From c8688f9e44d8dcb4b7f544ec300816fe82461ea5 Mon Sep 17 00:00:00 2001 From: openclouders Date: Thu, 2 Apr 2026 00:06:07 +0000 Subject: [PATCH] Update docs with latest env vars --- docs/_static/env-vars/frontend_configvars.md | 8 +-- docs/_static/env-vars/global_configvars.md | 64 +++++++++---------- docs/_static/env-vars/ocm_configvars.md | 2 +- .../env-vars/storage-users_configvars.md | 2 +- docs/_static/env-vars/webfinger_configvars.md | 16 ++--- 5 files changed, 46 insertions(+), 46 deletions(-) diff --git a/docs/_static/env-vars/frontend_configvars.md b/docs/_static/env-vars/frontend_configvars.md index c9c1bd81..f1a67fe4 100644 --- a/docs/_static/env-vars/frontend_configvars.md +++ b/docs/_static/env-vars/frontend_configvars.md @@ -1,5 +1,5 @@ -2026-03-30-00-05-56 +2026-04-02-00-06-01 # Deprecation Notice @@ -88,13 +88,13 @@ Environment variables for the **frontend** service |`OCDAV_OCM_NAMESPACE`
`FRONTENT_OCDAV_OCM_NAMESPACE`| 1.0.0 |string|`The human readable path prefix for the ocm shares.`|`/public`| |`OC_URL`
`OCDAV_PUBLIC_URL`
`FRONTENT_OCDAV_PUBLIC_URL`| 1.0.0 |string|`URL where OpenCloud is reachable for users.`|`https://localhost:9200`| |`OC_INSECURE`
`OCDAV_INSECURE`
`FRONTENT_OCDAV_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the GATEWAY service.`|`false`| -|`OCDAV_ENABLE_HTTP_TPC`
`FRONTENT_OCDAV_ENABLE_HTTP_TPC`| next |bool|`Enable HTTP / WebDAV Third-Party-Copy support.`|`false`| +|`OCDAV_ENABLE_HTTP_TPC`
`FRONTENT_OCDAV_ENABLE_HTTP_TPC`| 6.0.0 |bool|`Enable HTTP / WebDAV Third-Party-Copy support.`|`false`| |`OCDAV_GATEWAY_REQUEST_TIME`
`FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|`84300`| |`OC_MACHINE_AUTH_API_KEY`
`OCDAV_MACHINE_AUTH_API_KEY`
`FRONTENT_OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| |`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`
`FRONTENT_OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|`false`| -|`OCDAV_NAME_VALIDATION_INVALID_CHARS`
`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| next |[]string|`List of characters that are not allowed in file or folder names.`|`[ +|`OCDAV_NAME_VALIDATION_INVALID_CHARS`
`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| 6.0.0 |[]string|`List of characters that are not allowed in file or folder names.`|`[ \]`| -|`OCDAV_NAME_VALIDATION_MAX_LENGTH`
`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| next |int|`Max length of file or folder names.`|`255`| +|`OCDAV_NAME_VALIDATION_MAX_LENGTH`
`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| 6.0.0 |int|`Max length of file or folder names.`|`255`| |`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|`A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.`|`[sha1 md5 adler32]`| |`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|`The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.`|`sha1`| |`FRONTEND_READONLY_USER_ATTRIBUTES`| 1.0.0 |[]string|`A list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.memberOf' (groups), 'user.accountEnabled' (login allowed), 'drive.quota' (quota). See the Environment Variable Types description for more details.`|`[]`| diff --git a/docs/_static/env-vars/global_configvars.md b/docs/_static/env-vars/global_configvars.md index 8e8ccab0..fe9271a4 100644 --- a/docs/_static/env-vars/global_configvars.md +++ b/docs/_static/env-vars/global_configvars.md 
@@ -3,17 +3,17 @@ | Name | Introduction Version | Type | Description | Default Value | |---|---|---|---|---| | `IDM_CREATE_DEMO_USERS` | 1.0.0 | bool | Flag to enable or disable the creation of the demo users. | false | -| `OC_ADMIN_USER_ID` | 1.0.0 | string | ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. | | +| `OC_ADMIN_USER_ID` | 1.0.0 | string | ID of the user who collects all necessary information for deletion. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. | | | `OC_ASYNC_UPLOADS` | 1.0.0 | bool | Enable asynchronous file uploads. | true | -| `OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | -| `OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | -| `OC_CACHE_DATABASE` | 1.0.0 | string | The database name the configured store should use. | storage-system | +| `OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | | +| `OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | | +| `OC_CACHE_DATABASE` | 1.0.0 | string | The database name the configured store should use. | cache-stat | | `OC_CACHE_DISABLE_PERSISTENCE` | 1.0.0 | bool | Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false | -| `OC_CACHE_STORE` | 1.0.0 | string | The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details. 
| nats-js-kv | -| `OC_CACHE_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] | -| `OC_CACHE_TTL` | 1.0.0 | Duration | Default time to live for signing keys. See the Environment Variable Types description for more details. | 12h0m0s | +| `OC_CACHE_STORE` | 1.0.0 | string | The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | memory | +| `OC_CACHE_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] | +| `OC_CACHE_TTL` | 1.0.0 | Duration | Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details. | 336h0m0s | | `OC_CORS_ALLOW_CREDENTIALS` | 1.0.0 | bool | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | true | -| `OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control] | +| `OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. 
See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore] | | `OC_CORS_ALLOW_METHODS` | 1.0.0 | []string | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. | [GET POST PUT PATCH DELETE OPTIONS] | | `OC_CORS_ALLOW_ORIGINS` | 1.0.0 | []string | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. | [*] | | `OC_DECOMPOSEDFS_PROPAGATOR` | 1.0.0 | string | The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option. | sync | 
@@ -26,8 +26,8 @@ | `OC_EVENTS_ENABLE_TLS` | 1.0.0 | bool | Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | false | | `OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | 127.0.0.1:9233 | | `OC_EVENTS_TLS_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false | -| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false. | | -| `OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the GRPC service. | 127.0.0.1:9142 | +| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. | | +| `OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the gateway GRPC address. | 127.0.0.1:9142 | | `OC_GRPC_CLIENT_TLS_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. | | | `OC_GRPC_CLIENT_TLS_MODE` | 1.0.0 | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. | | | `OC_GRPC_PROTOCOL` | 1.0.0 | string | The transport protocol of the GRPC service. | tcp | 
@@ -37,47 +37,47 @@ | `OC_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false | | `OC_JWT_SECRET` | 1.0.0 | string | The secret to mint and validate jwt tokens. | | | `OC_KEYCLOAK_BASE_PATH` | 1.0.0 | string | The URL to access keycloak. | | -| `OC_KEYCLOAK_CLIENT_ID` | 1.0.0 | string | The client ID to authenticate with keycloak. | | +| `OC_KEYCLOAK_CLIENT_ID` | 1.0.0 | string | The client id to authenticate with keycloak. | | | `OC_KEYCLOAK_CLIENT_REALM` | 1.0.0 | string | The realm the client is defined in. | | | `OC_KEYCLOAK_CLIENT_SECRET` | 1.0.0 | string | The client secret to use in authentication. | | | `OC_KEYCLOAK_INSECURE_SKIP_VERIFY` | 1.0.0 | bool | Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. | false | | `OC_KEYCLOAK_USER_REALM` | 1.0.0 | string | The realm users are defined. | | -| `OC_LDAP_BIND_DN` | 1.0.0 | string | LDAP DN to use for simple bind authentication with the target LDAP server. | uid=idp,ou=sysusers,o=libregraph-idm | +| `OC_LDAP_BIND_DN` | 1.0.0 | string | LDAP DN to use for simple bind authentication with the target LDAP server. | uid=libregraph,ou=sysusers,o=libregraph-idm | | `OC_LDAP_BIND_PASSWORD` | 1.0.0 | string | Password to use for authenticating the 'bind_dn'. | | -| `OC_LDAP_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. | /root/.opencloud/idm/ldap.crt | +| `OC_LDAP_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm. 
| /root/.opencloud/idm/ldap.crt | | `OC_LDAP_DISABLED_USERS_GROUP_DN` | 1.0.0 | string | The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. | cn=DisabledUsersGroup,ou=groups,o=libregraph-idm | -| `OC_LDAP_DISABLE_USER_MECHANISM` | 1.0.0 | string | An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. | attribute | +| `OC_LDAP_DISABLE_USER_MECHANISM` | 1.0.0 | string | An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'. | attribute | | `OC_LDAP_GROUP_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP groups. | ou=groups,o=libregraph-idm | | `OC_LDAP_GROUP_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for group searches. | | -| `OC_LDAP_GROUP_OBJECTCLASS` | 1.0.0 | string | The object class to use for groups in the default group search filter like 'groupOfNames'. | groupOfNames | +| `OC_LDAP_GROUP_OBJECTCLASS` | 1.0.0 | string | The object class to use for groups in the default group search filter ('groupOfNames'). | groupOfNames | | `OC_LDAP_GROUP_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). | cn | | `OC_LDAP_GROUP_SCHEMA_GROUPNAME` | 1.0.0 | string | LDAP Attribute to use for the name of groups. 
| cn | -| `OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID. | openclouduuid | -| `OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's. | false | +| `OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. | openCloudUUID | +| `OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID's. | false | | `OC_LDAP_GROUP_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of groups (can be empty). | mail | | `OC_LDAP_GROUP_SCHEMA_MEMBER` | 1.0.0 | string | LDAP Attribute that is used for group members. | member | -| `OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'. | sub | +| `OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'. | sub | | `OC_LDAP_INSECURE` | 1.0.0 | bool | Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. | false | | `OC_LDAP_SERVER_WRITE_ENABLED` | 1.0.0 | bool | Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables). | true | -| `OC_LDAP_URI` | 1.0.0 | string | Url of the LDAP service to use as IDP. 
| ldaps://localhost:9235 | +| `OC_LDAP_URI` | 1.0.0 | string | URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' | ldaps://localhost:9235 | | `OC_LDAP_USER_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP users. | ou=users,o=libregraph-idm | | `OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP Attribute to use as a flag telling if the user is enabled or disabled. | openCloudUserEnabled | | `OC_LDAP_USER_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'. | | -| `OC_LDAP_USER_OBJECTCLASS` | 1.0.0 | string | LDAP User ObjectClass like 'inetOrgPerson'. | inetOrgPerson | -| `OC_LDAP_USER_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of users. | displayname | -| `OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP User UUID attribute like 'uid'. | openCloudUUID | -| `OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's. | false | -| `OC_LDAP_USER_SCHEMA_MAIL` | 1.0.0 | string | LDAP User email attribute like 'mail'. | mail | +| `OC_LDAP_USER_OBJECTCLASS` | 1.0.0 | string | The object class to use for users in the default user search filter ('inetOrgPerson'). | inetOrgPerson | +| `OC_LDAP_USER_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the display name of users. | displayName | +| `OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID. | openCloudUUID | +| `OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's. 
| false | +| `OC_LDAP_USER_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of users. | mail | | `OC_LDAP_USER_SCHEMA_TENANT_ID` | 4.0.0 | string | LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment. | | -| `OC_LDAP_USER_SCHEMA_USERNAME` | 1.0.0 | string | LDAP User name attribute like 'displayName'. | displayName | +| `OC_LDAP_USER_SCHEMA_USERNAME` | 1.0.0 | string | LDAP Attribute to use for username of users. | uid | | `OC_LDAP_USER_SCHEMA_USER_TYPE` | 1.0.0 | string | LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'. | openCloudUserType | | `OC_LDAP_USER_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. | sub | | `OC_LOG_LEVEL` | 1.0.0 | string | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. | error | | `OC_MACHINE_AUTH_API_KEY` | 1.0.0 | string | Machine auth API key used to validate internal requests necessary for the access to resources from other services. | | -| `OC_MAX_CONCURRENCY` | 1.0.0 | int | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 | +| `OC_MAX_CONCURRENCY` | 1.0.0 | int | The maximum number of concurrent requests the service will handle. | 20 | | `OC_OIDC_CLIENT_ID` | 1.0.0 | string | The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP. | web | -| `OC_OIDC_CLIENT_SCOPES` | next | []string | The OIDC client scopes the Android app should request. | [openid profile email offline_access] | -| `OC_OIDC_ISSUER` | 1.0.0 | string | The OIDC issuer URL to use. 
| https://localhost:9200 | +| `OC_OIDC_CLIENT_SCOPES` | 6.0.0 | []string | The OIDC client scopes the Android app should request. | [openid profile email offline_access] | +| `OC_OIDC_ISSUER` | 1.0.0 | string | URL of the OIDC issuer. It defaults to URL of the builtin IDP. | https://localhost:9200 | | `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` | 1.0.0 | string | Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details. | | | `OC_PASSWORD_POLICY_DISABLED` | 1.0.0 | bool | Disable the password policy. Defaults to false if not set. | false | | `OC_PASSWORD_POLICY_MIN_CHARACTERS` | 1.0.0 | int | Define the minimum password length. Defaults to 8 if not set. | 8 | 
@@ -97,12 +97,12 @@ | `OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service. | false | | `OC_SHOW_USER_EMAIL_IN_RESULTS` | 1.0.0 | bool | Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses. | false | | `OC_SPACES_MAX_QUOTA` | 1.0.0 | uint64 | Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities. | 0 | -| `OC_SYSTEM_USER_API_KEY` | 1.0.0 | string | API key for the STORAGE-SYSTEM system user. | | -| `OC_SYSTEM_USER_ID` | 1.0.0 | string | ID of the OpenCloud storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. | | +| `OC_SYSTEM_USER_API_KEY` | 4.0.0 | string | API key for the STORAGE-SYSTEM system user. | | +| `OC_SYSTEM_USER_ID` | 4.0.0 | string | ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. | | | `OC_SYSTEM_USER_IDP` | 4.0.0 | string | IDP of the OpenCloud STORAGE-SYSTEM system user. | internal | -| `OC_TRANSFER_SECRET` | 1.0.0 | string | The storage transfer secret. | | +| `OC_TRANSFER_SECRET` | 1.0.0 | string | Transfer secret for signing file up- and download requests. | | | `OC_TRANSLATION_PATH` | 1.0.0 | string | (optional) Set this to a path with custom translations to overwrite the builtin translations. 
Note that file and folder naming rules apply, see the documentation for more details. | | -| `OC_URL` | 1.0.0 | string | The OIDC issuer URL to use. | https://localhost:9200 | +| `OC_URL` | 1.0.0 | string | The public facing URL of WebDAV. | https://localhost:9200 | | `OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. | false | | `SEARCH_EVENTS_ACK_WAIT` | 4.0.0 | Duration | The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes. | 1m0s | | `SEARCH_EVENTS_MAX_ACK_PENDING` | 4.0.0 | int | The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time. | 1000 | diff --git a/docs/_static/env-vars/ocm_configvars.md b/docs/_static/env-vars/ocm_configvars.md index 9d77dfdc..04ef487b 100644 --- a/docs/_static/env-vars/ocm_configvars.md +++ b/docs/_static/env-vars/ocm_configvars.md @@ -35,7 +35,7 @@ Environment variables for the **ocm** service |`OCM_MESH_DIRECTORY_URL`| 1.0.0 |string|`URL of the mesh directory service.`|``| |`OCM_DIRECTORY_SERVICE_URLS`| 3.5.0 |string|`Space delimited URLs of the directory services.`|``| |`OCM_INVITE_ACCEPT_DIALOG`| 3.5.0 |string|`/open-cloud-mesh/accept-invite;The frontend URL where to land when receiving an invitation`|`/open-cloud-mesh/accept-invite`| -|`OC_INSECURE`
`OCM_CLIENT_INSECURE`| next |bool|`Dev-only. Disable TLS verification for the OCM discovery client (directory fetch and provider discovery). Does not affect OCM invite manager, storage provider, or share provider. Do not set in production.`|`false`| +|`OC_INSECURE`
`OCM_CLIENT_INSECURE`| 6.0.0 |bool|`Dev-only. Disable TLS verification for the OCM discovery client (directory fetch and provider discovery). Does not affect OCM invite manager, storage provider, or share provider. Do not set in production.`|`false`| |`OCM_OCM_INVITE_MANAGER_DRIVER`| 1.0.0 |string|`Driver to be used to persist OCM invites. Supported value is only 'json'.`|`json`| |`OCM_OCM_INVITE_MANAGER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM invite data will be stored. This file is maintained by the instance and must not be changed manually. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/ocm.`|`/root/.opencloud/storage/ocm/ocminvites.json`| |`OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION`| 1.0.0 |Duration|`Expiry duration for invite tokens.`|`24h0m0s`| diff --git a/docs/_static/env-vars/storage-users_configvars.md b/docs/_static/env-vars/storage-users_configvars.md index 4b135f40..f1f2f129 100644 --- a/docs/_static/env-vars/storage-users_configvars.md +++ b/docs/_static/env-vars/storage-users_configvars.md @@ -1,5 +1,5 @@ -2026-03-30-00-05-56 +2026-04-02-00-06-01 # Deprecation Notice diff --git a/docs/_static/env-vars/webfinger_configvars.md b/docs/_static/env-vars/webfinger_configvars.md index 0b831c95..455003da 100644 --- a/docs/_static/env-vars/webfinger_configvars.md +++ b/docs/_static/env-vars/webfinger_configvars.md @@ -18,13 +18,13 @@ Environment variables for the **webfinger** service |`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| |`WEBFINGER_RELATIONS`| 1.0.0 |[]string|`A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details.`|`[http://openid.net/specs/connect/1.0/issuer http://webfinger.opencloud/rel/server-instance]`| |`OC_URL`
`OC_OIDC_ISSUER`
`WEBFINGER_OIDC_ISSUER`| 1.0.0 |string|`The identity provider href for the openid-discovery relation.`|`https://localhost:9200`| -|`OC_OIDC_CLIENT_ID`
`WEBFINGER_ANDROID_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for Android app.`|`OpenCloudAndroid`| -|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the Android app should request.`|`[openid profile email offline_access]`| -|`OC_OIDC_CLIENT_ID`
`WEBFINGER_DESKTOP_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for the OpenCloud desktop application.`|`OpenCloudDesktop`| -|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the OpenCloud desktop application should request.`|`[openid profile email offline_access]`| -|`OC_OIDC_CLIENT_ID`
`WEBFINGER_IOS_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for the IOS app.`|`OpenCloudIOS`| -|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_IOS_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the IOS app should request.`|`[openid profile email offline_access]`| -|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`
`WEBFINGER_WEB_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for the OpenCloud web client. The 'WEB_OIDC_CLIENT_ID' setting is only here for backwards compatibility and will be remove in a future release.`|`web`| -|`OC_OIDC_CLIENT_SCOPES`
`WEB_OIDC_SCOPE`
`WEBFINGER_WEB_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the OpenCloud web client should request. The 'WEB_OIDC_SCOPE' setting is only here for backwards compatibility and will be remove in a future release.`|`[openid profile email]`| +|`OC_OIDC_CLIENT_ID`
`WEBFINGER_ANDROID_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for Android app.`|`OpenCloudAndroid`| +|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the Android app should request.`|`[openid profile email offline_access]`| +|`OC_OIDC_CLIENT_ID`
`WEBFINGER_DESKTOP_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud desktop application.`|`OpenCloudDesktop`| +|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud desktop application should request.`|`[openid profile email offline_access]`| +|`OC_OIDC_CLIENT_ID`
`WEBFINGER_IOS_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the IOS app.`|`OpenCloudIOS`| +|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_IOS_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the IOS app should request.`|`[openid profile email offline_access]`| +|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`
`WEBFINGER_WEB_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud web client. The 'WEB_OIDC_CLIENT_ID' setting is only here for backwards compatibility and will be remove in a future release.`|`web`| +|`OC_OIDC_CLIENT_SCOPES`
`WEB_OIDC_SCOPE`
`WEBFINGER_WEB_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud web client should request. The 'WEB_OIDC_SCOPE' setting is only here for backwards compatibility and will be remove in a future release.`|`[openid profile email]`| |`OC_URL`
`WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL`| 1.0.0 |string|`The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file.`|`https://localhost:9200`| |`OC_INSECURE`
`WEBFINGER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the WEBFINGER service.`|`false`|
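
Review bot: In docs/_static/env-vars/frontend_configvars.md, the three rows this hunk restamps (`FRONTENT_OCDAV_ENABLE_HTTP_TPC`, `FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`, `FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`) carry a `FRONTENT_` prefix, while rows further down the same table use `FRONTEND_` (`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`). If the service reads only one spelling, an operator who sets the other gets the default with no error, which matters for a name-validation limit. Please confirm which spelling the service actually reads and correct it at the source of the generated table before fixing the introduction version at 6.0.0. The neighbouring context row pairs `OCDAV_GATEWAY_REQUEST_TIME` with `FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT`, which looks damaged in the same way.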
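
Review bot: In docs/_static/env-vars/global_configvars.md, hunk @@ -3,17 +3,17 @@, the `OC_ADMIN_USER_ID` row loses the statement that this user receives admin privileges and now reads "ID of the user who collects all necessary information for deletion". A reader of the global table can no longer tell that the variable grants admin rights, so the privilege-granting wording should stay in the global row and the deletion-related wording should live in the table of the service it belongs to. The same hunk also changes documented defaults although the subject line only says "Update docs with latest env vars": `OC_CACHE_STORE` goes from nats-js-kv to memory, `OC_CACHE_TTL` from 12h0m0s to 336h0m0s, `OC_CACHE_DATABASE` from storage-system to cache-stat, and `OC_CORS_ALLOW_HEADERS` drops Cache-Control and gains Purge and Restore. The new descriptions are service-specific ("cache records in the graph"), so the global row should state that description and default differ per service instead of showing one service's values as if they were global.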
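
Review bot: In global_configvars.md, hunk @@ -26,8 +26,8 @@, the `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` row swaps one service-specific name for another (`AUDIT_EVENTS_TLS_INSECURE` becomes `NOTIFICATIONS_EVENTS_TLS_INSECURE`). In a table of global variables the sentence should name `OC_EVENTS_TLS_INSECURE`, otherwise it suggests the CA certificate overrides the insecure flag for a single service only. The context row for `OC_EVENTS_TLS_INSECURE` is worth fixing in the same pass: "Whether to verify the server TLS certificates." with default false reads as if verification were off by default. The new `OC_GATEWAY_GRPC_ADDR` text, "The bind address of the gateway GRPC address", is also circular; "The bind address of the gateway GRPC service" would do.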
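
Review bot: In global_configvars.md, hunk @@ -37,47 +37,47 @@, several documented identity defaults change with no explanation in the commit message: `OC_LDAP_BIND_DN` from uid=idp,ou=sysusers,o=libregraph-idm to uid=libregraph,ou=sysusers,o=libregraph-idm, `OC_LDAP_USER_SCHEMA_USERNAME` from displayName to uid, and `OC_LDAP_GROUP_SCHEMA_ID` from openclouduuid to openCloudUUID. Operators use this table to decide which bind account and which username attribute a deployment runs with, so either list these defaults per service or add a sentence to each row saying that the default depends on the service. `OC_MAX_CONCURRENCY` changes meaning as well as value, from "Maximum number of concurrent go-routines" with default 1 to "The maximum number of concurrent requests the service will handle" with default 20, and the note that values of 0 or below are ignored is dropped; please keep that note if it still holds. Minor: the new `OC_LDAP_URI` description is missing its closing period.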
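
Review bot: In global_configvars.md, hunk @@ -97,12 +97,12 @@, the Introduction Version of `OC_SYSTEM_USER_API_KEY` and `OC_SYSTEM_USER_ID` moves from 1.0.0 to 4.0.0. A variable that was documented as present since 1.0.0 cannot later become newer, so one of the two values is wrong, and anyone checking which releases need this API key set gets a different answer depending on which revision of the docs they read. Please pin the version to the earliest release that reads the variable. The `OC_URL` row has the same kind of drift in its text: it changes from "The OIDC issuer URL to use." to "The public facing URL of WebDAV.", and both are narrower than the frontend table's "URL where OpenCloud is reachable for users." in this same patch, which is the wording the global row should carry.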
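
Review bot: In docs/_static/env-vars/ocm_configvars.md, the row restamped to 6.0.0 lists `OC_INSECURE` ahead of `OCM_CLIENT_INSECURE`, but its description only says "Dev-only ... Do not set in production" and does not mention that the global switch feeds the same setting. As documented, setting `OC_INSECURE` for any other reason also disables TLS verification for the OCM directory fetch and provider discovery, which talk to external parties. Please state that dependency in the description and recommend setting `OCM_CLIENT_INSECURE` to false explicitly wherever `OC_INSECURE` is enabled.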
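
Review bot: In docs/_static/env-vars/webfinger_configvars.md, the eight rows moved from next to 6.0.0 all list the same globals, `OC_OIDC_CLIENT_ID` and `OC_OIDC_CLIENT_SCOPES`, in front of client-specific variables whose defaults differ (`OpenCloudAndroid`, `OpenCloudDesktop`, `OpenCloudIOS`, `web`, and web scopes without offline_access). As documented, setting the global collapses all four clients onto one client ID and one scope list, while the global table describes `OC_OIDC_CLIENT_ID` only as the ID "which OpenCloud Web uses". Please document the precedence and the effect on the Android, desktop and iOS rows before the version is fixed at 6.0.0. Wording in the touched rows: "will be remove in a future release" should read "will be removed", and "IOS" should be "iOS".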