Configuration¶

xlwings Lite is configured via the following settings. You set them either as environment variables or by using the xlwings-lite CLI when deploying on a Linux VM. XLWINGS_LICENSE_KEY is required; all others are optional.

General¶

Variable	Default	Description
`XLWINGS_LICENSE_KEY`	—	Your xlwings license key (request a trial key).
`XLWINGS_HOSTNAME`	—	e.g., `xlwings-lite.mycompany.com`. Set this if the downloaded `manifest.xml` doesn’t use the correct URL.
`PORT`	`8000`	Sets the port on which the container, i.e., application runs.

Python packages¶

Variable	Default	Description
`XLWINGS_ENABLE_PYPI`	`true`	If `true`, allows installing packages directly from https://pypi.org/. Ignored when `XLWINGS_PYPI_INDEX_URL` is set.
`XLWINGS_PYPI_INDEX_URL`	—	Full URL of a private PyPI index (e.g., Nexus, Artifactory, devpi, Azure Artifacts) — the same URL you’d pass to `pip install --index-url`. Example: `https://nexus.example.com/repository/pypi-proxy/simple/`. For an authenticated index, the credential can be embedded in the URL (e.g., a token: `https://<token>@host/.../simple/`); it is forwarded to the index and never exposed to the browser.
`XLWINGS_PYPI_AUTH_MODE`	`basic`	How the container authenticates to `XLWINGS_PYPI_INDEX_URL`. `basic` uses credentials embedded in the URL (or none). Set to `azure-managed-identity` to authenticate to an Azure Artifacts feed using the Azure platform’s managed identity instead of a token — the container fetches a short-lived Microsoft Entra token at runtime, so no secret is stored. Requires hosting on Azure, see Azure Container Apps guide.
`XLWINGS_PYODIDE_BASE_URL`	—	Base URL from which Pyodide and its packages are served. Defaults to the Pyodide distribution bundled with the Docker image. Set this to an external URL (e.g., `https://pyodide.company.com/`) to serve Pyodide from a separate host instead. The value must end with a `/` if it includes a path (needed for the Content-Security-Policy).

CORS proxy¶

Variable	Default	Description
`XLWINGS_CORS_PROXY_HOSTS`	—	Comma-separated allowlist of hostnames that user Python code can reach via the built-in CORS proxy. Supports exact matches and `.domain.com` wildcards (e.g., `api.example.com,.trusted.com`). HTTPS-only. Unset (the default) disables the proxy.
`XLWINGS_CORS_PROXY_ALLOW_ALL_HOSTS`	`false`	If `true`, proxies all requests, ignoring `XLWINGS_CORS_PROXY_HOSTS`.

Tooling¶

Variable	Default	Description
`XLWINGS_ENABLE_MISSING_ADDIN_CLEANUP`	`true`	If `true`, exposes a “Clean up missing add-in references” menu item that strips orphaned add-in references from workbooks in `/data`. Only required if workbooks that were created with the cloud add-in complain about a missing add-in.