT_STORE`
`EVENTHISTORY_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|nats-js-kv| +|`OC_PERSISTENT_STORE_NODES`
`EVENTHISTORY_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`EVENTHISTORY_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|eventhistory| +|`EVENTHISTORY_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|| +|`OC_PERSISTENT_STORE_TTL`
`EVENTHISTORY_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|336h0m0s| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`EVENTHISTORY_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`EVENTHISTORY_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| diff --git a/static/env-vars/eventhistory_readme.md b/static/env-vars/eventhistory_readme.md index 6d31ac18..439e20ca 100644 --- a/static/env-vars/eventhistory_readme.md +++ b/static/env-vars/eventhistory_readme.md @@ -1,6 +1,6 @@ --- title: Eventhistory -date: 2025-11-27T22:56:02.332506+01:00 +date: 2026-01-13T10:10:18.222111478+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/eventhistory diff --git a/static/env-vars/extended_configvars.md b/static/env-vars/extended_configvars.md index 9e1abaec..1ceb8619 100644 --- a/static/env-vars/extended_configvars.md +++ b/static/env-vars/extended_configvars.md 
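Review bot: the regenerated eventhistory table drops the `OC_LOG_PRETTY`/`EVENTHISTORY_LOG_PRETTY`, `OC_LOG_COLOR`/`EVENTHISTORY_LOG_COLOR` and `OC_LOG_FILE`/`EVENTHISTORY_LOG_FILE` rows without a changelog note (the `-` lines carry them, the `+` lines go straight from `EVENTHISTORY_LOG_LEVEL` to `EVENTHISTORY_DEBUG_ADDR`); if those variables still exist, the generator is skipping them and the rows should be restored. Two descriptions carried over unchanged into the `+` lines also deserve a fix while this file is rewritten: `EVENTHISTORY_EVENTS_TLS_INSECURE` reads `Whether to verify the server TLS certificates.` with default `false`, which inverts the meaning of an INSECURE flag (setting it to true is what disables verification), and `EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE` refers to `NOTIFICATIONS_EVENTS_TLS_INSECURE` instead of `EVENTHISTORY_EVENTS_TLS_INSECURE`. Finally, the Default Value cells are no longer wrapped in backticks, so empty defaults now render as `||`; consider emitting an explicit marker for unset defaults so a reader can tell "no default" from a rendering glitch.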
@@ -1,13 +1,135 @@ # Environment variables with extended scope not included in a service -| Name | Type | Default Value | Description | +| Name | Type | Description | Default Value | |---|---|---|---| -`EXPERIMENTAL_REGISTER_INTERVAL` | duration | 25s | The interval at which services will re-register themselves with the registry to prevent expiry. Only change on supervision of openCloud Support. | -`EXPERIMENTAL_REGISTER_TTL` | duration | 30s | The time-to-live for a service registration in the registry. Services must re-register before this time to prevent expiry. Only change on supervision of openCloud Support. | -`MICRO_LOG_LEVEL` | string | Error | Set the log level for the internal go micro framework. Only change on supervision of openCloud Support. | -`MICRO_REGISTRY` | string | nats-js-kv | The type of registry to use. Only change on supervision of openCloud Support. | -`MICRO_REGISTRY_ADDRESS` | string | 127.0.0.1:9233 | The bind address of the internal natsjs registry. Only change on supervision of openCloud Support. | -`MICRO_REGISTRY_AUTH_PASSWORD` | string | | Optional when using nats to authenticate with the nats cluster. | -`OC_BASE_DATA_PATH` | string | | The base directory location used by several services and for user data. See the General Info section in the documentation for more details on defaults. Services can have, if available, an individual setting with an own environment variable. | -`OC_CONFIG_DIR` | string | | The default directory location for config files. See the General Info section in the documentation for more details on defaults. | -`OC_GRPC_MAX_RECEIVED_MESSAGE_SIZE` | integer | 10240000 | Sets the maximum message size in bytes the GRPC client can receive. 
| \ No newline at end of file +`APPDATA` | | | | +`CI` | | | | +`CI` | | | | +`CI` | | | | +`CI_SYSTEM_NAME` | | | | +`CI_SYSTEM_NAME` | | | | +`CS3_GATEWAY` | | | | +`CS3_GATEWAY` | | | | +`CS3_MACHINE_AUTH_API_KEY` | | | | +`CS3_MACHINE_AUTH_API_KEY` | | | | +`DAYS` | | | | +`DAYS` | | | | +`DaemonMarkVar` | | | | +`GITHUB_API_TOKEN` | | | | +`GITHUB_TOKEN` | | | | +`GITHUB_USER` | | | | +`GOPATH` | | | | +`GOPATH` | | | | +`GRACEFUL` | | | | +`GRACEFUL` | | | | +`HOME` | | | | +`HOSTNAME` | | | | +`HOSTNAME` | | | | +`HOSTNAME` | | | | +`HOSTNAME` | | | | +`HOSTNAME` | | | | +`HOSTNAME` | | | | +`HOSTNAME` | | | | +`IS_RACE_QUICK_TEST` | | | | +`KOPANO_DEBUG_SERVER_REQUEST_LOG` | | | | +`KRB5CCNAME` | | | | +`KRB5CCNAME` | | | | +`KRB5_CONFIG` | | | | +`KRB5_CONFIG` | | | | +`LDAP_BASEDN` | | | | +`LDAP_BINDDN` | | | | +`LDAP_BINDPW` | | | | +`LDAP_EMAIL_ATTRIBUTE` | | | | +`LDAP_FAMILY_NAME_ATTRIBUTE` | | | | +`LDAP_FILTER` | | | | +`LDAP_GIVEN_NAME_ATTRIBUTE` | | | | +`LDAP_LOGIN_ATTRIBUTE` | | | | +`LDAP_NAME_ATTRIBUTE` | | | | +`LDAP_SCOPE` | | | | +`LDAP_SUB_ATTRIBUTES` | | | | +`LDAP_TLS_CACERT` | | | | +`LDAP_UIDNUMBER_ATTRIBUTE` | | | | +`LDAP_URI` | | | | +`LDAP_UUID_ATTRIBUTE` | | | | +`LDAP_UUID_ATTRIBUTE_TYPE` | | | | +`LIBREGRAPH_SCOPED_URIS` | | | | +`LIBREGRAPH_URI` | | | | +`LICOD_ENCRYPTION_SECRET` | | | | +`LICOD_SIGNING_KID` | | | | +`LICOD_VALIDATION_KEYS_PATH` | | | | +`LOGNAME` | | | | +`MICRO_LOG_LEVEL` | | | | +`MICRO_LOG_LEVEL` | | | | +`MICRO_LOG_LEVEL` | | | | +`MICRO_LOG_LEVEL` | | | | +`MONTH` | | | | +`MONTH` | | | | +`NEXTCLOUD` | | | | +`NEXTCLOUD` | | | | +`NEXTCLOUD` | | | | +`NEXTCLOUD` | | | | +`OC_BASE_DATA_PATH` | | | | +`OC_BASE_DATA_PATH` | | | | +`OC_CONFIG_DIR` | | | | +`OC_CONFIG_DIR` | | | | +`OC_GRPC_MAX_RECEIVED_MESSAGE_SIZE` | | | | +`PATH` | | | | +`PATH` | | | | +`PATH` | | | | +`RCLONE_CONFIG` | | | | +`RCLONE_CONFIG` | | | | +`RCLONE_CONFIG_PASS` | | | | +`RCLONE_PASSWORD_CHANGE` | | | | +`RCLONE_PLUGIN_PATH` | 
| | | +`REDIS_ADDRESS` | | | | +`REVA_APPPROVIDER_IOPSECRET` | | | | +`REVA_SMTP_SENDER_PASSWORD` | | | | +`RUN_CMD_TEST` | | | | +`RUN_CMD_TEST` | | | | +`RUN_LDAP_TESTS` | | | | +`RUN_LDAP_TESTS` | | | | +`RUN_LDAP_TESTS` | | | | +`SQL_ADDRESS` | | | | +`SQL_DBNAME` | | | | +`SQL_PASSWORD` | | | | +`SQL_USERNAME` | | | | +`TERM` | | | | +`USER` | | | | +`USE_TESTCONTAINERS` | | | | +`USE_TESTCONTAINERS` | | | | +`XDG_CONFIG_HOME` | | | | +`YEAR` | | | | +`YEAR` | | | | +`_RCLONE_CONFIG_KEY_FILE` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryEnv` | | | | +`_registryEnv` | | | | +`_registryEnv` | | | | +`_registryEnv` | | | | +`_registryPasswordEnv` | | | | +`_registryPasswordEnv` | | | | +`_registryPasswordEnv` | | | | +`_registryPasswordEnv` | | | | +`_registryRegisterIntervalEnv` | | | | +`_registryRegisterIntervalEnv` | | | | +`_registryRegisterTTLEnv` | | | | +`_registryRegisterTTLEnv` | | | | +`_registryUsernameEnv` | | | | +`_registryUsernameEnv` | | | | +`_registryUsernameEnv` | | | | +`_registryUsernameEnv` | | | | +`_serverMaxConnectionAgeEnv` | | | | +`_serverMaxConnectionAgeEnv` | | | | +`_serverMaxConnectionAgeEnv` | | | | +`name` | | | | + + + + \ No newline at end of file diff --git a/static/env-vars/frontend-config-example.yaml b/static/env-vars/frontend-config-example.yaml new file mode 100644 index 00000000..7c582356 --- /dev/null +++ b/static/env-vars/frontend-config-example.yaml 
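Review bot: this hunk replaces the nine documented rows of extended_configvars.md (`EXPERIMENTAL_REGISTER_INTERVAL`, `EXPERIMENTAL_REGISTER_TTL`, the `MICRO_REGISTRY*` variables, `OC_BASE_DATA_PATH`, `OC_CONFIG_DIR` and `OC_GRPC_MAX_RECEIVED_MESSAGE_SIZE`, each with a type, default and description) with over a hundred rows whose Type, Description and Default Value cells are all empty, so the page ends up with no information at all. The names in the `+` lines suggest the generator is now collecting every environment lookup in the tree rather than the annotated config: there are duplicates (`CI` three times, `HOSTNAME` seven times, `_registryAddressEnv` eight times), Go identifiers instead of variable names (`_registryAddressEnv`, `_serverMaxConnectionAgeEnv`, `DaemonMarkVar`, `name`), process and CI environment names (`PATH`, `HOME`, `TERM`, `GITHUB_TOKEN`, `RUN_LDAP_TESTS`, `USE_TESTCONTAINERS`), and credential-bearing names such as `LDAP_BINDPW`, `REVA_SMTP_SENDER_PASSWORD`, `LICOD_ENCRYPTION_SECRET` and `SQL_PASSWORD` listed with no statement of which service reads them or whether they are honoured at all, which is exactly the kind of entry an operator would need documented. Suggest keeping the original rows, de-duplicating, filtering the output to variables that carry a description, and dropping the four trailing blank rows before `\ No newline at end of file`.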
@@ -0,0 +1,166 @@ +# Autogenerated +# Filename: frontend-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9141 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9140 + protocol: tcp + prefix: "" + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - POST + - PATCH + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + - Cache-Control + allow_credentials: false +transfer_secret: "" +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +machine_auth_api_key: "" +skip_user_groups_in_token: false +enable_favorites: false +max_quota: 0 +upload_max_chunk_size: 10000000 +upload_http_method_override: "" +default_upload_protocol: tus +enable_federated_sharing_incoming: false +enable_federated_sharing_outgoing: false +search_min_length: 3 +disable_sse: false +disable_radicale: false +default_link_permissions: 1 +public_url: https://localhost:9200 +max_concurrency: 1 +app_handler: + insecure: false + secure_view_app_addr: eu.opencloud.api.collaboration +archiver: + max_num_files: 10000 + max_size: 1073741824 + insecure: false +data_gateway: + prefix: data +ocs: + prefix: ocs + share_prefix: /Shares + home_namespace: /users/{{.Id.OpaqueId}} + additional_info_attribute: '{{.Mail}}' + stat_cache_type: memory + stat_cache_nodes: + - 127.0.0.1:9233 + stat_cache_database: cache-stat + stat_cache_table: "" + stat_cache_ttl: 5m0s + stat_cache_disable_persistence: false + stat_cache_auth_username: "" + 
stat_cache_auth_password: "" + enable_denials: false + list_ocm_shares: true + include_ocm_sharees: false + public_sharing_share_must_have_password: true + public_sharing_writeableshare_must_have_password: false + show_email_in_results: false +ocdav: + prefix: "" + skip_user_groups_in_token: false + webdav_namespace: /users/{{.Id.OpaqueId}} + files_namespace: /users/{{.Id.OpaqueId}} + shares_namespace: /Shares + ocm_namespace: /public + public_url: https://localhost:9200 + insecure: false + enable_http_tpc: false + gateway_request_timeout: 84300 + machine_auth_api_key: "" + allow_propfind_depth_infinity: false + name_validation: + invalid_chars: + - "\f" + - "\r" + - |2+ + + - \ + max_length: 255 +checksums: + supported_types: + - sha1 + - md5 + - adler32 + preferred_upload_type: sha1 +read_only_user_attributes: [] +ldap_server_write_enabled: true +edit_login_allowed_disabled: false +full_text_search: false +check_for_updates: true +middleware: + auth: + credentials_by_user_agent: {} +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +grpc_client_tls: null +auto_accept_shares: true +service_account: + service_account_id: "" + service_account_secret: "" +password_policy: + min_characters: 8 + min_lowercase_characters: 1 + min_uppercase_characters: 1 + min_digits: 1 + min_special_characters: 1 + banned_passwords_list: "" +configurable_notifications: false +groupware: + enabled: false diff --git a/static/env-vars/frontend_configvars.md b/static/env-vars/frontend_configvars.md index 415a7032..56f0c608 100644 --- a/static/env-vars/frontend_configvars.md +++ b/static/env-vars/frontend_configvars.md 
@@ -1,10 +1,10 @@ -2025-11-27-22-55-58 +2026-01-13-10-09-59 # Deprecation Notice | Deprecation Info | Deprecation Version | Removal Version | Deprecation Replacement | -|---|---|---|:---| +|---|---|---|---| | The OCS API is deprecated | 1.0.0 | next-prod | | | The OCS API is deprecated | 1.0.0 | next-prod | | | The OCS API is deprecated | 1.0.0 | next-prod | | @@ -24,90 +24,101 @@ Environment variables for the **frontend** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`FRONTEND_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`FRONTEND_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`FRONTEND_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`FRONTEND_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`FRONTEND_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9141`| -|`FRONTEND_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`FRONTEND_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`FRONTEND_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`FRONTEND_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9140`| -|`FRONTEND_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| -|`FRONTEND_HTTP_PREFIX`| 1.0.0 |string|`The Path prefix where the frontend can be accessed (defaults to /).`|``| -|`OC_CORS_ALLOW_ORIGINS`
`FRONTEND_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| -|`OC_CORS_ALLOW_METHODS`
`FRONTEND_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT POST PATCH DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| -|`OC_CORS_ALLOW_HEADERS`
`FRONTEND_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`FRONTEND_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| -|`OC_TRANSFER_SECRET`| 1.0.0 |string|`Transfer secret for signing file up- and download requests.`|``| -|`OC_JWT_SECRET`
`FRONTEND_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OC_MACHINE_AUTH_API_KEY`
`FRONTEND_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`The machine auth API key used to validate internal requests necessary to access resources from other services.`|``| -|`FRONTEND_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`FRONTEND_ENABLE_FAVORITES`| 1.0.0 |bool|`Enables the support for favorites in the clients.`|`false`| -|`OC_SPACES_MAX_QUOTA`
`FRONTEND_MAX_QUOTA`| 1.0.0 |uint64|`Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities.`|`0`| -|`FRONTEND_UPLOAD_MAX_CHUNK_SIZE`| 1.0.0 |int|`Sets the max chunk sizes in bytes for uploads via the clients.`|`10000000`| -|`FRONTEND_UPLOAD_HTTP_METHOD_OVERRIDE`| 1.0.0 |string|`Advise TUS to replace PATCH requests by POST requests.`|``| -|`FRONTEND_DEFAULT_UPLOAD_PROTOCOL`| 1.0.0 |string|`The default upload protocol to use in clients. Currently only 'tus' is available. See the developer API documentation for more details about TUS.`|`tus`| -|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_INCOMING`| 1.0.0 |bool|`Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed.`|`false`| -|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_OUTGOING`| 1.0.0 |bool|`Changing this value is NOT supported. Enables support for outgoing federated sharing for clients. The backend behaviour is not changed.`|`false`| -|`FRONTEND_SEARCH_MIN_LENGTH`| 1.0.0 |int|`Minimum number of characters to enter before a client should start a search for Share receivers. This setting can be used to customize the user experience if e.g too many results are displayed.`|`3`| -|`OC_EDITION`
`FRONTEND_EDITION`| 1.0.0 |string|`Edition of OpenCloud. Used for branding purposes.`|``| -|`OC_DISABLE_SSE`
`FRONTEND_DISABLE_SSE`| 1.0.0 |bool|`When set to true, clients are informed that the Server-Sent Events endpoint is not accessible.`|`false`| -|`FRONTEND_DISABLE_RADICALE`| 4.0.0 |bool|`When set to true, clients are informed that the Radicale (CalDAV/CardDAV) is not accessible.`|`false`| -|`FRONTEND_DEFAULT_LINK_PERMISSIONS`| 1.0.0 |int|`Defines the default permissions a link is being created with. Possible values are 0 (= internal link, for instance members only) and 1 (= public link with viewer permissions). Defaults to 1.`|`1`| -|`OC_URL`
`FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|`https://localhost:9200`| -|`OC_MAX_CONCURRENCY`
`FRONTEND_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`1`| -|`OC_INSECURE`
`FRONTEND_APP_HANDLER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the frontend.`|`false`| -|`FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR`| 1.0.0 |string|`Service name or address of the app provider to use for secure view. Should match the service name or address of the registered CS3 app provider.`|`eu.opencloud.api.collaboration`| -|`FRONTEND_ARCHIVER_MAX_NUM_FILES`| 1.0.0 |int64|`Max number of files that can be packed into an archive.`|`10000`| -|`FRONTEND_ARCHIVER_MAX_SIZE`| 1.0.0 |int64|`Max size in bytes of the zip archive the archiver can create.`|`1073741824`| -|`OC_INSECURE`
`FRONTEND_ARCHIVER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the archiver.`|`false`| -|`FRONTEND_DATA_GATEWAY_PREFIX`| 1.0.0 |string|`Path prefix for the data gateway.`|`data`| -|`FRONTEND_OCS_PREFIX`| 1.0.0 |string|`URL path prefix for the OCS service. Note that the string must not start with '/'.`|`ocs`| -|`FRONTEND_OCS_SHARE_PREFIX`| 1.0.0 |string|`Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'.`|`/Shares`| -|`FRONTEND_OCS_PERSONAL_NAMESPACE`| 1.0.0 |string|`Home namespace identifier.`|`/users/{{.Id.OpaqueId}}`| -|`FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE`| 1.0.0 |string|`Additional information attribute for the user like {{.Mail}}.`|`{{.Mail}}`| -|`OC_CACHE_STORE`
`FRONTEND_OCS_STAT_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| -|`OC_CACHE_STORE_NODES`
`FRONTEND_OCS_STAT_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-stat`| -|`FRONTEND_OCS_STAT_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| -|`OC_CACHE_TTL`
`FRONTEND_OCS_STAT_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`5m0s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.`|`false`| -|`OC_CACHE_AUTH_USERNAME`
`FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``| -|`FRONTEND_OCS_ENABLE_DENIALS`| 1.0.0 |bool|`EXPERIMENTAL: enable the feature to deny access on folders.`|`false`| -|`OC_ENABLE_OCM`
`FRONTEND_OCS_LIST_OCM_SHARES`| 1.0.0 |bool|`Include OCM shares when listing shares. See the OCM service documentation for more details.`|`true`| -|`OC_ENABLE_OCM`
`FRONTEND_OCS_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing sharees.`|`false`| -|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on all public shares.`|`true`| -|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords for writable shares. Only effective if the setting for 'passwords on all public shares' is set to false.`|`false`| -|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|`Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.`|`false`| -|`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|`A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.`|`[sha1 md5 adler32]`| -|`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|`The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.`|`sha1`| -|`FRONTEND_READONLY_USER_ATTRIBUTES`| 1.0.0 |[]string|`A list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.memberOf' (groups), 'user.accountEnabled' (login allowed), 'drive.quota' (quota). See the Environment Variable Types description for more details.`|`[]`| -|`OC_LDAP_SERVER_WRITE_ENABLED`
`FRONTEND_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|`Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).`|`true`| -|`FRONTEND_EDIT_LOGIN_ALLOWED_DISABLED`| 3.4.0 |bool|`Used to set if login is allowed/forbidden for for User.`|`false`| -|`FRONTEND_FULL_TEXT_SEARCH_ENABLED`| 1.0.0 |bool|`Set to true to signal the web client that full-text search is enabled.`|`false`| -|`FRONTEND_CHECK_FOR_UPDATES`| 3.6.0 |bool|`Enable automatic checking for updates. Defaults to true.`|`true`| -|`OC_EVENTS_ENDPOINT`
`FRONTEND_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`FRONTEND_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`FRONTEND_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`FRONTEND_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`FRONTEND_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`FRONTEND_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`FRONTEND_AUTO_ACCEPT_SHARES`| 1.0.0 |bool|`Defines if shares should be auto accepted by default. Users can change this setting individually in their profile.`|`true`| -|`OC_SERVICE_ACCOUNT_ID`
`FRONTEND_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`FRONTEND_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| -|`OC_PASSWORD_POLICY_DISABLED`
`FRONTEND_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|`Disable the password policy. Defaults to false if not set.`|`false`| -|`OC_PASSWORD_POLICY_MIN_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|`Define the minimum password length. Defaults to 8 if not set.`|`8`| -|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of uppercase letters. Defaults to 1 if not set.`|`1`| -|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of lowercase letters. Defaults to 1 if not set.`|`1`| -|`OC_PASSWORD_POLICY_MIN_DIGITS`
`FRONTEND_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|`Define the minimum number of digits. Defaults to 1 if not set.`|`1`| -|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|`Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.`|`1`| -|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
`FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|`Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.`|``| -|`FRONTEND_CONFIGURABLE_NOTIFICATIONS`| 1.0.0 |bool|`Allow configuring notifications via web client.`|`false`| -|`FRONTEND_GROUPWARE_ENABLED`| 3.7.0 |bool|`Enable groupware features. Defaults to false.`|`false`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`FRONTEND_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`FRONTEND_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9141| +|`FRONTEND_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`FRONTEND_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`FRONTEND_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`FRONTEND_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9140| +|`FRONTEND_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|tcp| +|`FRONTEND_HTTP_PREFIX`| 1.0.0 |string|`The Path prefix where the frontend can be accessed (defaults to /).`|| +|`OC_CORS_ALLOW_ORIGINS`
`FRONTEND_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[https://localhost:9200]| +|`OC_CORS_ALLOW_METHODS`
`FRONTEND_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[OPTIONS HEAD GET PUT POST PATCH DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]| +|`OC_CORS_ALLOW_HEADERS`
`FRONTEND_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]| +|`OC_CORS_ALLOW_CREDENTIALS`
`FRONTEND_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|false| +|`OC_TRANSFER_SECRET`| 1.0.0 |string|`Transfer secret for signing file up- and download requests.`|| +|`OC_JWT_SECRET`
`FRONTEND_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OC_MACHINE_AUTH_API_KEY`
`FRONTEND_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`The machine auth API key used to validate internal requests necessary to access resources from other services.`|| +|`FRONTEND_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`FRONTEND_ENABLE_FAVORITES`| 1.0.0 |bool|`Enables the support for favorites in the clients.`|false| +|`OC_SPACES_MAX_QUOTA`
`FRONTEND_MAX_QUOTA`| 1.0.0 |uint64|`Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities.`|0| +|`FRONTEND_UPLOAD_MAX_CHUNK_SIZE`| 1.0.0 |int|`Sets the max chunk sizes in bytes for uploads via the clients.`|10000000| +|`FRONTEND_UPLOAD_HTTP_METHOD_OVERRIDE`| 1.0.0 |string|`Advise TUS to replace PATCH requests by POST requests.`|| +|`FRONTEND_DEFAULT_UPLOAD_PROTOCOL`| 1.0.0 |string|`The default upload protocol to use in clients. Currently only 'tus' is available. See the developer API documentation for more details about TUS.`|tus| +|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_INCOMING`| 1.0.0 |bool|`Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed.`|false| +|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_OUTGOING`| 1.0.0 |bool|`Changing this value is NOT supported. Enables support for outgoing federated sharing for clients. The backend behaviour is not changed.`|false| +|`FRONTEND_SEARCH_MIN_LENGTH`| 1.0.0 |int|`Minimum number of characters to enter before a client should start a search for Share receivers. This setting can be used to customize the user experience if e.g too many results are displayed.`|3| +|`OC_DISABLE_SSE`
`FRONTEND_DISABLE_SSE`| 1.0.0 |bool|`When set to true, clients are informed that the Server-Sent Events endpoint is not accessible.`|false| +|`FRONTEND_DISABLE_RADICALE`| 4.0.0 |bool|`When set to true, clients are informed that the Radicale (CalDAV/CardDAV) is not accessible.`|false| +|`FRONTEND_DEFAULT_LINK_PERMISSIONS`| 1.0.0 |int|`Defines the default permissions a link is being created with. Possible values are 0 (= internal link, for instance members only) and 1 (= public link with viewer permissions). Defaults to 1.`|1| +|`OC_URL`
`FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|https://localhost:9200| +|`OC_MAX_CONCURRENCY`
`FRONTEND_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|1| +|`OC_INSECURE`
`FRONTEND_APP_HANDLER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the frontend.`|false| +|`FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR`| 1.0.0 |string|`Service name or address of the app provider to use for secure view. Should match the service name or address of the registered CS3 app provider.`|eu.opencloud.api.collaboration| +|`FRONTEND_ARCHIVER_MAX_NUM_FILES`| 1.0.0 |int64|`Max number of files that can be packed into an archive.`|10000| +|`FRONTEND_ARCHIVER_MAX_SIZE`| 1.0.0 |int64|`Max size in bytes of the zip archive the archiver can create.`|1073741824| +|`OC_INSECURE`
`FRONTEND_ARCHIVER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the archiver.`|false| +|`FRONTEND_DATA_GATEWAY_PREFIX`| 1.0.0 |string|`Path prefix for the data gateway.`|data| +|`FRONTEND_OCS_PREFIX`| 1.0.0 |string|`URL path prefix for the OCS service. Note that the string must not start with '/'.`|ocs| +|`FRONTEND_OCS_SHARE_PREFIX`| 1.0.0 |string|`Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'.`|/Shares| +|`FRONTEND_OCS_PERSONAL_NAMESPACE`| 1.0.0 |string|`Home namespace identifier.`|/users/{{.Id.OpaqueId}}| +|`FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE`| 1.0.0 |string|`Additional information attribute for the user like {{.Mail}}.`|{{.Mail}}| +|`OC_CACHE_STORE`
`FRONTEND_OCS_STAT_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|memory| +|`OC_CACHE_STORE_NODES`
`FRONTEND_OCS_STAT_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|cache-stat| +|`FRONTEND_OCS_STAT_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|| +|`OC_CACHE_TTL`
`FRONTEND_OCS_STAT_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|5m0s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.`|false| +|`OC_CACHE_AUTH_USERNAME`
`FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when using the 'nats-js-kv' store type.`|| +|`OC_CACHE_AUTH_PASSWORD`
`FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when using the 'nats-js-kv' store type.`|| +|`FRONTEND_OCS_ENABLE_DENIALS`| 1.0.0 |bool|`EXPERIMENTAL: enable the feature to deny access on folders.`|false| +|`OC_ENABLE_OCM`
`FRONTEND_OCS_LIST_OCM_SHARES`| 1.0.0 |bool|`Include OCM shares when listing shares. See the OCM service documentation for more details.`|true| +|`OC_ENABLE_OCM`
`FRONTEND_OCS_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing sharees.`|false| +|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on all public shares.`|true| +|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords for writable shares. Only effective if the setting for 'passwords on all public shares' is set to false.`|false| +|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|`Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.`|false| +|`OCDAV_HTTP_PREFIX`
`FRONTENT_OCDAV_HTTP_PREFIX`| 1.0.0 |string|`A URL path prefix for the handler.`|| +|`OCDAV_SKIP_USER_GROUPS_IN_TOKEN`
`FRONTENT_OCDAV_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`OCDAV_WEBDAV_NAMESPACE`
`FRONTENT_OCDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/webdav into this CS3 namespace. Supports template layouting with CS3 User properties.`|/users/{{.Id.OpaqueId}}| +|`OCDAV_FILES_NAMESPACE`
`FRONTENT_OCDAV_FILES_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/files/{username} into this CS3 namespace. Supports template layouting with CS3 User properties.`|/users/{{.Id.OpaqueId}}| +|`OCDAV_SHARES_NAMESPACE`
`FRONTENT_OCDAV_SHARES_NAMESPACE`| 1.0.0 |string|`The human readable path for the share jail. Relative to a users personal space root. Upcased intentionally.`|/Shares| +|`OCDAV_OCM_NAMESPACE`
`FRONTENT_OCDAV_OCM_NAMESPACE`| 1.0.0 |string|`The human readable path prefix for the ocm shares.`|/public| +|`OC_URL`
`OCDAV_PUBLIC_URL`
`FRONTENT_OCDAV_PUBLIC_URL`| 1.0.0 |string|`URL where OpenCloud is reachable for users.`|https://localhost:9200| +|`OC_INSECURE`
`OCDAV_INSECURE`
`FRONTENT_OCDAV_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the GATEWAY service.`|false| +|`OCDAV_ENABLE_HTTP_TPC`
`FRONTENT_OCDAV_ENABLE_HTTP_TPC`| next |bool|`Enable HTTP / WebDAV Third-Party-Copy support.`|false| +|`OCDAV_GATEWAY_REQUEST_TIME`
`FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|84300| +|`OC_MACHINE_AUTH_API_KEY`
`OCDAV_MACHINE_AUTH_API_KEY`
`FRONTENT_OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|| +|`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`
`FRONTENT_OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|false| +|`OCDAV_NAME_VALIDATION_INVALID_CHARS`
`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| next |[]string|`List of characters that are not allowed in file or folder names.`|[ + \]| +|`OCDAV_NAME_VALIDATION_MAX_LENGTH`
`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| next |int|`Max lenght og file or folder names.`|255| +|`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|`A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.`|[sha1 md5 adler32]| +|`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|`The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.`|sha1| +|`FRONTEND_READONLY_USER_ATTRIBUTES`| 1.0.0 |[]string|`A list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.memberOf' (groups), 'user.accountEnabled' (login allowed), 'drive.quota' (quota). See the Environment Variable Types description for more details.`|[]| +|`OC_LDAP_SERVER_WRITE_ENABLED`
`FRONTEND_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|`Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).`|true| +|`FRONTEND_EDIT_LOGIN_ALLOWED_DISABLED`| 3.4.0 |bool|`Used to set if login is allowed/forbidden for for User.`|false| +|`FRONTEND_FULL_TEXT_SEARCH_ENABLED`| 1.0.0 |bool|`Set to true to signal the web client that full-text search is enabled.`|false| +|`FRONTEND_CHECK_FOR_UPDATES`| 3.6.0 |bool|`Enable automatic checking for updates. Defaults to true.`|true| +|`OC_EVENTS_ENDPOINT`
`FRONTEND_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`FRONTEND_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`FRONTEND_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`FRONTEND_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`FRONTEND_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`FRONTEND_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`FRONTEND_AUTO_ACCEPT_SHARES`| 1.0.0 |bool|`Defines if shares should be auto accepted by default. Users can change this setting individually in their profile.`|true| +|`OC_SERVICE_ACCOUNT_ID`
`FRONTEND_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`FRONTEND_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| +|`OC_PASSWORD_POLICY_DISABLED`
`FRONTEND_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|`Disable the password policy. Defaults to false if not set.`|false| +|`OC_PASSWORD_POLICY_MIN_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|`Define the minimum password length. Defaults to 8 if not set.`|8| +|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of uppercase letters. Defaults to 1 if not set.`|1| +|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of lowercase letters. Defaults to 1 if not set.`|1| +|`OC_PASSWORD_POLICY_MIN_DIGITS`
`FRONTEND_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|`Define the minimum number of digits. Defaults to 1 if not set.`|1| +|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|`Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.`|1| +|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
`FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|`Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.`|| +|`FRONTEND_CONFIGURABLE_NOTIFICATIONS`| 1.0.0 |bool|`Allow configuring notifications via web client.`|false| +|`FRONTEND_GROUPWARE_ENABLED`| 3.7.0 |bool|`Enable groupware features. Defaults to false.`|false| diff --git a/static/env-vars/frontend_readme.md b/static/env-vars/frontend_readme.md index 578de0bc..d69b5b90 100644 --- a/static/env-vars/frontend_readme.md +++ b/static/env-vars/frontend_readme.md @@ -1,6 +1,6 @@ --- title: Frontend -date: 2025-11-27T22:56:02.332575+01:00 +date: 2026-01-13T10:10:18.222180849+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/frontend diff --git a/static/env-vars/gateway-config-example.yaml b/static/env-vars/gateway-config-example.yaml new file mode 100644 index 00000000..90e19fc5 --- /dev/null +++ b/static/env-vars/gateway-config-example.yaml 
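Review bot: the regenerated table in static/env-vars/frontend_configvars.md drops the code-span wrapping around every default value (`|false|` and `||` where the old rows had `` |`false`| `` and `` |``| ``), so defaults containing markdown-significant characters now render wrong: the `FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS` default `[ + \]` will have its backslash consumed as a markdown escape, and `{{.Mail}}`, `/users/{{.Id.OpaqueId}}` and the bracketed list defaults no longer stand out as literal values; keep the backticks in the generator output and document that an empty cell means unset. The new table also goes straight from `OC_LOG_LEVEL` to `FRONTEND_DEBUG_ADDR` with no `OC_LOG_PRETTY`, `OC_LOG_COLOR` or `OC_LOG_FILE` rows (the gateway table below deletes the same rows); if those settings still exist, the generator is silently dropping them. Several names and descriptions carry upstream typos that this regeneration propagates: the whole `FRONTENT_OCDAV_*` block (`FRONTENT_` for `FRONTEND_`, plus `FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT`), `Max lenght og file or folder names`, `for for User`, `CORS.See`, and the swapped descriptions of `FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` ("minimum number of uppercase letters") and `FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` ("minimum number of lowercase letters"); these need fixing in the source struct tags before regenerating. On the TLS rows: `OC_INSECURE` is listed as the shared alias of `FRONTEND_EVENTS_TLS_INSECURE`, `FRONTEND_APP_HANDLER_INSECURE`, `FRONTEND_ARCHIVER_INSECURE` and `OCDAV_INSECURE`, so a single global variable disables certificate verification on all of these client connections and the table should say so; the description of `FRONTEND_EVENTS_TLS_INSECURE` ("Whether to verify the server TLS certificates.") reads as the inverse of what `true` does and should state that `true` skips verification; the root-CA row still references `NOTIFICATIONS_EVENTS_TLS_INSECURE` and carries an `OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE` alias that looks copy-pasted from another service; and `OC_GRPC_CLIENT_TLS_MODE` lists 'off', 'insecure' and 'on' but ships an empty default without saying which mode an empty value selects.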
@@ -0,0 +1,63 @@ +# Autogenerated +# Filename: gateway-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9143 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9142 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +commit_share_to_storage_grant: true +share_folder_name: Shares +disable_home_creation_on_login: true +transfer_secret: "" +transfer_expires: 86400 +cache: + provider_cache_store: noop + provider_cache_nodes: + - 127.0.0.1:9233 + provider_cache_database: cache-providers + provider_cache_ttl: 5m0s + provider_cache_disable_persistence: false + provider_cache_auth_username: "" + provider_cache_auth_password: "" + create_home_cache_store: memory + create_home_cache_nodes: + - 127.0.0.1:9233 + create_home_cache_database: cache-createhome + create_home_cache_ttl: 5m0s + create_home_cache_disable_persistence: false + create_home_cache_auth_username: "" + create_home_cache_auth_password: "" +frontend_public_url: https://localhost:9200 +users_endpoint: eu.opencloud.api.users +groups_endpoint: eu.opencloud.api.groups +permissions_endpoint: eu.opencloud.api.settings +sharing_endpoint: eu.opencloud.api.sharing +auth_app_endpoint: eu.opencloud.api.auth-app +auth_basic_endpoint: eu.opencloud.api.auth-basic +auth_bearer_endpoint: "" +auth_machine_endpoint: eu.opencloud.api.auth-machine +auth_service_endpoint: eu.opencloud.api.auth-service +storage_public_link_endpoint: eu.opencloud.api.storage-publiclink +storage_users_endpoint: eu.opencloud.api.storage-users +storage_shares_endpoint: eu.opencloud.api.storage-shares +app_registry_endpoint: eu.opencloud.api.app-registry +ocm_endpoint: eu.opencloud.api.ocm +storage_registry: + driver: spaces + rules: [] + json: "" + storage_users_mount_id: "" diff --git a/static/env-vars/gateway_configvars.md b/static/env-vars/gateway_configvars.md index c17ecb8a..d1f8d9f6 100644 
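Review bot: the new static/env-vars/gateway-config-example.yaml ships `jwt_secret: ""`, `transfer_secret: ""`, `debug.token: ""` and `reva.tls.mode: ""` with nothing marking them as placeholders rather than working values; since an example config is what people copy, a comment on the secret keys saying they must be set (or a sentence in the readme that the example is not a runnable configuration) would stop it being deployed with empty signing and transfer secrets, and the empty `mode` has the same undocumented meaning as the empty `OC_GRPC_CLIENT_TLS_MODE` default in the tables. The `# Autogenerated` header should also name the generator or command so reviewers know the file is not to be hand-edited and how to regenerate it.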
--- a/static/env-vars/gateway_configvars.md +++ b/static/env-vars/gateway_configvars.md @@ -1,57 +1,54 @@ Environment variables for the **gateway** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`GATEWAY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`GATEWAY_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`GATEWAY_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`GATEWAY_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`GATEWAY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9143`| -|`GATEWAY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`GATEWAY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`GATEWAY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OC_GATEWAY_GRPC_ADDR`
`GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9142`| -|`OC_GRPC_PROTOCOL`
`GATEWAY_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`GATEWAY_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`GATEWAY_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`GATEWAY_COMMIT_SHARE_TO_STORAGE_GRANT`| 1.0.0 |bool|`Commit shares to storage grants. This grants access to shared resources for the share receiver directly on the storage.`|`true`| -|`GATEWAY_SHARE_FOLDER_NAME`| 1.0.0 |string|`Name of the share folder in users' home space.`|`Shares`| -|`GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN`| 1.0.0 |bool|`Disable creation of the home space on login.`|`true`| -|`OC_TRANSFER_SECRET`| 1.0.0 |string|`The storage transfer secret.`|``| -|`GATEWAY_TRANSFER_EXPIRES`| 1.0.0 |int|`Expiry for the gateway tokens.`|`86400`| -|`OC_CACHE_STORE`
`GATEWAY_PROVIDER_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`noop`| -|`OC_CACHE_STORE_NODES`
`GATEWAY_PROVIDER_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-providers`| -|`OC_CACHE_TTL`
`GATEWAY_PROVIDER_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`5m0s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| -|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_PROVIDER_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_STORE`
`GATEWAY_CREATE_HOME_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| -|`OC_CACHE_STORE_NODES`
`GATEWAY_CREATE_HOME_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-createhome`| -|`OC_CACHE_TTL`
`GATEWAY_CREATE_HOME_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`5m0s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| -|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_URL`
`GATEWAY_FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|`https://localhost:9200`| -|`GATEWAY_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.users`| -|`GATEWAY_GROUPS_ENDPOINT`| 1.0.0 |string|`The endpoint of the groups service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.groups`| -|`GATEWAY_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`The endpoint of the permissions service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.settings`| -|`GATEWAY_SHARING_ENDPOINT`| 1.0.0 |string|`The endpoint of the shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.sharing`| -|`GATEWAY_AUTH_APP_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-app service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-app`| -|`GATEWAY_AUTH_BASIC_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-basic service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-basic`| -|`GATEWAY_AUTH_BEARER_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-bearer service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|``| -|`GATEWAY_AUTH_MACHINE_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-machine service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-machine`| -|`GATEWAY_AUTH_SERVICE_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-service service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-service`| -|`GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-publiclink service. 
Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.storage-publiclink`| -|`GATEWAY_STORAGE_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.storage-users`| -|`GATEWAY_STORAGE_SHARES_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.storage-shares`| -|`GATEWAY_APP_REGISTRY_ENDPOINT`| 1.0.0 |string|`The endpoint of the app-registry service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.app-registry`| -|`GATEWAY_OCM_ENDPOINT`| 1.0.0 |string|`The endpoint of the ocm service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.ocm`| -|`GATEWAY_STORAGE_REGISTRY_DRIVER`| 1.0.0 |string|`The driver name of the storage registry to use.`|`spaces`| -|`GATEWAY_STORAGE_REGISTRY_RULES`| 1.0.0 |[]string|`The rules for the storage registry. See the Environment Variable Types description for more details.`|`[]`| -|`GATEWAY_STORAGE_REGISTRY_CONFIG_JSON`| 1.0.0 |string|`Additional configuration for the storage registry in json format.`|``| -|`GATEWAY_STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`GATEWAY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`GATEWAY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9143| +|`GATEWAY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`GATEWAY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`GATEWAY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OC_GATEWAY_GRPC_ADDR`
`GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9142| +|`OC_GRPC_PROTOCOL`
`GATEWAY_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`GATEWAY_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`GATEWAY_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`GATEWAY_COMMIT_SHARE_TO_STORAGE_GRANT`| 1.0.0 |bool|`Commit shares to storage grants. This grants access to shared resources for the share receiver directly on the storage.`|true| +|`GATEWAY_SHARE_FOLDER_NAME`| 1.0.0 |string|`Name of the share folder in users' home space.`|Shares| +|`GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN`| 1.0.0 |bool|`Disable creation of the home space on login.`|true| +|`OC_TRANSFER_SECRET`| 1.0.0 |string|`The storage transfer secret.`|| +|`GATEWAY_TRANSFER_EXPIRES`| 1.0.0 |int|`Expiry for the gateway tokens.`|86400| +|`OC_CACHE_STORE`
`GATEWAY_PROVIDER_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|noop| +|`OC_CACHE_STORE_NODES`
`GATEWAY_PROVIDER_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|cache-providers| +|`OC_CACHE_TTL`
`GATEWAY_PROVIDER_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|5m0s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|false| +|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_PROVIDER_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_STORE`
`GATEWAY_CREATE_HOME_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|memory| +|`OC_CACHE_STORE_NODES`
`GATEWAY_CREATE_HOME_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|cache-createhome| +|`OC_CACHE_TTL`
`GATEWAY_CREATE_HOME_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|5m0s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|false| +|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_URL`
`GATEWAY_FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|https://localhost:9200| +|`GATEWAY_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.users| +|`GATEWAY_GROUPS_ENDPOINT`| 1.0.0 |string|`The endpoint of the groups service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.groups| +|`GATEWAY_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`The endpoint of the permissions service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.settings| +|`GATEWAY_SHARING_ENDPOINT`| 1.0.0 |string|`The endpoint of the shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.sharing| +|`GATEWAY_AUTH_APP_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-app service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.auth-app| +|`GATEWAY_AUTH_BASIC_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-basic service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.auth-basic| +|`GATEWAY_AUTH_BEARER_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-bearer service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|| +|`GATEWAY_AUTH_MACHINE_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-machine service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.auth-machine| +|`GATEWAY_AUTH_SERVICE_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-service service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.auth-service| +|`GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-publiclink service. 
Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.storage-publiclink| +|`GATEWAY_STORAGE_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.storage-users| +|`GATEWAY_STORAGE_SHARES_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.storage-shares| +|`GATEWAY_APP_REGISTRY_ENDPOINT`| 1.0.0 |string|`The endpoint of the app-registry service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.app-registry| +|`GATEWAY_OCM_ENDPOINT`| 1.0.0 |string|`The endpoint of the ocm service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|eu.opencloud.api.ocm| +|`GATEWAY_STORAGE_REGISTRY_DRIVER`| 1.0.0 |string|`The driver name of the storage registry to use.`|spaces| +|`GATEWAY_STORAGE_REGISTRY_RULES`| 1.0.0 |[]string|`The rules for the storage registry. See the Environment Variable Types description for more details.`|[]| +|`GATEWAY_STORAGE_REGISTRY_CONFIG_JSON`| 1.0.0 |string|`Additional configuration for the storage registry in json format.`|| +|`GATEWAY_STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|| diff --git a/static/env-vars/gateway_readme.md b/static/env-vars/gateway_readme.md index 31af233e..6132b40f 100644 --- a/static/env-vars/gateway_readme.md +++ b/static/env-vars/gateway_readme.md 
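Review bot: in the gateway table, the provider-cache block and the create-home block both list the same global names `OC_CACHE_STORE`, `OC_CACHE_STORE_NODES`, `OC_CACHE_DATABASE`, `OC_CACHE_TTL`, `OC_CACHE_DISABLE_PERSISTENCE` and `OC_CACHE_AUTH_*` with different defaults (`noop` vs `memory`, `cache-providers` vs `cache-createhome`), which a reader will take as two independent settings; one `OC_CACHE_STORE` value applies to both caches, and `OC_CACHE_DATABASE` has no `GATEWAY_PROVIDER_CACHE_*` / `GATEWAY_CREATE_HOME_CACHE_*` alias in either block, so either the two caches cannot be given separate database names or the generator dropped the alias; please check and state which. Smaller points in the same rows: `GATEWAY_TRANSFER_EXPIRES` is typed `int` with default `86400` but `Expiry for the gateway tokens.` names no unit (say `in seconds`), and the cache TTL description `Only applied when access tokens has no expiration` should read `have` and talks about user info although these two caches hold provider and create-home entries.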
@@ -1,6 +1,6 @@ --- title: Gateway -date: 2025-11-27T22:56:02.332732+01:00 +date: 2026-01-13T10:10:18.222269646+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/gateway diff --git a/static/env-vars/global_configvars.md b/static/env-vars/global_configvars.md index b2d2d2ea..680dddd5 100644 --- a/static/env-vars/global_configvars.md +++ b/static/env-vars/global_configvars.md 
@@ -2,58 +2,58 @@ | Name | Introduction Version | Type | Description | Default Value | |---|---|---|---|---| -`IDM_CREATE_DEMO_USERS` | 1.0.0 | bool | The default role assignments the demo users should be setup. | false | +`IDM_CREATE_DEMO_USERS` | 1.0.0 | bool | Flag to enable or disable the creation of the demo users. | false | `OC_ADMIN_USER_ID` | 1.0.0 | string | ID of the user who collects all necessary information for deletion. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. | | `OC_ASYNC_UPLOADS` | 1.0.0 | bool | Enable asynchronous file uploads. | true | -`OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | The password to use for authentication. Only applies when store type 'nats-js-kv' is configured. | | -`OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | The username to use for authentication. Only applies when store type 'nats-js-kv' is configured. | | -`OC_CACHE_DATABASE` | 1.0.0 | string | The database name the configured store should use. | cache-providers | -`OC_CACHE_DISABLE_PERSISTENCE` | 1.0.0 | bool | Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false | -`OC_CACHE_STORE` | 1.0.0 | string | The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | noop | +`OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured. | | +`OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured. | | +`OC_CACHE_DATABASE` | 1.0.0 | string | The database name the configured store should use. | storage-users | +`OC_CACHE_DISABLE_PERSISTENCE` | 1.0.0 | bool | Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. 
Defaults to false. | false | +`OC_CACHE_STORE` | 1.0.0 | string | The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | memory | `OC_CACHE_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] | -`OC_CACHE_TTL` | 1.0.0 | Duration | Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details. | 5m0s | -`OC_CORS_ALLOW_CREDENTIALS` | 1.0.0 | bool | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | true | -`OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control] | -`OC_CORS_ALLOW_METHODS` | 1.0.0 | []string | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. | [GET POST PUT PATCH DELETE OPTIONS] | -`OC_CORS_ALLOW_ORIGINS` | 1.0.0 | []string | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. 
See the Environment Variable Types description for more details. | [*] | +`OC_CACHE_TTL` | 1.0.0 | Duration | Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details. | 24m0s | +`OC_CORS_ALLOW_CREDENTIALS` | 1.0.0 | bool | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | false | +`OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Authorization Origin X-Requested-With X-Request-Id X-HTTP-Method-Override Content-Type Upload-Length Upload-Offset Tus-Resumable Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version] | +`OC_CORS_ALLOW_METHODS` | 1.0.0 | []string | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. | [POST HEAD PATCH OPTIONS GET DELETE] | +`OC_CORS_ALLOW_ORIGINS` | 1.0.0 | []string | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. | [https://localhost:9200] | `OC_DECOMPOSEDFS_PROPAGATOR` | 1.0.0 | string | The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option. 
| sync | `OC_DEFAULT_LANGUAGE` | 1.0.0 | string | The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. | | `OC_DISABLE_VERSIONING` | 1.0.0 | bool | Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version. | false | -`OC_EDITION` | 1.0.0 | string | Edition of OpenCloud. Used for branding purposes. | | `OC_ENABLE_OCM` | 1.0.0 | bool | Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed. | false | `OC_EVENTS_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | | `OC_EVENTS_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | | `OC_EVENTS_CLUSTER` | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. | opencloud-cluster | `OC_EVENTS_ENABLE_TLS` | 1.0.0 | bool | Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | false | `OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | 127.0.0.1:9233 | -`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided POLICIES_EVENTS_TLS_INSECURE will be seen as false. | | -`OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the GRPC service. 
| 127.0.0.1:9142 | +`OC_EVENTS_TLS_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false | +`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false. | | +`OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the gateway GRPC address. | 127.0.0.1:9142 | `OC_GRPC_CLIENT_TLS_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. | | `OC_GRPC_CLIENT_TLS_MODE` | 1.0.0 | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. | | -`OC_GRPC_PROTOCOL` | 1.0.0 | string | The transport protocol of the GRPC service. | tcp | +`OC_GRPC_PROTOCOL` | 1.0.0 | string | The transport protocol of the GPRC service. | tcp | `OC_HTTP_TLS_CERTIFICATE` | 1.0.0 | string | Path/File name of the TLS server certificate (in PEM format) for the http services. | | `OC_HTTP_TLS_ENABLED` | 1.0.0 | bool | Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. | false | `OC_HTTP_TLS_KEY` | 1.0.0 | string | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. | | -`OC_INSECURE` | 1.0.0 | bool | Whether the server should skip the client certificate verification during the TLS handshake. 
| false | +`OC_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false | `OC_JWT_SECRET` | 1.0.0 | string | The secret to mint and validate jwt tokens. | | `OC_KEYCLOAK_BASE_PATH` | 1.0.0 | string | The URL to access keycloak. | | -`OC_KEYCLOAK_CLIENT_ID` | 1.0.0 | string | The client ID to authenticate with keycloak. | | +`OC_KEYCLOAK_CLIENT_ID` | 1.0.0 | string | The client id to authenticate with keycloak. | | `OC_KEYCLOAK_CLIENT_REALM` | 1.0.0 | string | The realm the client is defined in. | | `OC_KEYCLOAK_CLIENT_SECRET` | 1.0.0 | string | The client secret to use in authentication. | | `OC_KEYCLOAK_INSECURE_SKIP_VERIFY` | 1.0.0 | bool | Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. | false | `OC_KEYCLOAK_USER_REALM` | 1.0.0 | string | The realm users are defined. | | `OC_LDAP_BIND_DN` | 1.0.0 | string | LDAP DN to use for simple bind authentication with the target LDAP server. | uid=reva,ou=sysusers,o=libregraph-idm | `OC_LDAP_BIND_PASSWORD` | 1.0.0 | string | Password to use for authenticating the 'bind_dn'. | | -`OC_LDAP_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm. | /var/lib/opencloud/idm/ldap.crt | +`OC_LDAP_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm. | /home/chaser/.opencloud/idm/ldap.crt | `OC_LDAP_DISABLED_USERS_GROUP_DN` | 1.0.0 | string | The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. 
| cn=DisabledUsersGroup,ou=groups,o=libregraph-idm | `OC_LDAP_DISABLE_USER_MECHANISM` | 1.0.0 | string | An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. | attribute | `OC_LDAP_GROUP_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP groups. | ou=groups,o=libregraph-idm | `OC_LDAP_GROUP_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for group searches. | | -`OC_LDAP_GROUP_OBJECTCLASS` | 1.0.0 | string | The object class to use for groups in the default group search filter ('groupOfNames'). | groupOfNames | +`OC_LDAP_GROUP_OBJECTCLASS` | 1.0.0 | string | The object class to use for groups in the default group search filter like 'groupOfNames'. | groupOfNames | `OC_LDAP_GROUP_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). | cn | `OC_LDAP_GROUP_SCHEMA_GROUPNAME` | 1.0.0 | string | LDAP Attribute to use for the name of groups. | cn | -`OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID). | openCloudUUID | -`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs. | false | +`OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID. | openclouduuid | +`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. 
This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's. | false | `OC_LDAP_GROUP_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of groups (can be empty). | mail | `OC_LDAP_GROUP_SCHEMA_MEMBER` | 1.0.0 | string | LDAP Attribute that is used for group members. | member | `OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'. | sub | 
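Review bot: the new description of `OC_INSECURE`, `Whether to verify the server TLS certificates.`, inverts the meaning of a flag named INSECURE whose default is `false`: an admin who sets it to `true` to get verification would actually be disabling it, and the newly added `OC_EVENTS_TLS_INSECURE` uses the same inverted wording. Both should say something like `Whether to skip verification of the server TLS certificates.` Also in this hunk: `OC_LDAP_CACERT` now shows a developer's home directory, `/home/chaser/.opencloud/idm/ldap.crt`, as the default instead of the previous `/var/lib/opencloud/idm/ldap.crt`, so the docs generator was run with a local `OC_BASE_DATA_PATH`; `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` refers to the service-specific `STORAGE_USERS_EVENTS_TLS_INSECURE` (previously `POLICIES_EVENTS_TLS_INSECURE`) in a global table where `OC_EVENTS_TLS_INSECURE` is meant; `OC_GRPC_PROTOCOL` introduces the typo `GPRC`; and `OC_EDITION` is dropped without mention. The default changes for `OC_CACHE_STORE`, `OC_CACHE_DATABASE` (`storage-users`), `OC_CACHE_TTL`, `OC_CORS_ALLOW_ORIGINS` (`[*]` to `[https://localhost:9200]`) and `OC_CORS_ALLOW_CREDENTIALS` (`true` to `false`) look like the table being generated from a different service's defaults rather than a behavioural change; the commit message should say which, since a reader will otherwise read them as a CORS tightening.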
@@ -61,23 +61,20 @@ `OC_LDAP_SERVER_WRITE_ENABLED` | 1.0.0 | bool | Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables). | true | `OC_LDAP_URI` | 1.0.0 | string | URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' | ldaps://localhost:9235 | `OC_LDAP_USER_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP users. | ou=users,o=libregraph-idm | -`OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP attribute to use as a flag telling if the user is enabled or disabled. | openCloudUserEnabled | +`OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP attribute to use as a flag telling if the user is enabled or disabled. | openclouduserenabled | `OC_LDAP_USER_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'. | | -`OC_LDAP_USER_OBJECTCLASS` | 1.0.0 | string | The object class to use for users in the default user search filter ('inetOrgPerson'). | inetOrgPerson | +`OC_LDAP_USER_OBJECTCLASS` | 1.0.0 | string | The object class to use for users in the default user search filter like 'inetOrgPerson'. | inetOrgPerson | `OC_LDAP_USER_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of users. | displayname | -`OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID. | openCloudUUID | -`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs. | false | +`OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique ID for users. 
This should be a stable globally unique ID like a UUID. | openclouduuid | +`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's. | false | `OC_LDAP_USER_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of users. | mail | `OC_LDAP_USER_SCHEMA_TENANT_ID` | 4.0.0 | string | LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment. | | `OC_LDAP_USER_SCHEMA_USERNAME` | 1.0.0 | string | LDAP Attribute to use for username of users. | uid | `OC_LDAP_USER_SCHEMA_USER_TYPE` | 1.0.0 | string | LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'. | openCloudUserType | `OC_LDAP_USER_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'. | sub | -`OC_LOG_COLOR` | 1.0.0 | bool | Activates colorized log output. | false | -`OC_LOG_FILE` | 1.0.0 | string | The path to the log file. Activates logging to this file if set. | | -`OC_LOG_LEVEL` | 1.0.0 | string | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. | | -`OC_LOG_PRETTY` | 1.0.0 | bool | Activates pretty log output. | false | -`OC_MACHINE_AUTH_API_KEY` | 1.0.0 | string | Machine auth API key used to validate internal requests necessary to access resources from other services. | | -`OC_MAX_CONCURRENCY` | 1.0.0 | int | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 | +`OC_LOG_LEVEL` | 1.0.0 | string | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. 
| error | +`OC_MACHINE_AUTH_API_KEY` | 1.0.0 | string | Machine auth API key used to validate internal requests necessary for the access to resources from other services. | | +`OC_MAX_CONCURRENCY` | 1.0.0 | int | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 5 | `OC_OIDC_ISSUER` | 1.0.0 | string | The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider. | https://localhost:9200 | `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` | 1.0.0 | string | Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details. | | `OC_PASSWORD_POLICY_DISABLED` | 1.0.0 | bool | Disable the password policy. Defaults to false if not set. | false | 
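Review bot: this hunk silently drops `OC_LOG_COLOR`, `OC_LOG_FILE` and `OC_LOG_PRETTY` from the global table while keeping `OC_LOG_LEVEL`; these are the `OC_*` counterparts of the per-service `*_LOG_*` variables that the other tables in this patch still list, so the removal looks like a generator artifact rather than a deprecation, and either the rows should be restored or the commit message should state that they were removed on purpose. Smaller points: the defaults of `OC_LDAP_USER_SCHEMA_ID` and `OC_LDAP_USER_ENABLED_ATTRIBUTE` are lowercased to `openclouduuid` / `openclouduserenabled` while `OC_LDAP_USER_SCHEMA_USER_TYPE` two rows below keeps `openCloudUserType`, so the casing should go one way for all three; `user ID's` should be `user IDs`; and `OC_MAX_CONCURRENCY` moving from `1` to `5` and `OC_LOG_LEVEL` gaining the default `error` are default changes that deserve a line in the commit message if they are real.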
@@ -86,28 +83,28 @@ `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` | 1.0.0 | int | Define the minimum number of uppercase letters. Defaults to 1 if not set. | 1 | `OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` | 1.0.0 | int | Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set. | 1 | `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` | 1.0.0 | int | Define the minimum number of lowercase letters. Defaults to 1 if not set. | 1 | -`OC_PERSISTENT_STORE` | 1.0.0 | string | The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | nats-js-kv | +`OC_PERSISTENT_STORE` | 1.0.0 | string | The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details. | nats-js-kv | `OC_PERSISTENT_STORE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | `OC_PERSISTENT_STORE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | `OC_PERSISTENT_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] | -`OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for events in the store. See the Environment Variable Types description for more details. | 0s | -`OC_REVA_GATEWAY` | 1.0.0 | string | CS3 gateway used to look up user metadata | eu.opencloud.api.gateway | +`OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details. 
| 336h0m0s | +`OC_REVA_GATEWAY` | 1.0.0 | string | The CS3 gateway endpoint. | eu.opencloud.api.gateway | `OC_SERVICE_ACCOUNT_ID` | 1.0.0 | string | The ID of the service account the service should use. See the 'auth-service' service description for more details. | | `OC_SERVICE_ACCOUNT_SECRET` | 1.0.0 | string | The service account secret. | | `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords on all public shares. | true | -`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service. | false | +`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords for writable shares. Only effective if the setting for 'passwords on all public shares' is set to false. | false | `OC_SHOW_USER_EMAIL_IN_RESULTS` | 1.0.0 | bool | Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses. | false | `OC_SPACES_MAX_QUOTA` | 1.0.0 | uint64 | Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service. | 0 | `OC_SYSTEM_USER_API_KEY` | 1.0.0 | string | API key for the STORAGE-SYSTEM system user. | | `OC_SYSTEM_USER_ID` | 1.0.0 | string | ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. 
| | `OC_SYSTEM_USER_IDP` | 1.0.0 | string | IDP of the OpenCloud STORAGE-SYSTEM system user. | internal | -`OC_TRANSFER_SECRET` | 1.0.0 | string | The storage transfer secret. | | +`OC_TRANSFER_SECRET` | 1.0.0 | string | Transfer secret for signing file up- and download requests. | | `OC_TRANSLATION_PATH` | 1.0.0 | string | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. | | -`OC_URL` | 1.0.0 | string | The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider. | https://localhost:9200 | -`OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. | false | +`OC_URL` | 1.0.0 | string | The public facing URL of the OpenCloud Web UI, used e.g. when sending notification eMails | https://localhost:9200 | +`OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable the chat functionality of the office app. | false | `SEARCH_EVENTS_ACK_WAIT` | 4.0.0 | Duration | The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes. | 1m0s | -`SEARCH_EVENTS_MAX_ACK_PENDING` | 4.0.0 | int | The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time. | 10000 | -`STORAGE_GATEWAY_GRPC_ADDR` | 1.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system | -`STORAGE_GRPC_ADDR` | 1.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system | +`SEARCH_EVENTS_MAX_ACK_PENDING` | 4.0.0 | int | The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time. | 1000 | +`STORAGE_GATEWAY_GRPC_ADDR` | 4.0.0 | string | GRPC address of the STORAGE-SYSTEM service. 
| eu.opencloud.api.storage-system | +`STORAGE_GRPC_ADDR` | 4.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system | `STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY` | 1.0.0 | Duration | The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details. | 0s | `STORAGE_USERS_PERMISSION_ENDPOINT` | 1.0.0 | string | Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'. | eu.opencloud.api.settings | \ No newline at end of file diff --git a/static/env-vars/graph-config-example.yaml b/static/env-vars/graph-config-example.yaml new file mode 100644 index 00000000..38a2991a --- /dev/null +++ b/static/env-vars/graph-config-example.yaml 
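Review bot: The retyped `STORAGE_GATEWAY_GRPC_ADDR` and `STORAGE_GRPC_ADDR` rows in the `@@ -86,28 +83,28 @@` hunk change the Introduction Version from 1.0.0 to 4.0.0 while description and default stay identical; if these variables have existed since 1.0.0 the new version is wrong, and if a service only gained them in 4.0.0 the global table is now recording one service's version for a shared name. Please confirm which and say so in the commit message. Two more points in the same hunk: the regenerated `OC_PERSISTENT_STORE_TTL` row now reads "Time to live for notifications in the store" with a default of 336h0m0s, but an `OC_*` variable is shared across services, so a service-specific noun and a single default mislead unless every consumer of this name agrees on them. And in the unchanged context, `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` is described as "the minimum number of uppercase letters" while `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` is described as "the minimum number of lowercase letters"; the two descriptions are swapped and, since this table is autogenerated, should be fixed in the source description strings rather than here. Finally, `SEARCH_EVENTS_MAX_ACK_PENDING` dropping from 10000 to 1000 is a behaviour change that needs a changelog entry if it reflects a code change, or a revert if it does not.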
@@ -0,0 +1,160 @@ +# Autogenerated +# Filename: graph-config-example.yaml + +loglevel: error +cache: + store: memory + nodes: + - 127.0.0.1:9233 + database: cache-roles + table: "" + ttl: 336h0m0s + disable_persistence: false + username: "" + password: "" +debug: + addr: 127.0.0.1:9124 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9120 + root: /graph + tls: + enabled: false + cert: "" + key: "" + apitoken: "" + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Purge + - Restore + allow_credentials: true +api: + group_members_patch_limit: 20 + graph_username_match: default + graph_assign_default_user_role: true + graph_identity_search_min_length: 3 + show_email_in_results: false +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +token_manager: + jwt_secret: "" +grpc_client_tls: null +application: + id: "" + displayname: OpenCloud +spaces: + webdav_base: https://localhost:9200 + webdav_path: /dav/spaces/ + default_quota: "1000000000" + extended_space_properties_cache_ttl: 60000000000 + users_cache_ttl: 60000000000 + groups_cache_ttl: 60000000000 + storage_users_address: eu.opencloud.api.storage-users + default_language: "" + translation_path: "" +identity: + backend: ldap + ldap: + uri: ldaps://localhost:9235 + cacert: /home/chaser/.opencloud/idm/ldap.crt + insecure: false + bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm + bind_password: "" + use_server_uuid: false + use_password_modify_exop: true + write_enabled: true + refint_enabled: false + user_base_dn: ou=users,o=libregraph-idm + user_search_scope: sub + user_filter: "" + user_objectclass: inetOrgPerson + user_mail_attribute: mail + user_displayname_attribute: displayName + user_name_attribute: uid + user_id_attribute: openCloudUUID + user_id_is_octet_string: false + user_type_attribute: 
openCloudUserType + user_enabled_attribute: openCloudUserEnabled + disable_user_mechanism: attribute + ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + group_create_base_dn: ou=groups,o=libregraph-idm + group_search_scope: sub + group_filter: "" + group_objectclass: groupOfNames + group_name_attribute: cn + group_member_attribute: member + group_id_attribute: openCloudUUID + group_id_is_octet_string: false + education_resources_enabled: false + educationconfig: + school_base_dn: "" + school_search_scope: "" + school_filter: "" + school_objectclass: "" + school_name_attribute: "" + school_number_attribute: "" + school_id_attribute: "" + school_termination_min_grace_days: 0 +include_ocm_sharees: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +unified_roles: + available_roles: + - b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 + - a8d5fe5e-96e3-418d-825b-534dbdf22b99 + - fb6c3e19-e378-47e5-b277-9732f9de6e21 + - 58c63c02-1d89-4572-916a-870abc5a1b7d + - 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a + - 1c996275-f1c9-4e71-abdf-a42f6495e960 + - 312c0871-5ef7-4b3a-85b6-0e4074c64049 +max_concurrency: 20 +keycloak: + base_path: "" + client_id: "" + client_secret: "" + client_realm: "" + user_realm: "" + insecure_skip_verify: false +service_account: + service_account_id: "" + service_account_secret: "" +metadata_config: + gateway_addr: eu.opencloud.api.storage-system + storage_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" +user_soft_delete_retention_time: 0s +store: + nodes: + - 127.0.0.1:9233 + database: graph + username: "" + password: "" diff --git a/static/env-vars/graph_configvars.md b/static/env-vars/graph_configvars.md index 6d208dd8..a1d4ab58 100644 --- a/static/env-vars/graph_configvars.md 
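Review bot: `identity.ldap.cacert` in the new graph-config-example.yaml is `/home/chaser/.opencloud/idm/ldap.crt`, a developer's home directory that leaked from the environment the generator ran in; the matching `OC_LDAP_CACERT` row in graph_configvars.md documents `/var/lib/opencloud/idm/ldap.crt`, so the example should be regenerated with a clean `OC_BASE_DATA_PATH` before merging. Second, the example ships `http.cors.allow_origins: ['*']` together with `http.cors.allow_credentials: true`. Browsers refuse `Access-Control-Allow-Origin: *` on credentialed requests, so this pair either does nothing for cross-origin clients or, if the service echoes the request Origin to satisfy it, grants any site credentialed access to the graph API; the example should show the deployment's own origin, or a comment should state that the wildcard must be narrowed in production. Third, `spaces.extended_space_properties_cache_ttl`, `users_cache_ttl` and `groups_cache_ttl` are 60000000000 while the corresponding md rows call them "Max TTL in seconds"; that value is 60 s only if the unit is nanoseconds, so either the unit in the description or the value in the example is wrong.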
+++ b/static/env-vars/graph_configvars.md @@ -1,119 +1,116 @@ Environment variables for the **graph** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`GRAPH_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`GRAPH_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`GRAPH_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`GRAPH_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`OC_CACHE_STORE`
`GRAPH_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| -|`OC_CACHE_STORE_NODES`
`GRAPH_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`GRAPH_CACHE_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-roles`| -|`GRAPH_CACHE_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| -|`OC_CACHE_TTL`
`GRAPH_CACHE_TTL`| 1.0.0 |Duration|`Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`GRAPH_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| -|`OC_CACHE_AUTH_USERNAME`
`GRAPH_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`GRAPH_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| -|`GRAPH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9124`| -|`GRAPH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`GRAPH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`GRAPH_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`GRAPH_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9120`| -|`GRAPH_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/graph`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`GRAPH_HTTP_API_TOKEN`| 1.0.0 |string|`An optional API bearer token`|``| -|`OC_CORS_ALLOW_ORIGINS`
`GRAPH_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| -|`OC_CORS_ALLOW_METHODS`
`GRAPH_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| -|`OC_CORS_ALLOW_HEADERS`
`GRAPH_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`GRAPH_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| -|`GRAPH_GROUP_MEMBERS_PATCH_LIMIT`| 1.0.0 |int|`The amount of group members allowed to be added with a single patch request.`|`20`| -|`GRAPH_USERNAME_MATCH`| 1.0.0 |string|`Apply restrictions to usernames. Supported values are 'default' and 'none'. When set to 'default', user names must not start with a number and are restricted to ASCII characters. When set to 'none', no restrictions are applied. The default value is 'default'.`|`default`| -|`GRAPH_ASSIGN_DEFAULT_USER_ROLE`| 1.0.0 |bool|`Whether to assign newly created users the default role 'User'. Set this to 'false' if you want to assign roles manually, or if the role assignment should happen at first login. Set this to 'true' (the default) to assign the role 'User' when creating a new user.`|`true`| -|`GRAPH_IDENTITY_SEARCH_MIN_LENGTH`| 1.0.0 |int|`The minimum length the search term needs to have for unprivileged users when searching for users or groups.`|`3`| -|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|`Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.`|`false`| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OC_JWT_SECRET`
`GRAPH_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`GRAPH_APPLICATION_ID`| 1.0.0 |string|`The OpenCloud application ID shown in the graph. All app roles are tied to this ID.`|``| -|`GRAPH_APPLICATION_DISPLAYNAME`| 1.0.0 |string|`The OpenCloud application name.`|`OpenCloud`| -|`OC_URL`
`GRAPH_SPACES_WEBDAV_BASE`| 1.0.0 |string|`The public facing URL of WebDAV.`|`https://localhost:9200`| -|`GRAPH_SPACES_WEBDAV_PATH`| 1.0.0 |string|`The WebDAV sub-path for spaces.`|`/dav/spaces/`| -|`GRAPH_SPACES_DEFAULT_QUOTA`| 1.0.0 |string|`The default quota in bytes.`|`1000000000`| -|`GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces property cache.`|`60000000000`| -|`GRAPH_SPACES_USERS_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces users cache.`|`60000000000`| -|`GRAPH_SPACES_GROUPS_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces groups cache.`|`60000000000`| -|`GRAPH_SPACES_STORAGE_USERS_ADDRESS`| 1.0.0 |string|`The address of the storage-users service.`|`eu.opencloud.api.storage-users`| -|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| -|`OC_TRANSLATION_PATH`
`GRAPH_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| -|`GRAPH_IDENTITY_BACKEND`| 1.0.0 |string|`The user identity backend to use. Supported backend types are 'ldap' and 'cs3'.`|`ldap`| -|`OC_LDAP_URI`
`GRAPH_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldaps://localhost:9235`| -|`OC_LDAP_CACERT`
`GRAPH_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/var/lib/opencloud/idm/ldap.crt`| -|`OC_LDAP_INSECURE`
`GRAPH_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| -|`OC_LDAP_BIND_DN`
`GRAPH_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=libregraph,ou=sysusers,o=libregraph-idm`| -|`OC_LDAP_BIND_PASSWORD`
`GRAPH_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| -|`GRAPH_LDAP_SERVER_UUID`| 1.0.0 |bool|`If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.`|`false`| -|`GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP`| 1.0.0 |bool|`Use the 'Password Modify Extended Operation' for updating user passwords.`|`true`| -|`OC_LDAP_SERVER_WRITE_ENABLED`
`GRAPH_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|`Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).`|`true`| -|`GRAPH_LDAP_REFINT_ENABLED`| 1.0.0 |bool|`Signals that the server has the refint plugin enabled, which makes some actions not needed.`|`false`| -|`OC_LDAP_USER_BASE_DN`
`GRAPH_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| -|`OC_LDAP_USER_SCOPE`
`GRAPH_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| -|`OC_LDAP_USER_FILTER`
`GRAPH_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| -|`OC_LDAP_USER_OBJECTCLASS`
`GRAPH_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|`inetOrgPerson`| -|`OC_LDAP_USER_SCHEMA_MAIL`
`GRAPH_LDAP_USER_EMAIL_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| -|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the display name of users.`|`displayName`| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`GRAPH_LDAP_USER_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| -|`OC_LDAP_USER_SCHEMA_ID`
`GRAPH_LDAP_USER_UID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| -|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|`false`| -|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`GRAPH_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.`|`openCloudUserType`| -|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`GRAPH_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as a flag telling if the user is enabled or disabled.`|`openCloudUserEnabled`| -|`OC_LDAP_DISABLE_USER_MECHANISM`
`GRAPH_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'.`|`attribute`| -|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`GRAPH_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|`cn=DisabledUsersGroup,ou=groups,o=libregraph-idm`| -|`OC_LDAP_GROUP_BASE_DN`
`GRAPH_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| -|`GRAPH_LDAP_GROUP_CREATE_BASE_DN`| 1.0.0 |string|`Parent DN under which new groups are created. This DN needs to be subordinate to the 'GRAPH_LDAP_GROUP_BASE_DN'. This setting is only relevant when 'GRAPH_LDAP_SERVER_WRITE_ENABLED' is 'true'. It defaults to the value of 'GRAPH_LDAP_GROUP_BASE_DN'. All groups outside of this subtree are treated as readonly groups and cannot be updated.`|`ou=groups,o=libregraph-idm`| -|`OC_LDAP_GROUP_SCOPE`
`GRAPH_LDAP_GROUP_SEARCH_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| -|`OC_LDAP_GROUP_FILTER`
`GRAPH_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| -|`OC_LDAP_GROUP_OBJECTCLASS`
`GRAPH_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|`groupOfNames`| -|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GRAPH_LDAP_GROUP_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| -|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| -|`OC_LDAP_GROUP_SCHEMA_ID`
`GRAPH_LDAP_GROUP_ID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| -|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|`false`| -|`GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED`| 1.0.0 |bool|`Enable LDAP support for managing education related resources.`|`false`| -|`GRAPH_LDAP_SCHOOL_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP schools.`|``| -|`GRAPH_LDAP_SCHOOL_SEARCH_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up schools. Supported scopes are 'base', 'one' and 'sub'.`|``| -|`GRAPH_LDAP_SCHOOL_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for school searches.`|``| -|`GRAPH_LDAP_SCHOOL_OBJECTCLASS`| 1.0.0 |string|`The object class to use for schools in the default school search filter.`|``| -|`GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the name of a school.`|``| -|`GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the number of a school.`|``| -|`GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.`|``| -|`GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS`| 1.0.0 |int|`When setting a 'terminationDate' for a school, require the date to be at least this number of days in the future.`|`0`| -|`OC_ENABLE_OCM`
`GRAPH_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing users.`|`false`| -|`OC_EVENTS_ENDPOINT`
`GRAPH_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`GRAPH_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`opencloud-cluster`| -|`OC_INSECURE`
`GRAPH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`GRAPH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`GRAPH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`GRAPH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`GRAPH_AVAILABLE_ROLES`| 1.0.0 |[]string|`A comma separated list of roles that are available for assignment.`|`[b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049]`| -|`OC_MAX_CONCURRENCY`
`GRAPH_MAX_CONCURRENCY`| 1.0.0 |int|`The maximum number of concurrent requests the service will handle.`|`20`| -|`OC_KEYCLOAK_BASE_PATH`
`GRAPH_KEYCLOAK_BASE_PATH`| 1.0.0 |string|`The URL to access keycloak.`|``| -|`OC_KEYCLOAK_CLIENT_ID`
`GRAPH_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|`The client id to authenticate with keycloak.`|``| -|`OC_KEYCLOAK_CLIENT_SECRET`
`GRAPH_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|`The client secret to use in authentication.`|``| -|`OC_KEYCLOAK_CLIENT_REALM`
`GRAPH_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|`The realm the client is defined in.`|``| -|`OC_KEYCLOAK_USER_REALM`
`GRAPH_KEYCLOAK_USER_REALM`| 1.0.0 |string|`The realm users are defined.`|``| -|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|`Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.`|`false`| -|`OC_SERVICE_ACCOUNT_ID`
`GRAPH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`GRAPH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| -|`GRAPH_STORAGE_GATEWAY_GRPC_ADDR`
`STORAGE_GATEWAY_GRPC_ADDR`| 4.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| -|`GRAPH_STORAGE_GRPC_ADDR`
`STORAGE_GRPC_ADDR`| 4.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| -|`OC_SYSTEM_USER_ID`
`GRAPH_SYSTEM_USER_ID`| 4.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| -|`OC_SYSTEM_USER_IDP`
`GRAPH_SYSTEM_USER_IDP`| 4.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| -|`OC_SYSTEM_USER_API_KEY`| 4.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| -|`GRAPH_USER_SOFT_DELETE_RETENTION_TIME`| 4.0.0 |Duration|`The time after which a soft-deleted user is permanently deleted. If set to 0 (default), there is no soft delete retention time and users are deleted immediately after being soft-deleted. If set to a positive value, the user will be kept in the system for that duration before being permanently deleted.`|`0s`| -|`OC_PERSISTENT_STORE_NODES`
`GRAPH_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`GRAPH_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`graph`| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`GRAPH_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`GRAPH_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`GRAPH_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`OC_CACHE_STORE`
`GRAPH_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|memory| +|`OC_CACHE_STORE_NODES`
`GRAPH_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`GRAPH_CACHE_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|cache-roles| +|`GRAPH_CACHE_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|| +|`OC_CACHE_TTL`
`GRAPH_CACHE_TTL`| 1.0.0 |Duration|`Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|336h0m0s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`GRAPH_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|false| +|`OC_CACHE_AUTH_USERNAME`
`GRAPH_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`GRAPH_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|| +|`GRAPH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9124| +|`GRAPH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`GRAPH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`GRAPH_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`GRAPH_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9120| +|`GRAPH_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/graph| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`GRAPH_HTTP_API_TOKEN`| 1.0.0 |string|`An optional API bearer token`|| +|`OC_CORS_ALLOW_ORIGINS`
`GRAPH_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[*]| +|`OC_CORS_ALLOW_METHODS`
`GRAPH_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[GET POST PUT PATCH DELETE OPTIONS]| +|`OC_CORS_ALLOW_HEADERS`
`GRAPH_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore]| +|`OC_CORS_ALLOW_CREDENTIALS`
`GRAPH_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|true| +|`GRAPH_GROUP_MEMBERS_PATCH_LIMIT`| 1.0.0 |int|`The amount of group members allowed to be added with a single patch request.`|20| +|`GRAPH_USERNAME_MATCH`| 1.0.0 |string|`Apply restrictions to usernames. Supported values are 'default' and 'none'. When set to 'default', user names must not start with a number and are restricted to ASCII characters. When set to 'none', no restrictions are applied. The default value is 'default'.`|default| +|`GRAPH_ASSIGN_DEFAULT_USER_ROLE`| 1.0.0 |bool|`Whether to assign newly created users the default role 'User'. Set this to 'false' if you want to assign roles manually, or if the role assignment should happen at first login. Set this to 'true' (the default) to assign the role 'User' when creating a new user.`|true| +|`GRAPH_IDENTITY_SEARCH_MIN_LENGTH`| 1.0.0 |int|`The minimum length the search term needs to have for unprivileged users when searching for users or groups.`|3| +|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|`Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.`|false| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OC_JWT_SECRET`
`GRAPH_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`GRAPH_APPLICATION_ID`| 1.0.0 |string|`The OpenCloud application ID shown in the graph. All app roles are tied to this ID.`|| +|`GRAPH_APPLICATION_DISPLAYNAME`| 1.0.0 |string|`The OpenCloud application name.`|OpenCloud| +|`OC_URL`
`GRAPH_SPACES_WEBDAV_BASE`| 1.0.0 |string|`The public facing URL of WebDAV.`|https://localhost:9200| +|`GRAPH_SPACES_WEBDAV_PATH`| 1.0.0 |string|`The WebDAV sub-path for spaces.`|/dav/spaces/| +|`GRAPH_SPACES_DEFAULT_QUOTA`| 1.0.0 |string|`The default quota in bytes.`|1000000000| +|`GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces property cache.`|60000000000| +|`GRAPH_SPACES_USERS_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces users cache.`|60000000000| +|`GRAPH_SPACES_GROUPS_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces groups cache.`|60000000000| +|`GRAPH_SPACES_STORAGE_USERS_ADDRESS`| 1.0.0 |string|`The address of the storage-users service.`|eu.opencloud.api.storage-users| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|| +|`OC_TRANSLATION_PATH`
`GRAPH_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|| +|`GRAPH_IDENTITY_BACKEND`| 1.0.0 |string|`The user identity backend to use. Supported backend types are 'ldap' and 'cs3'.`|ldap| +|`OC_LDAP_URI`
`GRAPH_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|ldaps://localhost:9235| +|`OC_LDAP_CACERT`
`GRAPH_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|/home/chaser/.opencloud/idm/ldap.crt| +|`OC_LDAP_INSECURE`
`GRAPH_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|false| +|`OC_LDAP_BIND_DN`
`GRAPH_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|uid=libregraph,ou=sysusers,o=libregraph-idm| +|`OC_LDAP_BIND_PASSWORD`
`GRAPH_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|| +|`GRAPH_LDAP_SERVER_UUID`| 1.0.0 |bool|`If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.`|false| +|`GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP`| 1.0.0 |bool|`Use the 'Password Modify Extended Operation' for updating user passwords.`|true| +|`OC_LDAP_SERVER_WRITE_ENABLED`
`GRAPH_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|`Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).`|true| +|`GRAPH_LDAP_REFINT_ENABLED`| 1.0.0 |bool|`Signals that the server has the refint plugin enabled, which makes some actions not needed.`|false| +|`OC_LDAP_USER_BASE_DN`
`GRAPH_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|ou=users,o=libregraph-idm| +|`OC_LDAP_USER_SCOPE`
`GRAPH_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|sub| +|`OC_LDAP_USER_FILTER`
`GRAPH_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|| +|`OC_LDAP_USER_OBJECTCLASS`
`GRAPH_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|inetOrgPerson| +|`OC_LDAP_USER_SCHEMA_MAIL`
`GRAPH_LDAP_USER_EMAIL_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|mail| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the display name of users.`|displayName| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`GRAPH_LDAP_USER_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|uid| +|`OC_LDAP_USER_SCHEMA_ID`
`GRAPH_LDAP_USER_UID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|openCloudUUID| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|false| +|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`GRAPH_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.`|openCloudUserType| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`GRAPH_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as a flag telling if the user is enabled or disabled.`|openCloudUserEnabled| +|`OC_LDAP_DISABLE_USER_MECHANISM`
`GRAPH_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'.`|attribute| +|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`GRAPH_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|cn=DisabledUsersGroup,ou=groups,o=libregraph-idm| +|`OC_LDAP_GROUP_BASE_DN`
`GRAPH_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|ou=groups,o=libregraph-idm| +|`GRAPH_LDAP_GROUP_CREATE_BASE_DN`| 1.0.0 |string|`Parent DN under which new groups are created. This DN needs to be subordinate to the 'GRAPH_LDAP_GROUP_BASE_DN'. This setting is only relevant when 'GRAPH_LDAP_SERVER_WRITE_ENABLED' is 'true'. It defaults to the value of 'GRAPH_LDAP_GROUP_BASE_DN'. All groups outside of this subtree are treated as readonly groups and cannot be updated.`|ou=groups,o=libregraph-idm| +|`OC_LDAP_GROUP_SCOPE`
`GRAPH_LDAP_GROUP_SEARCH_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.`|sub| +|`OC_LDAP_GROUP_FILTER`
`GRAPH_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|| +|`OC_LDAP_GROUP_OBJECTCLASS`
`GRAPH_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|groupOfNames| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GRAPH_LDAP_GROUP_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|cn| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|member| +|`OC_LDAP_GROUP_SCHEMA_ID`
`GRAPH_LDAP_GROUP_ID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.`|openCloudUUID| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|false| +|`GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED`| 1.0.0 |bool|`Enable LDAP support for managing education related resources.`|false| +|`GRAPH_LDAP_SCHOOL_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP schools.`|| +|`GRAPH_LDAP_SCHOOL_SEARCH_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up schools. Supported scopes are 'base', 'one' and 'sub'.`|| +|`GRAPH_LDAP_SCHOOL_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for school searches.`|| +|`GRAPH_LDAP_SCHOOL_OBJECTCLASS`| 1.0.0 |string|`The object class to use for schools in the default school search filter.`|| +|`GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the name of a school.`|| +|`GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the number of a school.`|| +|`GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.`|| +|`GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS`| 1.0.0 |int|`When setting a 'terminationDate' for a school, require the date to be at least this number of days in the future.`|0| +|`OC_ENABLE_OCM`
`GRAPH_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing users.`|false| +|`OC_EVENTS_ENDPOINT`
`GRAPH_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`GRAPH_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`GRAPH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`GRAPH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`GRAPH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`GRAPH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`GRAPH_AVAILABLE_ROLES`| 1.0.0 |[]string|`A comma separated list of roles that are available for assignment.`|[b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049]| +|`OC_MAX_CONCURRENCY`
`GRAPH_MAX_CONCURRENCY`| 1.0.0 |int|`The maximum number of concurrent requests the service will handle.`|20| +|`OC_KEYCLOAK_BASE_PATH`
`GRAPH_KEYCLOAK_BASE_PATH`| 1.0.0 |string|`The URL to access keycloak.`|| +|`OC_KEYCLOAK_CLIENT_ID`
`GRAPH_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|`The client id to authenticate with keycloak.`|| +|`OC_KEYCLOAK_CLIENT_SECRET`
`GRAPH_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|`The client secret to use in authentication.`|| +|`OC_KEYCLOAK_CLIENT_REALM`
`GRAPH_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|`The realm the client is defined in.`|| +|`OC_KEYCLOAK_USER_REALM`
`GRAPH_KEYCLOAK_USER_REALM`| 1.0.0 |string|`The realm users are defined.`|| +|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|`Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.`|false| +|`OC_SERVICE_ACCOUNT_ID`
`GRAPH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`GRAPH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| +|`GRAPH_STORAGE_GATEWAY_GRPC_ADDR`
`STORAGE_GATEWAY_GRPC_ADDR`| 4.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|eu.opencloud.api.storage-system| +|`GRAPH_STORAGE_GRPC_ADDR`
`STORAGE_GRPC_ADDR`| 4.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|eu.opencloud.api.storage-system| +|`OC_SYSTEM_USER_ID`
`GRAPH_SYSTEM_USER_ID`| 4.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|| +|`OC_SYSTEM_USER_IDP`
`GRAPH_SYSTEM_USER_IDP`| 4.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|internal| +|`OC_SYSTEM_USER_API_KEY`| 4.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|| +|`GRAPH_USER_SOFT_DELETE_RETENTION_TIME`| 4.0.0 |Duration|`The time after which a soft-deleted user is permanently deleted. If set to 0 (default), there is no soft delete retention time and users are deleted immediately after being soft-deleted. If set to a positive value, the user will be kept in the system for that duration before being permanently deleted.`|0s| +|`OC_PERSISTENT_STORE_NODES`
`GRAPH_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`GRAPH_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|graph| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`GRAPH_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`GRAPH_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| diff --git a/static/env-vars/graph_readme.md b/static/env-vars/graph_readme.md index e0ce237e..6c24fbc3 100644 --- a/static/env-vars/graph_readme.md +++ b/static/env-vars/graph_readme.md @@ -1,6 +1,6 @@ --- title: Graph -date: 2025-11-27T22:56:02.332815+01:00 +date: 2026-01-13T10:10:18.222342223+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/graph diff --git a/static/env-vars/groups-config-example.yaml b/static/env-vars/groups-config-example.yaml new file mode 100644 index 00000000..ddcb8791 --- /dev/null +++ b/static/env-vars/groups-config-example.yaml 
@@ -0,0 +1,63 @@ +# Autogenerated +# Filename: groups-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9161 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9160 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +driver: ldap +drivers: + ldap: + uri: ldaps://localhost:9235 + ca_cert: /home/chaser/.opencloud/idm/ldap.crt + insecure: false + bind_dn: uid=reva,ou=sysusers,o=libregraph-idm + bind_password: "" + user_base_dn: ou=users,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + user_scope: sub + group_scope: sub + group_substring_filter_type: any + user_filter: "" + group_filter: "" + user_object_class: inetOrgPerson + group_object_class: groupOfNames + idp: https://localhost:9200 + user_schema: + id: openCloudUUID + id_is_octet_string: false + mail: mail + display_name: displayname + user_name: uid + group_schema: + id: openCloudUUID + id_is_octet_string: false + mail: mail + display_name: cn + group_name: cn + member: member + owncloudsql: + db_username: owncloud + db_password: "" + db_host: mysql + db_port: 3306 + db_name: owncloud + idp: https://localhost:9200 + nobody: 90 + join_username: false + join_owncloud_uuid: false + enable_medial_search: false diff --git a/static/env-vars/groups_configvars.md b/static/env-vars/groups_configvars.md index 5b889d21..a626090f 100644 --- a/static/env-vars/groups_configvars.md +++ b/static/env-vars/groups_configvars.md @@ -1,56 +1,53 @@ Environment variables for the **groups** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`GROUPS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`GROUPS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`GROUPS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`GROUPS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`GROUPS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9161`| -|`GROUPS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`GROUPS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`GROUPS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`GROUPS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9160`| -|`OC_GRPC_PROTOCOL`
`GROUPS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`GROUPS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`GROUPS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`GROUPS_DRIVER`| 1.0.0 |string|`The driver which should be used by the groups service. Supported values are 'ldap' and 'owncloudsql'.`|`ldap`| -|`OC_LDAP_URI`
`GROUPS_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldaps://localhost:9235`| -|`OC_LDAP_CACERT`
`GROUPS_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/var/lib/opencloud/idm/ldap.crt`| -|`OC_LDAP_INSECURE`
`GROUPS_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| -|`OC_LDAP_BIND_DN`
`GROUPS_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=reva,ou=sysusers,o=libregraph-idm`| -|`OC_LDAP_BIND_PASSWORD`
`GROUPS_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| -|`OC_LDAP_USER_BASE_DN`
`GROUPS_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| -|`OC_LDAP_GROUP_BASE_DN`
`GROUPS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| -|`OC_LDAP_USER_SCOPE`
`GROUPS_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| -|`OC_LDAP_GROUP_SCOPE`
`GROUPS_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| -|`LDAP_GROUP_SUBSTRING_FILTER_TYPE`
`GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|`Type of substring search filter to use for substring searches for groups. Supported values are 'initial', 'final' and 'any'. The value 'initial' is used for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches`|`any`| -|`OC_LDAP_USER_FILTER`
`GROUPS_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| -|`OC_LDAP_GROUP_FILTER`
`GROUPS_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| -|`OC_LDAP_USER_OBJECTCLASS`
`GROUPS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|`inetOrgPerson`| -|`OC_LDAP_GROUP_OBJECTCLASS`
`GROUPS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|`groupOfNames`| -|`OC_URL`
`OC_OIDC_ISSUER`
`GROUPS_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider.`|`https://localhost:9200`| -|`OC_LDAP_USER_SCHEMA_ID`
`GROUPS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.`|`openCloudUUID`| -|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|`false`| -|`OC_LDAP_USER_SCHEMA_MAIL`
`GROUPS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| -|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|`displayname`| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`GROUPS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| -|`OC_LDAP_GROUP_SCHEMA_ID`
`GROUPS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| -|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|`false`| -|`OC_LDAP_GROUP_SCHEMA_MAIL`
`GROUPS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|`mail`| -|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|`cn`| -|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| -|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GROUPS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| -|`GROUPS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|`owncloud`| -|`GROUPS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|``| -|`GROUPS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|`mysql`| -|`GROUPS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|`3306`| -|`GROUPS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|`owncloud`| -|`GROUPS_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| -|`GROUPS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|`90`| -|`GROUPS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames.`|`false`| -|`GROUPS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user IDs.`|`false`| -|`GROUPS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|`Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.`|`false`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`GROUPS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`GROUPS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9161| +|`GROUPS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`GROUPS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`GROUPS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`GROUPS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9160| +|`OC_GRPC_PROTOCOL`
`GROUPS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`GROUPS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`GROUPS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`GROUPS_DRIVER`| 1.0.0 |string|`The driver which should be used by the groups service. Supported values are 'ldap' and 'owncloudsql'.`|ldap| +|`OC_LDAP_URI`
`GROUPS_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|ldaps://localhost:9235| +|`OC_LDAP_CACERT`
`GROUPS_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|/home/chaser/.opencloud/idm/ldap.crt| +|`OC_LDAP_INSECURE`
`GROUPS_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|false| +|`OC_LDAP_BIND_DN`
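Review bot: In the graph_configvars.md hunk the generator has written the author's home directory into a documented default: `GRAPH_LDAP_CACERT` now shows `/home/chaser/.opencloud/idm/ldap.crt`, whereas the removed groups table still carried `/var/lib/opencloud/idm/ldap.crt`. The description itself says the path derives from `$OC_BASE_DATA_PATH/idm`, so either regenerate with the packaging default set or have the generator emit the unresolved `$OC_BASE_DATA_PATH/idm/ldap.crt` so the docs do not depend on who ran the tool. Further points in the same hunk, all originating in the graph service's config annotations and best fixed there before regenerating: `GRAPH_STORAGE_GATEWAY_GRPC_ADDR` and `GRAPH_STORAGE_GRPC_ADDR` carry the identical description `GRPC address of the STORAGE-SYSTEM service.` and the same default, so a reader cannot tell them apart; `OC_EVENTS_TLS_INSECURE` is described as `Whether to verify the server TLS certificates.` although `true` disables verification, so the sentence reads inverted; the three `GRAPH_SPACES_*_CACHE_TTL` rows say `Max TTL in seconds` while the default `60000000000` is a nanosecond duration (60s), so either the unit or the default is wrong; and `OC_HTTP_TLS_ENABLED` has the typo `certifcate`.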
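Review bot: The new groups-config-example.yaml ships `ca_cert: /home/chaser/.opencloud/idm/ldap.crt`, a path that only exists on the machine the file was generated on; an example file copied by an operator should use the packaging default or a clearly marked placeholder. The `# Autogenerated` header is the only explanation in the file, so add a line stating which command produces it (and that secrets such as `bind_password`, `db_password` and `jwt_secret` are intentionally empty and must be supplied), otherwise the next regeneration will reintroduce the same local path.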
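Review bot: The groups_configvars.md hunk silently drops three documented variables: the `OC_LOG_PRETTY`/`GROUPS_LOG_PRETTY`, `OC_LOG_COLOR`/`GROUPS_LOG_COLOR` and `OC_LOG_FILE`/`GROUPS_LOG_FILE` rows disappear (the hunk shrinks from 56 to 53 lines) and the `GROUPS_LOG_LEVEL` default changes from empty to `error`. Confirm that the groups service actually removed these settings rather than the generator skipping shared log fields, and if the removal is real, call it out in the PR description since it is a user-visible change. The hunk also changes the table style: the default column loses its right alignment (`:---` becomes `---`) and the backticks around every default, so an unset default and the former empty-string marker `` now both render as an empty cell, and values such as `[*]` are no longer set in code font; keep the code formatting if the distinction between "no default" and "empty string" matters to operators. The same `/home/chaser/.opencloud/idm/ldap.crt` path appears here in `GROUPS_LDAP_CACERT`.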
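Review bot: The graph_readme.md and groups_readme.md hunks change nothing but the `date:` front matter, bumped to a nanosecond-precision timestamp; this is pure churn on every regeneration and adds noise to the diff. Consider having the generator keep the existing date unless the content changed, or truncating the timestamp to seconds so timestamp-only updates stay out of review.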
`GROUPS_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|uid=reva,ou=sysusers,o=libregraph-idm| +|`OC_LDAP_BIND_PASSWORD`
`GROUPS_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|| +|`OC_LDAP_USER_BASE_DN`
`GROUPS_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|ou=users,o=libregraph-idm| +|`OC_LDAP_GROUP_BASE_DN`
`GROUPS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|ou=groups,o=libregraph-idm| +|`OC_LDAP_USER_SCOPE`
`GROUPS_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|sub| +|`OC_LDAP_GROUP_SCOPE`
`GROUPS_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.`|sub| +|`LDAP_GROUP_SUBSTRING_FILTER_TYPE`
`GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|`Type of substring search filter to use for substring searches for groups. Supported values are 'initial', 'final' and 'any'. The value 'initial' is used for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches`|any| +|`OC_LDAP_USER_FILTER`
`GROUPS_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|| +|`OC_LDAP_GROUP_FILTER`
`GROUPS_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|| +|`OC_LDAP_USER_OBJECTCLASS`
`GROUPS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|inetOrgPerson| +|`OC_LDAP_GROUP_OBJECTCLASS`
`GROUPS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|groupOfNames| +|`OC_URL`
`OC_OIDC_ISSUER`
`GROUPS_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider.`|https://localhost:9200| +|`OC_LDAP_USER_SCHEMA_ID`
`GROUPS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.`|openCloudUUID| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|false| +|`OC_LDAP_USER_SCHEMA_MAIL`
`GROUPS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|mail| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|displayname| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`GROUPS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|uid| +|`OC_LDAP_GROUP_SCHEMA_ID`
`GROUPS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.`|openCloudUUID| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|false| +|`OC_LDAP_GROUP_SCHEMA_MAIL`
`GROUPS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|mail| +|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|cn| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|cn| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GROUPS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|member| +|`GROUPS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|owncloud| +|`GROUPS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|| +|`GROUPS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|mysql| +|`GROUPS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|3306| +|`GROUPS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|owncloud| +|`GROUPS_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|https://localhost:9200| +|`GROUPS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|90| +|`GROUPS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames.`|false| +|`GROUPS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user IDs.`|false| +|`GROUPS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|`Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.`|false| diff --git a/static/env-vars/groups_readme.md b/static/env-vars/groups_readme.md index 4c092d6b..acad314d 100644 --- a/static/env-vars/groups_readme.md +++ b/static/env-vars/groups_readme.md @@ -1,6 +1,6 @@ --- title: Groups -date: 2025-11-27T22:56:02.332899+01:00 +date: 2026-01-13T10:10:18.222424958+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/groups diff --git a/static/env-vars/idm-config-example.yaml b/static/env-vars/idm-config-example.yaml new file mode 100644 index 00000000..b0df3da7 --- /dev/null +++ b/static/env-vars/idm-config-example.yaml 
@@ -0,0 +1,22 @@ +# Autogenerated +# Filename: idm-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9239 + token: "" + pprof: false + zpages: false +idm: + ldaps_addr: 127.0.0.1:9235 + cert: /home/chaser/.opencloud/idm/ldap.crt + key: /home/chaser/.opencloud/idm/ldap.key + database: /home/chaser/.opencloud/idm/idm.boltdb +create_demo_users: false +demo_users_issuer_url: https://localhost:9200 +service_user_passwords: + admin_password: "" + idm_password: "" + reva_password: "" + idp_password: "" +admin_user_id: "" diff --git a/static/env-vars/idm_configvars.md b/static/env-vars/idm_configvars.md index af0e5596..68274f01 100644 --- a/static/env-vars/idm_configvars.md +++ b/static/env-vars/idm_configvars.md @@ -1,23 +1,20 @@ Environment variables for the **idm** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`IDM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`IDM_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`IDM_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`IDM_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`IDM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9239`| -|`IDM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`IDM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`IDM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`IDM_LDAPS_ADDR`| 1.0.0 |string|`Listen address for the LDAPS listener (ip-addr:port).`|`127.0.0.1:9235`| -|`IDM_LDAPS_CERT`| 1.0.0 |string|`File name of the TLS server certificate for the LDAPS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/var/lib/opencloud/idm/ldap.crt`| -|`IDM_LDAPS_KEY`| 1.0.0 |string|`File name for the TLS certificate key for the server certificate. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/var/lib/opencloud/idm/ldap.key`| -|`IDM_DATABASE_PATH`| 1.0.0 |string|`Full path to the IDM backend database. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/var/lib/opencloud/idm/idm.boltdb`| -|`IDM_CREATE_DEMO_USERS`| 1.0.0 |bool|`Flag to enable or disable the creation of the demo users.`|`false`| -|`OC_URL`
`OC_OIDC_ISSUER`| 1.0.0 |string|`The OIDC issuer URL to assign to the demo users.`|`https://localhost:9200`| -|`IDM_ADMIN_PASSWORD`| 1.0.0 |string|`Password to set for the OpenCloud 'admin' user. Either cleartext or an argon2id hash.`|``| -|`IDM_SVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'idm' service user. Either cleartext or an argon2id hash.`|``| -|`IDM_REVASVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'reva' service user. Either cleartext or an argon2id hash.`|``| -|`IDM_IDPSVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'idp' service user. Either cleartext or an argon2id hash.`|``| -|`OC_ADMIN_USER_ID`
`IDM_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`IDM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`IDM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9239| +|`IDM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`IDM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`IDM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`IDM_LDAPS_ADDR`| 1.0.0 |string|`Listen address for the LDAPS listener (ip-addr:port).`|127.0.0.1:9235| +|`IDM_LDAPS_CERT`| 1.0.0 |string|`File name of the TLS server certificate for the LDAPS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|/home/chaser/.opencloud/idm/ldap.crt| +|`IDM_LDAPS_KEY`| 1.0.0 |string|`File name for the TLS certificate key for the server certificate. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|/home/chaser/.opencloud/idm/ldap.key| +|`IDM_DATABASE_PATH`| 1.0.0 |string|`Full path to the IDM backend database. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|/home/chaser/.opencloud/idm/idm.boltdb| +|`IDM_CREATE_DEMO_USERS`| 1.0.0 |bool|`Flag to enable or disable the creation of the demo users.`|false| +|`OC_URL`
`OC_OIDC_ISSUER`| 1.0.0 |string|`The OIDC issuer URL to assign to the demo users.`|https://localhost:9200| +|`IDM_ADMIN_PASSWORD`| 1.0.0 |string|`Password to set for the OpenCloud 'admin' user. Either cleartext or an argon2id hash.`|| +|`IDM_SVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'idm' service user. Either cleartext or an argon2id hash.`|| +|`IDM_REVASVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'reva' service user. Either cleartext or an argon2id hash.`|| +|`IDM_IDPSVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'idp' service user. Either cleartext or an argon2id hash.`|| +|`OC_ADMIN_USER_ID`
`IDM_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|| diff --git a/static/env-vars/idm_readme.md b/static/env-vars/idm_readme.md index 684e0f20..aaa559f1 100644 --- a/static/env-vars/idm_readme.md +++ b/static/env-vars/idm_readme.md @@ -1,6 +1,6 @@ --- title: IDM -date: 2025-11-27T22:56:02.333155+01:00 +date: 2026-01-13T10:10:18.222487396+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/idm diff --git a/static/env-vars/idp-config-example.yaml b/static/env-vars/idp-config-example.yaml new file mode 100644 index 00000000..02687369 --- /dev/null +++ b/static/env-vars/idp-config-example.yaml 
@@ -0,0 +1,113 @@ +# Autogenerated +# Filename: idp-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9134 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9130 + root: / + tls_cert: /home/chaser/.opencloud/idp/server.crt + tls_key: /home/chaser/.opencloud/idp/server.key + tls: false +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +machine_auth_api_key: "" +asset: + asset: "" + login-background-url: "" +idp: + iss: https://localhost:9200 + identity_manager: ldap + uri_base_path: "" + sign_in_uri: "" + signed_out_uri: "" + authorization_endpoint_uri: "" + ldap_insecure: false + trusted_proxy: [] + allow_scope: [] + allow_client_guests: false + allow_dynamic_client_registration: false + encrypt_secret_file: /home/chaser/.opencloud/idp/encryption.key + listen: "" + identifierdefaultbannerlogo: "" + default_sign_in_page_text: "" + default_logo_target_uri: https://opencloud.eu + identifierdefaultusernamehinttext: "" + identifieruilocales: [] + signing_kid: private-key + signing_method: PS256 + signing_private_key_files: + - /home/chaser/.opencloud/idp/private-key.pem + validation_keys_path: "" + cookiebackenduri: "" + cookienames: [] + cookiesamesite: 3 + access_token_duration_seconds: 300 + id_token_duration_seconds: 300 + refresh_token_duration_seconds: 2592000 + dynamic_client_secret_duration_seconds: 0 +clients: +- id: web + name: OpenCloud Web App + trusted: true + secret: "" + redirect_uris: + - '{{OC_URL}}/' + - '{{OC_URL}}/oidc-callback.html' + - '{{OC_URL}}/oidc-silent-redirect.html' + post_logout_redirect_uris: [] + origins: + - '{{OC_URL}}' + application_type: "" +- id: OpenCloudDesktop + name: OpenCloud Desktop Client + trusted: false + secret: "" + redirect_uris: + - http://127.0.0.1 + - http://localhost + post_logout_redirect_uris: [] + origins: [] + application_type: native +- id: OpenCloudAndroid + name: OpenCloud Android App + trusted: false + secret: "" + redirect_uris: + - 
oc://android.opencloud.eu + post_logout_redirect_uris: + - oc://android.opencloud.eu + origins: [] + application_type: native +- id: OpenCloudIOS + name: OpenCloud iOS App + trusted: false + secret: "" + redirect_uris: + - oc://ios.opencloud.eu + post_logout_redirect_uris: + - oc://ios.opencloud.eu + origins: [] + application_type: native +ldap: + uri: ldaps://localhost:9235 + cacert: /home/chaser/.opencloud/idm/ldap.crt + bind_dn: uid=idp,ou=sysusers,o=libregraph-idm + bind_password: "" + base_dn: ou=users,o=libregraph-idm + scope: sub + login_attribute: uid + email_attribute: mail + name_attribute: displayName + uuid_attribute: openCloudUUID + uuid_attribute_type: text + user_enabled_attribute: openCloudUserEnabled + filter: "" + objectclass: inetOrgPerson diff --git a/static/env-vars/idp_configvars.md b/static/env-vars/idp_configvars.md index 053268ad..85ec8580 100644 --- a/static/env-vars/idp_configvars.md +++ b/static/env-vars/idp_configvars.md @@ -1,58 +1,55 @@ Environment variables for the **idp** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`IDP_PASSWORD_RESET_URI`| 1.0.0 |string|`The URI where a user can reset their password.`|``| -|`OC_LOG_LEVEL`
`IDP_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`IDP_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`IDP_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`IDP_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`IDP_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9134`| -|`IDP_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`IDP_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`IDP_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`IDP_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9130`| -|`IDP_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`IDP_TRANSPORT_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/var/lib/opencloud/idp/server.crt`| -|`IDP_TRANSPORT_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/var/lib/opencloud/idp/server.key`| -|`IDP_TLS`| 1.0.0 |bool|`Disable or Enable HTTPS for the communication between the Proxy service and the IDP service. If set to 'true', the key and cert files need to be configured and present.`|`false`| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OC_MACHINE_AUTH_API_KEY`
`IDP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| -|`IDP_ASSET_PATH`| 1.0.0 |string|`Serve IDP assets from a path on the filesystem instead of the builtin assets.`|``| -|`IDP_LOGIN_BACKGROUND_URL`| 1.0.0 |string|`Configure an alternative URL to the background image for the login page.`|``| -|`OC_URL`
`OC_OIDC_ISSUER`
`IDP_ISS`| 1.0.0 |string|`The OIDC issuer URL to use.`|`https://localhost:9200`| -|`IDP_IDENTITY_MANAGER`| 1.0.0 |string|`The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'libregraph' and 'guest'.`|`ldap`| -|`IDP_URI_BASE_PATH`| 1.0.0 |string|`IDP uri base path (defaults to '').`|``| -|`IDP_SIGN_IN_URI`| 1.0.0 |string|`IDP sign-in url.`|``| -|`IDP_SIGN_OUT_URI`| 1.0.0 |string|`IDP sign-out url.`|``| -|`IDP_ENDPOINT_URI`| 1.0.0 |string|`URL of the IDP endpoint.`|``| -|`OC_LDAP_INSECURE`
`IDP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| -|`IDP_ALLOW_CLIENT_GUESTS`| 1.0.0 |bool|`Allow guest clients to access OpenCloud.`|`false`| -|`IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION`| 1.0.0 |bool|`Allow dynamic client registration.`|`false`| -|`IDP_ENCRYPTION_SECRET_FILE`| 1.0.0 |string|`Path to the encryption secret file, if unset, a new certificate will be autogenerated upon each restart, thus invalidating all existing sessions. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/var/lib/opencloud/idp/encryption.key`| -|`IDP_DEFAULT_SIGNIN_PAGE_TEXT`| 2.0.0 |string|``|``| -|`IDP_DEFAULT_LOGO_TARGET_URI`| 4.0.0 |string|`Default logo target URI.`|`https://opencloud.eu`| -|`IDP_SIGNING_KID`| 1.0.0 |string|`Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing-private-key.`|`private-key`| -|`IDP_SIGNING_METHOD`| 1.0.0 |string|`Signing method of IDP requests like 'PS256'`|`PS256`| -|`IDP_SIGNING_PRIVATE_KEY_FILES`| 1.0.0 |[]string|`A list of private key files for signing IDP requests. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. See the Environment Variable Types description for more details.`|`[/var/lib/opencloud/idp/private-key.pem]`| -|`IDP_VALIDATION_KEYS_PATH`| 1.0.0 |string|`Path to validation keys for IDP requests.`|``| -|`IDP_ACCESS_TOKEN_EXPIRATION`| 1.0.0 |uint64|`'Access token lifespan in seconds (time before an access token is expired).'`|`300`| -|`IDP_ID_TOKEN_EXPIRATION`| 1.0.0 |uint64|`ID token lifespan in seconds (time before an ID token is expired).`|`300`| -|`IDP_REFRESH_TOKEN_EXPIRATION`| 1.0.0 |uint64|`Refresh token lifespan in seconds (time before an refresh token is expired). 
This also limits the duration of an idle offline session.`|`2592000`| -|`IDP_DYNAMIC_CLIENT_SECRET_DURATION`| 1.0.0 |uint64|`Lifespan in seconds of a dynamically registered OIDC client.`|`0`| -|`OC_LDAP_URI`
`IDP_LDAP_URI`| 1.0.0 |string|`Url of the LDAP service to use as IDP.`|`ldaps://localhost:9235`| -|`OC_LDAP_CACERT`
`IDP_LDAP_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/var/lib/opencloud/idm/ldap.crt`| -|`OC_LDAP_BIND_DN`
`IDP_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=idp,ou=sysusers,o=libregraph-idm`| -|`OC_LDAP_BIND_PASSWORD`
`IDP_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| -|`OC_LDAP_USER_BASE_DN`
`IDP_LDAP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| -|`OC_LDAP_USER_SCOPE`
`IDP_LDAP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| -|`IDP_LDAP_LOGIN_ATTRIBUTE`| 1.0.0 |string|`LDAP User attribute to use for login like 'uid'.`|`uid`| -|`OC_LDAP_USER_SCHEMA_MAIL`
`IDP_LDAP_EMAIL_ATTRIBUTE`| 1.0.0 |string|`LDAP User email attribute like 'mail'.`|`mail`| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`IDP_LDAP_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP User name attribute like 'displayName'.`|`displayName`| -|`OC_LDAP_USER_SCHEMA_ID`
`IDP_LDAP_UUID_ATTRIBUTE`| 1.0.0 |string|`LDAP User UUID attribute like 'uid'.`|`openCloudUUID`| -|`IDP_LDAP_UUID_ATTRIBUTE_TYPE`| 1.0.0 |string|`LDAP User uuid attribute type like 'text'.`|`text`| -|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`IDP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as a flag telling if the user is enabled or disabled.`|`openCloudUserEnabled`| -|`OC_LDAP_USER_FILTER`
`IDP_LDAP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| -|`OC_LDAP_USER_OBJECTCLASS`
`IDP_LDAP_OBJECTCLASS`| 1.0.0 |string|`LDAP User ObjectClass like 'inetOrgPerson'.`|`inetOrgPerson`| +|---|---|---|---|---| +|`IDP_PASSWORD_RESET_URI`| 1.0.0 |string|`The URI where a user can reset their password.`|| +|`OC_LOG_LEVEL`
`IDP_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`IDP_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9134| +|`IDP_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`IDP_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`IDP_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`IDP_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9130| +|`IDP_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`IDP_TRANSPORT_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|/home/chaser/.opencloud/idp/server.crt| +|`IDP_TRANSPORT_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|/home/chaser/.opencloud/idp/server.key| +|`IDP_TLS`| 1.0.0 |bool|`Disable or Enable HTTPS for the communication between the Proxy service and the IDP service. If set to 'true', the key and cert files need to be configured and present.`|false| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OC_MACHINE_AUTH_API_KEY`
`IDP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|| +|`IDP_ASSET_PATH`| 1.0.0 |string|`Serve IDP assets from a path on the filesystem instead of the builtin assets.`|| +|`IDP_LOGIN_BACKGROUND_URL`| 1.0.0 |string|`Configure an alternative URL to the background image for the login page.`|| +|`OC_URL`
`OC_OIDC_ISSUER`
`IDP_ISS`| 1.0.0 |string|`The OIDC issuer URL to use.`|https://localhost:9200| +|`IDP_IDENTITY_MANAGER`| 1.0.0 |string|`The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'libregraph' and 'guest'.`|ldap| +|`IDP_URI_BASE_PATH`| 1.0.0 |string|`IDP uri base path (defaults to '').`|| +|`IDP_SIGN_IN_URI`| 1.0.0 |string|`IDP sign-in url.`|| +|`IDP_SIGN_OUT_URI`| 1.0.0 |string|`IDP sign-out url.`|| +|`IDP_ENDPOINT_URI`| 1.0.0 |string|`URL of the IDP endpoint.`|| +|`OC_LDAP_INSECURE`
`IDP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|false| +|`IDP_ALLOW_CLIENT_GUESTS`| 1.0.0 |bool|`Allow guest clients to access OpenCloud.`|false| +|`IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION`| 1.0.0 |bool|`Allow dynamic client registration.`|false| +|`IDP_ENCRYPTION_SECRET_FILE`| 1.0.0 |string|`Path to the encryption secret file, if unset, a new certificate will be autogenerated upon each restart, thus invalidating all existing sessions. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|/home/chaser/.opencloud/idp/encryption.key| +|`IDP_DEFAULT_SIGNIN_PAGE_TEXT`| 2.0.0 |string|``|| +|`IDP_DEFAULT_LOGO_TARGET_URI`| 4.0.0 |string|`Default logo target URI.`|https://opencloud.eu| +|`IDP_SIGNING_KID`| 1.0.0 |string|`Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing-private-key.`|private-key| +|`IDP_SIGNING_METHOD`| 1.0.0 |string|`Signing method of IDP requests like 'PS256'`|PS256| +|`IDP_SIGNING_PRIVATE_KEY_FILES`| 1.0.0 |[]string|`A list of private key files for signing IDP requests. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. See the Environment Variable Types description for more details.`|[/home/chaser/.opencloud/idp/private-key.pem]| +|`IDP_VALIDATION_KEYS_PATH`| 1.0.0 |string|`Path to validation keys for IDP requests.`|| +|`IDP_ACCESS_TOKEN_EXPIRATION`| 1.0.0 |uint64|`'Access token lifespan in seconds (time before an access token is expired).'`|300| +|`IDP_ID_TOKEN_EXPIRATION`| 1.0.0 |uint64|`ID token lifespan in seconds (time before an ID token is expired).`|300| +|`IDP_REFRESH_TOKEN_EXPIRATION`| 1.0.0 |uint64|`Refresh token lifespan in seconds (time before an refresh token is expired). This also limits the duration of an idle offline session.`|2592000| +|`IDP_DYNAMIC_CLIENT_SECRET_DURATION`| 1.0.0 |uint64|`Lifespan in seconds of a dynamically registered OIDC client.`|0| +|`OC_LDAP_URI`
`IDP_LDAP_URI`| 1.0.0 |string|`Url of the LDAP service to use as IDP.`|ldaps://localhost:9235| +|`OC_LDAP_CACERT`
`IDP_LDAP_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|/home/chaser/.opencloud/idm/ldap.crt| +|`OC_LDAP_BIND_DN`
`IDP_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|uid=idp,ou=sysusers,o=libregraph-idm| +|`OC_LDAP_BIND_PASSWORD`
`IDP_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|| +|`OC_LDAP_USER_BASE_DN`
`IDP_LDAP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|ou=users,o=libregraph-idm| +|`OC_LDAP_USER_SCOPE`
`IDP_LDAP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|sub| +|`IDP_LDAP_LOGIN_ATTRIBUTE`| 1.0.0 |string|`LDAP User attribute to use for login like 'uid'.`|uid| +|`OC_LDAP_USER_SCHEMA_MAIL`
`IDP_LDAP_EMAIL_ATTRIBUTE`| 1.0.0 |string|`LDAP User email attribute like 'mail'.`|mail| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`IDP_LDAP_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP User name attribute like 'displayName'.`|displayName| +|`OC_LDAP_USER_SCHEMA_ID`
`IDP_LDAP_UUID_ATTRIBUTE`| 1.0.0 |string|`LDAP User UUID attribute like 'uid'.`|openCloudUUID| +|`IDP_LDAP_UUID_ATTRIBUTE_TYPE`| 1.0.0 |string|`LDAP User uuid attribute type like 'text'.`|text| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`IDP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as a flag telling if the user is enabled or disabled.`|openCloudUserEnabled| +|`OC_LDAP_USER_FILTER`
`IDP_LDAP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|| +|`OC_LDAP_USER_OBJECTCLASS`
`IDP_LDAP_OBJECTCLASS`| 1.0.0 |string|`LDAP User ObjectClass like 'inetOrgPerson'.`|inetOrgPerson| diff --git a/static/env-vars/idp_readme.md b/static/env-vars/idp_readme.md index d174da2c..5101bd21 100644 --- a/static/env-vars/idp_readme.md +++ b/static/env-vars/idp_readme.md @@ -1,6 +1,6 @@ --- title: IDP -date: 2025-11-27T22:56:02.333271+01:00 +date: 2026-01-13T10:10:18.222546877+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/idp diff --git a/static/env-vars/invitations-config-example.yaml b/static/env-vars/invitations-config-example.yaml new file mode 100644 index 00000000..85264d87 --- /dev/null +++ b/static/env-vars/invitations-config-example.yaml @@ -0,0 +1,31 @@ +# Autogenerated +# Filename: invitations-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9269 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9265 + root: /graph/v1.0 + cors: + allow_origins: + - https://localhost:9200 + allow_methods: [] + allow_headers: [] + allow_credentials: false + tls: + enabled: false + cert: "" + key: "" +keycloak: + base_path: "" + client_id: "" + client_secret: "" + client_realm: "" + user_realm: "" + insecure_skip_verify: false +token_manager: + jwt_secret: "" diff --git a/static/env-vars/invitations_configvars.md b/static/env-vars/invitations_configvars.md index 6933fe38..34906594 100644 --- a/static/env-vars/invitations_configvars.md +++ b/static/env-vars/invitations_configvars.md @@ -1,28 +1,25 @@ Environment variables for the **invitations** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`INVITATIONS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`INVITATIONS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`INVITATIONS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`INVITATIONS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`INVITATIONS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9269`| -|`INVITATIONS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`INVITATIONS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`INVITATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`INVITATIONS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9265`| -|`INVITATIONS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/graph/v1.0`| -|`OC_CORS_ALLOW_ORIGINS`
`INVITATIONS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| -|`OC_CORS_ALLOW_METHODS`
`INVITATIONS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[]`| -|`OC_CORS_ALLOW_HEADERS`
`INVITATIONS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`INVITATIONS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`OC_KEYCLOAK_BASE_PATH`
`INVITATIONS_KEYCLOAK_BASE_PATH`| 1.0.0 |string|`The URL to access keycloak.`|``| -|`OC_KEYCLOAK_CLIENT_ID`
`INVITATIONS_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|`The client ID to authenticate with keycloak.`|``| -|`OC_KEYCLOAK_CLIENT_SECRET`
`INVITATIONS_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|`The client secret to use in authentication.`|``| -|`OC_KEYCLOAK_CLIENT_REALM`
`INVITATIONS_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|`The realm the client is defined in.`|``| -|`OC_KEYCLOAK_USER_REALM`
`INVITATIONS_KEYCLOAK_USER_REALM`| 1.0.0 |string|`The realm users are defined.`|``| -|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`INVITATIONS_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|`Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.`|`false`| -|`OC_JWT_SECRET`
`INVITATIONS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`INVITATIONS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`INVITATIONS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9269| +|`INVITATIONS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`INVITATIONS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`INVITATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`INVITATIONS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9265| +|`INVITATIONS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/graph/v1.0| +|`OC_CORS_ALLOW_ORIGINS`
`INVITATIONS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[https://localhost:9200]| +|`OC_CORS_ALLOW_METHODS`
`INVITATIONS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[]| +|`OC_CORS_ALLOW_HEADERS`
`INVITATIONS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[]| +|`OC_CORS_ALLOW_CREDENTIALS`
`INVITATIONS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|false| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`OC_KEYCLOAK_BASE_PATH`
`INVITATIONS_KEYCLOAK_BASE_PATH`| 1.0.0 |string|`The URL to access keycloak.`|| +|`OC_KEYCLOAK_CLIENT_ID`
`INVITATIONS_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|`The client ID to authenticate with keycloak.`|| +|`OC_KEYCLOAK_CLIENT_SECRET`
`INVITATIONS_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|`The client secret to use in authentication.`|| +|`OC_KEYCLOAK_CLIENT_REALM`
`INVITATIONS_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|`The realm the client is defined in.`|| +|`OC_KEYCLOAK_USER_REALM`
`INVITATIONS_KEYCLOAK_USER_REALM`| 1.0.0 |string|`The realm users are defined.`|| +|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`INVITATIONS_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|`Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.`|false| +|`OC_JWT_SECRET`
`INVITATIONS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| diff --git a/static/env-vars/invitations_readme.md b/static/env-vars/invitations_readme.md index cd90e794..f2be21c3 100644 --- a/static/env-vars/invitations_readme.md +++ b/static/env-vars/invitations_readme.md @@ -1,6 +1,6 @@ --- title: Invitations -date: 2025-11-27T22:56:02.333362+01:00 +date: 2026-01-13T10:10:18.222599847+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/invitations diff --git a/static/env-vars/nats-config-example.yaml b/static/env-vars/nats-config-example.yaml new file mode 100644 index 00000000..8038ba69 --- /dev/null +++ b/static/env-vars/nats-config-example.yaml @@ -0,0 +1,18 @@ +# Autogenerated +# Filename: nats-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9234 + token: "" + pprof: false + zpages: false +nats: + host: 127.0.0.1 + port: 9233 + clusterid: opencloud-cluster + store_dir: /home/chaser/.opencloud/nats + tls_cert: /home/chaser/.opencloud/nats/tls.crt + tls_key: /home/chaser/.opencloud/nats/tls.key + tls_skip_verify_client_cert: false + enable_tls: false diff --git a/static/env-vars/nats_configvars.md b/static/env-vars/nats_configvars.md index c792bf41..6296e262 100644 --- a/static/env-vars/nats_configvars.md +++ b/static/env-vars/nats_configvars.md @@ -1,20 +1,17 @@ Environment variables for the **nats** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`NATS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`NATS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`NATS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`NATS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`NATS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9234`| -|`NATS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`NATS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`NATS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`NATS_NATS_HOST`| 1.0.0 |string|`Bind address.`|`127.0.0.1`| -|`NATS_NATS_PORT`| 1.0.0 |int|`Bind port.`|`9233`| -|`NATS_NATS_CLUSTER_ID`| 1.0.0 |string|`ID of the NATS cluster.`|`opencloud-cluster`| -|`NATS_NATS_STORE_DIR`| 1.0.0 |string|`The directory where the filesystem storage will store NATS JetStream data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|`/var/lib/opencloud/nats`| -|`NATS_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|`/var/lib/opencloud/nats/tls.crt`| -|`NATS_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|`/var/lib/opencloud/nats/tls.key`| -|`OC_INSECURE`
`NATS_TLS_SKIP_VERIFY_CLIENT_CERT`| 1.0.0 |bool|`Whether the NATS server should skip the client certificate verification during the TLS handshake.`|`false`| -|`OC_EVENTS_ENABLE_TLS`
`NATS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`NATS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`NATS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9234| +|`NATS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`NATS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`NATS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`NATS_NATS_HOST`| 1.0.0 |string|`Bind address.`|127.0.0.1| +|`NATS_NATS_PORT`| 1.0.0 |int|`Bind port.`|9233| +|`NATS_NATS_CLUSTER_ID`| 1.0.0 |string|`ID of the NATS cluster.`|opencloud-cluster| +|`NATS_NATS_STORE_DIR`| 1.0.0 |string|`The directory where the filesystem storage will store NATS JetStream data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|/home/chaser/.opencloud/nats| +|`NATS_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|/home/chaser/.opencloud/nats/tls.crt| +|`NATS_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|/home/chaser/.opencloud/nats/tls.key| +|`OC_INSECURE`
`NATS_TLS_SKIP_VERIFY_CLIENT_CERT`| 1.0.0 |bool|`Whether the NATS server should skip the client certificate verification during the TLS handshake.`|false| +|`OC_EVENTS_ENABLE_TLS`
`NATS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| diff --git a/static/env-vars/nats_readme.md b/static/env-vars/nats_readme.md index 045b5608..b5487d64 100644 --- a/static/env-vars/nats_readme.md +++ b/static/env-vars/nats_readme.md @@ -1,6 +1,6 @@ --- title: Nats -date: 2025-11-27T22:56:02.333443+01:00 +date: 2026-01-13T10:10:18.222650873+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/nats diff --git a/static/env-vars/notifications-config-example.yaml b/static/env-vars/notifications-config-example.yaml new file mode 100644 index 00000000..e2a86b0f --- /dev/null +++ b/static/env-vars/notifications-config-example.yaml @@ -0,0 +1,48 @@ +# Autogenerated +# Filename: notifications-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9174 + token: "" + pprof: false + zpages: false +opencloud_url: https://localhost:9200 +notifications: + SMTP: + smtp_host: "" + smtp_port: 0 + smtp_sender: "" + smtp_username: "" + smtp_password: "" + insecure: false + smtp_authentication: "" + smtp_encryption: none + events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" + email_template_path: "" + translation_path: "" + default_language: "" + reva_gateway: eu.opencloud.api.gateway + grpc_client_tls: null +grpc_client_tls: + mode: "" + cacert: "" +service_account: + service_account_id: "" + service_account_secret: "" +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: notifications + table: "" + ttl: 336h0m0s + username: "" + password: "" diff --git a/static/env-vars/notifications_configvars.md b/static/env-vars/notifications_configvars.md index bf8ab298..f6140b61 100644 --- a/static/env-vars/notifications_configvars.md 
+++ b/static/env-vars/notifications_configvars.md @@ -1,43 +1,40 @@ Environment variables for the **notifications** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`NOTIFICATIONS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`NOTIFICATIONS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`NOTIFICATIONS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`NOTIFICATIONS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`NOTIFICATIONS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9174`| -|`NOTIFICATIONS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`NOTIFICATIONS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`NOTIFICATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OC_URL`
`NOTIFICATIONS_WEB_UI_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud Web UI, used e.g. when sending notification eMails`|`https://localhost:9200`| -|`NOTIFICATIONS_SMTP_HOST`| 1.0.0 |string|`SMTP host to connect to.`|``| -|`NOTIFICATIONS_SMTP_PORT`| 1.0.0 |int|`Port of the SMTP host to connect to.`|`0`| -|`NOTIFICATIONS_SMTP_SENDER`| 1.0.0 |string|`Sender address of emails that will be sent (e.g. 'OpenCloud '.`|``| -|`NOTIFICATIONS_SMTP_USERNAME`| 1.0.0 |string|`Username for the SMTP host to connect to.`|``| -|`NOTIFICATIONS_SMTP_PASSWORD`| 1.0.0 |string|`Password for the SMTP host to connect to.`|``| -|`NOTIFICATIONS_SMTP_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the SMTP server.`|`false`| -|`NOTIFICATIONS_SMTP_AUTHENTICATION`| 1.0.0 |string|`Authentication method for the SMTP communication. Possible values are 'login', 'plain', 'crammd5', 'none' or 'auto'. If set to 'auto' or unset, the authentication method is automatically negotiated with the server.`|``| -|`NOTIFICATIONS_SMTP_ENCRYPTION`| 1.0.0 |string|`Encryption method for the SMTP communication. Possible values are 'starttls', 'ssltls' and 'none'.`|`none`| -|`OC_EVENTS_ENDPOINT`
`NOTIFICATIONS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`NOTIFICATIONS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`NOTIFICATIONS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`NOTIFICATIONS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`NOTIFICATIONS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`NOTIFICATIONS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EMAIL_TEMPLATE_PATH`
`NOTIFICATIONS_EMAIL_TEMPLATE_PATH`| 1.0.0 |string|`Path to Email notification templates overriding embedded ones.`|``| -|`OC_TRANSLATION_PATH`
`NOTIFICATIONS_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| -|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OC_SERVICE_ACCOUNT_ID`
`NOTIFICATIONS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`NOTIFICATIONS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| -|`OC_PERSISTENT_STORE`
`NOTIFICATIONS_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| -|`OC_PERSISTENT_STORE_NODES`
`NOTIFICATIONS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`NOTIFICATIONS_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`notifications`| -|`NOTIFICATIONS_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| -|`OC_PERSISTENT_STORE_TTL`
`NOTIFICATIONS_STORE_TTL`| 1.0.0 |Duration|`Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`NOTIFICATIONS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`NOTIFICATIONS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`NOTIFICATIONS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`NOTIFICATIONS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9174| +|`NOTIFICATIONS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`NOTIFICATIONS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`NOTIFICATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OC_URL`
`NOTIFICATIONS_WEB_UI_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud Web UI, used e.g. when sending notification eMails`|https://localhost:9200| +|`NOTIFICATIONS_SMTP_HOST`| 1.0.0 |string|`SMTP host to connect to.`|| +|`NOTIFICATIONS_SMTP_PORT`| 1.0.0 |int|`Port of the SMTP host to connect to.`|0| +|`NOTIFICATIONS_SMTP_SENDER`| 1.0.0 |string|`Sender address of emails that will be sent (e.g. 'OpenCloud '.`|| +|`NOTIFICATIONS_SMTP_USERNAME`| 1.0.0 |string|`Username for the SMTP host to connect to.`|| +|`NOTIFICATIONS_SMTP_PASSWORD`| 1.0.0 |string|`Password for the SMTP host to connect to.`|| +|`NOTIFICATIONS_SMTP_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the SMTP server.`|false| +|`NOTIFICATIONS_SMTP_AUTHENTICATION`| 1.0.0 |string|`Authentication method for the SMTP communication. Possible values are 'login', 'plain', 'crammd5', 'none' or 'auto'. If set to 'auto' or unset, the authentication method is automatically negotiated with the server.`|| +|`NOTIFICATIONS_SMTP_ENCRYPTION`| 1.0.0 |string|`Encryption method for the SMTP communication. Possible values are 'starttls', 'ssltls' and 'none'.`|none| +|`OC_EVENTS_ENDPOINT`
`NOTIFICATIONS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`NOTIFICATIONS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`NOTIFICATIONS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`NOTIFICATIONS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`NOTIFICATIONS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`NOTIFICATIONS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EMAIL_TEMPLATE_PATH`
`NOTIFICATIONS_EMAIL_TEMPLATE_PATH`| 1.0.0 |string|`Path to Email notification templates overriding embedded ones.`|| +|`OC_TRANSLATION_PATH`
`NOTIFICATIONS_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OC_SERVICE_ACCOUNT_ID`
`NOTIFICATIONS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`NOTIFICATIONS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| +|`OC_PERSISTENT_STORE`
`NOTIFICATIONS_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|nats-js-kv| +|`OC_PERSISTENT_STORE_NODES`
`NOTIFICATIONS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`NOTIFICATIONS_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|notifications| +|`NOTIFICATIONS_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|| +|`OC_PERSISTENT_STORE_TTL`
`NOTIFICATIONS_STORE_TTL`| 1.0.0 |Duration|`Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|336h0m0s| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`NOTIFICATIONS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`NOTIFICATIONS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| diff --git a/static/env-vars/notifications_readme.md b/static/env-vars/notifications_readme.md index 80953feb..8fb9dad6 100644 --- a/static/env-vars/notifications_readme.md +++ b/static/env-vars/notifications_readme.md @@ -1,6 +1,6 @@ --- title: Notification -date: 2025-11-27T22:56:02.33353+01:00 +date: 2026-01-13T10:10:18.222705867+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/notifications diff --git a/static/env-vars/ocdav-config-example.yaml b/static/env-vars/ocdav-config-example.yaml new file mode 100644 index 00000000..797e9ba6 --- /dev/null +++ b/static/env-vars/ocdav-config-example.yaml 
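Review bot: the invitations_configvars.md hunk (`@@ -1,43 +1,40 @@`) drops the `OC_LOG_PRETTY`/`INVITATIONS_LOG_PRETTY`, `OC_LOG_COLOR`/`INVITATIONS_LOG_COLOR` and `OC_LOG_FILE`/`INVITATIONS_LOG_FILE` rows without any explanation, and the same three rows vanish from the nats and notifications tables in this patch, while the ocdav table regenerated in the same run still lists them. The new nats-config-example.yaml and notifications-config-example.yaml only have a top-level `loglevel:` key and no `log:` block, so the generator is evidently reading a different logging struct for these services now. Please state in the PR description whether these services really stopped honouring `*_LOG_PRETTY`, `*_LOG_COLOR` and `*_LOG_FILE`; if they did, a line in the service readme saying so would save operators who set `INVITATIONS_LOG_FILE` from hunting for why logging to a file silently stopped, and if they did not, the generator is missing a struct.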
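Review bot: the new nats-config-example.yaml and the nats_configvars.md hunk both publish a developer's home directory as the shipped default: the yaml has `store_dir: /home/chaser/.opencloud/nats`, `tls_cert: /home/chaser/.opencloud/nats/tls.crt` and `tls_key: /home/chaser/.opencloud/nats/tls.key`, and the table rows for `NATS_NATS_STORE_DIR`, `NATS_TLS_CERT` and `NATS_TLS_KEY` replace the previous `/var/lib/opencloud/nats`, `/var/lib/opencloud/nats/tls.crt` and `/var/lib/opencloud/nats/tls.key` defaults with the same `/home/chaser/...` paths. The description on those rows says the value derives from `$OC_BASE_DATA_PATH/nats`, so the generator resolved the local environment at generation time rather than the packaged default. Regenerate with `OC_BASE_DATA_PATH` unset (or set to the packaged default) so the docs keep `/var/lib/opencloud/nats`, and consider making the generator fail when a resolved default starts with `/home/`, since besides misleading operators this also leaks the local user name into the published docs.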
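Review bot: in the notifications_configvars.md hunk the `OC_INSECURE` / `OC_EVENTS_TLS_INSECURE` / `NOTIFICATIONS_EVENTS_TLS_INSECURE` row keeps the description `Whether to verify the server TLS certificates.`, which reads as the inverse of what a `*_INSECURE` flag does; the following row (`NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE`: `If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false`) and the nats row `Whether the NATS server should skip the client certificate verification during the TLS handshake.` show the intended sense. Since the table is autogenerated, the fix belongs in the source struct tag, along the lines of `Whether to skip verification of the events broker's TLS certificate. Do not set this in production environments.` The same hunk also still carries the truncated `NOTIFICATIONS_SMTP_SENDER` description `(e.g. 'OpenCloud '.`, where the example address after `OpenCloud` is missing and the parenthesis is never closed; quote or escape the address in the source tag so it survives rendering.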
@@ -0,0 +1,81 @@ +# Autogenerated +# Filename: ocdav-config-example.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9163 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9350 + protocol: tcp + prefix: "" + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - POST + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + - Cache-Control + allow_credentials: false +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +webdav_namespace: /users/{{.Id.OpaqueId}} +files_namespace: /users/{{.Id.OpaqueId}} +shares_namespace: /Shares +ocm_namespace: /public +public_url: https://localhost:9200 +insecure: false +gateway_request_timeout: 84300 +machine_auth_api_key: "" +allow_propfind_depth_infinity: false diff --git a/static/env-vars/ocdav_configvars.md b/static/env-vars/ocdav_configvars.md index 3a94a26f..75eb3295 100644 --- a/static/env-vars/ocdav_configvars.md +++ b/static/env-vars/ocdav_configvars.md @@ -1,34 +1,38 @@ Environment variables for the **ocdav** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`OCDAV_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`OCDAV_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`OCDAV_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`OCDAV_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`OCDAV_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9163`| -|`OCDAV_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`OCDAV_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`OCDAV_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OCDAV_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9350`| -|`OCDAV_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| -|`OCDAV_HTTP_PREFIX`| 1.0.0 |string|`A URL path prefix for the handler.`|``| -|`OC_CORS_ALLOW_ORIGINS`
`OCDAV_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| -|`OC_CORS_ALLOW_METHODS`
`OCDAV_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| -|`OC_CORS_ALLOW_HEADERS`
`OCDAV_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`OCDAV_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| -|`OC_JWT_SECRET`
`OCDAV_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OCDAV_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`OCDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/webdav into this CS3 namespace. Supports template layouting with CS3 User properties.`|`/users/{{.Id.OpaqueId}}`| -|`OCDAV_FILES_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/files/{username} into this CS3 namespace. Supports template layouting with CS3 User properties.`|`/users/{{.Id.OpaqueId}}`| -|`OCDAV_SHARES_NAMESPACE`| 1.0.0 |string|`The human readable path for the share jail. Relative to a users personal space root. Upcased intentionally.`|`/Shares`| -|`OCDAV_OCM_NAMESPACE`| 1.0.0 |string|`The human readable path prefix for the ocm shares.`|`/public`| -|`OC_URL`
`OCDAV_PUBLIC_URL`| 1.0.0 |string|`URL where OpenCloud is reachable for users.`|`https://localhost:9200`| -|`OC_INSECURE`
`OCDAV_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the GATEWAY service.`|`false`| -|`OCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|`84300`| -|`OC_MACHINE_AUTH_API_KEY`
`OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| -|`OC_EDITION`
`OCDAV_EDITION`| 1.0.0 |string|`Edition of OpenCloud. Used for branding purposes.`|``| -|`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|`false`| +|---|---|---|---|---| +|`OC_TRACING_ENABLED`
`OCDAV_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|false| +|`OC_TRACING_TYPE`
`OCDAV_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|| +|`OC_TRACING_ENDPOINT`
`OCDAV_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|| +|`OC_TRACING_COLLECTOR`
`OCDAV_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|| +|`OC_LOG_LEVEL`
`OCDAV_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|| +|`OC_LOG_PRETTY`
`OCDAV_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|false| +|`OC_LOG_COLOR`
`OCDAV_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|false| +|`OC_LOG_FILE`
`OCDAV_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|| +|`OCDAV_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9163| +|`OCDAV_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`OCDAV_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`OCDAV_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OCDAV_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9350| +|`OCDAV_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|tcp| +|`OCDAV_HTTP_PREFIX`| 1.0.0 |string|`A URL path prefix for the handler.`|| +|`OC_CORS_ALLOW_ORIGINS`
`OCDAV_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[https://localhost:9200]| +|`OC_CORS_ALLOW_METHODS`
`OCDAV_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]| +|`OC_CORS_ALLOW_HEADERS`
`OCDAV_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]| +|`OC_CORS_ALLOW_CREDENTIALS`
`OCDAV_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|false| +|`OC_JWT_SECRET`
`OCDAV_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OCDAV_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`OCDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/webdav into this CS3 namespace. Supports template layouting with CS3 User properties.`|/users/{{.Id.OpaqueId}}| +|`OCDAV_FILES_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/files/{username} into this CS3 namespace. Supports template layouting with CS3 User properties.`|/users/{{.Id.OpaqueId}}| +|`OCDAV_SHARES_NAMESPACE`| 1.0.0 |string|`The human readable path for the share jail. Relative to a users personal space root. Upcased intentionally.`|/Shares| +|`OCDAV_OCM_NAMESPACE`| 1.0.0 |string|`The human readable path prefix for the ocm shares.`|/public| +|`OC_URL`
`OCDAV_PUBLIC_URL`| 1.0.0 |string|`URL where OpenCloud is reachable for users.`|https://localhost:9200| +|`OC_INSECURE`
`OCDAV_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the GATEWAY service.`|false| +|`OCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|84300| +|`OC_MACHINE_AUTH_API_KEY`
`OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|| +|`OC_EDITION`
`OCDAV_EDITION`| 1.0.0 |string|`Edition of OpenCloud. Used for branding purposes.`|| +|`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|false| diff --git a/static/env-vars/ocdav_readme.md b/static/env-vars/ocdav_readme.md index 5b67c5f5..3afabcfd 100644 --- a/static/env-vars/ocdav_readme.md +++ b/static/env-vars/ocdav_readme.md @@ -1,6 +1,6 @@ --- title: ocDAV -date: 2025-11-27T22:56:02.333616+01:00 +date: 2025-11-11T09:16:41.111916459+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/ocdav diff --git a/static/env-vars/ocm-config-example.yaml b/static/env-vars/ocm-config-example.yaml new file mode 100644 index 00000000..8b553337 --- /dev/null +++ b/static/env-vars/ocm-config-example.yaml 
@@ -0,0 +1,109 @@ +# Autogenerated +# Filename: ocm-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9281 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9280 + protocol: tcp + prefix: "" + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - POST + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + - Cache-Control + allow_credentials: false +middleware: + auth: + credentials_by_user_agent: {} +grpc: + addr: 127.0.0.1:9282 + tls: null + protocol: "" +grpc_client_tls: null +service_account: + service_account_id: "" + service_account_secret: "" +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +ocmd: + prefix: ocm + expose_recipient_display_name: false +sciencemesh: + prefix: sciencemesh + science_mesh_directory_url: "" + directory_service_urls: "" + invite_accept_dialog: /open-cloud-mesh/accept-invite +ocm_invite_manager: + driver: json + drivers: + json: + file: /home/chaser/.opencloud/storage/ocm/ocminvites.json + token_expiration: 24h0m0s + timeout: 30s + insecure: false +ocm_provider_authorizer_driver: json +ocm_provider_authorizer_drivers: + json: + providers: /home/chaser/.opencloud/config/ocmproviders.json +ocm_share_provider: + driver: json + drivers: + json: + file: /home/chaser/.opencloud/storage/ocm/ocmshares.json + insecure: false + webapp_template: "" +ocm_core: + driver: json + drivers: + json: + file: /home/chaser/.opencloud/storage/ocm/ocmshares.json 
+ocm_storage_provider: + insecure: false + storage_root: /home/chaser/.opencloud/storage/ocm + data_server_url: http://localhost:9280/data diff --git a/static/env-vars/ocm_configvars.md b/static/env-vars/ocm_configvars.md index 1d65d444..93ada47c 100644 --- a/static/env-vars/ocm_configvars.md +++ b/static/env-vars/ocm_configvars.md @@ -1,56 +1,53 @@ Environment variables for the **ocm** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`OCM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`OCM_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`OCM_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`OCM_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`OCM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9281`| -|`OCM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`OCM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`OCM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OCM_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9280`| -|`OCM_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| -|`OCM_HTTP_PREFIX`| 1.0.0 |string|`The path prefix where OCM can be accessed (defaults to /).`|``| -|`OC_CORS_ALLOW_ORIGINS`
`OCM_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| -|`OC_CORS_ALLOW_METHODS`
`OCM_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| -|`OC_CORS_ALLOW_HEADERS`
`OCM_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`OCM_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| -|`OCM_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9282`| -|`OC_GRPC_PROTOCOL`
`OCM_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|``| -|`OC_SERVICE_ACCOUNT_ID`
`OCM_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`OCM_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| -|`OC_EVENTS_ENDPOINT`
`OCM_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`OCM_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`OCM_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCM_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided OCM_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`OCM_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`OCM_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`OCM_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_JWT_SECRET`
`OCM_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OCM_OCMD_PREFIX`| 1.0.0 |string|`URL path prefix for the OCMD service. Note that the string must not start with '/'.`|`ocm`| -|`OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME`| 1.0.0 |bool|`Expose the display name of OCM share recipients.`|`false`| -|`OCM_SCIENCEMESH_PREFIX`| 1.0.0 |string|`URL path prefix for the ScienceMesh service. Note that the string must not start with '/'.`|`sciencemesh`| -|`OCM_MESH_DIRECTORY_URL`| 1.0.0 |string|`URL of the mesh directory service.`|``| -|`OCM_DIRECTORY_SERVICE_URLS`| 3.5.0 |string|`Space delimited URLs of the directory services.`|``| -|`OCM_INVITE_ACCEPT_DIALOG`| 3.5.0 |string|`/open-cloud-mesh/accept-invite;The frontend URL where to land when receiving an invitation`|`/open-cloud-mesh/accept-invite`| -|`OCM_OCM_INVITE_MANAGER_DRIVER`| 1.0.0 |string|`Driver to be used to persist OCM invites. Supported value is only 'json'.`|`json`| -|`OCM_OCM_INVITE_MANAGER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM invite data will be stored. This file is maintained by the instance and must not be changed manually. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/ocm.`|`/var/lib/opencloud/storage/ocm/ocminvites.json`| -|`OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION`| 1.0.0 |Duration|`Expiry duration for invite tokens.`|`24h0m0s`| -|`OCM_OCM_INVITE_MANAGER_TIMEOUT`| 1.0.0 |Duration|`Timeout specifies a time limit for requests made to OCM endpoints.`|`30s`| -|`OCM_OCM_INVITE_MANAGER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. Do not set this in production environments.`|`false`| -|`SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER`| 1.0.0 |string|`Driver to be used to persist ocm invites. Supported value is only 'json'.`|`json`| -|`OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE`| 1.0.0 |string|`Path to the JSON file where ocm invite data will be stored. Defaults to $OC_CONFIG_DIR/ocmproviders.json.`|`/etc/opencloud/ocmproviders.json`| -|`OCM_OCM_SHARE_PROVIDER_DRIVER`| 1.0.0 |string|`Driver to be used for the OCM share provider. Supported value is only 'json'.`|`json`| -|`OCM_OCM_SHAREPROVIDER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/ocm/ocmshares.json`| -|`OCM_OCM_SHARE_PROVIDER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. Do not set this in production environments.`|`false`| -|`OCM_WEBAPP_TEMPLATE`| 1.0.0 |string|`Template for the webapp url.`|``| -|`OCM_OCM_CORE_DRIVER`| 1.0.0 |string|`Driver to be used for the OCM core. Supported value is only 'json'.`|`json`| -|`OCM_OCM_CORE_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/ocm/ocmshares.json`| -|`OCM_OCM_STORAGE_PROVIDER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. 
Do not set this in production environments.`|`false`| -|`OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT`| 1.0.0 |string|`Directory where the ocm storage provider persists its data like tus upload info files.`|`/var/lib/opencloud/storage/ocm`| -|`OCM_OCM_STORAGE_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.`|`http://localhost:9280/data`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`OCM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`OCM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9281| +|`OCM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`OCM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`OCM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OCM_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9280| +|`OCM_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|tcp| +|`OCM_HTTP_PREFIX`| 1.0.0 |string|`The path prefix where OCM can be accessed (defaults to /).`|| +|`OC_CORS_ALLOW_ORIGINS`
`OCM_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[https://localhost:9200]| +|`OC_CORS_ALLOW_METHODS`
`OCM_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]| +|`OC_CORS_ALLOW_HEADERS`
`OCM_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]| +|`OC_CORS_ALLOW_CREDENTIALS`
`OCM_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|false| +|`OCM_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9282| +|`OC_GRPC_PROTOCOL`
`OCM_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|| +|`OC_SERVICE_ACCOUNT_ID`
`OCM_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`OCM_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| +|`OC_EVENTS_ENDPOINT`
`OCM_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`OCM_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`OCM_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCM_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided OCM_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`OCM_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`OCM_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`OCM_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_JWT_SECRET`
`OCM_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OCM_OCMD_PREFIX`| 1.0.0 |string|`URL path prefix for the OCMD service. Note that the string must not start with '/'.`|ocm| +|`OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME`| 1.0.0 |bool|`Expose the display name of OCM share recipients.`|false| +|`OCM_SCIENCEMESH_PREFIX`| 1.0.0 |string|`URL path prefix for the ScienceMesh service. Note that the string must not start with '/'.`|sciencemesh| +|`OCM_MESH_DIRECTORY_URL`| 1.0.0 |string|`URL of the mesh directory service.`|| +|`OCM_DIRECTORY_SERVICE_URLS`| 3.5.0 |string|`Space delimited URLs of the directory services.`|| +|`OCM_INVITE_ACCEPT_DIALOG`| 3.5.0 |string|`/open-cloud-mesh/accept-invite;The frontend URL where to land when receiving an invitation`|/open-cloud-mesh/accept-invite| +|`OCM_OCM_INVITE_MANAGER_DRIVER`| 1.0.0 |string|`Driver to be used to persist OCM invites. Supported value is only 'json'.`|json| +|`OCM_OCM_INVITE_MANAGER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM invite data will be stored. This file is maintained by the instance and must not be changed manually. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/ocm.`|/home/chaser/.opencloud/storage/ocm/ocminvites.json| +|`OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION`| 1.0.0 |Duration|`Expiry duration for invite tokens.`|24h0m0s| +|`OCM_OCM_INVITE_MANAGER_TIMEOUT`| 1.0.0 |Duration|`Timeout specifies a time limit for requests made to OCM endpoints.`|30s| +|`OCM_OCM_INVITE_MANAGER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. Do not set this in production environments.`|false| +|`SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER`| 1.0.0 |string|`Driver to be used to persist ocm invites. Supported value is only 'json'.`|json| +|`OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE`| 1.0.0 |string|`Path to the JSON file where ocm invite data will be stored. Defaults to $OC_CONFIG_DIR/ocmproviders.json.`|/home/chaser/.opencloud/config/ocmproviders.json| +|`OCM_OCM_SHARE_PROVIDER_DRIVER`| 1.0.0 |string|`Driver to be used for the OCM share provider. Supported value is only 'json'.`|json| +|`OCM_OCM_SHAREPROVIDER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|/home/chaser/.opencloud/storage/ocm/ocmshares.json| +|`OCM_OCM_SHARE_PROVIDER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. Do not set this in production environments.`|false| +|`OCM_WEBAPP_TEMPLATE`| 1.0.0 |string|`Template for the webapp url.`|| +|`OCM_OCM_CORE_DRIVER`| 1.0.0 |string|`Driver to be used for the OCM core. Supported value is only 'json'.`|json| +|`OCM_OCM_CORE_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|/home/chaser/.opencloud/storage/ocm/ocmshares.json| +|`OCM_OCM_STORAGE_PROVIDER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. 
Do not set this in production environments.`|false| +|`OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT`| 1.0.0 |string|`Directory where the ocm storage provider persists its data like tus upload info files.`|/home/chaser/.opencloud/storage/ocm| +|`OCM_OCM_STORAGE_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.`|http://localhost:9280/data| diff --git a/static/env-vars/ocm_readme.md b/static/env-vars/ocm_readme.md index 4910053b..d0f27331 100644 --- a/static/env-vars/ocm_readme.md +++ b/static/env-vars/ocm_readme.md @@ -1,6 +1,6 @@ --- title: OCM -date: 2025-11-27T22:56:02.333689+01:00 +date: 2026-01-13T10:10:18.222775277+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/ocm diff --git a/static/env-vars/ocs-config-example.yaml b/static/env-vars/ocs-config-example.yaml new file mode 100644 index 00000000..2e63bd33 --- /dev/null +++ b/static/env-vars/ocs-config-example.yaml @@ -0,0 +1,45 @@ +# Autogenerated +# Filename: ocs-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9114 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9110 + root: /ocs + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Cache-Control + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +grpc_client_tls: null +signing_keys: + store: nats-js-kv + addresses: + - 127.0.0.1:9233 + ttl: 12h0m0s + username: "" + password: "" +token_manager: + jwt_secret: "" diff --git a/static/env-vars/ocs_configvars.md b/static/env-vars/ocs_configvars.md index acd077d8..51d5c3cb 100644 --- a/static/env-vars/ocs_configvars.md +++ b/static/env-vars/ocs_configvars.md 
@@ -1,27 +1,24 @@ Environment variables for the **ocs** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`OCS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`OCS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`OCS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`OCS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`OCS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9114`| -|`OCS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`OCS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`OCS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OCS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9110`| -|`OCS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/ocs`| -|`OC_CORS_ALLOW_ORIGINS`
`OCS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| -|`OC_CORS_ALLOW_METHODS`
`OCS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| -|`OC_CORS_ALLOW_HEADERS`
`OCS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`OCS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`OC_CACHE_STORE`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|`The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details.`|`nats-js-kv`| -|`OC_CACHE_STORE_NODES`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_TTL`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|`12h0m0s`| -|`OC_CACHE_AUTH_USERNAME`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_JWT_SECRET`
`OCS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`OCS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`OCS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9114| +|`OCS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`OCS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`OCS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OCS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9110| +|`OCS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/ocs| +|`OC_CORS_ALLOW_ORIGINS`
`OCS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[*]| +|`OC_CORS_ALLOW_METHODS`
`OCS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[GET POST PUT PATCH DELETE OPTIONS]| +|`OC_CORS_ALLOW_HEADERS`
`OCS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]| +|`OC_CORS_ALLOW_CREDENTIALS`
`OCS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|true| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`OC_CACHE_STORE`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|`The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details.`|nats-js-kv| +|`OC_CACHE_STORE_NODES`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_TTL`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|12h0m0s| +|`OC_CACHE_AUTH_USERNAME`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_JWT_SECRET`
`OCS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| diff --git a/static/env-vars/ocs_readme.md b/static/env-vars/ocs_readme.md index fdb66cea..ce74f69e 100644 --- a/static/env-vars/ocs_readme.md +++ b/static/env-vars/ocs_readme.md @@ -1,6 +1,6 @@ --- title: OCS Service -date: 2025-11-27T22:56:02.333791+01:00 +date: 2026-01-13T10:10:18.222836282+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/ocs diff --git a/static/env-vars/policies-config-example.yaml b/static/env-vars/policies-config-example.yaml new file mode 100644 index 00000000..e01fa0b5 --- /dev/null +++ b/static/env-vars/policies-config-example.yaml @@ -0,0 +1,27 @@ +# Autogenerated +# Filename: policies-config-example.yaml + +grpc: + addr: 127.0.0.1:9125 + tls: null +debug: + addr: 127.0.0.1:9129 + token: "" + pprof: false + zpages: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +grpc_client_tls: null +loglevel: error +engine: + timeout: 10s + policies: [] + mimes: "" +postprocessing: + query: "" diff --git a/static/env-vars/policies_configvars.md b/static/env-vars/policies_configvars.md index f0cdb8a3..86583d38 100644 --- a/static/env-vars/policies_configvars.md +++ b/static/env-vars/policies_configvars.md 
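Review bot: the regenerated ocs table keeps `OC_CORS_ALLOW_CREDENTIALS`/`OCS_CORS_ALLOW_CREDENTIALS` at `true` next to `OC_CORS_ALLOW_ORIGINS`/`OCS_CORS_ALLOW_ORIGINS` at `[*]`, and the two descriptions do not mention each other. Browsers reject `Access-Control-Allow-Credentials: true` combined with a literal `*` origin, and a middleware that instead reflects the request origin when `*` is configured would be handing credentialed cross-origin access to any site, so the credentials row should say that a concrete origin list is expected once credentials are allowed. Two typos survive into the `+` lines and could be fixed while the table is being regenerated: 'certifcate' in the `OC_HTTP_TLS_ENABLED` description and the missing space in 'CORS.See' in the `OC_CORS_ALLOW_CREDENTIALS` description. Dropping the backticks from the Default Value column also turns an intentionally empty default (`` `` ``) into an empty cell (`||`), which is indistinguishable from a missing value; keeping the code formatting or rendering an explicit marker for empty defaults would preserve that distinction.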
@@ -1,23 +1,20 @@ Environment variables for the **policies** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`POLICIES_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9125`| -|`POLICIES_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9129`| -|`POLICIES_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`POLICIES_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`POLICIES_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OC_EVENTS_ENDPOINT`
`POLICIES_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`POLICIES_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`POLICIES_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the server should skip the client certificate verification during the TLS handshake.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided POLICIES_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`POLICIES_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`POLICIES_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`POLICIES_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_LOG_LEVEL`
`POLICIES_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`POLICIES_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`POLICIES_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`POLICIES_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`POLICIES_ENGINE_TIMEOUT`| 1.0.0 |Duration|`Sets the timeout the rego expression evaluation can take. Rules default to deny if the timeout was reached. See the Environment Variable Types description for more details.`|`10s`| -|`POLICIES_ENGINE_MIMES`| 1.0.0 |string|`Sets the mimes file path which maps mimetypes to associated file extensions. See the text description for details.`|``| -|`POLICIES_POSTPROCESSING_QUERY`| 1.0.0 |string|`Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Defaults to deny if the variable was not found.`|``| +|---|---|---|---|---| +|`POLICIES_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9125| +|`POLICIES_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9129| +|`POLICIES_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`POLICIES_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`POLICIES_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OC_EVENTS_ENDPOINT`
`POLICIES_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`POLICIES_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`POLICIES_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the server should skip the client certificate verification during the TLS handshake.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided POLICIES_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`POLICIES_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`POLICIES_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`POLICIES_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_LOG_LEVEL`
`POLICIES_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`POLICIES_ENGINE_TIMEOUT`| 1.0.0 |Duration|`Sets the timeout the rego expression evaluation can take. Rules default to deny if the timeout was reached. See the Environment Variable Types description for more details.`|10s| +|`POLICIES_ENGINE_MIMES`| 1.0.0 |string|`Sets the mimes file path which maps mimetypes to associated file extensions. See the text description for details.`|| +|`POLICIES_POSTPROCESSING_QUERY`| 1.0.0 |string|`Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Defaults to deny if the variable was not found.`|| diff --git a/static/env-vars/policies_readme.md b/static/env-vars/policies_readme.md index 6b35fd49..f58de56a 100644 --- a/static/env-vars/policies_readme.md +++ b/static/env-vars/policies_readme.md @@ -1,6 +1,6 @@ --- title: Policies -date: 2025-11-27T22:56:02.33387+01:00 +date: 2026-01-13T10:10:18.223157206+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/policies @@ -193,5 +193,5 @@ A good example of how such a file should be formatted can be found in the [Apach ## Example Policies -The policies service contains a set of preconfigured example policies. See the [deployment examples](https://github.com/opencloud-eu/opencloud/tree/main/deployments/examples) directory for details. The contained policies disallow OpenCloud to create certain file types, both via the proxy middleware and the events service via postprocessing. +The policies service contains a set of preconfigured example policies. See the [devtools policie](https://github.com/opencloud-eu/opencloud/tree/main/devtools/deployments/service_policies/policies/) directory for details. The contained policies disallow OpenCloud to create certain file types, both via the proxy middleware and the events service via postprocessing. 
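Review bot: the hunk removes the `OC_LOG_PRETTY`/`POLICIES_LOG_PRETTY`, `OC_LOG_COLOR`/`POLICIES_LOG_COLOR` and `OC_LOG_FILE`/`POLICIES_LOG_FILE` rows (exactly the three lines the `-1,23 +1,20` header accounts for) without any accompanying note; if the service still honours these variables they are now undocumented, and if they were dropped the readme should record that so operators who set `OC_LOG_FILE` know logging to a file no longer applies here. In the `OC_INSECURE` / `OC_EVENTS_TLS_INSECURE` / `POLICIES_EVENTS_TLS_INSECURE` row the description 'Whether the server should skip the client certificate verification during the TLS handshake' names the wrong side: the policies service is the TLS client of the events broker, so what is skipped is verification of the broker's server certificate, which is also how the neighbouring `POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE` row reads ('used to validate the server's TLS certificate'). Suggest 'Whether the service should skip verification of the events broker's server certificate during the TLS handshake.' Since the newly listed `OC_EVENTS_TLS_INSECURE` alias sits beside the global `OC_INSECURE`, the row should also state that `OC_INSECURE` switches verification off for every service, not only this one.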
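Review bot: the link text '[devtools policie]' in the Example Policies paragraph of policies_readme.md is missing its final letter ('devtools policies'), and because the old `deployments/examples` target is removed in the same line, the new `devtools/deployments/service_policies/policies/` path should be confirmed to exist on the `main` branch before merging, otherwise the only pointer to the preconfigured example policies goes dead.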
diff --git a/static/env-vars/postprocessing-config-example.yaml b/static/env-vars/postprocessing-config-example.yaml new file mode 100644 index 00000000..44db5a74 --- /dev/null +++ b/static/env-vars/postprocessing-config-example.yaml @@ -0,0 +1,34 @@ +# Autogenerated +# Filename: postprocessing-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9255 + token: "" + pprof: false + zpages: false +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: postprocessing + table: "" + ttl: 0s + username: "" + password: "" +postprocessing: + events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" + max_ack_pending: 10000 + ack_wait: 1m0s + workers: 3 + steps: [] + delayprocessing: 0s + retry_backoff_duration: 5s + max_retries: 14 diff --git a/static/env-vars/postprocessing_configvars.md b/static/env-vars/postprocessing_configvars.md index aa6a1077..d5d03f7a 100644 --- a/static/env-vars/postprocessing_configvars.md +++ b/static/env-vars/postprocessing_configvars.md @@ -1,33 +1,30 @@ Environment variables for the **postprocessing** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`POSTPROCESSING_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`POSTPROCESSING_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`POSTPROCESSING_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`POSTPROCESSING_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`POSTPROCESSING_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9255`| -|`POSTPROCESSING_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`POSTPROCESSING_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`POSTPROCESSING_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`OC_PERSISTENT_STORE`
`POSTPROCESSING_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`nats-js-kv`| -|`OC_PERSISTENT_STORE_NODES`
`POSTPROCESSING_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`POSTPROCESSING_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`postprocessing`| -|`POSTPROCESSING_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| -|`OC_PERSISTENT_STORE_TTL`
`POSTPROCESSING_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`0s`| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`POSTPROCESSING_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`POSTPROCESSING_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_EVENTS_ENDPOINT`
`POSTPROCESSING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`POSTPROCESSING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`POSTPROCESSING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the OpenCloud server should skip the client certificate verification during the TLS handshake.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`POSTPROCESSING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`POSTPROCESSING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`POSTPROCESSING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`SEARCH_EVENTS_MAX_ACK_PENDING`| 4.0.0 |int|`The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time.`|`10000`| -|`SEARCH_EVENTS_ACK_WAIT`| 4.0.0 |Duration|`The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes.`|`1m0s`| -|`POSTPROCESSING_WORKERS`| 1.0.0 |int|`The number of concurrent go routines that fetch events from the event queue.`|`3`| -|`POSTPROCESSING_STEPS`| 1.0.0 |[]string|`A list of postprocessing steps processed in order of their appearance. Currently supported values by the system are: 'virusscan', 'policies' and 'delay'. Custom steps are allowed. See the documentation for instructions. See the Environment Variable Types description for more details.`|`[]`| -|`POSTPROCESSING_DELAY`| 1.0.0 |Duration|`After uploading a file but before making it available for download, a delay step can be added. Intended for developing purposes only. If a duration is set but the keyword 'delay' is not explicitely added to 'POSTPROCESSING_STEPS', the delay step will be processed as last step. In such a case, a log entry will be written on service startup to remind the admin about that situation. See the Environment Variable Types description for more details.`|`0s`| -|`POSTPROCESSING_RETRY_BACKOFF_DURATION`| 1.0.0 |Duration|`The base for the exponential backoff duration before retrying a failed postprocessing step. See the Environment Variable Types description for more details.`|`5s`| -|`POSTPROCESSING_MAX_RETRIES`| 1.0.0 |int|`The maximum number of retries for a failed postprocessing step.`|`14`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`POSTPROCESSING_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`POSTPROCESSING_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9255| +|`POSTPROCESSING_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`POSTPROCESSING_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`POSTPROCESSING_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`OC_PERSISTENT_STORE`
`POSTPROCESSING_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|nats-js-kv| +|`OC_PERSISTENT_STORE_NODES`
`POSTPROCESSING_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`POSTPROCESSING_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|postprocessing| +|`POSTPROCESSING_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|| +|`OC_PERSISTENT_STORE_TTL`
`POSTPROCESSING_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|0s| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`POSTPROCESSING_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`POSTPROCESSING_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_EVENTS_ENDPOINT`
`POSTPROCESSING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`POSTPROCESSING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`POSTPROCESSING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the OpenCloud server should skip the client certificate verification during the TLS handshake.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`POSTPROCESSING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`POSTPROCESSING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`POSTPROCESSING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`SEARCH_EVENTS_MAX_ACK_PENDING`| 4.0.0 |int|`The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time.`|10000| +|`SEARCH_EVENTS_ACK_WAIT`| 4.0.0 |Duration|`The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes.`|1m0s| +|`POSTPROCESSING_WORKERS`| 1.0.0 |int|`The number of concurrent go routines that fetch events from the event queue.`|3| +|`POSTPROCESSING_STEPS`| 1.0.0 |[]string|`A list of postprocessing steps processed in order of their appearance. Currently supported values by the system are: 'virusscan', 'policies' and 'delay'. Custom steps are allowed. See the documentation for instructions. See the Environment Variable Types description for more details.`|[]| +|`POSTPROCESSING_DELAY`| 1.0.0 |Duration|`After uploading a file but before making it available for download, a delay step can be added. Intended for developing purposes only. If a duration is set but the keyword 'delay' is not explicitely added to 'POSTPROCESSING_STEPS', the delay step will be processed as last step. In such a case, a log entry will be written on service startup to remind the admin about that situation. See the Environment Variable Types description for more details.`|0s| +|`POSTPROCESSING_RETRY_BACKOFF_DURATION`| 1.0.0 |Duration|`The base for the exponential backoff duration before retrying a failed postprocessing step. See the Environment Variable Types description for more details.`|5s| +|`POSTPROCESSING_MAX_RETRIES`| 1.0.0 |int|`The maximum number of retries for a failed postprocessing step.`|14| 
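Review bot: the `SEARCH_EVENTS_MAX_ACK_PENDING` and `SEARCH_EVENTS_ACK_WAIT` rows (introduction version 4.0.0) are re-emitted unchanged in the postprocessing table under a `SEARCH_` prefix. If the postprocessing service really reads variables named `SEARCH_*`, one knob tunes two services and the search service's value silently changes postprocessing redelivery behaviour; if the generator picked up a struct tag copied from the search service, the names should read `POSTPROCESSING_EVENTS_MAX_ACK_PENDING` and `POSTPROCESSING_EVENTS_ACK_WAIT`, matching the `postprocessing.events.max_ack_pending` and `ack_wait` keys in the autogenerated postprocessing-config-example.yaml earlier in this patch. Either way these two rows deserve a check against the service's config struct before the regenerated table is merged. As in the policies table, the hunk also drops the `OC_LOG_PRETTY`, `OC_LOG_COLOR` and `OC_LOG_FILE` rows without a note, and the `OC_INSECURE` / `OC_EVENTS_TLS_INSECURE` / `POSTPROCESSING_EVENTS_TLS_INSECURE` description again says 'skip the client certificate verification' although this service is the TLS client verifying the broker's server certificate. The typo 'explicitely' in the `POSTPROCESSING_DELAY` description is carried over as well.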
diff --git a/static/env-vars/postprocessing_readme.md b/static/env-vars/postprocessing_readme.md index 79e58d02..f62009fc 100644 --- a/static/env-vars/postprocessing_readme.md +++ b/static/env-vars/postprocessing_readme.md @@ -1,6 +1,6 @@ --- title: Postprocessing -date: 2025-11-27T22:56:02.333978+01:00 +date: 2026-01-13T10:10:18.223339839+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/postprocessing diff --git a/static/env-vars/proxy-config-example.yaml b/static/env-vars/proxy-config-example.yaml new file mode 100644 index 00000000..d377efdb --- /dev/null +++ b/static/env-vars/proxy-config-example.yaml 
@@ -0,0 +1,240 @@ +# Autogenerated +# Filename: proxy-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9205 + token: "" + pprof: false + zpages: false +http: + addr: 0.0.0.0:9200 + root: / + tls_cert: /home/chaser/.opencloud/proxy/server.crt + tls_key: /home/chaser/.opencloud/proxy/server.key + tls: true +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +grpc_client_tls: null +role_quotas: {} +policies: +- name: default + routes: + - endpoint: / + service: eu.opencloud.web.web + unprotected: true + skip_x_access_token: false + - endpoint: /.well-known/ocm + service: eu.opencloud.web.ocm + unprotected: true + skip_x_access_token: false + - endpoint: /.well-known/webfinger + service: eu.opencloud.web.webfinger + unprotected: true + skip_x_access_token: false + - endpoint: /.well-known/openid-configuration + service: eu.opencloud.web.idp + unprotected: true + skip_x_access_token: false + - endpoint: /branding/logo + service: eu.opencloud.web.web + skip_x_access_token: false + - endpoint: /konnect/ + service: eu.opencloud.web.idp + unprotected: true + skip_x_access_token: false + - endpoint: /signin/ + service: eu.opencloud.web.idp + unprotected: true + skip_x_access_token: false + - endpoint: /archiver + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications/sse + service: eu.opencloud.sse.sse + skip_x_access_token: false + - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications + service: eu.opencloud.web.userlog + skip_x_access_token: false + - type: regex + endpoint: /ocs/v[12].php/cloud/user/signing-key + service: eu.opencloud.web.ocs + skip_x_access_token: false + - type: regex + endpoint: /ocs/v[12].php/config + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /sciencemesh/federations + service: eu.opencloud.web.ocm + unprotected: true + skip_x_access_token: false + - endpoint: 
/sciencemesh/discover + service: eu.opencloud.web.ocm + unprotected: true + skip_x_access_token: false + - endpoint: /sciencemesh/ + service: eu.opencloud.web.ocm + skip_x_access_token: false + - endpoint: /ocm/ + service: eu.opencloud.web.ocm + skip_x_access_token: false + - endpoint: /ocs/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - type: query + endpoint: /remote.php/?preview=1 + service: eu.opencloud.web.webdav + skip_x_access_token: false + - type: regex + method: REPORT + endpoint: (/remote.php)?/(web)?dav + service: eu.opencloud.web.webdav + skip_x_access_token: false + - type: query + endpoint: /dav/?preview=1 + service: eu.opencloud.web.webdav + skip_x_access_token: false + - type: query + endpoint: /webdav/?preview=1 + service: eu.opencloud.web.webdav + skip_x_access_token: false + - endpoint: /remote.php/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /dav/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /webdav/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /status + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /status.php + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /index.php/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /apps/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /data + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /app/list + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /app/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /graph/v1beta1/extensions/org.libregraph/activities + service: eu.opencloud.web.activitylog + skip_x_access_token: false + - endpoint: /graph/v1.0/invitations + service: 
eu.opencloud.web.invitations + skip_x_access_token: false + - endpoint: /graph/ + service: eu.opencloud.web.graph + skip_x_access_token: false + - endpoint: /api/v0/settings + service: eu.opencloud.web.settings + skip_x_access_token: false + - endpoint: /auth-app/tokens + service: eu.opencloud.web.auth-app + skip_x_access_token: false + - endpoint: /wopi + service: eu.opencloud.web.collaboration + unprotected: true + skip_x_access_token: true +additional_policies: [] +oidc: + issuer: https://localhost:9200 + insecure: false + access_token_verify_method: jwt + skip_user_info: false + user_info_cache: + store: memory + addresses: + - 127.0.0.1:9233 + database: cache-userinfo + table: "" + ttl: 10s + disable_persistence: false + username: "" + password: "" + jwks: + refresh_interval: 60 + refresh_timeout: 10 + refresh_limit: 60 + refresh_unknown_kid: true + rewrite_well_known: false +service_account: + service_account_id: "" + service_account_secret: "" +role_assignment: + driver: default + oidc_role_mapper: + role_claim: roles + role_mapping: + - role_name: admin + claim_value: opencloudAdmin + - role_name: spaceadmin + claim_value: opencloudSpaceAdmin + - role_name: user + claim_value: opencloudUser + - role_name: user-light + claim_value: opencloudGuest +policy_selector: + static: + policy: default + claims: null + regex: null +pre_signed_url: + allowed_http_methods: + - GET + enabled: true + signing_keys: + store: nats-js-kv + addresses: + - 127.0.0.1:9233 + ttl: 12h0m0s + disable_persistence: true + username: "" + password: "" +account_backend: cs3 +user_oidc_claim: preferred_username +user_cs3_claim: username +machine_auth_api_key: "" +auto_provision_accounts: false +auto_provision_claims: + username: preferred_username + email: email + display_name: name + groups: groups +enable_basic_auth: false +insecure_backends: false +backend_https_cacert: "" +auth_middleware: + credentials_by_user_agent: {} + allow_app_auth: true +policies_middleware: + query: "" 
+csp_config_file_location: "" +csp_config_file_override_location: "" +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" diff --git a/static/env-vars/proxy_configvars.md b/static/env-vars/proxy_configvars.md index f55923ef..93077e6d 100644 --- a/static/env-vars/proxy_configvars.md +++ b/static/env-vars/proxy_configvars.md @@ -1,71 +1,68 @@ Environment variables for the **proxy** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`PROXY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`PROXY_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`PROXY_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`PROXY_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`PROXY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9205`| -|`PROXY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`PROXY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`PROXY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`PROXY_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`0.0.0.0:9200`| -|`PROXY_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`PROXY_TRANSPORT_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.`|`/var/lib/opencloud/proxy/server.crt`| -|`PROXY_TRANSPORT_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.`|`/var/lib/opencloud/proxy/server.key`| -|`PROXY_TLS`| 1.0.0 |bool|`Enable/Disable HTTPS for external HTTP services. Must be set to 'true' if the built-in IDP service an no reverse proxy is used. See the text description for details.`|`true`| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OC_URL`
`OC_OIDC_ISSUER`
`PROXY_OIDC_ISSUER`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|`https://localhost:9200`| -|`OC_INSECURE`
`PROXY_OIDC_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments.`|`false`| -|`PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD`| 1.0.0 |string|`Sets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation apart from using it for accessing the IDP's userinfo endpoint will be done. When using 'jwt', it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP's 'jwks_uri'.`|`jwt`| -|`PROXY_OIDC_SKIP_USER_INFO`| 1.0.0 |bool|`Do not look up user claims at the userinfo endpoint and directly read them from the access token. Incompatible with 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none'.`|`false`| -|`OC_CACHE_STORE`
`PROXY_OIDC_USERINFO_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| -|`OC_CACHE_STORE_NODES`
`PROXY_OIDC_USERINFO_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-userinfo`| -|`PROXY_OIDC_USERINFO_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| -|`OC_CACHE_TTL`
`PROXY_OIDC_USERINFO_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`10s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| -|`OC_CACHE_AUTH_USERNAME`
`PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| -|`PROXY_OIDC_JWKS_REFRESH_INTERVAL`| 1.0.0 |uint64|`The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP.`|`60`| -|`PROXY_OIDC_JWKS_REFRESH_TIMEOUT`| 1.0.0 |uint64|`The timeout in seconds for an outgoing JWKS request.`|`10`| -|`PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT`| 1.0.0 |uint64|`Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud.`|`60`| -|`PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID`| 1.0.0 |bool|`If set to 'true', the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this.`|`true`| -|`PROXY_OIDC_REWRITE_WELLKNOWN`| 1.0.0 |bool|`Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider.`|`false`| -|`OC_SERVICE_ACCOUNT_ID`
`PROXY_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`PROXY_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| -|`PROXY_ROLE_ASSIGNMENT_DRIVER`| 1.0.0 |string|`The mechanism that should be used to assign roles to user upon login. Supported values: 'default' or 'oidc'. 'default' will assign the role 'user' to users which don't have a role assigned at the time they login. 'oidc' will assign the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) from the users OIDC claims.`|`default`| -|`PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`| 1.0.0 |string|`The OIDC claim used to create the users role assignment.`|`roles`| -|`PROXY_ENABLE_PRESIGNEDURLS`| 1.0.0 |bool|`Allow OCS to get a signing key to sign requests.`|`true`| -|`OC_CACHE_STORE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|`The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details.`|`nats-js-kv`| -|`OC_CACHE_STORE_NODES`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_TTL`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|`12h0m0s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true.`|`true`| -|`OC_CACHE_AUTH_USERNAME`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`PROXY_ACCOUNT_BACKEND_TYPE`| 1.0.0 |string|`Account backend the PROXY service should use. Currently only 'cs3' is possible here.`|`cs3`| -|`PROXY_USER_OIDC_CLAIM`| 1.0.0 |string|`The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim.`|`preferred_username`| -|`PROXY_USER_CS3_CLAIM`| 1.0.0 |string|`The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'.`|`username`| -|`OC_MACHINE_AUTH_API_KEY`
`PROXY_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary to access resources from other services.`|``| -|`PROXY_AUTOPROVISION_ACCOUNTS`| 1.0.0 |bool|`Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running.`|`false`| -|`PROXY_AUTOPROVISION_CLAIM_USERNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the username.`|`preferred_username`| -|`PROXY_AUTOPROVISION_CLAIM_EMAIL`| 1.0.0 |string|`The name of the OIDC claim that holds the email.`|`email`| -|`PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the display name.`|`name`| -|`PROXY_AUTOPROVISION_CLAIM_GROUPS`| 1.0.0 |string|`The name of the OIDC claim that holds the groups.`|`groups`| -|`PROXY_ENABLE_BASIC_AUTH`| 1.0.0 |bool|`Set this to true to enable 'basic authentication' (username/password).`|`false`| -|`PROXY_INSECURE_BACKENDS`| 1.0.0 |bool|`Disable TLS certificate validation for all HTTP backend connections.`|`false`| -|`PROXY_HTTPS_CACERT`| 1.0.0 |string|`Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services.`|``| -|`PROXY_ENABLE_APP_AUTH`| 1.0.0 |bool|`Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work.`|`true`| -|`PROXY_POLICIES_QUERY`| 1.0.0 |string|`Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Rules default to deny if the variable was not found.`|``| -|`PROXY_CSP_CONFIG_FILE_LOCATION`| 1.0.0 |string|`The location of the CSP configuration file.`|``| -|`PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION`| 4.0.0 |string|`The location of the CSP configuration file override.`|``| -|`OC_EVENTS_ENDPOINT`
`PROXY_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`PROXY_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`opencloud-cluster`| -|`OC_INSECURE`
`PROXY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`PROXY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`PROXY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`PROXY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`PROXY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`PROXY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9205| +|`PROXY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`PROXY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`PROXY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`PROXY_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|0.0.0.0:9200| +|`PROXY_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`PROXY_TRANSPORT_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.`|/home/chaser/.opencloud/proxy/server.crt| +|`PROXY_TRANSPORT_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.`|/home/chaser/.opencloud/proxy/server.key| +|`PROXY_TLS`| 1.0.0 |bool|`Enable/Disable HTTPS for external HTTP services. Must be set to 'true' if the built-in IDP service and no reverse proxy is used. See the text description for details.`|true| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OC_URL`
`OC_OIDC_ISSUER`
`PROXY_OIDC_ISSUER`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|https://localhost:9200| +|`OC_INSECURE`
`PROXY_OIDC_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments.`|false| +|`PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD`| 1.0.0 |string|`Sets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation apart from using it for accessing the IDP's userinfo endpoint will be done. When using 'jwt', it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP's 'jwks_uri'.`|jwt| +|`PROXY_OIDC_SKIP_USER_INFO`| 1.0.0 |bool|`Do not look up user claims at the userinfo endpoint and directly read them from the access token. Incompatible with 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none'.`|false| +|`OC_CACHE_STORE`
`PROXY_OIDC_USERINFO_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|memory| +|`OC_CACHE_STORE_NODES`
`PROXY_OIDC_USERINFO_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|cache-userinfo| +|`PROXY_OIDC_USERINFO_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|| +|`OC_CACHE_TTL`
`PROXY_OIDC_USERINFO_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|10s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|false| +|`OC_CACHE_AUTH_USERNAME`
`PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|| +|`PROXY_OIDC_JWKS_REFRESH_INTERVAL`| 1.0.0 |uint64|`The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP.`|60| +|`PROXY_OIDC_JWKS_REFRESH_TIMEOUT`| 1.0.0 |uint64|`The timeout in seconds for an outgoing JWKS request.`|10| +|`PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT`| 1.0.0 |uint64|`Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud.`|60| +|`PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID`| 1.0.0 |bool|`If set to 'true', the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this.`|true| +|`PROXY_OIDC_REWRITE_WELLKNOWN`| 1.0.0 |bool|`Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider.`|false| +|`OC_SERVICE_ACCOUNT_ID`
`PROXY_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`PROXY_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| +|`PROXY_ROLE_ASSIGNMENT_DRIVER`| 1.0.0 |string|`The mechanism that should be used to assign roles to user upon login. Supported values: 'default' or 'oidc'. 'default' will assign the role 'user' to users which don't have a role assigned at the time they login. 'oidc' will assign the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) from the users OIDC claims.`|default| +|`PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`| 1.0.0 |string|`The OIDC claim used to create the users role assignment.`|roles| +|`PROXY_ENABLE_PRESIGNEDURLS`| 1.0.0 |bool|`Allow OCS to get a signing key to sign requests.`|true| +|`OC_CACHE_STORE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|`The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details.`|nats-js-kv| +|`OC_CACHE_STORE_NODES`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_TTL`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|12h0m0s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true.`|true| +|`OC_CACHE_AUTH_USERNAME`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`PROXY_ACCOUNT_BACKEND_TYPE`| 1.0.0 |string|`Account backend the PROXY service should use. Currently only 'cs3' is possible here.`|cs3| +|`PROXY_USER_OIDC_CLAIM`| 1.0.0 |string|`The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim.`|preferred_username| +|`PROXY_USER_CS3_CLAIM`| 1.0.0 |string|`The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'.`|username| +|`OC_MACHINE_AUTH_API_KEY`
`PROXY_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary to access resources from other services.`|| +|`PROXY_AUTOPROVISION_ACCOUNTS`| 1.0.0 |bool|`Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running.`|false| +|`PROXY_AUTOPROVISION_CLAIM_USERNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the username.`|preferred_username| +|`PROXY_AUTOPROVISION_CLAIM_EMAIL`| 1.0.0 |string|`The name of the OIDC claim that holds the email.`|email| +|`PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the display name.`|name| +|`PROXY_AUTOPROVISION_CLAIM_GROUPS`| 1.0.0 |string|`The name of the OIDC claim that holds the groups.`|groups| +|`PROXY_ENABLE_BASIC_AUTH`| 1.0.0 |bool|`Set this to true to enable 'basic authentication' (username/password).`|false| +|`PROXY_INSECURE_BACKENDS`| 1.0.0 |bool|`Disable TLS certificate validation for all HTTP backend connections.`|false| +|`PROXY_HTTPS_CACERT`| 1.0.0 |string|`Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services.`|| +|`PROXY_ENABLE_APP_AUTH`| 1.0.0 |bool|`Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work.`|true| +|`PROXY_POLICIES_QUERY`| 1.0.0 |string|`Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Rules default to deny if the variable was not found.`|| +|`PROXY_CSP_CONFIG_FILE_LOCATION`| 1.0.0 |string|`The location of the CSP configuration file.`|| +|`PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION`| 4.0.0 |string|`The location of the CSP configuration file override.`|| +|`OC_EVENTS_ENDPOINT`
`PROXY_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`PROXY_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`PROXY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`PROXY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`PROXY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`PROXY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| diff --git a/static/env-vars/proxy_readme.md b/static/env-vars/proxy_readme.md index 0c1101b0..d7718906 100644 --- a/static/env-vars/proxy_readme.md +++ b/static/env-vars/proxy_readme.md @@ -1,6 +1,6 @@ --- title: Proxy -date: 2025-11-27T22:56:02.334185+01:00 +date: 2026-01-13T10:10:18.223518235+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/proxy @@ -65,7 +65,7 @@ policies: - endpoint: / service: eu.opencloud.web.web - endpoint: /dav/ - service: eu.opencloud.web.ocdav + service: eu.opencloud.web.frontend ``` For adding _additional_ routes to the default routes use: diff --git a/static/env-vars/search-config-example.yaml b/static/env-vars/search-config-example.yaml new file mode 100644 index 00000000..d18c52da --- /dev/null +++ b/static/env-vars/search-config-example.yaml 
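Review bot: in the `policies` block of proxy-config-example.yaml, `- endpoint: /wopi` is the only default route that combines `unprotected: true` with `skip_x_access_token: true`, and the autogenerated file gives no hint why both flags are acceptable there, so anyone using this example as a template for `additional_policies` has no cue that the pairing is the exception rather than the norm. Suggest a short comment on that route (for instance that the collaboration backend validates its own WOPI access token, if that is the reason) or a sentence in proxy_readme.md, and likewise a remark on the other `unprotected: true` routes (`/status`, `/status.php`, `/data`, `/app/list`, `/sciencemesh/discover`) stating that these are intentionally anonymous.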
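Review bot: the regenerated defaults for `PROXY_TRANSPORT_TLS_CERT` and `PROXY_TRANSPORT_TLS_KEY` in proxy_configvars.md now read `/home/chaser/.opencloud/proxy/server.crt` and `/home/chaser/.opencloud/proxy/server.key`, replacing `/var/lib/opencloud/proxy/server.crt` and `.key`: the generator expanded `$OC_BASE_DATA_PATH` on a developer workstation, and a personal home-directory path has leaked into the published documentation (the same path appears as `data_path: /home/chaser/.opencloud/search` in search-config-example.yaml). Regenerate with the packaging base path, or better, make the generator emit the unexpanded `$OC_BASE_DATA_PATH/proxy/server.crt` so the output is machine-independent. Two smaller points in the same hunk: the rows for `OC_LOG_PRETTY`/`PROXY_LOG_PRETTY`, `OC_LOG_COLOR`/`PROXY_LOG_COLOR` and `OC_LOG_FILE`/`PROXY_LOG_FILE` are removed without replacement, which should be confirmed as intentional (if the variables still exist, their documentation is silently lost); and the description of `PROXY_EVENTS_TLS_INSECURE`, `Whether to verify the server TLS certificates.` with default `false`, reads as the inverse of what the variable name says, so `Disable verification of the server TLS certificates.` would be clearer. While the source strings are being touched: `PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID` tells the reader to set `'refresh_limit'`, which is the YAML key, whereas this table documents the variable `PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT`; and `setup an running`, `Set to a empty string` and `the users role assignment` are typos worth fixing where the strings are defined.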
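Review bot: the `/dav/` example route in proxy_readme.md now points at `eu.opencloud.web.frontend` instead of `eu.opencloud.web.ocdav`, which matches the default policy in proxy-config-example.yaml where `/dav/`, `/webdav/` and `/remote.php/` all route to `eu.opencloud.web.frontend`. Worth grepping the rest of the docs for remaining `eu.opencloud.web.ocdav` references, since a policy copied from an outdated snippet would send DAV traffic to a service name that no longer appears in the default routing table.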
@@ -0,0 +1,69 @@ +# Autogenerated +# Filename: search-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9224 + token: "" + pprof: false + zpages: false +grpc: + disabled: false + addr: 127.0.0.1:9220 + tls: null +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +grpc_client_tls: null +events: + disabled: false + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + async_uploads: true + num_consumers: 1 + debounce_duration: 1000 + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" + max_ack_pending: 1000 + ack_wait: 1m0s +engine: + type: bleve + bleve: + data_path: /home/chaser/.opencloud/search + open_search: + client: + addresses: [] + username: "" + password: "" + header: {} + ca_cert: "" + retry_on_status: [] + disable_retry: false + enable_retry_on_timeout: false + max_retries: 0 + compress_request_body: false + discover_nodes_on_start: false + discover_nodes_interval: 0s + enable_metrics: false + enable_debug_logger: false + insecure: false + resource_index: + name: opencloud-resource +extractor: + type: basic + cs3_allow_insecure: false + tika: + tika_url: http://127.0.0.1:9998 + clean_stop_words: true +content_extraction_size_limit: 20971520 +batch_size: 500 +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/static/env-vars/search_configvars.md b/static/env-vars/search_configvars.md index 82af749f..016038b3 100644 --- a/static/env-vars/search_configvars.md +++ b/static/env-vars/search_configvars.md @@ -1,57 +1,54 @@ Environment variables for the **search** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`SEARCH_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`SEARCH_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`SEARCH_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`SEARCH_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`SEARCH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9224`| -|`SEARCH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`SEARCH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`SEARCH_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`SEARCH_GRPC_DISABLED`| 4.0.0 |bool|`Disables the GRPC service. Set this to true if the service should only handle events.`|`false`| -|`SEARCH_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9220`| -|`OC_JWT_SECRET`
`SEARCH_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`SEARCH_EVENTS_DISABLED`| 4.0.0 |bool|`Disables listening for events. Set this to true if the service should only handle GRPC requests.`|`false`| -|`OC_EVENTS_ENDPOINT`
`SEARCH_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`SEARCH_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_ASYNC_UPLOADS`
`SEARCH_EVENTS_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| -|`SEARCH_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|`The amount of concurrent event consumers to start. Event consumers are used for searching files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands.`|`1`| -|`SEARCH_EVENTS_REINDEX_DEBOUNCE_DURATION`| 1.0.0 |int|`The duration in milliseconds the reindex debouncer waits before triggering a reindex of a space that was modified.`|`1000`| -|`OC_INSECURE`
`SEARCH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`SEARCH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`SEARCH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`SEARCH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`SEARCH_EVENTS_MAX_ACK_PENDING`| 4.0.0 |int|`The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time.`|`1000`| -|`SEARCH_EVENTS_ACK_WAIT`| 4.0.0 |Duration|`The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes.`|`1m0s`| -|`SEARCH_ENGINE_TYPE`| 1.0.0 |string|`Defines which search engine to use. Defaults to 'bleve'. Supported values are: 'bleve'.`|`bleve`| -|`SEARCH_ENGINE_BLEVE_DATA_PATH`| 1.0.0 |string|`The directory where the filesystem will store search data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/search.`|`/var/lib/opencloud/search`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ADDRESSES`| 4.0.0 |[]string|`The addresses of the OpenSearch nodes..`|`[]`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_USERNAME`| 4.0.0 |string|`Username for HTTP Basic Authentication.`|``| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_PASSWORD`| 4.0.0 |string|`Password for HTTP Basic Authentication.`|``| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_HEADER`| 4.0.0 |Header|`HTTP headers to include in requests.`|`map[]`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_CA_CERT`| 4.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the opensearch server.`|``| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_RETRY_ON_STATUS`| 4.0.0 |[]int|`HTTP status codes that trigger a retry.`|`[]`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISABLE_RETRY`| 4.0.0 |bool|`Disable retries on errors.`|`false`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_RETRY_ON_TIMEOUT`| 4.0.0 |bool|`Enable retries on timeout.`|`false`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_MAX_RETRIES`| 4.0.0 |int|`Maximum number of retries for requests.`|`0`| 
-|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_COMPRESS_REQUEST_BODY`| 4.0.0 |bool|`Compress request bodies.`|`false`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_ON_START`| 4.0.0 |bool|`Discover nodes on service start.`|`false`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_INTERVAL`| 4.0.0 |Duration|`Interval for discovering nodes.`|`0s`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_METRICS`| 4.0.0 |bool|`Enable metrics collection.`|`false`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_DEBUG_LOGGER`| 4.0.0 |bool|`Enable debug logging.`|`false`| -|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_INSECURE`| 4.0.0 |bool|`Skip TLS certificate verification.`|`false`| -|`SEARCH_ENGINE_OPEN_SEARCH_RESOURCE_INDEX_NAME`| 4.0.0 |string|`The name of the OpenSearch index for resources.`|`opencloud-resource`| -|`SEARCH_EXTRACTOR_TYPE`| 1.0.0 |string|`Defines the content extraction engine. Defaults to 'basic'. Supported values are: 'basic' and 'tika'.`|`basic`| -|`OC_INSECURE`
`SEARCH_EXTRACTOR_CS3SOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the CS3 source.`|`false`| -|`SEARCH_EXTRACTOR_TIKA_TIKA_URL`| 1.0.0 |string|`URL of the tika server.`|`http://127.0.0.1:9998`| -|`SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS`| 1.0.0 |bool|`Defines if stop words should be cleaned or not. See the documentation for more details.`|`true`| -|`SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT`| 1.0.0 |uint64|`Maximum file size in bytes that is allowed for content extraction.`|`20971520`| -|`SEARCH_BATCH_SIZE`| 1.0.0 |int|`The number of documents to process in a single batch. Defaults to 500.`|`500`| -|`OC_SERVICE_ACCOUNT_ID`
`SEARCH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`SEARCH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`SEARCH_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`SEARCH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9224| +|`SEARCH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`SEARCH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`SEARCH_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`SEARCH_GRPC_DISABLED`| 4.0.0 |bool|`Disables the GRPC service. Set this to true if the service should only handle events.`|false| +|`SEARCH_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9220| +|`OC_JWT_SECRET`
`SEARCH_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`SEARCH_EVENTS_DISABLED`| 4.0.0 |bool|`Disables listening for events. Set this to true if the service should only handle GRPC requests.`|false| +|`OC_EVENTS_ENDPOINT`
`SEARCH_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`SEARCH_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_ASYNC_UPLOADS`
`SEARCH_EVENTS_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|true| +|`SEARCH_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|`The amount of concurrent event consumers to start. Event consumers are used for searching files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands.`|1| +|`SEARCH_EVENTS_REINDEX_DEBOUNCE_DURATION`| 1.0.0 |int|`The duration in milliseconds the reindex debouncer waits before triggering a reindex of a space that was modified.`|1000| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`SEARCH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`SEARCH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`SEARCH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`SEARCH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`SEARCH_EVENTS_MAX_ACK_PENDING`| 4.0.0 |int|`The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time.`|1000| +|`SEARCH_EVENTS_ACK_WAIT`| 4.0.0 |Duration|`The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes.`|1m0s| +|`SEARCH_ENGINE_TYPE`| 1.0.0 |string|`Defines which search engine to use. Defaults to 'bleve'. Supported values are: 'bleve'.`|bleve| +|`SEARCH_ENGINE_BLEVE_DATA_PATH`| 1.0.0 |string|`The directory where the filesystem will store search data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/search.`|/home/chaser/.opencloud/search| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ADDRESSES`| 4.0.0 |[]string|`The addresses of the OpenSearch nodes..`|[]| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_USERNAME`| 4.0.0 |string|`Username for HTTP Basic Authentication.`|| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_PASSWORD`| 4.0.0 |string|`Password for HTTP Basic Authentication.`|| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_HEADER`| 4.0.0 |Header|`HTTP headers to include in requests.`|map[]| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_CA_CERT`| 4.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the opensearch server.`|| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_RETRY_ON_STATUS`| 4.0.0 |[]int|`HTTP status codes that trigger a retry.`|[]| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISABLE_RETRY`| 4.0.0 |bool|`Disable retries on errors.`|false| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_RETRY_ON_TIMEOUT`| 4.0.0 |bool|`Enable retries on timeout.`|false| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_MAX_RETRIES`| 4.0.0 |int|`Maximum number of retries for requests.`|0| 
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_COMPRESS_REQUEST_BODY`| 4.0.0 |bool|`Compress request bodies.`|false| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_ON_START`| 4.0.0 |bool|`Discover nodes on service start.`|false| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_INTERVAL`| 4.0.0 |Duration|`Interval for discovering nodes.`|0s| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_METRICS`| 4.0.0 |bool|`Enable metrics collection.`|false| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_DEBUG_LOGGER`| 4.0.0 |bool|`Enable debug logging.`|false| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_INSECURE`| 4.0.0 |bool|`Skip TLS certificate verification.`|false| +|`SEARCH_ENGINE_OPEN_SEARCH_RESOURCE_INDEX_NAME`| 4.0.0 |string|`The name of the OpenSearch index for resources.`|opencloud-resource| +|`SEARCH_EXTRACTOR_TYPE`| 1.0.0 |string|`Defines the content extraction engine. Defaults to 'basic'. Supported values are: 'basic' and 'tika'.`|basic| +|`OC_INSECURE`
`SEARCH_EXTRACTOR_CS3SOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the CS3 source.`|false| +|`SEARCH_EXTRACTOR_TIKA_TIKA_URL`| 1.0.0 |string|`URL of the tika server.`|http://127.0.0.1:9998| +|`SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS`| 1.0.0 |bool|`Defines if stop words should be cleaned or not. See the documentation for more details.`|true| +|`SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT`| 1.0.0 |uint64|`Maximum file size in bytes that is allowed for content extraction.`|20971520| +|`SEARCH_BATCH_SIZE`| 1.0.0 |int|`The number of documents to process in a single batch. Defaults to 500.`|500| +|`OC_SERVICE_ACCOUNT_ID`
`SEARCH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`SEARCH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| diff --git a/static/env-vars/search_readme.md b/static/env-vars/search_readme.md index c5eb90f8..7a3e7565 100644 --- a/static/env-vars/search_readme.md +++ b/static/env-vars/search_readme.md @@ -1,6 +1,6 @@ --- title: Search -date: 2025-11-27T22:56:02.334322+01:00 +date: 2026-01-13T10:10:18.223662306+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/search diff --git a/static/env-vars/settings-config-example.yaml b/static/env-vars/settings-config-example.yaml new file mode 100644 index 00000000..0c46f716 --- /dev/null +++ b/static/env-vars/settings-config-example.yaml @@ -0,0 +1,64 @@ +# Autogenerated +# Filename: settings-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9194 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9190 + tls: + enabled: false + cert: "" + key: "" + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + allow_credentials: true +grpc: + addr: 127.0.0.1:9191 + tls: null +grpc_client_tls: null +metadata_config: + gateway_addr: eu.opencloud.api.storage-system + storage_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + cache: + store: memory + addresses: + - 127.0.0.1:9233 + database: settings-cache + files_table: settings_files + directories_table: settings_dirs + ttl: 10m0s + disable_persistence: false + username: "" + password: "" +bundles_path: "" +admin_user_id: "" +token_manager: + jwt_secret: "" +set_default_assignments: false +service_account_ids: +- service-user-id +default_language: "" +translation_path: "" 
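Review bot: the added `SEARCH_ENGINE_BLEVE_DATA_PATH` row now lists `/home/chaser/.opencloud/search` as the default where the removed side had `/var/lib/opencloud/search`; that is the generating developer's home directory leaking into published documentation, so the table should be regenerated with `OC_BASE_DATA_PATH` unset (or in CI) so the packaged default comes back before merge. Two smaller points on the added side: the new `OC_EVENTS_TLS_INSECURE` alias row keeps the description `Whether to verify the server TLS certificates.`, which reads inverted for a variable named `_INSECURE` that defaults to `false` (suggest `Whether to skip verification of the server TLS certificates.`), and the double period in `The addresses of the OpenSearch nodes..` is carried over unchanged.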
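Review bot: the only change to `search_readme.md` is the generator timestamp in the `date:` front matter; committing locally regenerated output produces a diff on every run and, as the search table in this same patch shows, drags machine-local paths along with it. Consider regenerating these files in CI, or leaving the timestamp out of the committed output.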
diff --git a/static/env-vars/settings_configvars.md b/static/env-vars/settings_configvars.md index 11531d2c..93e73f28 100644 --- a/static/env-vars/settings_configvars.md +++ b/static/env-vars/settings_configvars.md @@ -1,43 +1,40 @@ Environment variables for the **settings** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`SETTINGS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`SETTINGS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`SETTINGS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`SETTINGS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`SETTINGS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9194`| -|`SETTINGS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`SETTINGS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`SETTINGS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`SETTINGS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9190`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`SETTINGS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`OC_CORS_ALLOW_ORIGINS`
`SETTINGS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| -|`OC_CORS_ALLOW_METHODS`
`SETTINGS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| -|`OC_CORS_ALLOW_HEADERS`
`SETTINGS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`SETTINGS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| -|`SETTINGS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9191`| -|`SETTINGS_STORAGE_GATEWAY_GRPC_ADDR`
`STORAGE_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| -|`SETTINGS_STORAGE_GRPC_ADDR`
`STORAGE_GRPC_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| -|`OC_SYSTEM_USER_ID`
`SETTINGS_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| -|`OC_SYSTEM_USER_IDP`
`SETTINGS_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| -|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| -|`OC_CACHE_STORE`
`SETTINGS_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| -|`OC_CACHE_STORE_NODES`
`SETTINGS_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`settings-cache`| -|`SETTINGS_FILE_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use for the file cache.`|`settings_files`| -|`SETTINGS_DIRECTORY_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use for the directory cache.`|`settings_dirs`| -|`OC_CACHE_TTL`
`SETTINGS_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`10m0s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`SETTINGS_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| -|`OC_CACHE_AUTH_USERNAME`
`SETTINGS_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`SETTINGS_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| -|`SETTINGS_BUNDLES_PATH`| 1.0.0 |string|`The path to a JSON file with a list of bundles. If not defined, the default bundles will be loaded.`|``| -|`OC_ADMIN_USER_ID`
`SETTINGS_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``| -|`OC_JWT_SECRET`
`SETTINGS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`IDM_CREATE_DEMO_USERS`
`SETTINGS_SETUP_DEFAULT_ASSIGNMENTS`| 1.0.0 |bool|`The default role assignments the demo users should be setup.`|`false`| -|`SETTINGS_SERVICE_ACCOUNT_IDS`
`OC_SERVICE_ACCOUNT_ID`| 1.0.0 |[]string|`The list of all service account IDs. These will be assigned the hidden 'service-account' role. Note: When using 'OC_SERVICE_ACCOUNT_ID' this will contain only one value while 'SETTINGS_SERVICE_ACCOUNT_IDS' can have multiple. See the 'auth-service' service description for more details about service accounts.`|`[service-user-id]`| -|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| -|`OC_TRANSLATION_PATH`
`SETTINGS_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`SETTINGS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`SETTINGS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9194| +|`SETTINGS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`SETTINGS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`SETTINGS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`SETTINGS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9190| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`SETTINGS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`OC_CORS_ALLOW_ORIGINS`
`SETTINGS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[*]| +|`OC_CORS_ALLOW_METHODS`
`SETTINGS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[GET POST PUT PATCH DELETE OPTIONS]| +|`OC_CORS_ALLOW_HEADERS`
`SETTINGS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id]| +|`OC_CORS_ALLOW_CREDENTIALS`
`SETTINGS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|true| +|`SETTINGS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9191| +|`SETTINGS_STORAGE_GATEWAY_GRPC_ADDR`
`STORAGE_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|eu.opencloud.api.storage-system| +|`SETTINGS_STORAGE_GRPC_ADDR`
`STORAGE_GRPC_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|eu.opencloud.api.storage-system| +|`OC_SYSTEM_USER_ID`
`SETTINGS_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|| +|`OC_SYSTEM_USER_IDP`
`SETTINGS_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|internal| +|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|| +|`OC_CACHE_STORE`
`SETTINGS_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|memory| +|`OC_CACHE_STORE_NODES`
`SETTINGS_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|settings-cache| +|`SETTINGS_FILE_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use for the file cache.`|settings_files| +|`SETTINGS_DIRECTORY_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use for the directory cache.`|settings_dirs| +|`OC_CACHE_TTL`
`SETTINGS_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|10m0s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`SETTINGS_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|false| +|`OC_CACHE_AUTH_USERNAME`
`SETTINGS_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`SETTINGS_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|| +|`SETTINGS_BUNDLES_PATH`| 1.0.0 |string|`The path to a JSON file with a list of bundles. If not defined, the default bundles will be loaded.`|| +|`OC_ADMIN_USER_ID`
`SETTINGS_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|| +|`OC_JWT_SECRET`
`SETTINGS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`IDM_CREATE_DEMO_USERS`
`SETTINGS_SETUP_DEFAULT_ASSIGNMENTS`| 1.0.0 |bool|`The default role assignments the demo users should be setup.`|false| +|`SETTINGS_SERVICE_ACCOUNT_IDS`
`OC_SERVICE_ACCOUNT_ID`| 1.0.0 |[]string|`The list of all service account IDs. These will be assigned the hidden 'service-account' role. Note: When using 'OC_SERVICE_ACCOUNT_ID' this will contain only one value while 'SETTINGS_SERVICE_ACCOUNT_IDS' can have multiple. See the 'auth-service' service description for more details about service accounts.`|[service-user-id]| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|| +|`OC_TRANSLATION_PATH`
`SETTINGS_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|| diff --git a/static/env-vars/settings_readme.md b/static/env-vars/settings_readme.md index fca4650e..582b7621 100644 --- a/static/env-vars/settings_readme.md +++ b/static/env-vars/settings_readme.md @@ -1,6 +1,6 @@ --- title: Settings -date: 2025-11-27T22:56:02.334436+01:00 +date: 2026-01-13T10:10:18.223795867+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/settings diff --git a/static/env-vars/sharing-config-example.yaml b/static/env-vars/sharing-config-example.yaml new file mode 100644 index 00000000..c674a6ff --- /dev/null +++ b/static/env-vars/sharing-config-example.yaml 
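Review bot: on the added side of `settings_configvars.md` the `OC_LOG_PRETTY`, `OC_LOG_COLOR` and `OC_LOG_FILE` rows present on the removed side are gone (the table goes straight from `OC_LOG_LEVEL` to `SETTINGS_DEBUG_ADDR`, consistent with the `-43 +40` hunk header); please state in the change description whether these variables were dropped from the settings service or the generator merely stopped emitting the shared log options, since operators look these tables up by variable name. Also carried over unchanged and worth fixing while the file is touched: `certifcate` in the `OC_HTTP_TLS_ENABLED` description and the missing space in `Allow credentials for CORS.See`.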
@@ -0,0 +1,76 @@ +# Autogenerated +# Filename: sharing-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9151 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9150 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_cert_path: "" + enable_tls: false + auth_username: "" + auth_password: "" +skip_user_groups_in_token: false +user_sharing_driver: jsoncs3 +user_sharing_drivers: + jsoncs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + cache_ttl: 0 + max_concurrency: 1 + json: + file: /home/chaser/.opencloud/storage/shares.json + cs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + owncloudsql: + db_username: owncloud + db_password: "" + db_host: mysql + db_port: 3306 + db_name: owncloud + user_storage_mount_id: "" +public_sharing_driver: jsoncs3 +public_sharing_drivers: + json: + file: /home/chaser/.opencloud/storage/publicshares.json + jsoncs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + cs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" +public_sharing_writeableshare_must_have_password: false +public_sharing_share_must_have_password: true +enable_expired_shares_cleanup: true +password_policy: + min_characters: 8 + min_lowercase_characters: 1 + min_uppercase_characters: 1 + min_digits: 1 + min_special_characters: 1 + banned_passwords_list: "" diff --git a/static/env-vars/sharing_configvars.md b/static/env-vars/sharing_configvars.md index c08c3da4..0a7c13ef 100644 --- a/static/env-vars/sharing_configvars.md 
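Review bot: `user_sharing_drivers.json.file` and `public_sharing_drivers.json.file` in the new `sharing-config-example.yaml` are set to `/home/chaser/.opencloud/storage/shares.json` and `/home/chaser/.opencloud/storage/publicshares.json`; a published example must not embed the generating developer's home directory. Regenerate with the packaged base data path, or substitute an explicit placeholder such as `<OC_BASE_DATA_PATH>/storage/shares.json`, before merge.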
+++ b/static/env-vars/sharing_configvars.md @@ -1,63 +1,60 @@ Environment variables for the **sharing** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`SHARING_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`SHARING_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`SHARING_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`SHARING_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`SHARING_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9151`| -|`SHARING_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`SHARING_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`SHARING_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`SHARING_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9150`| -|`OC_GRPC_PROTOCOL`
`SHARING_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`SHARING_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OC_EVENTS_ENDPOINT`
`SHARING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`SHARING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`SHARING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`SHARING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`SHARING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`Username for the events broker.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`SHARING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`Password for the events broker.`|``| -|`SHARING_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`SHARING_USER_DRIVER`| 1.0.0 |string|`Driver to be used to persist shares. Supported values are 'jsoncs3', 'json', 'cs3' (deprecated) and 'owncloudsql'.`|`jsoncs3`| -|`SHARING_USER_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| -|`OC_SYSTEM_USER_ID`
`SHARING_USER_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| -|`OC_SYSTEM_USER_IDP`
`SHARING_USER_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| -|`OC_SYSTEM_USER_API_KEY`
`SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| -|`SHARING_USER_JSONCS3_CACHE_TTL`| 1.0.0 |int|`TTL for the internal caches in seconds.`|`0`| -|`OC_MAX_CONCURRENCY`
`SHARING_USER_JSONCS3_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`1`| -|`SHARING_USER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where shares will be persisted. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/shares.json`| -|`SHARING_USER_CS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| -|`OC_SYSTEM_USER_ID`
`SHARING_USER_CS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| -|`OC_SYSTEM_USER_IDP`
`SHARING_USER_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| -|`OC_SYSTEM_USER_API_KEY`
`SHARING_USER_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| -|`SHARING_USER_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Username for the database.`|`owncloud`| -|`SHARING_USER_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database.`|``| -|`SHARING_USER_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname or IP of the database server.`|`mysql`| -|`SHARING_USER_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Port that the database server is listening on.`|`3306`| -|`SHARING_USER_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the database to be used.`|`owncloud`| -|`SHARING_USER_OWNCLOUDSQL_USER_STORAGE_MOUNT_ID`| 1.0.0 |string|`Mount ID of the ownCloudSQL users storage for mapping ownCloud 10 shares.`|``| -|`SHARING_PUBLIC_DRIVER`| 1.0.0 |string|`Driver to be used to persist public shares. Supported values are 'jsoncs3', 'json' and 'cs3' (deprecated).`|`jsoncs3`| -|`SHARING_PUBLIC_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where public share meta-data will be stored. This JSON file contains the information about public shares that have been created. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/publicshares.json`| -|`SHARING_PUBLIC_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| -|`OC_SYSTEM_USER_ID`
`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| -|`OC_SYSTEM_USER_IDP`
`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| -|`OC_SYSTEM_USER_API_KEY`
`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| -|`SHARING_PUBLIC_CS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| -|`OC_SYSTEM_USER_ID`
`SHARING_PUBLIC_CS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| -|`OC_SYSTEM_USER_IDP`
`SHARING_PUBLIC_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| -|`OC_SYSTEM_USER_API_KEY`
`SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| -|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`
`SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service.`|`false`| -|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`
`SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on all public shares.`|`true`| -|`OC_PASSWORD_POLICY_DISABLED`
`SHARING_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|`Disable the password policy. Defaults to false if not set.`|`false`| -|`OC_PASSWORD_POLICY_MIN_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|`Define the minimum password length. Defaults to 8 if not set.`|`8`| -|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of uppercase letters. Defaults to 1 if not set.`|`1`| -|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of lowercase letters. Defaults to 1 if not set.`|`1`| -|`OC_PASSWORD_POLICY_MIN_DIGITS`
`SHARING_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|`Define the minimum number of digits. Defaults to 1 if not set.`|`1`| -|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|`Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.`|`1`| -|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
`SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|`Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`SHARING_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`SHARING_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9151| +|`SHARING_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`SHARING_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`SHARING_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`SHARING_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9150| +|`OC_GRPC_PROTOCOL`
`SHARING_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`SHARING_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OC_EVENTS_ENDPOINT`
`SHARING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`SHARING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`SHARING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`SHARING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`SHARING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`Username for the events broker.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`SHARING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`Password for the events broker.`|| +|`SHARING_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`SHARING_USER_DRIVER`| 1.0.0 |string|`Driver to be used to persist shares. Supported values are 'jsoncs3', 'json', 'cs3' (deprecated) and 'owncloudsql'.`|jsoncs3| +|`SHARING_USER_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|eu.opencloud.api.storage-system| +|`OC_SYSTEM_USER_ID`
`SHARING_USER_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|| +|`OC_SYSTEM_USER_IDP`
`SHARING_USER_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|internal| +|`OC_SYSTEM_USER_API_KEY`
`SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|| +|`SHARING_USER_JSONCS3_CACHE_TTL`| 1.0.0 |int|`TTL for the internal caches in seconds.`|0| +|`OC_MAX_CONCURRENCY`
`SHARING_USER_JSONCS3_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|1| +|`SHARING_USER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where shares will be persisted. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|/home/chaser/.opencloud/storage/shares.json| +|`SHARING_USER_CS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|eu.opencloud.api.storage-system| +|`OC_SYSTEM_USER_ID`
`SHARING_USER_CS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|| +|`OC_SYSTEM_USER_IDP`
`SHARING_USER_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|internal| +|`OC_SYSTEM_USER_API_KEY`
`SHARING_USER_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|| +|`SHARING_USER_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Username for the database.`|owncloud| +|`SHARING_USER_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database.`|| +|`SHARING_USER_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname or IP of the database server.`|mysql| +|`SHARING_USER_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Port that the database server is listening on.`|3306| +|`SHARING_USER_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the database to be used.`|owncloud| +|`SHARING_USER_OWNCLOUDSQL_USER_STORAGE_MOUNT_ID`| 1.0.0 |string|`Mount ID of the ownCloudSQL users storage for mapping ownCloud 10 shares.`|| +|`SHARING_PUBLIC_DRIVER`| 1.0.0 |string|`Driver to be used to persist public shares. Supported values are 'jsoncs3', 'json' and 'cs3' (deprecated).`|jsoncs3| +|`SHARING_PUBLIC_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where public share meta-data will be stored. This JSON file contains the information about public shares that have been created. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|/home/chaser/.opencloud/storage/publicshares.json| +|`SHARING_PUBLIC_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|eu.opencloud.api.storage-system| +|`OC_SYSTEM_USER_ID`
`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|| +|`OC_SYSTEM_USER_IDP`
`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|internal| +|`OC_SYSTEM_USER_API_KEY`
`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|| +|`SHARING_PUBLIC_CS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|eu.opencloud.api.storage-system| +|`OC_SYSTEM_USER_ID`
`SHARING_PUBLIC_CS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|| +|`OC_SYSTEM_USER_IDP`
`SHARING_PUBLIC_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|internal| +|`OC_SYSTEM_USER_API_KEY`
`SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|| +|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`
`SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service.`|false| +|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`
`SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on all public shares.`|true| +|`OC_PASSWORD_POLICY_DISABLED`
`SHARING_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|`Disable the password policy. Defaults to false if not set.`|false| +|`OC_PASSWORD_POLICY_MIN_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|`Define the minimum password length. Defaults to 8 if not set.`|8| +|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of uppercase letters. Defaults to 1 if not set.`|1| +|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of lowercase letters. Defaults to 1 if not set.`|1| +|`OC_PASSWORD_POLICY_MIN_DIGITS`
`SHARING_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|`Define the minimum number of digits. Defaults to 1 if not set.`|1| +|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|`Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.`|1| +|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
`SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|`Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.`|| diff --git a/static/env-vars/sharing_readme.md b/static/env-vars/sharing_readme.md index c24134b7..710ef479 100755 --- a/static/env-vars/sharing_readme.md +++ b/static/env-vars/sharing_readme.md @@ -1,6 +1,6 @@ --- title: Sharing -date: 2025-11-27T22:56:02.334524+01:00 +date: 2026-01-13T10:10:18.223922645+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/sharing diff --git a/static/env-vars/sse-config-example.yaml b/static/env-vars/sse-config-example.yaml new file mode 100644 index 00000000..32e7fea6 --- /dev/null +++ b/static/env-vars/sse-config-example.yaml @@ -0,0 +1,41 @@ +# Autogenerated +# Filename: sse-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9139 + token: "" + pprof: false + zpages: false +keepalive_interval: 0s +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +http: + addr: 127.0.0.1:9135 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +token_manager: + jwt_secret: "" diff --git a/static/env-vars/sse_configvars.md b/static/env-vars/sse_configvars.md index 4214aad8..db29b4db 100644 --- a/static/env-vars/sse_configvars.md +++ b/static/env-vars/sse_configvars.md @@ -1,30 +1,27 @@ Environment variables for the **sse** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`SSE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`SSE_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`SSE_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`SSE_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`SSE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9139`| -|`SSE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`SSE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`SSE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`SSE_KEEPALIVE_INTERVAL`| 1.0.0 |Duration|`To prevent intermediate proxies from closing the SSE connection, send periodic SSE comments to keep it open.`|`0s`| -|`OC_EVENTS_ENDPOINT`
`SSE_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`SSE_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`SSE_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SSE_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`SSE_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`SSE_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`SSE_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`SSE_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9135`| -|`SSE_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`OC_CORS_ALLOW_ORIGINS`
`SSE_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| -|`OC_CORS_ALLOW_METHODS`
`SSE_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET]`| -|`OC_CORS_ALLOW_HEADERS`
`SSE_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`SSE_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`OC_JWT_SECRET`
`SSE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`SSE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`SSE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9139| +|`SSE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`SSE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`SSE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`SSE_KEEPALIVE_INTERVAL`| 1.0.0 |Duration|`To prevent intermediate proxies from closing the SSE connection, send periodic SSE comments to keep it open.`|0s| +|`OC_EVENTS_ENDPOINT`
`SSE_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`SSE_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`SSE_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SSE_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`SSE_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`SSE_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`SSE_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`SSE_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9135| +|`SSE_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`OC_CORS_ALLOW_ORIGINS`
`SSE_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[*]| +|`OC_CORS_ALLOW_METHODS`
`SSE_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[GET]| +|`OC_CORS_ALLOW_HEADERS`
`SSE_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]| +|`OC_CORS_ALLOW_CREDENTIALS`
`SSE_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|true| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`OC_JWT_SECRET`
`SSE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| diff --git a/static/env-vars/sse_readme.md b/static/env-vars/sse_readme.md index 49aea22f..bfe31d9a 100644 --- a/static/env-vars/sse_readme.md +++ b/static/env-vars/sse_readme.md @@ -1,6 +1,6 @@ --- title: SSE -date: 2025-11-27T22:56:02.334591+01:00 +date: 2026-01-13T10:10:18.224035518+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/sse diff --git a/static/env-vars/storage-publiclink-config-example.yaml b/static/env-vars/storage-publiclink-config-example.yaml new file mode 100644 index 00000000..f985ac2c --- /dev/null +++ b/static/env-vars/storage-publiclink-config-example.yaml @@ -0,0 +1,23 @@ +# Autogenerated +# Filename: storage-publiclink-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9179 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9178 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +storage_provider: + mount_id: 7993447f-687f-490d-875c-ac95e89a62a4 diff --git a/static/env-vars/storage-publiclink_configvars.md b/static/env-vars/storage-publiclink_configvars.md index e2ba94f3..83c3955a 100644 --- a/static/env-vars/storage-publiclink_configvars.md +++ b/static/env-vars/storage-publiclink_configvars.md @@ -1,20 +1,17 @@ Environment variables for the **storage-publiclink** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`STORAGE_PUBLICLINK_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`STORAGE_PUBLICLINK_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`STORAGE_PUBLICLINK_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`STORAGE_PUBLICLINK_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`STORAGE_PUBLICLINK_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9179`| -|`STORAGE_PUBLICLINK_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`STORAGE_PUBLICLINK_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`STORAGE_PUBLICLINK_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`STORAGE_PUBLICLINK_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9178`| -|`OC_GRPC_PROTOCOL`
`STORAGE_PUBLICLINK_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`STORAGE_PUBLICLINK_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`STORAGE_PUBLICLINK_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`STORAGE_PUBLICLINK_STORAGE_PROVIDER_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|`7993447f-687f-490d-875c-ac95e89a62a4`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`STORAGE_PUBLICLINK_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`STORAGE_PUBLICLINK_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9179| +|`STORAGE_PUBLICLINK_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`STORAGE_PUBLICLINK_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`STORAGE_PUBLICLINK_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`STORAGE_PUBLICLINK_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9178| +|`OC_GRPC_PROTOCOL`
`STORAGE_PUBLICLINK_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`STORAGE_PUBLICLINK_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`STORAGE_PUBLICLINK_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`STORAGE_PUBLICLINK_STORAGE_PROVIDER_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|7993447f-687f-490d-875c-ac95e89a62a4| diff --git a/static/env-vars/storage-publiclink_readme.md b/static/env-vars/storage-publiclink_readme.md index e5a03492..2238051d 100644 --- a/static/env-vars/storage-publiclink_readme.md +++ b/static/env-vars/storage-publiclink_readme.md @@ -1,6 +1,6 @@ --- title: Storage PublicLink -date: 2025-11-27T22:56:02.334658+01:00 +date: 2026-01-13T10:10:18.224113004+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/storage-publiclink 
@@ -34,7 +34,7 @@ This service is part of the storage services family and is responsible for: The storage-publiclink service integrates with: - `sharing` service - Manages and persists public link shares -- `frontend` and `ocdav` - Provide HTTP/WebDAV access to public links +- `frontend` service - Provides HTTP/WebDAV access to public links - Storage drivers - Accesses the actual file content ## Storage Registry diff --git a/static/env-vars/storage-shares-config-example.yaml b/static/env-vars/storage-shares-config-example.yaml new file mode 100644 index 00000000..28b4a50b --- /dev/null +++ b/static/env-vars/storage-shares-config-example.yaml @@ -0,0 +1,24 @@ +# Autogenerated +# Filename: storage-shares-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9156 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9154 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +mount_id: 7639e57c-4433-4a12-8201-722fd0009154 +readonly: false +user_share_provider_endpoint: eu.opencloud.api.sharing diff --git a/static/env-vars/storage-shares_configvars.md b/static/env-vars/storage-shares_configvars.md index ce9b2bf6..8d79824b 100644 --- a/static/env-vars/storage-shares_configvars.md +++ b/static/env-vars/storage-shares_configvars.md @@ -1,22 +1,19 @@ Environment variables for the **storage-shares** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`STORAGE_SHARES_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`STORAGE_SHARES_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`STORAGE_SHARES_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`STORAGE_SHARES_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`STORAGE_SHARES_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9156`| -|`STORAGE_SHARES_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`STORAGE_SHARES_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`STORAGE_SHARES_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`STORAGE_SHARES_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9154`| -|`OC_GRPC_PROTOCOL`
`STORAGE_SHARES_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| -|`OC_JWT_SECRET`
`STORAGE_SHARES_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`STORAGE_SHARES_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`STORAGE_SHARES_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|`7639e57c-4433-4a12-8201-722fd0009154`| -|`STORAGE_SHARES_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|`false`| -|`STORAGE_SHARES_USER_SHARE_PROVIDER_ENDPOINT`| 1.0.0 |string|`GRPC endpoint of the SHARING service.`|`eu.opencloud.api.sharing`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`STORAGE_SHARES_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`STORAGE_SHARES_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9156| +|`STORAGE_SHARES_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`STORAGE_SHARES_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`STORAGE_SHARES_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`STORAGE_SHARES_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9154| +|`OC_GRPC_PROTOCOL`
`STORAGE_SHARES_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|tcp| +|`OC_JWT_SECRET`
`STORAGE_SHARES_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`STORAGE_SHARES_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`STORAGE_SHARES_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|7639e57c-4433-4a12-8201-722fd0009154| +|`STORAGE_SHARES_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|false| +|`STORAGE_SHARES_USER_SHARE_PROVIDER_ENDPOINT`| 1.0.0 |string|`GRPC endpoint of the SHARING service.`|eu.opencloud.api.sharing| diff --git a/static/env-vars/storage-shares_readme.md b/static/env-vars/storage-shares_readme.md index 37dfc066..33e1be63 100644 --- a/static/env-vars/storage-shares_readme.md +++ b/static/env-vars/storage-shares_readme.md @@ -1,6 +1,6 @@ --- title: Storage Shares -date: 2025-11-27T22:56:02.334725+01:00 +date: 2026-01-13T10:10:18.224194116+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/storage-shares 
@@ -35,7 +35,7 @@ This service is part of the storage services family and is responsible for: The storage-shares service integrates with: - `sharing` service - Manages and persists shares - `storage-users` service - Accesses the underlying file content -- `frontend` and `ocdav` - Provide HTTP/WebDAV access to shares +- `frontend` service - Provides HTTP/WebDAV access to shares ## Virtual Shares Folder diff --git a/static/env-vars/storage-system-config-example.yaml b/static/env-vars/storage-system-config-example.yaml new file mode 100644 index 00000000..12c7d3cc --- /dev/null +++ b/static/env-vars/storage-system-config-example.yaml @@ -0,0 +1,42 @@ +# Autogenerated +# Filename: storage-system-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9217 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9215 + tls: null + protocol: tcp +http: + addr: 127.0.0.1:9216 + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +system_user_id: "" +system_user_api_key: "" +skip_user_groups_in_token: false +cache: + store: memory + nodes: + - 127.0.0.1:9233 + database: storage-system + ttl: 24m0s + disable_persistence: false + auth_username: "" + auth_password: "" +driver: decomposed +drivers: + decomposed: + root: /home/chaser/.opencloud/storage/metadata + max_acquire_lock_cycles: 20 + lock_cycle_duration_factor: 30 +data_server_url: http://localhost:9216/data diff --git a/static/env-vars/storage-system_configvars.md b/static/env-vars/storage-system_configvars.md index 2b7ef3ae..a8cbfc2b 100644 --- a/static/env-vars/storage-system_configvars.md +++ b/static/env-vars/storage-system_configvars.md @@ -1,35 +1,32 @@ Environment variables for the **storage-system** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`STORAGE_SYSTEM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`STORAGE_SYSTEM_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`STORAGE_SYSTEM_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`STORAGE_SYSTEM_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`STORAGE_SYSTEM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9217`| -|`STORAGE_SYSTEM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint`|``| -|`STORAGE_SYSTEM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling`|`false`| -|`STORAGE_SYSTEM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`STORAGE_SYSTEM_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9215`| -|`OC_GRPC_PROTOCOL`
`STORAGE_SYSTEM_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| -|`STORAGE_SYSTEM_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9216`| -|`STORAGE_SYSTEM_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| -|`OC_JWT_SECRET`
`STORAGE_SYSTEM_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`OC_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| -|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| -|`STORAGE_SYSTEM_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`OC_CACHE_STORE`
`STORAGE_SYSTEM_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| -|`OC_CACHE_STORE_NODES`
`STORAGE_SYSTEM_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-system`| -|`OC_CACHE_TTL`
`STORAGE_SYSTEM_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`24m0s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| -|`OC_CACHE_AUTH_USERNAME`
`STORAGE_SYSTEM_CACHE_AUTH_USERNAME`| 1.0.0 |string|`Username for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_SYSTEM_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`Password for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`STORAGE_SYSTEM_DRIVER`| 1.0.0 |string|`The driver which should be used by the service. The only supported driver is 'decomposed'. For backwards compatibility reasons it's also possible to use the 'ocis' driver and configure it using the 'decomposed' options. `|`decomposed`| -|`STORAGE_SYSTEM_OC_ROOT`| 1.0.0 |string|`Path for the directory where the STORAGE-SYSTEM service stores it's persistent data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/metadata`| -|`STORAGE_SYSTEM_OC_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|`20`| -|`STORAGE_SYSTEM_OC_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.`|`30`| -|`STORAGE_SYSTEM_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by other services using this service.`|`http://localhost:9216/data`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`STORAGE_SYSTEM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`STORAGE_SYSTEM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9217| +|`STORAGE_SYSTEM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint`|| +|`STORAGE_SYSTEM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling`|false| +|`STORAGE_SYSTEM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`STORAGE_SYSTEM_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9215| +|`OC_GRPC_PROTOCOL`
`STORAGE_SYSTEM_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|tcp| +|`STORAGE_SYSTEM_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9216| +|`STORAGE_SYSTEM_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|tcp| +|`OC_JWT_SECRET`
`STORAGE_SYSTEM_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`OC_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|| +|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|| +|`STORAGE_SYSTEM_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`OC_CACHE_STORE`
`STORAGE_SYSTEM_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|memory| +|`OC_CACHE_STORE_NODES`
`STORAGE_SYSTEM_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|storage-system| +|`OC_CACHE_TTL`
`STORAGE_SYSTEM_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|24m0s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|false| +|`OC_CACHE_AUTH_USERNAME`
`STORAGE_SYSTEM_CACHE_AUTH_USERNAME`| 1.0.0 |string|`Username for the configured store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_SYSTEM_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`Password for the configured store. Only applies when store type 'nats-js-kv' is configured.`|| +|`STORAGE_SYSTEM_DRIVER`| 1.0.0 |string|`The driver which should be used by the service. The only supported driver is 'decomposed'. For backwards compatibility reasons it's also possible to use the 'ocis' driver and configure it using the 'decomposed' options. `|decomposed| +|`STORAGE_SYSTEM_OC_ROOT`| 1.0.0 |string|`Path for the directory where the STORAGE-SYSTEM service stores it's persistent data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|/home/chaser/.opencloud/storage/metadata| +|`STORAGE_SYSTEM_OC_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|20| +|`STORAGE_SYSTEM_OC_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.`|30| +|`STORAGE_SYSTEM_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by other services using this service.`|http://localhost:9216/data| diff --git a/static/env-vars/storage-system_readme.md b/static/env-vars/storage-system_readme.md index 4137d732..22e8e922 100644 --- a/static/env-vars/storage-system_readme.md +++ b/static/env-vars/storage-system_readme.md @@ -1,6 +1,6 @@ --- title: Storage-System -date: 2025-11-27T22:56:02.33479+01:00 +date: 2026-01-13T10:10:18.224263978+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/storage-system 
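Review bot: The storage-system-config-example.yaml hunk publishes a developer's home directory as the default metadata root (`root: /home/chaser/.opencloud/storage/metadata` under `drivers.decomposed`), and the storage-system_configvars.md hunk changes the documented default of `STORAGE_SYSTEM_OC_ROOT` from `/var/lib/opencloud/storage/metadata` to that same path. The row's own description says the root derives from `$OC_BASE_DATA_PATH/storage`, so the generator was evidently run with a local base path; the result no longer matches what a packaged install uses (anyone setting filesystem permissions or backup paths from the docs will get the wrong directory) and it leaks a local username into the published docs. Run the generator with the packaged base path, or normalise `$HOME`-derived paths before writing, and regenerate. While here, the `+` row for `STORAGE_SYSTEM_GRPC_PROTOCOL` still reads `The transport protocol of the GPRC service.`; if descriptions are generated from the config struct, the typo needs fixing at the source so it stops being regenerated.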
diff --git a/static/env-vars/storage-users-config-example.yaml b/static/env-vars/storage-users-config-example.yaml new file mode 100644 index 00000000..c664d5f4 --- /dev/null +++ b/static/env-vars/storage-users-config-example.yaml 
@@ -0,0 +1,195 @@ +# Autogenerated +# Filename: storage-users-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9159 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9157 + tls: null + protocol: tcp +http: + addr: 127.0.0.1:9158 + protocol: tcp + prefix: data + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - POST + - HEAD + - PATCH + - OPTIONS + - GET + - DELETE + allow_headers: + - Authorization + - Origin + - X-Requested-With + - X-Request-Id + - X-HTTP-Method-Override + - Content-Type + - Upload-Length + - Upload-Offset + - Tus-Resumable + - Upload-Metadata + - Upload-Defer-Length + - Upload-Concat + - Upload-Incomplete + - Upload-Draft-Interop-Version + allow_credentials: false + expose_headers: + - Upload-Offset + - Location + - Upload-Length + - Tus-Version + - Tus-Resumable + - Tus-Max-Size + - Tus-Extension + - Upload-Metadata + - Upload-Defer-Length + - Upload-Concat + - Upload-Incomplete + - Upload-Draft-Interop-Version + max_age: 86400 +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +graceful_shutdown_timeout: 30 +driver: posix +drivers: + decomposed: + propagator: sync + async_propagator_options: + propagation_delay: 0s + root: /home/chaser/.opencloud/storage/users + user_layout: '{{.Id.OpaqueId}}' + permissions_endpoint: eu.opencloud.api.settings + personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' + personalspacepath_template: "" + generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' + generalspacepath_template: "" + share_folder: /Shares + max_acquire_lock_cycles: 20 + lock_cycle_duration_factor: 30 + max_concurrency: 5 + async_uploads: true + max_quota: 0 + disable_versioning: false + decomposeds3: + propagator: sync + async_propagator_options: + propagation_delay: 0s + root: /home/chaser/.opencloud/storage/users + user_layout: '{{.Id.OpaqueId}}' + 
permissions_endpoint: eu.opencloud.api.settings + region: default + access_key: "" + secret_key: "" + endpoint: "" + bucket: "" + put_object_disable_content_sha254: false + put_object_disable_multipart: false + put_object_send_content_md5: true + put_object_concurrent_stream_parts: false + put_object_num_threads: 4 + put_object_part_size: 0 + personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' + personalspacepath_template: "" + generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' + generalspacepath_template: "" + share_folder: /Shares + max_acquire_lock_cycles: 20 + lock_cycle_duration_factor: 30 + max_concurrency: 5 + async_uploads: true + disable_versioning: false + owncloudsql: + root: /home/chaser/.opencloud/storage/owncloud + share_folder: /Shares + user_layout: '{{.Username}}' + upload_info_dir: /home/chaser/.opencloud/storage/uploadinfo + db_username: owncloud + db_password: owncloud + db_host: "" + db_port: 3306 + db_name: owncloud + users_provider_endpoint: eu.opencloud.api.users + posix: + root: /home/chaser/.opencloud/storage/users + propagator: "" + async_propagator_options: + propagation_delay: 0s + personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' + personalspacepath_template: users/{{.User.Id.OpaqueId}} + generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' + generalspacepath_template: projects/{{.SpaceId}} + permissions_endpoint: eu.opencloud.api.settings + async_uploads: true + scan_debounce_delay: 1s + max_quota: 0 + max_acquire_lock_cycles: 0 + lock_cycle_duration_factor: 0 + max_concurrency: 0 + disable_versioning: false + use_space_groups: false + enable_fs_revisions: false + watch_fs: false + watch_type: "" + watch_path: "" + watch_notification_brokers: "" + watch_root: "" + inotify_stats_frequency: 5m0s +data_server_url: http://localhost:9158/data +data_gateway_url: http://localhost:9140/data +transfer_expires: 86400 +events: + 
endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_cert_path: "" + enable_tls: false + num_consumers: 0 + username: "" + password: "" +filemetadata_cache: + store: memory + nodes: + - 127.0.0.1:9233 + database: storage-users + ttl: 24m0s + disable_persistence: false + username: "" + password: "" +id_cache: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: ids-storage-users + ttl: 24m0s + disable_persistence: false + username: "" + password: "" +mount_id: "" +expose_data_server: false +readonly: false +upload_expiration: 86400 +tasks: + purge_trash_bin: + user_id: "" + personal_delete_before: 720h0m0s + project_delete_before: 720h0m0s +service_account: + service_account_id: "" + service_account_secret: "" +gateway_addr: 127.0.0.1:9142 +machine_auth_api_key: "" +max_attempts_rename_file: 0 diff --git a/static/env-vars/storage-users_configvars.md b/static/env-vars/storage-users_configvars.md index 185cd3b9..c89e89ea 100644 --- a/static/env-vars/storage-users_configvars.md +++ b/static/env-vars/storage-users_configvars.md @@ -1,150 +1,147 @@ -2025-11-27-22-55-58 +2026-01-13-10-09-59 # Deprecation Notice | Deprecation Info | Deprecation Version | Removal Version | Deprecation Replacement | -|---|---|---|:---| +|---|---|---|---| | | 4.0.0 | | | Environment variables for the **storage-users** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`STORAGE_USERS_SERVICE_NAME`| 1.0.0 |string|`Service name to use. Change this when starting an additional storage provider with a custom configuration to prevent it from colliding with the default 'storage-users' service.`|`storage-users`| -|`OC_LOG_LEVEL`
`STORAGE_USERS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`STORAGE_USERS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`STORAGE_USERS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`STORAGE_USERS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`STORAGE_USERS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9159`| -|`STORAGE_USERS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`STORAGE_USERS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`STORAGE_USERS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`STORAGE_USERS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9157`| -|`OC_GRPC_PROTOCOL`
`STORAGE_USERS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| -|`STORAGE_USERS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9158`| -|`STORAGE_USERS_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| -|`OC_CORS_ALLOW_ORIGINS`
`STORAGE_USERS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| -|`OC_CORS_ALLOW_METHODS`
`STORAGE_USERS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[POST HEAD PATCH OPTIONS GET DELETE]`| -|`OC_CORS_ALLOW_HEADERS`
`STORAGE_USERS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin X-Requested-With X-Request-Id X-HTTP-Method-Override Content-Type Upload-Length Upload-Offset Tus-Resumable Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`STORAGE_USERS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| -|`OC_CORS_EXPOSE_HEADERS`
`STORAGE_USERS_CORS_EXPOSE_HEADERS`| 1.0.0 |[]string|`A list of exposed CORS headers. See following chapter for more details: *Access-Control-Expose-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers. See the Environment Variable Types description for more details.`|`[Upload-Offset Location Upload-Length Tus-Version Tus-Resumable Tus-Max-Size Tus-Extension Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]`| -|`OC_CORS_MAX_AGE`
`STORAGE_USERS_CORS_MAX_AGE`| 1.0.0 |uint|`The max cache duration of preflight headers. See following chapter for more details: *Access-Control-Max-Age* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age. See the Environment Variable Types description for more details.`|`86400`| -|`OC_JWT_SECRET`
`STORAGE_USERS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`STORAGE_USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT`| 1.0.0 |int|`The number of seconds to wait for the 'storage-users' service to shutdown cleanly before exiting with an error that gets logged. Note: This setting is only applicable when running the 'storage-users' service as a standalone service. See the text description for more details.`|`30`| -|`STORAGE_USERS_DRIVER`| 1.0.0 |string|`The storage driver which should be used by the service. Defaults to 'posix'. Supported values are: 'posix', 'decomposed', 'decomposeds3' and 'owncloudsql'. For backwards compatibility reasons it's also possible to use the 'ocis' and 's3ng' driver and configure them using the 'decomposed'/'decomposeds3' options. The 'posix' driver stores data directly on a POSIX-compliant filesystem. The 'decomposed' driver stores all data (blob and meta data) in a POSIX compliant volume. The 'decomposeds3' driver stores metadata in a POSIX compliant volume and uploads blobs to the s3 bucket.`|`posix`| -|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSED_PROPAGATOR`| 1.0.0 |string|`The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|`sync`| -|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|`0s`| -|`STORAGE_USERS_DECOMPOSED_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store blobs and metadata. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|`/var/lib/opencloud/storage/users`| -|`STORAGE_USERS_DECOMPOSED_USER_LAYOUT`| 1.0.0 |string|`Template string for the user storage layout in the user directory.`|`{{.Id.OpaqueId}}`| -|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSED_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.`|`eu.opencloud.api.settings`| -|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|`{{.SpaceType}}/{{.User.Username \| lower}}`| -|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|``| -|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|`{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}`| -|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|``| -|`STORAGE_USERS_DECOMPOSED_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|`/Shares`| -|`STORAGE_USERS_DECOMPOSED_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.`|`20`| -|`STORAGE_USERS_DECOMPOSED_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.`|`30`| -|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSED_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`5`| -|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| -|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_DECOMPOSED_MAX_QUOTA`| 1.0.0 |uint64|`Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.`|`0`| -|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|`false`| -|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSEDS3_PROPAGATOR`| 1.0.0 |string|`The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|`sync`| -|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|`0s`| -|`STORAGE_USERS_DECOMPOSEDS3_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store metadata for blobs. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|`/var/lib/opencloud/storage/users`| -|`STORAGE_USERS_DECOMPOSEDS3_USER_LAYOUT`| 1.0.0 |string|`Template string for the user storage layout in the user directory.`|`{{.Id.OpaqueId}}`| -|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSEDS3_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.`|`eu.opencloud.api.settings`| -|`STORAGE_USERS_DECOMPOSEDS3_REGION`| 1.0.0 |string|`Region of the S3 bucket.`|`default`| -|`STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY`| 1.0.0 |string|`Access key for the S3 bucket.`|``| -|`STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY`| 1.0.0 |string|`Secret key for the S3 bucket.`|``| -|`STORAGE_USERS_DECOMPOSEDS3_ENDPOINT`| 1.0.0 |string|`Endpoint for the S3 bucket.`|``| -|`STORAGE_USERS_DECOMPOSEDS3_BUCKET`| 1.0.0 |string|`Name of the S3 bucket.`|``| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_CONTENT_SHA256`| 1.0.0 |bool|`Disable sending content sha256 when copying objects to S3.`|`false`| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_MULTIPART`| 1.0.0 |bool|`Disable multipart uploads when copying objects to S3.`|`false`| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_SEND_CONTENT_MD5`| 1.0.0 |bool|`Send a Content-MD5 header when copying objects to S3.`|`true`| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_CONCURRENT_STREAM_PARTS`| 1.0.0 |bool|`Always precreate parts when copying objects to S3. This is not recommended. It uses a memory buffer. If true, PartSize needs to be set.`|`false`| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_NUM_THREADS`| 1.0.0 |uint|`Number of concurrent uploads to use when copying objects to S3.`|`4`| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_PART_SIZE`| 1.0.0 |uint64|`Part size for concurrent uploads to S3. If no value or 0 is set, the library automatically calculates the part size according to the total size of the file to be uploaded. 
The value range is min 5MB and max 5GB.`|`0`| -|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|`{{.SpaceType}}/{{.User.Username \| lower}}`| -|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|``| -|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|`{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}`| -|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|``| -|`STORAGE_USERS_DECOMPOSEDS3_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|`/Shares`| -|`STORAGE_USERS_DECOMPOSEDS3_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|`20`| -|`STORAGE_USERS_DECOMPOSEDS3_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.`|`30`| -|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSEDS3_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value of 100 will be used.`|`5`| -|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| -|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|`false`| -|`STORAGE_USERS_OWNCLOUDSQL_DATADIR`| 1.0.0 |string|`The directory where the filesystem storage will store SQL migration data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/owncloud.`|`/var/lib/opencloud/storage/owncloud`| -|`STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|`/Shares`| -|`STORAGE_USERS_OWNCLOUDSQL_LAYOUT`| 1.0.0 |string|`Path layout to use to navigate into a users folder in an owncloud data directory`|`{{.Username}}`| -|`STORAGE_USERS_OWNCLOUDSQL_UPLOADINFO_DIR`| 1.0.0 |string|`The directory where the filesystem will store uploads temporarily. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/uploadinfo.`|`/var/lib/opencloud/storage/uploadinfo`| -|`STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Username for the database.`|`owncloud`| -|`STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database.`|`owncloud`| -|`STORAGE_USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname or IP of the database server.`|``| -|`STORAGE_USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Port that the database server is listening on.`|`3306`| -|`STORAGE_USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the database to be used.`|`owncloud`| -|`STORAGE_USERS_OWNCLOUDSQL_USERS_PROVIDER_ENDPOINT`| 1.0.0 |string|`Endpoint of the users provider.`|`eu.opencloud.api.users`| -|`STORAGE_USERS_POSIX_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store its data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|`/var/lib/opencloud/storage/users`| -|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_POSIX_PROPAGATOR`| 2.0.0 |string|`The propagator used for the posix driver. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|``| -|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|`0s`| -|`STORAGE_USERS_POSIX_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|`{{.SpaceType}}/{{.User.Username \| lower}}`| -|`STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|`users/{{.User.Id.OpaqueId}}`| -|`STORAGE_USERS_POSIX_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|`{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}`| -|`STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|`projects/{{.SpaceId}}`| -|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed', 'posix' and 'decomposeds3'.`|`eu.opencloud.api.settings`| -|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| -|`STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY`| 1.0.0 |Duration|`The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected.`|`1s`| -|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_POSIX_MAX_QUOTA`| 2.0.0 |uint64|`Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.`|`0`| -|`STORAGE_USERS_POSIX_MAX_ACQUIRE_LOCK_CYCLES`| 2.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.`|`0`| -|`STORAGE_USERS_POSIX_LOCK_CYCLE_DURATION_FACTOR`| 2.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.`|`0`| -|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_POSIX_MAX_CONCURRENCY`| 2.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`0`| -|`OC_DISABLE_VERSIONING`| 2.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|`false`| -|`STORAGE_USERS_POSIX_USE_SPACE_GROUPS`| 1.0.0 |bool|`Use space groups to manage permissions on spaces.`|`false`| -|`STORAGE_USERS_POSIX_ENABLE_FS_REVISIONS`| 1.0.0 |bool|`Allow for generating revisions from changes done to the local storage. Note: This doubles the number of bytes stored on disk because a copy of the current revision is stored to be turned into a revision later.`|`false`| -|`STORAGE_USERS_POSIX_WATCH_FS`| 2.0.0 |bool|`Enable the filesystem watcher to detect changes to the filesystem. This is used to detect changes to the filesystem and update the metadata accordingly.`|`false`| -|`STORAGE_USERS_POSIX_WATCH_TYPE`| 1.0.0 |string|`Type of the watcher to use for getting notified about changes to the filesystem. Currently available options are 'inotifywait' (default), 'cephfs', 'gpfswatchfolder' and 'gpfsfileauditlogging'.`|``| -|`STORAGE_USERS_POSIX_WATCH_PATH`| 1.0.0 |string|`Path to the watch directory/file. Only applies to the 'gpfsfileauditlogging' and 'inotifywait' watcher, in which case it is the path of the file audit log file/base directory to watch.`|``| -|`STORAGE_USERS_POSIX_WATCH_NOTIFICATION_BROKERS,STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS`| 1.0.0 |string|`Comma-separated list of kafka brokers to read the watchfolder events from.`|``| -|`STORAGE_USERS_POSIX_WATCH_ROOT`| 4.0.0 |string|`Path to the watch root directory. Event paths will be considered relative to this path. 
Only applies to the 'gpswatchfolder' and 'cephfs' watchers.`|``| -|`STORAGE_USERS_POSIX_INOTIFY_STATS_FREQUENCY`| 4.0.0 |Duration|`Frequency to log inotify stats.`|`5m0s`| -|`STORAGE_USERS_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.`|`http://localhost:9158/data`| -|`STORAGE_USERS_DATA_GATEWAY_URL`| 1.0.0 |string|`URL of the data gateway server`|`http://localhost:9140/data`| -|`STORAGE_USERS_TRANSFER_EXPIRES`| 1.0.0 |int64|`The time after which the token for upload postprocessing expires`|`86400`| -|`OC_EVENTS_ENDPOINT`
`STORAGE_USERS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`STORAGE_USERS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`STORAGE_USERS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`STORAGE_USERS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`STORAGE_USERS_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|`The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1.`|`0`| -|`OC_EVENTS_AUTH_USERNAME`
`STORAGE_USERS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`STORAGE_USERS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_CACHE_STORE`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| -|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-users`| -|`OC_CACHE_TTL`
`STORAGE_USERS_FILEMETADATA_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`24m0s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| -|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_STORE`
`STORAGE_USERS_ID_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`nats-js-kv`| -|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_ID_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| -|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`ids-storage-users`| -|`OC_CACHE_TTL`
`STORAGE_USERS_ID_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details.`|`24m0s`| -|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| -|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_ID_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_ID_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage.`|``| -|`STORAGE_USERS_EXPOSE_DATA_SERVER`| 1.0.0 |bool|`Exposes the data server directly to users and bypasses the data gateway. Ensure that the data server address is reachable by users.`|`false`| -|`STORAGE_USERS_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|`false`| -|`STORAGE_USERS_UPLOAD_EXPIRATION`| 1.0.0 |int64|`Duration in seconds after which uploads will expire. Note that when setting this to a low number, uploads could be cancelled before they are finished and return a 403 to the user.`|`86400`| -|`OC_ADMIN_USER_ID`
`STORAGE_USERS_PURGE_TRASH_BIN_USER_ID`| 1.0.0 |string|`ID of the user who collects all necessary information for deletion. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``| -|`STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE`| 1.0.0 |Duration|`Specifies the period of time in which items that have been in the personal trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.`|`720h0m0s`| -|`STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE`| 1.0.0 |Duration|`Specifies the period of time in which items that have been in the project trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.`|`720h0m0s`| -|`OC_SERVICE_ACCOUNT_ID`
`STORAGE_USERS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`STORAGE_USERS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| -|`OC_GATEWAY_GRPC_ADDR`
`STORAGE_USERS_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the gateway GRPC address.`|`127.0.0.1:9142`| -|`OC_MACHINE_AUTH_API_KEY`
`STORAGE_USERS_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| -|`STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE`| 1.0.0 |int|`The maximum number of attempts to rename a file when a user restores a file to an existing destination with the same name. The minimum value is 100.`|`0`| +|---|---|---|---|---| +|`STORAGE_USERS_SERVICE_NAME`| 1.0.0 |string|`Service name to use. Change this when starting an additional storage provider with a custom configuration to prevent it from colliding with the default 'storage-users' service.`|storage-users| +|`OC_LOG_LEVEL`
`STORAGE_USERS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`STORAGE_USERS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9159| +|`STORAGE_USERS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`STORAGE_USERS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`STORAGE_USERS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`STORAGE_USERS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9157| +|`OC_GRPC_PROTOCOL`
`STORAGE_USERS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|tcp| +|`STORAGE_USERS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9158| +|`STORAGE_USERS_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|tcp| +|`OC_CORS_ALLOW_ORIGINS`
`STORAGE_USERS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[https://localhost:9200]| +|`OC_CORS_ALLOW_METHODS`
`STORAGE_USERS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[POST HEAD PATCH OPTIONS GET DELETE]| +|`OC_CORS_ALLOW_HEADERS`
`STORAGE_USERS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin X-Requested-With X-Request-Id X-HTTP-Method-Override Content-Type Upload-Length Upload-Offset Tus-Resumable Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]| +|`OC_CORS_ALLOW_CREDENTIALS`
`STORAGE_USERS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|false| +|`OC_CORS_EXPOSE_HEADERS`
`STORAGE_USERS_CORS_EXPOSE_HEADERS`| 1.0.0 |[]string|`A list of exposed CORS headers. See following chapter for more details: *Access-Control-Expose-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers. See the Environment Variable Types description for more details.`|[Upload-Offset Location Upload-Length Tus-Version Tus-Resumable Tus-Max-Size Tus-Extension Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]| +|`OC_CORS_MAX_AGE`
`STORAGE_USERS_CORS_MAX_AGE`| 1.0.0 |uint|`The max cache duration of preflight headers. See following chapter for more details: *Access-Control-Max-Age* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age. See the Environment Variable Types description for more details.`|86400| +|`OC_JWT_SECRET`
`STORAGE_USERS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`STORAGE_USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT`| 1.0.0 |int|`The number of seconds to wait for the 'storage-users' service to shutdown cleanly before exiting with an error that gets logged. Note: This setting is only applicable when running the 'storage-users' service as a standalone service. See the text description for more details.`|30| +|`STORAGE_USERS_DRIVER`| 1.0.0 |string|`The storage driver which should be used by the service. Defaults to 'posix'. Supported values are: 'posix', 'decomposed', 'decomposeds3' and 'owncloudsql'. For backwards compatibility reasons it's also possible to use the 'ocis' and 's3ng' driver and configure them using the 'decomposed'/'decomposeds3' options. The 'posix' driver stores data directly on a POSIX-compliant filesystem. The 'decomposed' driver stores all data (blob and meta data) in a POSIX compliant volume. The 'decomposeds3' driver stores metadata in a POSIX compliant volume and uploads blobs to the s3 bucket.`|posix| +|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSED_PROPAGATOR`| 1.0.0 |string|`The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|sync| +|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|0s| +|`STORAGE_USERS_DECOMPOSED_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store blobs and metadata. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|/home/chaser/.opencloud/storage/users| +|`STORAGE_USERS_DECOMPOSED_USER_LAYOUT`| 1.0.0 |string|`Template string for the user storage layout in the user directory.`|{{.Id.OpaqueId}}| +|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSED_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.`|eu.opencloud.api.settings| +|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|{{.SpaceType}}/{{.User.Username \| lower}}| +|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|| +|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}| +|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|| +|`STORAGE_USERS_DECOMPOSED_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|/Shares| +|`STORAGE_USERS_DECOMPOSED_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.`|20| +|`STORAGE_USERS_DECOMPOSED_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.`|30| +|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSED_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|5| +|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|true| +|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_DECOMPOSED_MAX_QUOTA`| 1.0.0 |uint64|`Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.`|0| +|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|false| +|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSEDS3_PROPAGATOR`| 1.0.0 |string|`The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|sync| +|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|0s| +|`STORAGE_USERS_DECOMPOSEDS3_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store metadata for blobs. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|/home/chaser/.opencloud/storage/users| +|`STORAGE_USERS_DECOMPOSEDS3_USER_LAYOUT`| 1.0.0 |string|`Template string for the user storage layout in the user directory.`|{{.Id.OpaqueId}}| +|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSEDS3_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.`|eu.opencloud.api.settings| +|`STORAGE_USERS_DECOMPOSEDS3_REGION`| 1.0.0 |string|`Region of the S3 bucket.`|default| +|`STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY`| 1.0.0 |string|`Access key for the S3 bucket.`|| +|`STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY`| 1.0.0 |string|`Secret key for the S3 bucket.`|| +|`STORAGE_USERS_DECOMPOSEDS3_ENDPOINT`| 1.0.0 |string|`Endpoint for the S3 bucket.`|| +|`STORAGE_USERS_DECOMPOSEDS3_BUCKET`| 1.0.0 |string|`Name of the S3 bucket.`|| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_CONTENT_SHA256`| 1.0.0 |bool|`Disable sending content sha256 when copying objects to S3.`|false| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_MULTIPART`| 1.0.0 |bool|`Disable multipart uploads when copying objects to S3.`|false| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_SEND_CONTENT_MD5`| 1.0.0 |bool|`Send a Content-MD5 header when copying objects to S3.`|true| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_CONCURRENT_STREAM_PARTS`| 1.0.0 |bool|`Always precreate parts when copying objects to S3. This is not recommended. It uses a memory buffer. If true, PartSize needs to be set.`|false| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_NUM_THREADS`| 1.0.0 |uint|`Number of concurrent uploads to use when copying objects to S3.`|4| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_PART_SIZE`| 1.0.0 |uint64|`Part size for concurrent uploads to S3. If no value or 0 is set, the library automatically calculates the part size according to the total size of the file to be uploaded. 
The value range is min 5MB and max 5GB.`|0| +|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|{{.SpaceType}}/{{.User.Username \| lower}}| +|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|| +|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}| +|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|| +|`STORAGE_USERS_DECOMPOSEDS3_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|/Shares| +|`STORAGE_USERS_DECOMPOSEDS3_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|20| +|`STORAGE_USERS_DECOMPOSEDS3_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.`|30| +|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSEDS3_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value of 100 will be used.`|5| +|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|true| +|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|false| +|`STORAGE_USERS_OWNCLOUDSQL_DATADIR`| 1.0.0 |string|`The directory where the filesystem storage will store SQL migration data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/owncloud.`|/home/chaser/.opencloud/storage/owncloud| +|`STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|/Shares| +|`STORAGE_USERS_OWNCLOUDSQL_LAYOUT`| 1.0.0 |string|`Path layout to use to navigate into a users folder in an owncloud data directory`|{{.Username}}| +|`STORAGE_USERS_OWNCLOUDSQL_UPLOADINFO_DIR`| 1.0.0 |string|`The directory where the filesystem will store uploads temporarily. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/uploadinfo.`|/home/chaser/.opencloud/storage/uploadinfo| +|`STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Username for the database.`|owncloud| +|`STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database.`|owncloud| +|`STORAGE_USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname or IP of the database server.`|| +|`STORAGE_USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Port that the database server is listening on.`|3306| +|`STORAGE_USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the database to be used.`|owncloud| +|`STORAGE_USERS_OWNCLOUDSQL_USERS_PROVIDER_ENDPOINT`| 1.0.0 |string|`Endpoint of the users provider.`|eu.opencloud.api.users| +|`STORAGE_USERS_POSIX_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store its data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|/home/chaser/.opencloud/storage/users| +|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_POSIX_PROPAGATOR`| 2.0.0 |string|`The propagator used for the posix driver. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|| +|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|0s| +|`STORAGE_USERS_POSIX_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|{{.SpaceType}}/{{.User.Username \| lower}}| +|`STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|users/{{.User.Id.OpaqueId}}| +|`STORAGE_USERS_POSIX_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}| +|`STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|projects/{{.SpaceId}}| +|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed', 'posix' and 'decomposeds3'.`|eu.opencloud.api.settings| +|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|true| +|`STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY`| 1.0.0 |Duration|`The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected.`|1s| +|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_POSIX_MAX_QUOTA`| 2.0.0 |uint64|`Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.`|0| +|`STORAGE_USERS_POSIX_MAX_ACQUIRE_LOCK_CYCLES`| 2.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.`|0| +|`STORAGE_USERS_POSIX_LOCK_CYCLE_DURATION_FACTOR`| 2.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.`|0| +|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_POSIX_MAX_CONCURRENCY`| 2.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|0| +|`OC_DISABLE_VERSIONING`| 2.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|false| +|`STORAGE_USERS_POSIX_USE_SPACE_GROUPS`| 1.0.0 |bool|`Use space groups to manage permissions on spaces.`|false| +|`STORAGE_USERS_POSIX_ENABLE_FS_REVISIONS`| 1.0.0 |bool|`Allow for generating revisions from changes done to the local storage. Note: This doubles the number of bytes stored on disk because a copy of the current revision is stored to be turned into a revision later.`|false| +|`STORAGE_USERS_POSIX_WATCH_FS`| 2.0.0 |bool|`Enable the filesystem watcher to detect changes to the filesystem. This is used to detect changes to the filesystem and update the metadata accordingly.`|false| +|`STORAGE_USERS_POSIX_WATCH_TYPE`| 1.0.0 |string|`Type of the watcher to use for getting notified about changes to the filesystem. Currently available options are 'inotifywait' (default), 'cephfs', 'gpfswatchfolder' and 'gpfsfileauditlogging'.`|| +|`STORAGE_USERS_POSIX_WATCH_PATH`| 1.0.0 |string|`Path to the watch directory/file. Only applies to the 'gpfsfileauditlogging' and 'inotifywait' watcher, in which case it is the path of the file audit log file/base directory to watch.`|| +|`STORAGE_USERS_POSIX_WATCH_NOTIFICATION_BROKERS,STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS`| 1.0.0 |string|`Comma-separated list of kafka brokers to read the watchfolder events from.`|| +|`STORAGE_USERS_POSIX_WATCH_ROOT`| 4.0.0 |string|`Path to the watch root directory. Event paths will be considered relative to this path. 
Only applies to the 'gpswatchfolder' and 'cephfs' watchers.`|| +|`STORAGE_USERS_POSIX_INOTIFY_STATS_FREQUENCY`| 4.0.0 |Duration|`Frequency to log inotify stats.`|5m0s| +|`STORAGE_USERS_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.`|http://localhost:9158/data| +|`STORAGE_USERS_DATA_GATEWAY_URL`| 1.0.0 |string|`URL of the data gateway server`|http://localhost:9140/data| +|`STORAGE_USERS_TRANSFER_EXPIRES`| 1.0.0 |int64|`The time after which the token for upload postprocessing expires`|86400| +|`OC_EVENTS_ENDPOINT`
`STORAGE_USERS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`STORAGE_USERS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`STORAGE_USERS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`STORAGE_USERS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`STORAGE_USERS_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|`The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1.`|0| +|`OC_EVENTS_AUTH_USERNAME`
`STORAGE_USERS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`STORAGE_USERS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_CACHE_STORE`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|memory| +|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|storage-users| +|`OC_CACHE_TTL`
`STORAGE_USERS_FILEMETADATA_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|24m0s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|false| +|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_STORE`
`STORAGE_USERS_ID_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|nats-js-kv| +|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_ID_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[127.0.0.1:9233]| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|ids-storage-users| +|`OC_CACHE_TTL`
`STORAGE_USERS_ID_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details.`|24m0s| +|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|false| +|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_ID_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_ID_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|| +|`STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage.`|| +|`STORAGE_USERS_EXPOSE_DATA_SERVER`| 1.0.0 |bool|`Exposes the data server directly to users and bypasses the data gateway. Ensure that the data server address is reachable by users.`|false| +|`STORAGE_USERS_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|false| +|`STORAGE_USERS_UPLOAD_EXPIRATION`| 1.0.0 |int64|`Duration in seconds after which uploads will expire. Note that when setting this to a low number, uploads could be cancelled before they are finished and return a 403 to the user.`|86400| +|`OC_ADMIN_USER_ID`
`STORAGE_USERS_PURGE_TRASH_BIN_USER_ID`| 1.0.0 |string|`ID of the user who collects all necessary information for deletion. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|| +|`STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE`| 1.0.0 |Duration|`Specifies the period of time in which items that have been in the personal trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.`|720h0m0s| +|`STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE`| 1.0.0 |Duration|`Specifies the period of time in which items that have been in the project trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.`|720h0m0s| +|`OC_SERVICE_ACCOUNT_ID`
`STORAGE_USERS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`STORAGE_USERS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| +|`OC_GATEWAY_GRPC_ADDR`
`STORAGE_USERS_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the gateway GRPC address.`|127.0.0.1:9142| +|`OC_MACHINE_AUTH_API_KEY`
`STORAGE_USERS_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|| +|`STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE`| 1.0.0 |int|`The maximum number of attempts to rename a file when a user restores a file to an existing destination with the same name. The minimum value is 100.`|0| diff --git a/static/env-vars/storage-users_readme.md b/static/env-vars/storage-users_readme.md index 51c7064e..8a494239 100644 --- a/static/env-vars/storage-users_readme.md +++ b/static/env-vars/storage-users_readme.md @@ -1,6 +1,6 @@ --- title: Storage-Users -date: 2025-11-27T22:56:02.334862+01:00 +date: 2026-01-13T10:10:18.224352113+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/storage-users diff --git a/static/env-vars/thumbnails-config-example.yaml b/static/env-vars/thumbnails-config-example.yaml new file mode 100644 index 00000000..e75d306a --- /dev/null +++ b/static/env-vars/thumbnails-config-example.yaml 
@@ -0,0 +1,63 @@ +# Autogenerated +# Filename: thumbnails-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9189 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9185 + tls: null + max_concurrent_requests: 0 +http: + addr: 127.0.0.1:9186 + tls: + enabled: false + cert: "" + key: "" + root: /thumbnails + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Cache-Control + allow_credentials: true +grpc_client_tls: null +thumbnail: + resolutions: + - 16x16 + - 32x32 + - 64x64 + - 128x128 + - 1080x1920 + - 1920x1080 + - 2160x3840 + - 3840x2160 + - 4320x7680 + - 7680x4320 + filesystem_storage: + root_directory: /home/chaser/.opencloud/thumbnails + webdav_allow_insecure: false + cs3_allow_insecure: false + reva_gateway: eu.opencloud.api.gateway + font_map_file: "" + transfer_secret: "" + data_endpoint: http://127.0.0.1:9186/thumbnails/data + max_input_width: 7680 + max_input_height: 7680 + max_input_image_file_size: 50MB diff --git a/static/env-vars/thumbnails_configvars.md b/static/env-vars/thumbnails_configvars.md index b61c1386..d4793cd2 100644 --- a/static/env-vars/thumbnails_configvars.md +++ b/static/env-vars/thumbnails_configvars.md @@ -1,34 +1,31 @@ Environment variables for the **thumbnails** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`THUMBNAILS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`THUMBNAILS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`THUMBNAILS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`THUMBNAILS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`THUMBNAILS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9189`| -|`THUMBNAILS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`THUMBNAILS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`THUMBNAILS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`THUMBNAILS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9185`| -|`THUMBNAILS_MAX_CONCURRENT_REQUESTS`| 1.0.0 |int|`Number of maximum concurrent thumbnail requests. Default is 0 which is unlimited.`|`0`| -|`THUMBNAILS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9186`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`THUMBNAILS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/thumbnails`| -|`OC_CORS_ALLOW_ORIGINS`
`THUMBNAILS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| -|`OC_CORS_ALLOW_METHODS`
`THUMBNAILS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| -|`OC_CORS_ALLOW_HEADERS`
`THUMBNAILS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`THUMBNAILS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| -|`THUMBNAILS_RESOLUTIONS`| 1.0.0 |[]string|`The supported list of target resolutions in the format WidthxHeight like 32x32. You can define any resolution as required. See the Environment Variable Types description for more details.`|`[16x16 32x32 64x64 128x128 1080x1920 1920x1080 2160x3840 3840x2160 4320x7680 7680x4320]`| -|`THUMBNAILS_FILESYSTEMSTORAGE_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store the thumbnails. If not defined, the root directory derives from $OC_BASE_DATA_PATH/thumbnails.`|`/var/lib/opencloud/thumbnails`| -|`OC_INSECURE`
`THUMBNAILS_WEBDAVSOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the webdav source.`|`false`| -|`OC_INSECURE`
`THUMBNAILS_CS3SOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the CS3 source.`|`false`| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| -|`THUMBNAILS_TXT_FONTMAP_FILE`| 1.0.0 |string|`The path to a font file for txt thumbnails.`|``| -|`THUMBNAILS_TRANSFER_TOKEN`| 1.0.0 |string|`The secret to sign JWT to download the actual thumbnail file.`|``| -|`THUMBNAILS_DATA_ENDPOINT`| 1.0.0 |string|`The HTTP endpoint where the actual thumbnail file can be downloaded.`|`http://127.0.0.1:9186/thumbnails/data`| -|`THUMBNAILS_MAX_INPUT_WIDTH`| 1.0.0 |int|`The maximum width of an input image which is being processed.`|`7680`| -|`THUMBNAILS_MAX_INPUT_HEIGHT`| 1.0.0 |int|`The maximum height of an input image which is being processed.`|`7680`| -|`THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE`| 1.0.0 |string|`The maximum file size of an input image which is being processed. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.`|`50MB`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`THUMBNAILS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`THUMBNAILS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9189| +|`THUMBNAILS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`THUMBNAILS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`THUMBNAILS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`THUMBNAILS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9185| +|`THUMBNAILS_MAX_CONCURRENT_REQUESTS`| 1.0.0 |int|`Number of maximum concurrent thumbnail requests. Default is 0 which is unlimited.`|0| +|`THUMBNAILS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9186| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`THUMBNAILS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/thumbnails| +|`OC_CORS_ALLOW_ORIGINS`
`THUMBNAILS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[*]| +|`OC_CORS_ALLOW_METHODS`
`THUMBNAILS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[GET POST PUT PATCH DELETE OPTIONS]| +|`OC_CORS_ALLOW_HEADERS`
`THUMBNAILS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]| +|`OC_CORS_ALLOW_CREDENTIALS`
`THUMBNAILS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|true| +|`THUMBNAILS_RESOLUTIONS`| 1.0.0 |[]string|`The supported list of target resolutions in the format WidthxHeight like 32x32. You can define any resolution as required. See the Environment Variable Types description for more details.`|[16x16 32x32 64x64 128x128 1080x1920 1920x1080 2160x3840 3840x2160 4320x7680 7680x4320]| +|`THUMBNAILS_FILESYSTEMSTORAGE_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store the thumbnails. If not defined, the root directory derives from $OC_BASE_DATA_PATH/thumbnails.`|/home/chaser/.opencloud/thumbnails| +|`OC_INSECURE`
`THUMBNAILS_WEBDAVSOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the webdav source.`|false| +|`OC_INSECURE`
`THUMBNAILS_CS3SOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the CS3 source.`|false| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|eu.opencloud.api.gateway| +|`THUMBNAILS_TXT_FONTMAP_FILE`| 1.0.0 |string|`The path to a font file for txt thumbnails.`|| +|`THUMBNAILS_TRANSFER_TOKEN`| 1.0.0 |string|`The secret to sign JWT to download the actual thumbnail file.`|| +|`THUMBNAILS_DATA_ENDPOINT`| 1.0.0 |string|`The HTTP endpoint where the actual thumbnail file can be downloaded.`|http://127.0.0.1:9186/thumbnails/data| +|`THUMBNAILS_MAX_INPUT_WIDTH`| 1.0.0 |int|`The maximum width of an input image which is being processed.`|7680| +|`THUMBNAILS_MAX_INPUT_HEIGHT`| 1.0.0 |int|`The maximum height of an input image which is being processed.`|7680| +|`THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE`| 1.0.0 |string|`The maximum file size of an input image which is being processed. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.`|50MB| diff --git a/static/env-vars/thumbnails_readme.md b/static/env-vars/thumbnails_readme.md index ad62b83f..22be933f 100644 --- a/static/env-vars/thumbnails_readme.md +++ b/static/env-vars/thumbnails_readme.md @@ -1,6 +1,6 @@ --- title: Thumbnails -date: 2025-11-27T22:56:02.334947+01:00 +date: 2026-01-13T10:10:18.224534597+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/thumbnails diff --git a/static/env-vars/userlog-config-example.yaml b/static/env-vars/userlog-config-example.yaml new file mode 100644 index 00000000..f01761b5 --- /dev/null +++ b/static/env-vars/userlog-config-example.yaml 
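Review bot: In the thumbnails_configvars.md hunk above, the new default for `THUMBNAILS_FILESYSTEMSTORAGE_ROOT` is `/home/chaser/.opencloud/thumbnails`, which is the local home directory of whoever ran the doc generator rather than the packaged data path; regenerate with `OC_BASE_DATA_PATH` pointing at the shipped location (or have the generator emit `$OC_BASE_DATA_PATH/thumbnails` literally) so committed documentation does not reference a developer's machine. One further point in the same table: `THUMBNAILS_TRANSFER_TOKEN` is the secret that signs the JWT authorizing the actual thumbnail download and it ships with an empty default, so the description should state whether the service refuses to start when it is unset or what the behaviour is otherwise, since an unset signing secret is the failure mode an operator most needs to know about.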
@@ -0,0 +1,58 @@ +# Autogenerated +# Filename: userlog-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9214 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9210 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +grpc_client_tls: null +token_manager: + jwt_secret: "" +reva_gateway: eu.opencloud.api.gateway +translation_path: "" +default_language: "" +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +max_concurrency: 1 +persistence: + store: memory + nodes: [] + database: userlog + table: events + ttl: 336h0m0s + username: "" + password: "" +disable_sse: false +global_notifications_secret: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/static/env-vars/userlog_configvars.md b/static/env-vars/userlog_configvars.md index 40753381..06e91815 100644 --- a/static/env-vars/userlog_configvars.md +++ b/static/env-vars/userlog_configvars.md @@ -1,44 +1,41 @@ Environment variables for the **userlog** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`USERLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`USERLOG_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`USERLOG_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`USERLOG_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`USERLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9214`| -|`USERLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`USERLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`USERLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`USERLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9210`| -|`USERLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`OC_CORS_ALLOW_ORIGINS`
`USERLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| -|`OC_CORS_ALLOW_METHODS`
`USERLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET]`| -|`OC_CORS_ALLOW_HEADERS`
`USERLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`USERLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`OC_JWT_SECRET`
`USERLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| -|`OC_TRANSLATION_PATH`
`USERLOG_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| -|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| -|`OC_EVENTS_ENDPOINT`
`USERLOG_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| -|`OC_EVENTS_CLUSTER`
`USERLOG_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| -|`OC_INSECURE`
`USERLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| -|`OC_EVENTS_ENABLE_TLS`
`USERLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| -|`OC_EVENTS_AUTH_USERNAME`
`USERLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_EVENTS_AUTH_PASSWORD`
`USERLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| -|`OC_MAX_CONCURRENCY`
`USERLOG_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`1`| -|`OC_PERSISTENT_STORE`
`USERLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`memory`| -|`OC_PERSISTENT_STORE_NODES`
`USERLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[]`| -|`USERLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`userlog`| -|`USERLOG_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|`events`| -|`OC_PERSISTENT_STORE_TTL`
`USERLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`USERLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`USERLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| -|`OC_DISABLE_SSE,USERLOG_DISABLE_SSE`| 1.0.0 |bool|`Disables server-sent events (sse). When disabled, clients will no longer receive sse notifications.`|`false`| -|`USERLOG_GLOBAL_NOTIFICATIONS_SECRET`| 1.0.0 |string|`The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.`|``| -|`OC_SERVICE_ACCOUNT_ID`
`USERLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| -|`OC_SERVICE_ACCOUNT_SECRET`
`USERLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`USERLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`USERLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9214| +|`USERLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`USERLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`USERLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`USERLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9210| +|`USERLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`OC_CORS_ALLOW_ORIGINS`
`USERLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[*]| +|`OC_CORS_ALLOW_METHODS`
`USERLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[GET]| +|`OC_CORS_ALLOW_HEADERS`
`USERLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]| +|`OC_CORS_ALLOW_CREDENTIALS`
`USERLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|true| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`OC_JWT_SECRET`
`USERLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|eu.opencloud.api.gateway| +|`OC_TRANSLATION_PATH`
`USERLOG_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|| +|`OC_EVENTS_ENDPOINT`
`USERLOG_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|127.0.0.1:9233| +|`OC_EVENTS_CLUSTER`
`USERLOG_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|opencloud-cluster| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`USERLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|false| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|| +|`OC_EVENTS_ENABLE_TLS`
`USERLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|false| +|`OC_EVENTS_AUTH_USERNAME`
`USERLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_EVENTS_AUTH_PASSWORD`
`USERLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|| +|`OC_MAX_CONCURRENCY`
`USERLOG_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|1| +|`OC_PERSISTENT_STORE`
`USERLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|memory| +|`OC_PERSISTENT_STORE_NODES`
`USERLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|[]| +|`USERLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|userlog| +|`USERLOG_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|events| +|`OC_PERSISTENT_STORE_TTL`
`USERLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|336h0m0s| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`USERLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`USERLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|| +|`OC_DISABLE_SSE,USERLOG_DISABLE_SSE`| 1.0.0 |bool|`Disables server-sent events (sse). When disabled, clients will no longer receive sse notifications.`|false| +|`USERLOG_GLOBAL_NOTIFICATIONS_SECRET`| 1.0.0 |string|`The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.`|| +|`OC_SERVICE_ACCOUNT_ID`
`USERLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|| +|`OC_SERVICE_ACCOUNT_SECRET`
`USERLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|| diff --git a/static/env-vars/userlog_readme.md b/static/env-vars/userlog_readme.md index e55816e7..388eaf2c 100644 --- a/static/env-vars/userlog_readme.md +++ b/static/env-vars/userlog_readme.md @@ -1,6 +1,6 @@ --- title: Userlog -date: 2025-11-27T22:56:02.335031+01:00 +date: 2026-01-13T10:10:18.224744271+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/userlog diff --git a/static/env-vars/users-config-example.yaml b/static/env-vars/users-config-example.yaml new file mode 100644 index 00000000..0e2ee577 --- /dev/null +++ b/static/env-vars/users-config-example.yaml 
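Review bot: In the userlog_configvars.md hunk above, the description of `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` / `USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE` still says "If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false", a leftover from the notifications service; it should name `USERLOG_EVENTS_TLS_INSECURE`. The row directly before it describes `OC_INSECURE` / `OC_EVENTS_TLS_INSECURE` / `USERLOG_EVENTS_TLS_INSECURE` as "Whether to verify the server TLS certificates", which is inverted: the `OC_INSECURE` alias and the `tls_insecure: false` default in the userlog-config-example.yaml hunk show that `true` disables verification, so the text should read along the lines of "Disable verification of the server TLS certificate. Do not set this in production environments." Three smaller points: the rows for `OC_LOG_PRETTY`, `OC_LOG_COLOR` and `OC_LOG_FILE` are dropped without replacement (the hunk header goes from 44 to 41 lines), so please confirm the options were actually removed from the service rather than lost in regeneration; the `OC_DISABLE_SSE,USERLOG_DISABLE_SSE` row joins its two names with a comma inside one cell where every other row lists aliases one per line; and the default-value column no longer wraps values in backticks, which leaves empty defaults as a bare `||` and renders `[*]` and `[GET]` as plain text rather than literals. In the YAML example, `allow_origins: ['*']` combined with `allow_credentials: true` is a pairing browsers reject (a literal `*` in `Access-Control-Allow-Origin` is not honoured for credentialed requests), so the sample either does not work for credentialed cross-origin calls or depends on the server reflecting the request Origin; the page should say which applies and recommend explicit origins for production.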
@@ -0,0 +1,68 @@ +# Autogenerated +# Filename: users-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9145 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9144 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +driver: ldap +drivers: + ldap: + uri: ldaps://localhost:9235 + ca_cert: /home/chaser/.opencloud/idm/ldap.crt + insecure: false + bind_dn: uid=reva,ou=sysusers,o=libregraph-idm + bind_password: "" + user_base_dn: ou=users,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + user_scope: sub + group_scope: sub + user_substring_filter_type: any + user_filter: "" + group_filter: "" + user_object_class: inetOrgPerson + group_object_class: groupOfNames + idp: https://localhost:9200 + disable_user_mechanism: attribute + user_type_attribute: openCloudUserType + ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm + user_schema: + id: openclouduuid + tenant_id: "" + id_is_octet_string: false + mail: mail + display_name: displayname + user_name: uid + user_enabled: openclouduserenabled + group_schema: + id: openclouduuid + id_is_octet_string: false + mail: mail + display_name: cn + group_name: cn + member: member + owncloudsql: + db_username: owncloud + db_password: secret + db_host: mysql + db_port: 3306 + db_name: owncloud + idp: https://localhost:9200 + nobody: 90 + join_username: false + join_owncloud_uuid: false + enable_medial_search: false diff --git a/static/env-vars/users_configvars.md b/static/env-vars/users_configvars.md index 96e4a7f8..bf658a0d 100644 --- a/static/env-vars/users_configvars.md +++ b/static/env-vars/users_configvars.md @@ -1,61 +1,58 @@ Environment variables for the **users** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`USERS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`USERS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`USERS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`USERS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`USERS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9145`| -|`USERS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`USERS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`USERS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`USERS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9144`| -|`OC_GRPC_PROTOCOL`
`USERS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| -|`OC_JWT_SECRET`
`USERS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| -|`USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| -|`USERS_DRIVER`| 1.0.0 |string|`The driver which should be used by the users service. Supported values are 'ldap' and 'owncloudsql'.`|`ldap`| -|`OC_LDAP_URI`
`USERS_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldaps://localhost:9235`| -|`OC_LDAP_CACERT`
`USERS_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/var/lib/opencloud/idm/ldap.crt`| -|`OC_LDAP_INSECURE`
`USERS_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| -|`OC_LDAP_BIND_DN`
`USERS_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=reva,ou=sysusers,o=libregraph-idm`| -|`OC_LDAP_BIND_PASSWORD`
`USERS_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| -|`OC_LDAP_USER_BASE_DN`
`USERS_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| -|`OC_LDAP_GROUP_BASE_DN`
`USERS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| -|`OC_LDAP_USER_SCOPE`
`USERS_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.`|`sub`| -|`OC_LDAP_GROUP_SCOPE`
`USERS_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.`|`sub`| -|`LDAP_USER_SUBSTRING_FILTER_TYPE`
`USERS_LDAP_USER_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|`Type of substring search filter to use for substring searches for users. Possible values: 'initial' for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches`|`any`| -|`OC_LDAP_USER_FILTER`
`USERS_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| -|`OC_LDAP_GROUP_FILTER`
`USERS_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| -|`OC_LDAP_USER_OBJECTCLASS`
`USERS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter like 'inetOrgPerson'.`|`inetOrgPerson`| -|`OC_LDAP_GROUP_OBJECTCLASS`
`USERS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter like 'groupOfNames'.`|`groupOfNames`| -|`OC_URL`
`OC_OIDC_ISSUER`
`USERS_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| -|`OC_LDAP_DISABLE_USER_MECHANISM`
`USERS_LDAP_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.`|`attribute`| -|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`USERS_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.`|`openCloudUserType`| -|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`USERS_LDAP_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|`cn=DisabledUsersGroup,ou=groups,o=libregraph-idm`| -|`OC_LDAP_USER_SCHEMA_ID`
`USERS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|`openclouduuid`| -|`OC_LDAP_USER_SCHEMA_TENANT_ID`
`USERS_LDAP_USER_SCHEMA_TENANT_ID`| 4.0.0 |string|`LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment.`|``| -|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|`false`| -|`OC_LDAP_USER_SCHEMA_MAIL`
`USERS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| -|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`USERS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|`displayname`| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`USERS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| -|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`USERS_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP attribute to use as a flag telling if the user is enabled or disabled.`|`openclouduserenabled`| -|`OC_LDAP_GROUP_SCHEMA_ID`
`USERS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.`|`openclouduuid`| -|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|`false`| -|`OC_LDAP_GROUP_SCHEMA_MAIL`
`USERS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|`mail`| -|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|`cn`| -|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`USERS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| -|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`USERS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| -|`USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|`owncloud`| -|`USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|`secret`| -|`USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|`mysql`| -|`USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|`3306`| -|`USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|`owncloud`| -|`USERS_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| -|`USERS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|`90`| -|`USERS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames`|`false`| -|`USERS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user IDs.`|`false`| -|`USERS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|`Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.`|`false`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`USERS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`USERS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9145| +|`USERS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`USERS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`USERS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`USERS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|127.0.0.1:9144| +|`OC_GRPC_PROTOCOL`
`USERS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|tcp| +|`OC_JWT_SECRET`
`USERS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|eu.opencloud.api.gateway| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|| +|`USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|false| +|`USERS_DRIVER`| 1.0.0 |string|`The driver which should be used by the users service. Supported values are 'ldap' and 'owncloudsql'.`|ldap| +|`OC_LDAP_URI`
`USERS_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|ldaps://localhost:9235| +|`OC_LDAP_CACERT`
`USERS_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|/home/chaser/.opencloud/idm/ldap.crt| +|`OC_LDAP_INSECURE`
`USERS_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|false| +|`OC_LDAP_BIND_DN`
`USERS_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|uid=reva,ou=sysusers,o=libregraph-idm| +|`OC_LDAP_BIND_PASSWORD`
`USERS_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|| +|`OC_LDAP_USER_BASE_DN`
`USERS_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|ou=users,o=libregraph-idm| +|`OC_LDAP_GROUP_BASE_DN`
`USERS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|ou=groups,o=libregraph-idm| +|`OC_LDAP_USER_SCOPE`
`USERS_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.`|sub| +|`OC_LDAP_GROUP_SCOPE`
`USERS_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.`|sub| +|`LDAP_USER_SUBSTRING_FILTER_TYPE`
`USERS_LDAP_USER_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|`Type of substring search filter to use for substring searches for users. Possible values: 'initial' for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches`|any| +|`OC_LDAP_USER_FILTER`
`USERS_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|| +|`OC_LDAP_GROUP_FILTER`
`USERS_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|| +|`OC_LDAP_USER_OBJECTCLASS`
`USERS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter like 'inetOrgPerson'.`|inetOrgPerson| +|`OC_LDAP_GROUP_OBJECTCLASS`
`USERS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter like 'groupOfNames'.`|groupOfNames| +|`OC_URL`
`OC_OIDC_ISSUER`
`USERS_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|https://localhost:9200| +|`OC_LDAP_DISABLE_USER_MECHANISM`
`USERS_LDAP_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.`|attribute| +|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`USERS_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.`|openCloudUserType| +|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`USERS_LDAP_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|cn=DisabledUsersGroup,ou=groups,o=libregraph-idm| +|`OC_LDAP_USER_SCHEMA_ID`
`USERS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|openclouduuid| +|`OC_LDAP_USER_SCHEMA_TENANT_ID`
`USERS_LDAP_USER_SCHEMA_TENANT_ID`| 4.0.0 |string|`LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment.`|| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|false| +|`OC_LDAP_USER_SCHEMA_MAIL`
`USERS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|mail| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`USERS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|displayname| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`USERS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|uid| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`USERS_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP attribute to use as a flag telling if the user is enabled or disabled.`|openclouduserenabled| +|`OC_LDAP_GROUP_SCHEMA_ID`
`USERS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.`|openclouduuid| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|false| +|`OC_LDAP_GROUP_SCHEMA_MAIL`
`USERS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|mail| +|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|cn| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`USERS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|cn| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`USERS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|member| +|`USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|owncloud| +|`USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|secret| +|`USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|mysql| +|`USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|3306| +|`USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|owncloud| +|`USERS_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|https://localhost:9200| +|`USERS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|90| +|`USERS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames`|false| +|`USERS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user IDs.`|false| +|`USERS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|`Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.`|false| diff --git a/static/env-vars/users_readme.md b/static/env-vars/users_readme.md index 6d2eb34f..642bb6e6 100644 --- a/static/env-vars/users_readme.md +++ b/static/env-vars/users_readme.md @@ -1,6 +1,6 @@ --- title: Users -date: 2025-11-27T22:56:02.335114+01:00 +date: 2026-01-13T10:10:18.225027223+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/users diff --git a/static/env-vars/web-config-example.yaml b/static/env-vars/web-config-example.yaml new file mode 100644 index 00000000..b2a76b3c --- /dev/null +++ b/static/env-vars/web-config-example.yaml 
@@ -0,0 +1,122 @@ +# Autogenerated +# Filename: web-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9104 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9100 + tls: + enabled: false + cert: "" + key: "" + root: / + cache_ttl: 604800 + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - PATCH + - POST + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + allow_credentials: false +asset: + core_path: /home/chaser/.opencloud/web/assets/core + themes_path: /home/chaser/.opencloud/web/assets/themes + apps_path: /home/chaser/.opencloud/web/assets/apps +file: "" +web: + theme_server: https://localhost:9200 + theme_path: /themes/opencloud/theme.json + config: + server: https://localhost:9200 + oidc: + metadata_url: https://localhost:9200/.well-known/openid-configuration + authority: https://localhost:9200 + client_id: web + response_type: code + scope: openid profile email + post_logout_redirect_uri: "" + apps: + - files + - search + - text-editor + - pdf-viewer + - external + - admin-settings + - epub-reader + - preview + - app-store + applications: [] + external_apps: [] + options: + accountEditLink: null + disableFeedbackLink: false + feedbackLink: null + runningOnEos: false + cernFeatures: false + upload: null + editor: null + contextHelpersReadMore: true + logoutUrl: "" + loginUrl: "" + tokenStorageLocal: true + disabledExtensions: [] + embed: + enabled: "" + target: "" + messagesOrigin: "" + delegateAuthentication: false + 
delegateAuthenticationOrigin: "" + userListRequiresFilter: false + concurrentRequests: + resourceBatchActions: 0 + sse: 0 + shares: + create: 0 + list: 0 + defaultAppId: "" + styles: [] + scripts: [] + custom_translations: [] +apps: {} +token_manager: + jwt_secret: "" +gateway_addr: eu.opencloud.api.gateway diff --git a/static/env-vars/web_configvars.md b/static/env-vars/web_configvars.md index 6d4b4ed9..9701f9b3 100644 --- a/static/env-vars/web_configvars.md +++ b/static/env-vars/web_configvars.md @@ -1,55 +1,52 @@ Environment variables for the **web** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`WEB_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`WEB_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`WEB_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`WEB_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`WEB_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9104`| -|`WEB_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`WEB_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`WEB_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`WEB_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9100`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`WEB_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`WEB_CACHE_TTL`| 1.0.0 |int|`Cache policy in seconds for OpenCloud Web assets.`|`604800`| -|`OC_CORS_ALLOW_ORIGINS`
`WEB_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| -|`OC_CORS_ALLOW_METHODS`
`WEB_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT PATCH POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| -|`OC_CORS_ALLOW_HEADERS`
`WEB_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`WEB_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS. See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| -|`WEB_ASSET_CORE_PATH`| 1.0.0 |string|`Serve OpenCloud Web assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/core`|`/var/lib/opencloud/web/assets/core`| -|`OC_ASSET_THEMES_PATH`
`WEB_ASSET_THEMES_PATH`| 1.0.0 |string|`Serve OpenCloud themes from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/themes`|`/var/lib/opencloud/web/assets/themes`| -|`WEB_ASSET_APPS_PATH`| 1.0.0 |string|`Serve OpenCloud Web apps assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/apps`|`/var/lib/opencloud/web/assets/apps`| -|`WEB_UI_CONFIG_FILE`| 1.0.0 |string|`Read the OpenCloud Web json based configuration from this path/file. The config file takes precedence over WEB_OPTION_xxx environment variables. See the text description for more details.`|``| -|`OC_URL`
`WEB_UI_THEME_SERVER`| 1.0.0 |string|`Base URL to load themes from. Will be prepended to the theme path.`|`https://localhost:9200`| -|`WEB_UI_THEME_PATH`| 1.0.0 |string|`Path to the theme json file. Will be appended to the URL of the theme server.`|`/themes/opencloud/theme.json`| -|`OC_URL`
`WEB_UI_CONFIG_SERVER`| 1.0.0 |string|`URL, where the OpenCloud APIs are reachable for OpenCloud Web.`|`https://localhost:9200`| -|`WEB_OIDC_METADATA_URL`| 1.0.0 |string|`URL for the OIDC well-known configuration endpoint. Defaults to the OpenCloud API URL + '/.well-known/openid-configuration'.`|`https://localhost:9200/.well-known/openid-configuration`| -|`OC_URL`
`OC_OIDC_ISSUER`
`WEB_OIDC_AUTHORITY`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|`https://localhost:9200`| -|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`| 1.0.0 |string|`The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP.`|`web`| -|`WEB_OIDC_RESPONSE_TYPE`| 1.0.0 |string|`The OIDC response type to use for authentication.`|`code`| -|`WEB_OIDC_SCOPE`| 1.0.0 |string|`OIDC scopes to request during authentication to authorize access to user details. Defaults to 'openid profile email'. Values are separated by blank. More example values but not limited to are 'address' or 'phone' etc.`|`openid profile email`| -|`WEB_OIDC_POST_LOGOUT_REDIRECT_URI`| 1.0.0 |string|`This value needs to point to a valid and reachable web page. The web client will trigger a redirect to that page directly after the logout action. The default value is empty and redirects to the login page.`|``| -|`WEB_OPTION_DISABLE_FEEDBACK_LINK`| 1.0.0 |bool|`Set this option to 'true' to disable the feedback link in the top bar. Keeping it enabled by setting the value to 'false' or with the absence of the option, allows OpenCloud to get feedback from your user base through a dedicated survey website.`|`false`| -|`WEB_OPTION_RUNNING_ON_EOS`| 1.0.0 |bool|`Set this option to 'true' if running on an EOS storage backend (\https://eos-web.web.cern.ch/eos-web/) to enable its specific features. Defaults to 'false'.`|`false`| -|`WEB_OPTION_CONTEXTHELPERS_READ_MORE`| 1.0.0 |bool|`Specifies whether the 'Read more' link should be displayed or not.`|`true`| -|`WEB_OPTION_LOGOUT_URL`| 1.0.0 |string|`Adds a link to the user's profile page to point him to an external page, where he can manage his session and devices. This is helpful when an external IdP is used. This option is disabled by default.`|``| -|`WEB_OPTION_LOGIN_URL`| 1.0.0 |string|`Specifies the target URL to the login page. This is helpful when an external IdP is used. This option is disabled by default. 
Example URL like: \https://www.myidp.com/login.`|``| -|`WEB_OPTION_TOKEN_STORAGE_LOCAL`| 1.0.0 |bool|`Specifies whether the access token will be stored in the local storage when set to 'true' or in the session storage when set to 'false'. If stored in the local storage, login state will be persisted across multiple browser tabs, means no additional logins are required.`|`true`| -|`WEB_OPTION_DISABLED_EXTENSIONS`| 1.0.0 |[]string|`A list to disable specific Web extensions identified by their ID. The ID can e.g. be taken from the 'index.ts' file of the web extension. Example: 'com.github.opencloud-eu.web.files.search,com.github.opencloud-eu.web.files.print'. See the Environment Variable Types description for more details.`|`[]`| -|`WEB_OPTION_EMBED_ENABLED`| 1.0.0 |string|`Defines whether Web should be running in 'embed' mode. Setting this to 'true' will enable a stripped down version of Web with reduced functionality used to integrate Web into other applications like via iFrame. Setting it to 'false' or not setting it (default) will run Web as usual with all functionality enabled. See the text description for more details.`|``| -|`WEB_OPTION_EMBED_TARGET`| 1.0.0 |string|`Defines how Web is being integrated when running in 'embed' mode. Currently, the only supported options are '' (empty) and 'location'. With '' which is the default, Web will run regular as defined via the 'embed.enabled' config option. With 'location', Web will run embedded as location picker. Resource selection will be disabled and the selected resources array always includes the current folder as the only item. See the text description for more details.`|``| -|`WEB_OPTION_EMBED_MESSAGES_ORIGIN`| 1.0.0 |string|`Defines a URL under which Web can be integrated via iFrame in 'embed' mode. Note that setting this is mandatory when running Web in 'embed' mode. Use '*' as value to allow running the iFrame under any URL, although this is not recommended for security reasons. 
See the text description for more details.`|``| -|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION`| 1.0.0 |bool|`Defines whether Web should require authentication to be done by the parent application when running in 'embed' mode. If set to 'true' Web will not try to authenticate the user on its own but will require an access token coming from the parent application. Defaults to being unset.`|`false`| -|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION_ORIGIN`| 1.0.0 |string|`Defines the host to validate the message event origin against when running Web in 'embed' mode with delegated authentication. Defaults to event message origin validation being omitted, which is only recommended for development setups.`|``| -|`WEB_OPTION_USER_LIST_REQUIRES_FILTER`| 1.0.0 |bool|`Defines whether one or more filters must be set in order to list users in the Web admin settings. Set this option to 'true' if running in an environment with a lot of users and listing all users could slow down performance. Defaults to 'false'.`|`false`| -|`WEB_OPTION_CONCURRENT_REQUESTS_RESOURCE_BATCH_ACTIONS`| 1.0.0 |int|`Defines the maximum number of concurrent requests per file/folder/space batch action. Defaults to 4.`|`0`| -|`WEB_OPTION_CONCURRENT_REQUESTS_SSE`| 1.0.0 |int|`Defines the maximum number of concurrent requests in SSE event handlers. Defaults to 4.`|`0`| -|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_CREATE`| 1.0.0 |int|`Defines the maximum number of concurrent requests per sharing invite batch. Defaults to 4.`|`0`| -|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_LIST`| 1.0.0 |int|`Defines the maximum number of concurrent requests when loading individual share information inside listings. Defaults to 2.`|`0`| -|`WEB_OPTION_DEFAULT_APP_ID`| 4.0.0 |string|`Defines the entrypoint for the web ui.`|``| -|`OC_JWT_SECRET`
`WEB_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| -|`WEB_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`eu.opencloud.api.gateway`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`WEB_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`WEB_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9104| +|`WEB_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`WEB_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`WEB_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`WEB_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9100| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`WEB_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`WEB_CACHE_TTL`| 1.0.0 |int|`Cache policy in seconds for OpenCloud Web assets.`|604800| +|`OC_CORS_ALLOW_ORIGINS`
`WEB_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[https://localhost:9200]| +|`OC_CORS_ALLOW_METHODS`
`WEB_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[OPTIONS HEAD GET PUT PATCH POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]| +|`OC_CORS_ALLOW_HEADERS`
`WEB_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override]| +|`OC_CORS_ALLOW_CREDENTIALS`
`WEB_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS. See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|false| +|`WEB_ASSET_CORE_PATH`| 1.0.0 |string|`Serve OpenCloud Web assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/core`|/home/chaser/.opencloud/web/assets/core| +|`OC_ASSET_THEMES_PATH`
`WEB_ASSET_THEMES_PATH`| 1.0.0 |string|`Serve OpenCloud themes from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/themes`|/home/chaser/.opencloud/web/assets/themes| +|`WEB_ASSET_APPS_PATH`| 1.0.0 |string|`Serve OpenCloud Web apps assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/apps`|/home/chaser/.opencloud/web/assets/apps| +|`WEB_UI_CONFIG_FILE`| 1.0.0 |string|`Read the OpenCloud Web json based configuration from this path/file. The config file takes precedence over WEB_OPTION_xxx environment variables. See the text description for more details.`|| +|`OC_URL`
`WEB_UI_THEME_SERVER`| 1.0.0 |string|`Base URL to load themes from. Will be prepended to the theme path.`|https://localhost:9200| +|`WEB_UI_THEME_PATH`| 1.0.0 |string|`Path to the theme json file. Will be appended to the URL of the theme server.`|/themes/opencloud/theme.json| +|`OC_URL`
`WEB_UI_CONFIG_SERVER`| 1.0.0 |string|`URL, where the OpenCloud APIs are reachable for OpenCloud Web.`|https://localhost:9200| +|`WEB_OIDC_METADATA_URL`| 1.0.0 |string|`URL for the OIDC well-known configuration endpoint. Defaults to the OpenCloud API URL + '/.well-known/openid-configuration'.`|https://localhost:9200/.well-known/openid-configuration| +|`OC_URL`
`OC_OIDC_ISSUER`
`WEB_OIDC_AUTHORITY`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|https://localhost:9200| +|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`| 1.0.0 |string|`The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP.`|web| +|`WEB_OIDC_RESPONSE_TYPE`| 1.0.0 |string|`The OIDC response type to use for authentication.`|code| +|`WEB_OIDC_SCOPE`| 1.0.0 |string|`OIDC scopes to request during authentication to authorize access to user details. Defaults to 'openid profile email'. Values are separated by blank. More example values but not limited to are 'address' or 'phone' etc.`|openid profile email| +|`WEB_OIDC_POST_LOGOUT_REDIRECT_URI`| 1.0.0 |string|`This value needs to point to a valid and reachable web page. The web client will trigger a redirect to that page directly after the logout action. The default value is empty and redirects to the login page.`|| +|`WEB_OPTION_DISABLE_FEEDBACK_LINK`| 1.0.0 |bool|`Set this option to 'true' to disable the feedback link in the top bar. Keeping it enabled by setting the value to 'false' or with the absence of the option, allows OpenCloud to get feedback from your user base through a dedicated survey website.`|false| +|`WEB_OPTION_RUNNING_ON_EOS`| 1.0.0 |bool|`Set this option to 'true' if running on an EOS storage backend (\https://eos-web.web.cern.ch/eos-web/) to enable its specific features. Defaults to 'false'.`|false| +|`WEB_OPTION_CONTEXTHELPERS_READ_MORE`| 1.0.0 |bool|`Specifies whether the 'Read more' link should be displayed or not.`|true| +|`WEB_OPTION_LOGOUT_URL`| 1.0.0 |string|`Adds a link to the user's profile page to point him to an external page, where he can manage his session and devices. This is helpful when an external IdP is used. This option is disabled by default.`|| +|`WEB_OPTION_LOGIN_URL`| 1.0.0 |string|`Specifies the target URL to the login page. This is helpful when an external IdP is used. This option is disabled by default. 
Example URL like: \https://www.myidp.com/login.`|| +|`WEB_OPTION_TOKEN_STORAGE_LOCAL`| 1.0.0 |bool|`Specifies whether the access token will be stored in the local storage when set to 'true' or in the session storage when set to 'false'. If stored in the local storage, login state will be persisted across multiple browser tabs, means no additional logins are required.`|true| +|`WEB_OPTION_DISABLED_EXTENSIONS`| 1.0.0 |[]string|`A list to disable specific Web extensions identified by their ID. The ID can e.g. be taken from the 'index.ts' file of the web extension. Example: 'com.github.opencloud-eu.web.files.search,com.github.opencloud-eu.web.files.print'. See the Environment Variable Types description for more details.`|[]| +|`WEB_OPTION_EMBED_ENABLED`| 1.0.0 |string|`Defines whether Web should be running in 'embed' mode. Setting this to 'true' will enable a stripped down version of Web with reduced functionality used to integrate Web into other applications like via iFrame. Setting it to 'false' or not setting it (default) will run Web as usual with all functionality enabled. See the text description for more details.`|| +|`WEB_OPTION_EMBED_TARGET`| 1.0.0 |string|`Defines how Web is being integrated when running in 'embed' mode. Currently, the only supported options are '' (empty) and 'location'. With '' which is the default, Web will run regular as defined via the 'embed.enabled' config option. With 'location', Web will run embedded as location picker. Resource selection will be disabled and the selected resources array always includes the current folder as the only item. See the text description for more details.`|| +|`WEB_OPTION_EMBED_MESSAGES_ORIGIN`| 1.0.0 |string|`Defines a URL under which Web can be integrated via iFrame in 'embed' mode. Note that setting this is mandatory when running Web in 'embed' mode. Use '*' as value to allow running the iFrame under any URL, although this is not recommended for security reasons. 
See the text description for more details.`|| +|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION`| 1.0.0 |bool|`Defines whether Web should require authentication to be done by the parent application when running in 'embed' mode. If set to 'true' Web will not try to authenticate the user on its own but will require an access token coming from the parent application. Defaults to being unset.`|false| +|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION_ORIGIN`| 1.0.0 |string|`Defines the host to validate the message event origin against when running Web in 'embed' mode with delegated authentication. Defaults to event message origin validation being omitted, which is only recommended for development setups.`|| +|`WEB_OPTION_USER_LIST_REQUIRES_FILTER`| 1.0.0 |bool|`Defines whether one or more filters must be set in order to list users in the Web admin settings. Set this option to 'true' if running in an environment with a lot of users and listing all users could slow down performance. Defaults to 'false'.`|false| +|`WEB_OPTION_CONCURRENT_REQUESTS_RESOURCE_BATCH_ACTIONS`| 1.0.0 |int|`Defines the maximum number of concurrent requests per file/folder/space batch action. Defaults to 4.`|0| +|`WEB_OPTION_CONCURRENT_REQUESTS_SSE`| 1.0.0 |int|`Defines the maximum number of concurrent requests in SSE event handlers. Defaults to 4.`|0| +|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_CREATE`| 1.0.0 |int|`Defines the maximum number of concurrent requests per sharing invite batch. Defaults to 4.`|0| +|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_LIST`| 1.0.0 |int|`Defines the maximum number of concurrent requests when loading individual share information inside listings. Defaults to 2.`|0| +|`WEB_OPTION_DEFAULT_APP_ID`| 4.0.0 |string|`Defines the entrypoint for the web ui.`|| +|`OC_JWT_SECRET`
`WEB_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|| +|`WEB_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|eu.opencloud.api.gateway| diff --git a/static/env-vars/web_readme.md b/static/env-vars/web_readme.md index 4dbda35d..59a2f1e5 100644 --- a/static/env-vars/web_readme.md +++ b/static/env-vars/web_readme.md @@ -1,6 +1,6 @@ --- title: Web -date: 2025-11-27T22:56:02.335267+01:00 +date: 2026-01-13T10:10:18.225186453+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/web diff --git a/static/env-vars/webdav-config-example.yaml b/static/env-vars/webdav-config-example.yaml new file mode 100644 index 00000000..617db385 --- /dev/null +++ b/static/env-vars/webdav-config-example.yaml @@ -0,0 +1,40 @@ +# Autogenerated +# Filename: webdav-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9119 + token: "" + pprof: false + zpages: false +grpc_client_tls: null +http: + addr: 127.0.0.1:9115 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Cache-Control + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +disablePreviews: false +opencloud_public_url: https://localhost:9200 +webdav_namespace: /users/{{.Id.OpaqueId}} +reva_gateway: eu.opencloud.api.gateway diff --git a/static/env-vars/webdav_configvars.md b/static/env-vars/webdav_configvars.md index eaa32876..07eeb721 100644 --- a/static/env-vars/webdav_configvars.md +++ b/static/env-vars/webdav_configvars.md @@ -1,25 +1,22 @@ Environment variables for the **webdav** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`WEBDAV_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`WEBDAV_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`WEBDAV_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`WEBDAV_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`WEBDAV_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9119`| -|`WEBDAV_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`WEBDAV_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`WEBDAV_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`WEBDAV_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9115`| -|`WEBDAV_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`OC_CORS_ALLOW_ORIGINS`
`WEBDAV_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| -|`OC_CORS_ALLOW_METHODS`
`WEBDAV_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| -|`OC_CORS_ALLOW_HEADERS`
`WEBDAV_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`WEBDAV_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`OC_DISABLE_PREVIEWS`
`WEBDAV_DISABLE_PREVIEWS`| 1.0.0 |bool|`Set this option to 'true' to disable rendering of thumbnails triggered via webdav access. Note that when disabled, all access to preview related webdav paths will return a 404.`|`false`| -|`OC_URL`
`OC_PUBLIC_URL`| 1.0.0 |string|`URL, where OpenCloud is reachable for users.`|`https://localhost:9200`| -|`WEBDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|`CS3 path layout to use when forwarding /webdav requests`|`/users/{{.Id.OpaqueId}}`| -|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`WEBDAV_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`WEBDAV_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9119| +|`WEBDAV_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`WEBDAV_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`WEBDAV_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`WEBDAV_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9115| +|`WEBDAV_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`OC_CORS_ALLOW_ORIGINS`
`WEBDAV_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[*]| +|`OC_CORS_ALLOW_METHODS`
`WEBDAV_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[GET POST PUT PATCH DELETE OPTIONS]| +|`OC_CORS_ALLOW_HEADERS`
`WEBDAV_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]| +|`OC_CORS_ALLOW_CREDENTIALS`
`WEBDAV_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|true| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`OC_DISABLE_PREVIEWS`
`WEBDAV_DISABLE_PREVIEWS`| 1.0.0 |bool|`Set this option to 'true' to disable rendering of thumbnails triggered via webdav access. Note that when disabled, all access to preview related webdav paths will return a 404.`|false| +|`OC_URL`
`OC_PUBLIC_URL`| 1.0.0 |string|`URL, where OpenCloud is reachable for users.`|https://localhost:9200| +|`WEBDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|`CS3 path layout to use when forwarding /webdav requests`|/users/{{.Id.OpaqueId}}| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|eu.opencloud.api.gateway| diff --git a/static/env-vars/webdav_readme.md b/static/env-vars/webdav_readme.md index 01c2e503..ad790032 100644 --- a/static/env-vars/webdav_readme.md +++ b/static/env-vars/webdav_readme.md @@ -1,6 +1,6 @@ --- title: Webdav -date: 2025-11-27T22:56:02.335343+01:00 +date: 2026-01-13T10:10:18.225422417+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/webdav @@ -13,7 +13,7 @@ geekdocCollapseSection: true ## Abstract -The webdav service, like the [ocdav](../ocdav) service, provides a HTTP API following the webdav protocol. It receives HTTP calls from requestors like clients and issues gRPC calls to other services executing these requests. After the called service has finished the request, the webdav service will render their responses in `xml` and sends them back to the requestor. +The webdav service, like the [frontend](../frontend) service, provides a HTTP API following the webdav protocol. It receives HTTP calls from requestors like clients and issues gRPC calls to other services executing these requests. After the called service has finished the request, the webdav service will render their responses in `xml` and sends them back to the requestor. ## Table of Contents diff --git a/static/env-vars/webfinger-config-example.yaml b/static/env-vars/webfinger-config-example.yaml new file mode 100644 index 00000000..d8ccde0a --- /dev/null +++ b/static/env-vars/webfinger-config-example.yaml 
@@ -0,0 +1,35 @@ +# Autogenerated +# Filename: webfinger-config-example.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9279 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9275 + root: / + cors: + allow_origins: + - https://localhost:9200 + allow_methods: [] + allow_headers: [] + allow_credentials: false + tls: + enabled: false + cert: "" + key: "" +instances: +- claim: sub + regex: .+ + href: '{{.OC_URL}}' + titles: + en: OpenCloud Instance + break: false +relations: +- http://openid.net/specs/connect/1.0/issuer +- http://webfinger.opencloud/rel/server-instance +idp: https://localhost:9200 +opencloud_url: https://localhost:9200 +insecure: false diff --git a/static/env-vars/webfinger_configvars.md b/static/env-vars/webfinger_configvars.md index 08733164..862a9399 100644 --- a/static/env-vars/webfinger_configvars.md +++ b/static/env-vars/webfinger_configvars.md @@ -1,25 +1,22 @@ Environment variables for the **webfinger** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|:---| -|`OC_LOG_LEVEL`
`WEBFINGER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| -|`OC_LOG_PRETTY`
`WEBFINGER_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| -|`OC_LOG_COLOR`
`WEBFINGER_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| -|`OC_LOG_FILE`
`WEBFINGER_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| -|`WEBFINGER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9279`| -|`WEBFINGER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| -|`WEBFINGER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| -|`WEBFINGER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| -|`WEBFINGER_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9275`| -|`WEBFINGER_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| -|`OC_CORS_ALLOW_ORIGINS`
`WEBFINGER_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| -|`OC_CORS_ALLOW_METHODS`
`WEBFINGER_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[]`| -|`OC_CORS_ALLOW_HEADERS`
`WEBFINGER_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[]`| -|`OC_CORS_ALLOW_CREDENTIALS`
`WEBFINGER_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| -|`WEBFINGER_RELATIONS`| 1.0.0 |[]string|`A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details.`|`[http://openid.net/specs/connect/1.0/issuer http://webfinger.opencloud/rel/server-instance]`| -|`OC_URL`
`OC_OIDC_ISSUER`
`WEBFINGER_OIDC_ISSUER`| 1.0.0 |string|`The identity provider href for the openid-discovery relation.`|`https://localhost:9200`| -|`OC_URL`
`WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL`| 1.0.0 |string|`The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file.`|`https://localhost:9200`| -|`OC_INSECURE`
`WEBFINGER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the WEBFINGER service.`|`false`| +|---|---|---|---|---| +|`OC_LOG_LEVEL`
`WEBFINGER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|error| +|`WEBFINGER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|127.0.0.1:9279| +|`WEBFINGER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|| +|`WEBFINGER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|false| +|`WEBFINGER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|false| +|`WEBFINGER_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|127.0.0.1:9275| +|`WEBFINGER_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|/| +|`OC_CORS_ALLOW_ORIGINS`
`WEBFINGER_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|[https://localhost:9200]| +|`OC_CORS_ALLOW_METHODS`
`WEBFINGER_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|[]| +|`OC_CORS_ALLOW_HEADERS`
`WEBFINGER_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|[]| +|`OC_CORS_ALLOW_CREDENTIALS`
`WEBFINGER_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|false| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|false| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|| +|`WEBFINGER_RELATIONS`| 1.0.0 |[]string|`A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details.`|[http://openid.net/specs/connect/1.0/issuer http://webfinger.opencloud/rel/server-instance]| +|`OC_URL`
`OC_OIDC_ISSUER`
`WEBFINGER_OIDC_ISSUER`| 1.0.0 |string|`The identity provider href for the openid-discovery relation.`|https://localhost:9200| +|`OC_URL`
`WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL`| 1.0.0 |string|`The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file.`|https://localhost:9200| +|`OC_INSECURE`
`WEBFINGER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the WEBFINGER service.`|false| diff --git a/static/env-vars/webfinger_readme.md b/static/env-vars/webfinger_readme.md index 39185961..64f4cf2f 100644 --- a/static/env-vars/webfinger_readme.md +++ b/static/env-vars/webfinger_readme.md @@ -1,6 +1,6 @@ --- title: Webfinger -date: 2025-11-27T22:56:02.335416+01:00 +date: 2026-01-13T10:10:18.225639285+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/webfinger
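Review bot: In the `web_configvars.md` hunk, the Default Value column contradicts the descriptions for the four `WEB_OPTION_CONCURRENT_REQUESTS_*` rows: each description says "Defaults to 4." (or "Defaults to 2." for `SHARES_LIST`) while the column shows `0`, and `WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION` says "Defaults to being unset" while the column shows `false`. Either have the generator emit the effective default or reword the descriptions to say that `0`/unset means the built-in default. Two smaller points in the same hunk: `WEB_OPTION_EMBED_ENABLED` is typed `string` but the description only talks about `'true'`/`'false'`, so `bool` (or a note on why it is a string) would be clearer; and `WEB_GATEWAY_GRPC_ADDR` is described as "The bind address of the GRPC service" although its default `eu.opencloud.api.gateway` is a service name that the web service dials, so "address of the gateway service to connect to" matches the value better than "bind address".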
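Review bot: The `web_readme.md` hunk changes only the `date` front-matter line, and at nanosecond precision (`2026-01-13T10:10:18.225186453+01:00`), so every regeneration run will touch all readme files even when no documentation changed; consider having the generator write the date at second or day precision, or only rewrite the file when the generated body differs. The same applies to the `webdav_readme.md` and `webfinger_readme.md` date hunks in this patch.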
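Review bot: In the new `webdav-config-example.yaml`, the `cors` block ships `allow_origins: ['*']` together with `allow_credentials: true`. Browsers do not accept `Access-Control-Allow-Origin: *` on a credentialed response, so as written this combination either fails for credentialed cross-origin requests or depends on the CORS middleware echoing the request `Origin`, which amounts to trusting every origin. Since the file is labelled `# Autogenerated` and will be copied as a starting point, add a comment above `allow_origins` stating that production deployments should list the concrete Web UI origin (the `webfinger-config-example.yaml` in this same patch already does this with `- https://localhost:9200`), and keep the wildcard only for local development.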
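Review bot: The `webdav_configvars.md` hunk silently drops the `OC_LOG_PRETTY`/`WEBDAV_LOG_PRETTY`, `OC_LOG_COLOR`/`WEBDAV_LOG_COLOR` and `OC_LOG_FILE`/`WEBDAV_LOG_FILE` rows while keeping `OC_LOG_LEVEL`; if these variables still exist the table now hides them, and if they moved to a global section the table should point there. The hunk also removes the backticks from every Default Value cell (`` `false` `` becomes `false`, `` `[*]` `` becomes `[*]`), so values such as `[*]` and `/users/{{.Id.OpaqueId}}` are no longer rendered as code and are exposed to markdown processing; keeping code formatting for non-empty defaults avoids that. Finally, the regenerated lines carry the existing typos "certifcate" and "CORS.See" (missing space) unchanged, which suggests they should be fixed in the source descriptions the generator reads.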
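Review bot: In the `webdav_readme.md` Abstract hunk, the link target changes from `../ocdav` to `../frontend`; please confirm a `frontend` page exists in this section so the relative link resolves. Since the sentence is being rewritten anyway, fix its grammar at the same time: "provides a HTTP API" should be "provides an HTTP API", and "the webdav service will render their responses in `xml` and sends them back" mixes tenses, so "renders their responses in `xml` and sends them back" (or "will render ... and send") reads correctly.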
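Review bot: The new `webfinger-config-example.yaml` leaves the `instances` entry (`- claim: sub`, `regex: .+`, `href: '{{.OC_URL}}'`, `break: false`) without any explanation, although this is the block an operator edits to shard a deployment (the `webfinger_configvars.md` hunk says "To shard the deployment, multiple instances can be configured in the configuration file"). A short comment stating that `regex` is matched against the named `claim` of the authenticated user, that the shown entry is the catch-all single-instance default, and what `break` does when several entries match would make the example usable on its own; at present the meaning of `break` cannot be inferred from the file.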
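Review bot: In the `webfinger_configvars.md` hunk, the description of `OC_INSECURE`/`WEBFINGER_INSECURE`, "Allow insecure connections to the WEBFINGER service.", does not say which direction is affected: whether the service stops verifying TLS certificates on the outbound connections it makes (for example to the identity provider configured in `WEBFINGER_OIDC_ISSUER`) or whether it accepts plain-text inbound connections. Because this is a security-relevant switch that is also settable globally via `OC_INSECURE`, the description should name the exact effect. The same hunk has the issues already raised for `webdav_configvars.md`: the `LOG_PRETTY`, `LOG_COLOR` and `LOG_FILE` rows disappear without a pointer, and default values lose their code formatting.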