# =============================================================================
# AnythingMCP — Environment Variables
# =============================================================================
# The recommended way to generate this file is `./setup.sh`, which writes a
# fully-populated `.env` to the project root (where docker-compose.yml lives).
#
# For manual setup: copy this file to `.env` in the project root, replace the
# `change-me-…` values with secure secrets, then run `docker compose up -d`.
# For local development without Docker, copy it to `packages/backend/.env`.
# =============================================================================
# ── General ──────────────────────────────────────────────────────────────────
NODE_ENV=production
# Internal backend port inside the container. The host-published port is set
# separately via BACKEND_PORT (see the Ports section) — leave this at 4000.
PORT=4000
# Compose project name — also the prefix for the network, volumes and container
# names (amcp-app, amcp-postgres, …). Override it to run more than one
# AnythingMCP stack on the same host without name collisions.
# COMPOSE_PROJECT_NAME=amcp
# ── Database ─────────────────────────────────────────────────────────────────
POSTGRES_PASSWORD=change-me-in-production
DATABASE_URL=postgresql://amcp:${POSTGRES_PASSWORD}@postgres:5432/anythingmcp
# ── Redis (optional) ─────────────────────────────────────────────────────────
# Redis enables response caching and rate limiting. The app works without it.
# REDIS_URL=redis://redis:6379
# ── Security ─────────────────────────────────────────────────────────────────
# JWT secret for API authentication (min 32 characters)
JWT_SECRET=change-me-in-production-min-32-chars
# AES-256-GCM encryption key for stored credentials (exactly 32 characters)
ENCRYPTION_KEY=change-me-in-production-exactly-32
# HMAC secret for signed cookies (OAuth callback flow). Optional — falls back
# to JWT_SECRET if unset. Set it separately for defense in depth (rotate it
# independently from JWT_SECRET).
# COOKIE_SECRET=change-me-in-production-min-32-chars
# ── Frontend ─────────────────────────────────────────────────────────────────
FRONTEND_URL=http://localhost:3000
NEXT_PUBLIC_API_URL=http://localhost:4000
NEXTAUTH_URL=http://localhost:3000
NEXTAUTH_SECRET=change-me-in-production
# ── CORS ─────────────────────────────────────────────────────────────────────
CORS_ORIGIN=http://localhost:3000
# ── Registration ──────────────────────────────────────────────────────────────
# When false (default), only the first user can self-register via the UI.
# All other users must be invited by an admin. Set to true to allow open registration.
ALLOW_OPEN_REGISTRATION=false
# ── MCP Server Auth (for external MCP clients like Claude Desktop) ───────────
# Auth mode: none | legacy | oauth2 | both
# none — No authentication (not recommended for production)
# legacy — Static Bearer Token or API Key (set MCP_BEARER_TOKEN / MCP_API_KEY)
# oauth2 — OAuth 2.0 Authorization Code (PKCE) + Client Credentials
# both — OAuth 2.0 + Legacy (accepts either)
MCP_AUTH_MODE=oauth2
# Legacy auth tokens (used when MCP_AUTH_MODE=legacy or both)
# MCP_BEARER_TOKEN=your-secret-token
# MCP_API_KEY=your-api-key
# Server URL for OAuth2 redirects and metadata endpoints
SERVER_URL=http://localhost:4000
# ── MCP Rate Limiting ──────────────────────────────────────────────────────
# Max requests per minute per client (by API key or IP). Only enforced when Redis is available.
MCP_RATE_LIMIT_PER_MINUTE=60
# ── Proxy / Web-Unblocker (optional) ─────────────────────────────────────────
# When set, tools whose `use_proxy` flag is on route their outbound HTTP
# request through this proxy. Use a plain rotating proxy for IP/geo/rate-limit
# cases, or a "web unblocker" (e.g. Zyte API proxy mode) for anti-bot targets
# like Akamai / Cloudflare / DataDome.
#
# Zyte API proxy mode: http://<ZYTE_API_KEY>:@api.zyte.com:8011
# Generic proxy: http://user:pass@host:port
#
# If unset, the feature is off everywhere: tools that opted in simply make a
# direct request. Per-tool opt-in is a UI checkbox (shown only when this is
# set) plus the adapter spec's `useProxy` field.
# CONNECTOR_PROXY_URL=
# Cloud only: default hourly cap on proxy-routed tool calls PER WORKSPACE.
# Override per workspace by setting organizations.proxy_rate_limit in the DB
# (admin-only; there is no API to change it). Defaults to 100 when unset.
# PROXY_RATE_LIMIT_DEFAULT=100
# ── Operator Analytics (cloud build only — leave empty on self-hosted) ──────
# Loads Google Tag Manager + a Consent Mode v2 cookie banner. Self-hosted
# builds must leave both empty so no tracking is shipped to community users.
#
# GTM_ID — Google Tag Manager container ID (e.g. GTM-XXXXXXX).
# COOKIE_DOMAIN — Domain attribute for the consent cookie. Set to a parent
# domain (e.g. .anythingmcp.com) to share consent with the
# marketing site running on the same parent domain. Leave
# unset for host-only scope.
# GTM_ID=
# COOKIE_DOMAIN=
# ── Reverse Proxy (Caddy) ────────────────────────────────────────────────────
# Uncomment to enable Caddy reverse proxy with automatic HTTPS (Let's Encrypt).
# Requires a Caddyfile in the project root (setup.sh generates it automatically).
# COMPOSE_PROFILES=proxy
# DOMAIN=example.com
# ACME_EMAIL=admin@example.com
# APP_BIND_IP=127.0.0.1
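
A pre-deploy check for the manual setup path described above, as an added example that is not part of the AnythingMCP repository: it flags `change-me-…` placeholders left in place, enforces the length rules from the Security section, and reports the weaker auth and registration settings. The helper names (`env_get`, `lint_env`, `write_bad_sample`) and the sample file are constructed for illustration, and it assumes plain unquoted `KEY=value` lines.

```shell
#!/bin/sh
# Added example (not from the AnythingMCP repo): lint a .env before deploying.
# Prints one finding per line; returns 0 when clean, 1 otherwise.

env_get() {  # env_get FILE KEY: value of the last uncommented KEY= line
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

lint_env() {
  f=$1; rc=0
  # Placeholder secrets copied straight from .env.example
  for k in POSTGRES_PASSWORD JWT_SECRET ENCRYPTION_KEY COOKIE_SECRET NEXTAUTH_SECRET; do
    case "$(env_get "$f" "$k")" in
      change-me*) echo "$k: placeholder not replaced"; rc=1 ;;
    esac
  done
  # Length rules stated in the Security section
  v=$(env_get "$f" JWT_SECRET)
  [ "${#v}" -ge 32 ] || { echo "JWT_SECRET: under 32 characters"; rc=1; }
  v=$(env_get "$f" ENCRYPTION_KEY)
  [ "${#v}" -eq 32 ] || { echo "ENCRYPTION_KEY: ${#v} characters, need exactly 32"; rc=1; }
  # MCP auth mode, and legacy credentials when a legacy mode is selected
  mode=$(env_get "$f" MCP_AUTH_MODE)
  case "$mode" in
    none) echo "MCP_AUTH_MODE: none leaves the MCP server unauthenticated"; rc=1 ;;
    legacy|both)
      [ -n "$(env_get "$f" MCP_BEARER_TOKEN)$(env_get "$f" MCP_API_KEY)" ] ||
        { echo "MCP_AUTH_MODE=$mode: no MCP_BEARER_TOKEN or MCP_API_KEY set"; rc=1; } ;;
  esac
  [ "$(env_get "$f" ALLOW_OPEN_REGISTRATION)" != true ] ||
    { echo "ALLOW_OPEN_REGISTRATION: open self-registration enabled"; rc=1; }
  return "$rc"
}

# Constructed sample input: placeholders kept, auth off, registration open.
write_bad_sample() {
  cat > "$1" <<'EOF'
POSTGRES_PASSWORD=change-me-in-production
JWT_SECRET=change-me-in-production-min-32-chars
ENCRYPTION_KEY=change-me-in-production-exactly-32
MCP_AUTH_MODE=none
ALLOW_OPEN_REGISTRATION=true
EOF
}

tmp=$(mktemp); write_bad_sample "$tmp"
lint_env "$tmp" || true
rm -f "$tmp"
```

Run it against the `.env` in the project root before `docker compose up -d`; a non-zero return from `lint_env` can gate a deploy script.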