--- layout: "docs" page_title: "Environment" sidebar_current: "docs-commands-environment" description: |- Vault's behavior can be modified by certain environment variables. --- # Environment variables The Vault CLI will read the following environment variables to set behavioral defaults. These can be overridden in all cases using command-line arguments; see the command-line help for details. The following table describes them:
Variable name Value
VAULT_TOKEN The Vault authentication token. If not specified, the token located in $HOME/.vault-token will be used if it exists.
VAULT_ADDR The address of the Vault server.
VAULT_ADVERTISE_ADDR The advertised address of the server to use for client request forwarding when running in High Availability mode.
VAULT_CACERT Path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.
VAULT_CAPATH Path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate. If VAULT_CACERT is specified, its value will take precedence.
VAULT_CLIENT_CERT Path to a PEM-encoded client certificate for TLS authentication to the Vault server.
VAULT_CLIENT_KEY Path to an unencrypted PEM-encoded private key matching the client certificate.
VAULT_MAX_RETRIES The maximum number of retries when a `5xx` error code is encountered. Default is `2`, for three total tries; set to `0` or less to disable retrying.
VAULT_SKIP_VERIFY If set, do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended except during testing.
VAULT_TLS_SERVER_NAME If set, use the given name as the SNI host when connecting via TLS.