mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-06-09 17:31:19 +00:00
83d8ac0682
* Shared Role-Sync Core
* Environment Configuration
* Browser OpenID Wiring & improved shared component
* API Auth Wiring
* Improved Role Lookup
* added example for sync env
* small simplification
* protect existing manual assigned ADMIN Roles
* fix: Apply OpenID role-sync fallback for present-but-empty claims
Both role-sync call sites skipped on a falsy `openIdRoleValues`, treating an
empty claim string ('') the same as a missing claim and returning before
`selectOpenIdRole` could apply the configured fallback role. An IdP emitting
an empty roles claim for a user with no mapped groups left the stale local
role in place instead of the authoritative fallback.
Skip only when the helper returns `undefined` (missing/invalid), letting an
empty string flow through to fallback selection — consistent with how an
empty array is already handled. Adds regression coverage on both the OpenID
strategy and the remote-agent API auth paths.
* refactor: Address OpenID role-sync review feedback
- role.ts: reuse the shared escapeRegExp util instead of a local escapeRegex
duplicate, matching prompt/skill/user/userGroup methods (Copilot).
- openidStrategy.js / remoteAgentAuth.ts: make the tenantStorage.run callbacks
async so the documented ALS contract is satisfied and tenant context cannot
be lost during Mongoose execution; the wrapped lookups/updates are already
async, so behavior is unchanged (codex P2).
* fix: Harden OpenID role-sync claim and fallback handling
Addresses the second Codex review cycle (P2 findings):
- Apply fallback when the claim is absent: getOpenIdRolesForOpenIdSync now
returns an empty list (not undefined) when the token source exists but has
no usable claim value, so callers still run selection and assign the
configured fallback instead of leaving a stale elevated role. A truly
unavailable source still returns undefined and skips sync.
- Resolve group overage for access tokens too: the _claim_names/_claim_sources
overage path previously only ran for claimSource 'id'; Entra also moves an
oversized groups claim into access tokens, so 'access'+'groups' (the only
source supported by remote-agent API sync) now resolves overage as well.
- Allow system fallback roles for tenant users: getLibreChatRolesForOpenIdSync
treats SystemRoles (e.g. USER) as always-available canonical names, since
they are provisioned globally at startup and a tenant-scoped lookup may not
return them — preventing a spurious 'configured roles do not exist: USER'.
Adds unit and strategy-level coverage for all three.
* fix: Tighten OpenID role-sync tenant scoping and config validation
Addresses the third Codex review cycle:
- Constrain base-user role lookups to base roles (P2): findRolesByNames now
filters to roles with an unset tenantId when no tenant ALS context is active,
so a base user cannot match — and be assigned — a role that only exists within
a tenant. Tenant-scoped lookups remain controlled by the isolation plugin.
- Re-enforce tenant login policy after role sync (P2): when role sync changes a
tenant user's role, the OpenID strategy re-resolves the tenant appConfig and
re-checks allowedDomains, so a token cannot complete login under the previous
role's looser policy.
- Skip role-sync-specific validation when disabled (P3): getOpenIdRoleSyncOptions
returns disabled options before validating role-sync settings, so a stale or
mistyped value no longer breaks OpenID login while the feature is off.
Adds unit and strategy-level coverage for all three.
* fix: Run base role lookups under system context for strict isolation
Follow-up to the base-role scoping fix (Codex P1). With TENANT_ISOLATION_STRICT=true,
the tenant-isolation pre('find') hook throws on a context-less query before the manual
tenantId filter is honored, so base OpenID/remote-agent auth would 500 instead of
validating base roles. findRolesByNames now runs the no-context lookup inside
runAsSystem (SYSTEM_TENANT_ID), bypassing strict-mode injection while still applying an
explicit base-role (tenantId unset) filter. Adds a strict-mode regression test.
---------
Co-authored-by: Peter Rothlaender <peter.rothlaender@ginkgo.com>
1010 lines
35 KiB
Text
1010 lines
35 KiB
Text
#=====================================================================#
|
|
# LibreChat Configuration #
|
|
#=====================================================================#
|
|
# Please refer to the reference documentation for assistance #
|
|
# with configuring your LibreChat environment. #
|
|
# #
|
|
# https://www.librechat.ai/docs/configuration/dotenv #
|
|
#=====================================================================#
|
|
|
|
#==================================================#
|
|
# Server Configuration #
|
|
#==================================================#
|
|
|
|
HOST=localhost
|
|
PORT=3080
|
|
|
|
MONGO_URI=mongodb://127.0.0.1:27017/LibreChat
|
|
#The maximum number of connections in the connection pool. */
|
|
MONGO_MAX_POOL_SIZE=
|
|
#The minimum number of connections in the connection pool. */
|
|
MONGO_MIN_POOL_SIZE=
|
|
#The maximum number of connections that may be in the process of being established concurrently by the connection pool. */
|
|
MONGO_MAX_CONNECTING=
|
|
#The maximum number of milliseconds that a connection can remain idle in the pool before being removed and closed. */
|
|
MONGO_MAX_IDLE_TIME_MS=
|
|
#The maximum time in milliseconds that a thread can wait for a connection to become available. */
|
|
MONGO_WAIT_QUEUE_TIMEOUT_MS=
|
|
# Set to false to disable automatic index creation for all models associated with this connection. */
|
|
MONGO_AUTO_INDEX=
|
|
# Set to `false` to disable Mongoose automatically calling `createCollection()` on every model created on this connection. */
|
|
MONGO_AUTO_CREATE=
|
|
|
|
DOMAIN_CLIENT=http://localhost:3080
|
|
DOMAIN_SERVER=http://localhost:3080
|
|
|
|
# External admin panel base URL used for admin OAuth/SSO redirects.
|
|
# Required when the admin panel is hosted separately from LibreChat.
|
|
# May include a path. Do not include a trailing slash.
|
|
# Example: https://admin.example.com/admin
|
|
ADMIN_PANEL_URL=
|
|
|
|
NO_INDEX=true
|
|
# Use the address that is at most n number of hops away from the Express application.
|
|
# req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
|
|
# A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
|
|
# Defaulted to 1.
|
|
TRUST_PROXY=1
|
|
|
|
# Minimum password length for user authentication
|
|
# Default: 8
|
|
# Note: When using LDAP authentication, you may want to set this to 1
|
|
# to bypass local password validation, as LDAP servers handle their own
|
|
# password policies.
|
|
# MIN_PASSWORD_LENGTH=8
|
|
|
|
# When enabled, the app will continue running after encountering uncaught exceptions
|
|
# instead of exiting the process. Not recommended for production unless necessary.
|
|
# CONTINUE_ON_UNCAUGHT_EXCEPTION=false
|
|
|
|
#===============#
|
|
# JSON Logging #
|
|
#===============#
|
|
|
|
# Use when process console logs in cloud deployment like GCP/AWS
|
|
CONSOLE_JSON=false
|
|
|
|
# The maximum length of a string in a JSON log object.
|
|
# Default: 255
|
|
# CONSOLE_JSON_STRING_LENGTH=255
|
|
|
|
#===============#
|
|
# Debug Logging #
|
|
#===============#
|
|
|
|
DEBUG_LOGGING=true
|
|
DEBUG_CONSOLE=false
|
|
# Set to false to disable file-backed Winston transports.
|
|
LOG_TO_FILE=true
|
|
# Set to true to enable agent debug logging
|
|
AGENT_DEBUG_LOGGING=false
|
|
|
|
# Enable memory diagnostics (logs heap/RSS snapshots every 60s, auto-enabled with --inspect)
|
|
# MEM_DIAG=true
|
|
|
|
#=============#
|
|
# Permissions #
|
|
#=============#
|
|
|
|
# UID=1000
|
|
# GID=1000
|
|
|
|
#==============#
|
|
# Node Options #
|
|
#==============#
|
|
|
|
# NOTE: NODE_MAX_OLD_SPACE_SIZE is NOT recognized by Node.js directly.
|
|
# This variable is used as a build argument for Docker or CI/CD workflows,
|
|
# and is NOT used by Node.js to set the heap size at runtime.
|
|
# To configure Node.js memory, use NODE_OPTIONS, e.g.:
|
|
# NODE_OPTIONS="--max-old-space-size=6144"
|
|
# See: https://nodejs.org/api/cli.html#--max-old-space-sizesize-in-mib
|
|
NODE_MAX_OLD_SPACE_SIZE=6144
|
|
|
|
#===============#
|
|
# Configuration #
|
|
#===============#
|
|
# Use an absolute path, a relative path, or a URL
|
|
|
|
# CONFIG_PATH="/alternative/path/to/librechat.yaml"
|
|
|
|
#==================#
|
|
# Langfuse Tracing #
|
|
#==================#
|
|
|
|
# Get Langfuse API keys for your project from the project settings page: https://cloud.langfuse.com
|
|
|
|
# LANGFUSE_PUBLIC_KEY=
|
|
# LANGFUSE_SECRET_KEY=
|
|
# LANGFUSE_BASE_URL=
|
|
|
|
#=======================#
|
|
# OpenTelemetry Tracing #
|
|
#=======================#
|
|
|
|
# Enables backend OpenTelemetry tracing. General backend visibility only;
|
|
# use Langfuse for GenAI-specific prompt/model observability.
|
|
# OTEL_TRACING_ENABLED=false
|
|
# OTEL_SERVICE_NAME=librechat
|
|
# OTEL_SERVICE_VERSION=
|
|
# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
|
|
# OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=
|
|
# OTEL_EXPORTER_OTLP_HEADERS=
|
|
# OTEL_TRACES_EXPORTER=otlp
|
|
# OTEL_TRACES_SAMPLER=parentbased_always_on
|
|
# OTEL_LOG_LEVEL=INFO
|
|
# OTEL_SDK_DISABLED=false
|
|
|
|
#===============================#
|
|
# Real User Monitoring (Browser) #
|
|
#===============================#
|
|
|
|
# Enables browser Real User Monitoring. Disabled by default.
|
|
# Currently supports HyperDX via the browser SDK.
|
|
# RUM_ENABLED=false
|
|
# RUM_PROVIDER=hyperdx
|
|
# RUM_URL=http://localhost:4318
|
|
# RUM_SERVICE_NAME=librechat-web
|
|
# RUM_ENVIRONMENT=development
|
|
|
|
# Public browser-token mode is suitable for OSS/self-hosted deployments.
|
|
# Treat the token as public and restrict/rate-limit ingestion in your RUM backend.
|
|
# RUM_AUTH_MODE=publicToken
|
|
# RUM_PUBLIC_TOKEN=
|
|
|
|
# Authenticated proxy mode sends browser telemetry to this LibreChat backend first.
|
|
# The backend validates the LibreChat session, strips app auth, and forwards to the collector.
|
|
# RUM_AUTH_MODE=proxy
|
|
# RUM_PROXY_TARGET_URL=http://otel-collector:4318
|
|
# RUM_PROXY_TIMEOUT_MS=10000
|
|
|
|
# Optional comma-separated first-party HTTPS origins/URLs that should receive traceparent headers.
|
|
# Wildcards and non-HTTPS targets are ignored.
|
|
# RUM_TRACE_PROPAGATION_TARGETS=https://api.example.com
|
|
|
|
# Privacy defaults: replay, console capture, and full network body capture stay off.
|
|
# Console/network capture may collect sensitive browser logs, prompts, responses, or payloads.
|
|
# RUM_DISABLE_REPLAY=true
|
|
# RUM_CONSOLE_CAPTURE=false
|
|
# RUM_ADVANCED_NETWORK_CAPTURE=false
|
|
# RUM_SAMPLE_RATE=1
|
|
|
|
#===================================================#
|
|
# Endpoints #
|
|
#===================================================#
|
|
|
|
# ENDPOINTS=openAI,assistants,azureOpenAI,google,anthropic
|
|
|
|
# Optional outbound proxy for server-side requests, including remote MCP HTTP/SSE transports.
|
|
# Remote MCP transports also honor HTTP_PROXY, HTTPS_PROXY, and NO_PROXY when PROXY is unset.
|
|
PROXY=
|
|
|
|
#===================================#
|
|
# Known Endpoints - librechat.yaml #
|
|
#===================================#
|
|
# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints
|
|
|
|
# ANYSCALE_API_KEY=
|
|
# APIPIE_API_KEY=
|
|
# COHERE_API_KEY=
|
|
# DEEPSEEK_API_KEY=
|
|
# DATABRICKS_API_KEY=
|
|
# FIREWORKS_API_KEY=
|
|
# GROQ_API_KEY=
|
|
# HUGGINGFACE_TOKEN=
|
|
# MISTRAL_API_KEY=
|
|
# OPENROUTER_KEY=
|
|
# PERPLEXITY_API_KEY=
|
|
# SHUTTLEAI_API_KEY=
|
|
# TOGETHERAI_API_KEY=
|
|
# UNIFY_API_KEY=
|
|
# XAI_API_KEY=
|
|
|
|
#============#
|
|
# Anthropic #
|
|
#============#
|
|
|
|
ANTHROPIC_API_KEY=user_provided
|
|
# ANTHROPIC_MODELS=claude-opus-4-8,claude-opus-4-7,claude-sonnet-4-6,claude-opus-4-6,claude-opus-4-20250514,claude-3-7-sonnet-20250219,claude-3-5-sonnet-20241022,claude-3-5-haiku-20241022,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307
|
|
# ANTHROPIC_REVERSE_PROXY=
|
|
|
|
# Set to true to use Anthropic models through Google Vertex AI instead of direct API
|
|
# ANTHROPIC_USE_VERTEX=
|
|
# Supports regional locations like us-east5 and multi-region locations: us, eu, global
|
|
# ANTHROPIC_VERTEX_REGION=us-east5
|
|
|
|
#============#
|
|
# Azure #
|
|
#============#
|
|
|
|
# Note: these variables are DEPRECATED
|
|
# Use the `librechat.yaml` configuration for `azureOpenAI` instead
|
|
# You may also continue to use them if you opt out of using the `librechat.yaml` configuration
|
|
|
|
# AZURE_OPENAI_DEFAULT_MODEL=gpt-3.5-turbo # Deprecated
|
|
# AZURE_OPENAI_MODELS=gpt-3.5-turbo,gpt-4 # Deprecated
|
|
# AZURE_USE_MODEL_AS_DEPLOYMENT_NAME=TRUE # Deprecated
|
|
# AZURE_API_KEY= # Deprecated
|
|
# AZURE_OPENAI_API_INSTANCE_NAME= # Deprecated
|
|
# AZURE_OPENAI_API_DEPLOYMENT_NAME= # Deprecated
|
|
# AZURE_OPENAI_API_VERSION= # Deprecated
|
|
# AZURE_OPENAI_API_COMPLETIONS_DEPLOYMENT_NAME= # Deprecated
|
|
# AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME= # Deprecated
|
|
|
|
#=================#
|
|
# AWS Bedrock #
|
|
#=================#
|
|
# AWS Bedrock credentials
|
|
#
|
|
# Preferred for local development: configure an AWS profile in ~/.aws/config or
|
|
# ~/.aws/credentials, then set BEDROCK_AWS_PROFILE. LibreChat passes this profile
|
|
# to the AWS SDK for JavaScript credential provider chain.
|
|
#
|
|
# In deployed environments, prefer IAM roles or other short-term credentials
|
|
# discoverable by the AWS SDK default credential provider chain. If neither
|
|
# BEDROCK_AWS_PROFILE nor Bedrock-specific static credentials are set, the SDK
|
|
# uses its default provider chain. AWS-standard environment variables still
|
|
# follow AWS SDK precedence.
|
|
#
|
|
# Profiles can use IAM Identity Center, assume-role settings, or credential_process.
|
|
# If you use credential_process, secure the config file and helper command, and do
|
|
# not write secret material to stderr.
|
|
#
|
|
# AWS SDK credential chain:
|
|
# https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/setting-credentials-node.html
|
|
# Shared config/profile settings:
|
|
# https://docs.aws.amazon.com/sdkref/latest/guide/settings-reference.html
|
|
# credential_process security notes:
|
|
# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
|
|
|
|
# BEDROCK_AWS_DEFAULT_REGION=us-east-1 # A default region must be provided
|
|
|
|
# AWS Profile
|
|
# BEDROCK_AWS_PROFILE=your-profile-name
|
|
|
|
# Static credentials (use only if profiles or IAM roles are not suitable)
|
|
# BEDROCK_AWS_ACCESS_KEY_ID=someAccessKey
|
|
# BEDROCK_AWS_SECRET_ACCESS_KEY=someSecretAccessKey
|
|
# BEDROCK_AWS_SESSION_TOKEN=someSessionToken
|
|
|
|
# Bedrock API key
|
|
# BEDROCK_AWS_BEARER_TOKEN=yourBedrockApiKey
|
|
|
|
# Note: This example list is not meant to be exhaustive. If omitted, all known, supported model IDs will be included for you.
|
|
# BEDROCK_AWS_MODELS=anthropic.claude-opus-4-8,anthropic.claude-opus-4-7,anthropic.claude-sonnet-4-6,anthropic.claude-opus-4-6-v1,anthropic.claude-3-5-sonnet-20240620-v1:0,meta.llama3-1-8b-instruct-v1:0
|
|
# Cross-region inference model IDs: us.anthropic.claude-opus-4-8,us.anthropic.claude-opus-4-7,us.anthropic.claude-sonnet-4-6,us.anthropic.claude-opus-4-6-v1,global.anthropic.claude-opus-4-6-v1
|
|
|
|
# See all Bedrock model IDs here: https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html#model-ids-arns
|
|
|
|
# Notes on specific models:
|
|
# The following models are not support due to not supporting streaming:
|
|
# ai21.j2-mid-v1
|
|
|
|
# The following models are not support due to not supporting conversation history:
|
|
# ai21.j2-ultra-v1, cohere.command-text-v14, cohere.command-light-text-v14
|
|
|
|
#============#
|
|
# Google #
|
|
#============#
|
|
|
|
GOOGLE_KEY=user_provided
|
|
|
|
# GOOGLE_REVERSE_PROXY=
|
|
# Some reverse proxies do not support the X-goog-api-key header, uncomment to pass the API key in Authorization header instead.
|
|
# GOOGLE_AUTH_HEADER=true
|
|
|
|
# Gemini API (AI Studio)
|
|
# GOOGLE_MODELS=gemini-3.1-pro-preview,gemini-3.1-pro-preview-customtools,gemini-3.1-flash-lite-preview,gemini-2.5-pro,gemini-2.5-flash,gemini-2.5-flash-lite,gemini-2.0-flash,gemini-2.0-flash-lite
|
|
|
|
# Vertex AI
|
|
# GOOGLE_MODELS=gemini-3.1-pro-preview,gemini-3.1-pro-preview-customtools,gemini-3.1-flash-lite-preview,gemini-2.5-pro,gemini-2.5-flash,gemini-2.5-flash-lite,gemini-2.0-flash-001,gemini-2.0-flash-lite-001
|
|
|
|
# GOOGLE_TITLE_MODEL=gemini-2.0-flash-lite-001
|
|
|
|
# Google Cloud location for Vertex AI (used by both chat and image generation).
|
|
# Supports regional locations like us-central1 and multi-region locations: us, eu, global.
|
|
# GOOGLE_LOC=us-central1
|
|
|
|
# Alternative region env var for Gemini Image Generation
|
|
# GOOGLE_CLOUD_LOCATION=global
|
|
|
|
# Vertex AI Service Account Configuration
|
|
# Path to your Google Cloud service account JSON file
|
|
# GOOGLE_SERVICE_KEY_FILE=/path/to/service-account.json
|
|
|
|
# Google Safety Settings
|
|
# NOTE: These settings apply to both Vertex AI and Gemini API (AI Studio)
|
|
#
|
|
# For Vertex AI:
|
|
# To use the BLOCK_NONE setting, you need either:
|
|
# (a) Access through an allowlist via your Google account team, or
|
|
# (b) Switch to monthly invoiced billing: https://cloud.google.com/billing/docs/how-to/invoiced-billing
|
|
#
|
|
# For Gemini API (AI Studio):
|
|
# BLOCK_NONE is available by default, no special account requirements.
|
|
#
|
|
# Available options: BLOCK_NONE, BLOCK_ONLY_HIGH, BLOCK_MEDIUM_AND_ABOVE, BLOCK_LOW_AND_ABOVE
|
|
#
|
|
# GOOGLE_SAFETY_SEXUALLY_EXPLICIT=BLOCK_ONLY_HIGH
|
|
# GOOGLE_SAFETY_HATE_SPEECH=BLOCK_ONLY_HIGH
|
|
# GOOGLE_SAFETY_HARASSMENT=BLOCK_ONLY_HIGH
|
|
# GOOGLE_SAFETY_DANGEROUS_CONTENT=BLOCK_ONLY_HIGH
|
|
# GOOGLE_SAFETY_CIVIC_INTEGRITY=BLOCK_ONLY_HIGH
|
|
|
|
#========================#
|
|
# Gemini Image Generation #
|
|
#========================#
|
|
|
|
# Gemini Image Generation Tool (for Agents)
|
|
# Supports multiple authentication methods in priority order:
|
|
# 1. User-provided API key (via GUI)
|
|
# 2. GEMINI_API_KEY env var (admin-configured)
|
|
# 3. GOOGLE_KEY env var (shared with Google chat endpoint)
|
|
# 4. Vertex AI service account (via GOOGLE_SERVICE_KEY_FILE)
|
|
|
|
# Option A: Use dedicated Gemini API key for image generation
|
|
# GEMINI_API_KEY=your-gemini-api-key
|
|
|
|
# Vertex AI model for image generation (defaults to gemini-2.5-flash-image)
|
|
# GEMINI_IMAGE_MODEL=gemini-2.5-flash-image
|
|
|
|
#============#
|
|
# OpenAI #
|
|
#============#
|
|
|
|
OPENAI_API_KEY=user_provided
|
|
# OPENAI_MODELS=gpt-5,gpt-5-codex,gpt-5-mini,gpt-5-nano,o3-pro,o3,o4-mini,gpt-4.1,gpt-4.1-mini,gpt-4.1-nano,o3-mini,o1-pro,o1,gpt-4o,gpt-4o-mini
|
|
|
|
DEBUG_OPENAI=false
|
|
|
|
# TITLE_CONVO=false
|
|
# OPENAI_TITLE_MODEL=gpt-4o-mini
|
|
|
|
# OPENAI_SUMMARIZE=true
|
|
# OPENAI_SUMMARY_MODEL=gpt-4o-mini
|
|
|
|
# OPENAI_FORCE_PROMPT=true
|
|
|
|
# OPENAI_REVERSE_PROXY=
|
|
|
|
# OPENAI_ORGANIZATION=
|
|
|
|
#====================#
|
|
# Assistants API #
|
|
#====================#
|
|
|
|
ASSISTANTS_API_KEY=user_provided
|
|
# ASSISTANTS_BASE_URL=
|
|
# ASSISTANTS_MODELS=gpt-4o,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-16k-0613,gpt-3.5-turbo-16k,gpt-3.5-turbo,gpt-4,gpt-4-0314,gpt-4-32k-0314,gpt-4-0613,gpt-3.5-turbo-0613,gpt-3.5-turbo-1106,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview
|
|
|
|
#==========================#
|
|
# Azure Assistants API #
|
|
#==========================#
|
|
|
|
# Note: You should map your credentials with custom variables according to your Azure OpenAI Configuration
|
|
# The models for Azure Assistants are also determined by your Azure OpenAI configuration.
|
|
|
|
# More info, including how to enable use of Assistants with Azure here:
|
|
# https://www.librechat.ai/docs/configuration/librechat_yaml/ai_endpoints/azure#using-assistants-with-azure
|
|
|
|
CREDS_KEY=f34be427ebb29de8d88c107a71546019685ed8b241d8f2ed00c3df97ad2566f0
|
|
CREDS_IV=e2341419ec3dd3d19b13a1a87fafcbfb
|
|
|
|
# Azure AI Search
|
|
#-----------------
|
|
AZURE_AI_SEARCH_SERVICE_ENDPOINT=
|
|
AZURE_AI_SEARCH_INDEX_NAME=
|
|
AZURE_AI_SEARCH_API_KEY=
|
|
|
|
AZURE_AI_SEARCH_API_VERSION=
|
|
AZURE_AI_SEARCH_SEARCH_OPTION_QUERY_TYPE=
|
|
AZURE_AI_SEARCH_SEARCH_OPTION_TOP=
|
|
AZURE_AI_SEARCH_SEARCH_OPTION_SELECT=
|
|
|
|
# OpenAI Image Tools Customization
|
|
#----------------
|
|
# IMAGE_GEN_OAI_API_KEY= # Create or reuse OpenAI API key for image generation tool
|
|
# IMAGE_GEN_OAI_BASEURL= # Custom OpenAI base URL for image generation tool
|
|
# IMAGE_GEN_OAI_AZURE_API_VERSION= # Custom Azure OpenAI deployments
|
|
# IMAGE_GEN_OAI_MODEL=gpt-image-1 # OpenAI image model (e.g., gpt-image-1, gpt-image-1.5)
|
|
# IMAGE_GEN_OAI_DESCRIPTION=
|
|
# IMAGE_GEN_OAI_DESCRIPTION_WITH_FILES=Custom description for image generation tool when files are present
|
|
# IMAGE_GEN_OAI_DESCRIPTION_NO_FILES=Custom description for image generation tool when no files are present
|
|
# IMAGE_EDIT_OAI_DESCRIPTION=Custom description for image editing tool
|
|
# IMAGE_GEN_OAI_PROMPT_DESCRIPTION=Custom prompt description for image generation tool
|
|
# IMAGE_EDIT_OAI_PROMPT_DESCRIPTION=Custom prompt description for image editing tool
|
|
|
|
# DALL·E
|
|
#----------------
|
|
# DALLE_API_KEY=
|
|
# DALLE3_API_KEY=
|
|
# DALLE2_API_KEY=
|
|
# DALLE3_SYSTEM_PROMPT=
|
|
# DALLE2_SYSTEM_PROMPT=
|
|
# DALLE_REVERSE_PROXY=
|
|
# DALLE3_BASEURL=
|
|
# DALLE2_BASEURL=
|
|
|
|
# DALL·E (via Azure OpenAI)
|
|
# Note: requires some of the variables above to be set
|
|
#----------------
|
|
# DALLE3_AZURE_API_VERSION=
|
|
# DALLE2_AZURE_API_VERSION=
|
|
|
|
# Flux
|
|
#-----------------
|
|
FLUX_API_BASE_URL=https://api.us1.bfl.ai
|
|
# FLUX_API_BASE_URL = 'https://api.bfl.ml';
|
|
|
|
# Get your API key at https://api.us1.bfl.ai/auth/profile
|
|
# FLUX_API_KEY=
|
|
|
|
# Google
|
|
#-----------------
|
|
GOOGLE_SEARCH_API_KEY=
|
|
GOOGLE_CSE_ID=
|
|
|
|
# Stable Diffusion
|
|
#-----------------
|
|
SD_WEBUI_URL=http://host.docker.internal:7860
|
|
|
|
# Tavily
|
|
#-----------------
|
|
TAVILY_API_KEY=
|
|
|
|
# Traversaal
|
|
#-----------------
|
|
TRAVERSAAL_API_KEY=
|
|
|
|
# WolframAlpha
|
|
#-----------------
|
|
WOLFRAM_APP_ID=
|
|
|
|
# Zapier
|
|
#-----------------
|
|
ZAPIER_NLA_API_KEY=
|
|
|
|
#==================================================#
|
|
# Search #
|
|
#==================================================#
|
|
|
|
SEARCH=true
|
|
MEILI_NO_ANALYTICS=true
|
|
MEILI_HOST=http://0.0.0.0:7700
|
|
MEILI_MASTER_KEY=DrhYf7zENyR6AlUCKmnz0eYASOQdl6zxH7s7MKFSfFCt
|
|
|
|
# Optional: Disable indexing, useful in a multi-node setup
|
|
# where only one instance should perform an index sync.
|
|
# MEILI_NO_SYNC=true
|
|
|
|
#==================================================#
|
|
# Speech to Text & Text to Speech #
|
|
#==================================================#
|
|
|
|
STT_API_KEY=
|
|
TTS_API_KEY=
|
|
|
|
#==================================================#
|
|
# RAG #
|
|
#==================================================#
|
|
# More info: https://www.librechat.ai/docs/configuration/rag_api
|
|
|
|
# RAG_API_URL=http://rag_api:8000
|
|
# RAG_OPENAI_BASEURL=
|
|
# RAG_OPENAI_API_KEY=
|
|
# RAG_USE_FULL_CONTEXT=
|
|
# EMBEDDINGS_PROVIDER=openai
|
|
# EMBEDDINGS_MODEL=text-embedding-3-small
|
|
|
|
#===================================================#
|
|
# User System #
|
|
#===================================================#
|
|
|
|
#========================#
|
|
# Moderation #
|
|
#========================#
|
|
|
|
OPENAI_MODERATION=false
|
|
OPENAI_MODERATION_API_KEY=
|
|
# OPENAI_MODERATION_REVERSE_PROXY=
|
|
|
|
BAN_VIOLATIONS=true
|
|
BAN_DURATION=1000 * 60 * 60 * 2
|
|
BAN_INTERVAL=20
|
|
|
|
LOGIN_VIOLATION_SCORE=1
|
|
REGISTRATION_VIOLATION_SCORE=1
|
|
CONCURRENT_VIOLATION_SCORE=1
|
|
MESSAGE_VIOLATION_SCORE=1
|
|
NON_BROWSER_VIOLATION_SCORE=20
|
|
TTS_VIOLATION_SCORE=0
|
|
STT_VIOLATION_SCORE=0
|
|
FORK_VIOLATION_SCORE=0
|
|
IMPORT_VIOLATION_SCORE=0
|
|
FILE_UPLOAD_VIOLATION_SCORE=0
|
|
|
|
LOGIN_MAX=7
|
|
LOGIN_WINDOW=5
|
|
REGISTER_MAX=5
|
|
REGISTER_WINDOW=60
|
|
|
|
LIMIT_CONCURRENT_MESSAGES=true
|
|
CONCURRENT_MESSAGE_MAX=2
|
|
|
|
LIMIT_MESSAGE_IP=true
|
|
MESSAGE_IP_MAX=40
|
|
MESSAGE_IP_WINDOW=1
|
|
|
|
LIMIT_MESSAGE_USER=false
|
|
MESSAGE_USER_MAX=40
|
|
MESSAGE_USER_WINDOW=1
|
|
|
|
ILLEGAL_MODEL_REQ_SCORE=5
|
|
|
|
#========================#
|
|
# Balance #
|
|
#========================#
|
|
|
|
# CHECK_BALANCE=false
|
|
# START_BALANCE=20000 # note: the number of tokens that will be credited after registration.
|
|
|
|
#========================#
|
|
# Registration and Login #
|
|
#========================#
|
|
|
|
ALLOW_EMAIL_LOGIN=true
|
|
ALLOW_REGISTRATION=true
|
|
ALLOW_SOCIAL_LOGIN=false
|
|
ALLOW_SOCIAL_REGISTRATION=false
|
|
ALLOW_PASSWORD_RESET=false
|
|
# ALLOW_ACCOUNT_DELETION=true # note: enabled by default if omitted/commented out
|
|
ALLOW_UNVERIFIED_EMAIL_LOGIN=true
|
|
|
|
SESSION_EXPIRY=1000 * 60 * 15
|
|
REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
|
|
# Overrides the Secure attribute for session/auth cookies when set to true or false;
|
|
# leave unset to use the default NODE_ENV/DOMAIN_SERVER heuristic.
|
|
# Set to false only for HTTP-only deployments where browsers drop Secure cookies.
|
|
# SESSION_COOKIE_SECURE=false
|
|
|
|
JWT_SECRET=16f8c0ef4a5d391b26034086c628469d3f9f497f08163ab9b40137092f2909ef
|
|
JWT_REFRESH_SECRET=eaa5191f2914e30b9387fd84e254e4ba6fc51b4654968a9b0803b456a54b8418
|
|
|
|
# Discord
|
|
DISCORD_CLIENT_ID=
|
|
DISCORD_CLIENT_SECRET=
|
|
DISCORD_CALLBACK_URL=/oauth/discord/callback
|
|
|
|
# Facebook
|
|
FACEBOOK_CLIENT_ID=
|
|
FACEBOOK_CLIENT_SECRET=
|
|
FACEBOOK_CALLBACK_URL=/oauth/facebook/callback
|
|
|
|
# GitHub
|
|
GITHUB_CLIENT_ID=
|
|
GITHUB_CLIENT_SECRET=
|
|
GITHUB_CALLBACK_URL=/oauth/github/callback
|
|
# GitHub Enterprise
|
|
# GITHUB_ENTERPRISE_BASE_URL=
|
|
# GITHUB_ENTERPRISE_USER_AGENT=
|
|
|
|
# Google
|
|
GOOGLE_CLIENT_ID=
|
|
GOOGLE_CLIENT_SECRET=
|
|
GOOGLE_CALLBACK_URL=/oauth/google/callback
|
|
|
|
# Apple
|
|
APPLE_CLIENT_ID=
|
|
APPLE_TEAM_ID=
|
|
APPLE_KEY_ID=
|
|
APPLE_PRIVATE_KEY_PATH=
|
|
APPLE_CALLBACK_URL=/oauth/apple/callback
|
|
|
|
# OpenID
|
|
OPENID_CLIENT_ID=
|
|
OPENID_CLIENT_SECRET=
|
|
OPENID_ISSUER=
|
|
OPENID_SESSION_SECRET=
|
|
OPENID_SCOPE="openid profile email"
|
|
OPENID_CALLBACK_URL=/oauth/openid/callback
|
|
# Admin panel SSO uses ${DOMAIN_SERVER}/api/admin/oauth/openid/callback as the
|
|
# OpenID provider redirect URI.
|
|
OPENID_REQUIRED_ROLE=
|
|
OPENID_REQUIRED_ROLE_TOKEN_KIND=
|
|
OPENID_REQUIRED_ROLE_PARAMETER_PATH=
|
|
OPENID_ADMIN_ROLE=
|
|
OPENID_ADMIN_ROLE_PARAMETER_PATH=
|
|
OPENID_ADMIN_ROLE_TOKEN_KIND=
|
|
# Generic OpenID role sync maps non-admin IdP roles/groups to one LibreChat role.
|
|
# ADMIN cannot be assigned by generic role sync; use OPENID_ADMIN_ROLE for admin elevation.
|
|
# Role priority is ordered from most important to least important.
|
|
OPENID_ROLE_SYNC_ENABLED=false
|
|
OPENID_ROLE_SYNC_API_ENABLED=false
|
|
OPENID_ROLE_SYNC_SOURCE=id
|
|
OPENID_ROLE_SYNC_CLAIM=
|
|
OPENID_ROLE_SYNC_ROLE_PRIORITY=
|
|
# Fallback is authoritative when configured: if no priority role matches, this role is assigned.
|
|
OPENID_ROLE_SYNC_FALLBACK_ROLE=
|
|
# Set to determine which user info property returned from OpenID Provider to store as the User's username
|
|
OPENID_USERNAME_CLAIM=
|
|
# Set to determine which user info property returned from OpenID Provider to store as the User's name
|
|
OPENID_NAME_CLAIM=
|
|
# Set to determine which user info claim to use as the email/identifier for user matching (e.g., "upn" for Entra ID)
|
|
# When not set, defaults to: email -> preferred_username -> upn
|
|
OPENID_EMAIL_CLAIM=
|
|
# Optional audience parameter for OpenID authorization requests
|
|
OPENID_AUDIENCE=
|
|
# Optional audience parameter for OpenID refresh token requests.
|
|
# Some providers, such as Auth0 custom APIs, require this to preserve
|
|
# the intended access-token audience during refresh. Usually matches OPENID_AUDIENCE.
|
|
OPENID_REFRESH_AUDIENCE=
|
|
|
|
OPENID_BUTTON_LABEL=
|
|
OPENID_IMAGE_URL=
|
|
# Set to true to automatically redirect to the OpenID provider when a user visits the login page
|
|
# This will bypass the login form completely for users, only use this if OpenID is your only authentication method
|
|
OPENID_AUTO_REDIRECT=false
|
|
# Set to true to use PKCE (Proof Key for Code Exchange) for OpenID authentication.
|
|
# For public clients (no client secret), leave OPENID_CLIENT_SECRET empty and set this to true.
|
|
OPENID_USE_PKCE=false
|
|
#Set to true to reuse openid tokens for authentication management instead of using the mongodb session and the custom refresh token.
|
|
OPENID_REUSE_TOKENS=
|
|
#By default, signing key verification results are cached in order to prevent excessive HTTP requests to the JWKS endpoint.
|
|
#If a signing key matching the kid is found, this will be cached and the next time this kid is requested the signing key will be served from the cache.
|
|
#Default is true.
|
|
OPENID_JWKS_URL_CACHE_ENABLED=
|
|
OPENID_JWKS_URL_CACHE_TIME= # 600000 ms eq to 10 minutes leave empty to disable caching
|
|
#Set to true to trigger token exchange flow to acquire access token for the userinfo endpoint.
|
|
OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=
|
|
OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE="user.read" # example for Scope Needed for Microsoft Graph API
|
|
# Set to true to use the OpenID Connect end session endpoint for logout
|
|
OPENID_USE_END_SESSION_ENDPOINT=
|
|
# URL to redirect to after OpenID logout (defaults to ${DOMAIN_CLIENT}/login)
|
|
OPENID_POST_LOGOUT_REDIRECT_URI=
|
|
# Maximum logout URL length before using logout_hint instead of id_token_hint (default: 2000)
|
|
OPENID_MAX_LOGOUT_URL_LENGTH=
|
|
|
|
#========================#
|
|
# SharePoint Integration #
|
|
#========================#
|
|
# Requires Entra ID (OpenID) authentication to be configured
|
|
|
|
# Enable SharePoint file picker in chat and agent panels
|
|
# ENABLE_SHAREPOINT_FILEPICKER=true
|
|
|
|
# SharePoint tenant base URL (e.g., https://yourtenant.sharepoint.com)
|
|
# SHAREPOINT_BASE_URL=https://yourtenant.sharepoint.com
|
|
|
|
# Microsoft Graph API And SharePoint scopes for file picker
|
|
# SHAREPOINT_PICKER_SHAREPOINT_SCOPE==https://yourtenant.sharepoint.com/AllSites.Read
|
|
# SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All
|
|
#========================#
|
|
|
|
# SAML
|
|
# Note: If OpenID is enabled, SAML authentication will be automatically disabled.
|
|
SAML_ENTRY_POINT=
|
|
SAML_ISSUER=
|
|
SAML_CERT=
|
|
SAML_CALLBACK_URL=/oauth/saml/callback
|
|
SAML_SESSION_SECRET=
|
|
|
|
# Attribute mappings (optional)
|
|
SAML_EMAIL_CLAIM=
|
|
SAML_USERNAME_CLAIM=
|
|
SAML_GIVEN_NAME_CLAIM=
|
|
SAML_FAMILY_NAME_CLAIM=
|
|
SAML_PICTURE_CLAIM=
|
|
SAML_NAME_CLAIM=
|
|
|
|
# Logint buttion settings (optional)
|
|
SAML_BUTTON_LABEL=
|
|
SAML_IMAGE_URL=
|
|
|
|
# Whether the SAML Response should be signed.
|
|
# - If "true", the entire `SAML Response` will be signed.
|
|
# - If "false" or unset, only the `SAML Assertion` will be signed (default behavior).
|
|
# SAML_USE_AUTHN_RESPONSE_SIGNED=
|
|
|
|
|
|
#===============================================#
|
|
# Microsoft Graph API / Entra ID Integration #
|
|
#===============================================#
|
|
|
|
# Enable Entra ID people search integration in permissions/sharing system
|
|
# When enabled, the people picker will search both local database and Entra ID
|
|
USE_ENTRA_ID_FOR_PEOPLE_SEARCH=false
|
|
|
|
# When enabled, entra id groups owners will be considered as members of the group
|
|
ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS=false
|
|
|
|
# Microsoft Graph API scopes needed for people/group search
|
|
# Default scopes provide access to user profiles and group memberships
|
|
OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All
|
|
|
|
# LDAP
|
|
LDAP_URL=
|
|
LDAP_BIND_DN=
|
|
LDAP_BIND_CREDENTIALS=
|
|
LDAP_USER_SEARCH_BASE=
|
|
#LDAP_SEARCH_FILTER="mail="
|
|
LDAP_CA_CERT_PATH=
|
|
# LDAP_TLS_REJECT_UNAUTHORIZED=
|
|
# LDAP_STARTTLS=
|
|
# LDAP_LOGIN_USES_USERNAME=true
|
|
# LDAP_ID=
|
|
# LDAP_USERNAME=
|
|
# LDAP_EMAIL=
|
|
# LDAP_FULL_NAME=
|
|
|
|
#========================#
|
|
# Email Password Reset #
|
|
#========================#
|
|
|
|
EMAIL_SERVICE=
|
|
EMAIL_HOST=
|
|
EMAIL_PORT=25
|
|
EMAIL_ENCRYPTION=
|
|
EMAIL_ENCRYPTION_HOSTNAME=
|
|
EMAIL_ALLOW_SELFSIGNED=
|
|
# Leave both empty for SMTP servers that do not require authentication
|
|
EMAIL_USERNAME=
|
|
EMAIL_PASSWORD=
|
|
EMAIL_FROM_NAME=
|
|
EMAIL_FROM=noreply@librechat.ai
|
|
|
|
#========================#
|
|
# Mailgun API #
|
|
#========================#
|
|
|
|
# MAILGUN_API_KEY=your-mailgun-api-key
|
|
# MAILGUN_DOMAIN=mg.yourdomain.com
|
|
# EMAIL_FROM=noreply@yourdomain.com
|
|
# EMAIL_FROM_NAME="LibreChat"
|
|
|
|
# # Optional: For EU region
|
|
# MAILGUN_HOST=https://api.eu.mailgun.net
|
|
|
|
#========================#
|
|
# Firebase CDN #
|
|
#========================#
|
|
|
|
FIREBASE_API_KEY=
|
|
FIREBASE_AUTH_DOMAIN=
|
|
FIREBASE_PROJECT_ID=
|
|
FIREBASE_STORAGE_BUCKET=
|
|
FIREBASE_MESSAGING_SENDER_ID=
|
|
FIREBASE_APP_ID=
|
|
|
|
#========================#
|
|
# S3 AWS Bucket #
|
|
#========================#
|
|
|
|
AWS_ENDPOINT_URL=
|
|
AWS_ACCESS_KEY_ID=
|
|
AWS_SECRET_ACCESS_KEY=
|
|
AWS_REGION=
|
|
AWS_BUCKET_NAME=
|
|
# Required for path-style S3-compatible providers (MinIO, Hetzner, Backblaze B2, etc.)
|
|
# that don't support virtual-hosted-style URLs (bucket.endpoint). Not needed for AWS S3.
|
|
# AWS_FORCE_PATH_STYLE=false
|
|
# Required for CloudFront signed cookies and signed download URLs
|
|
# CLOUDFRONT_KEY_PAIR_ID=
|
|
# CLOUDFRONT_PRIVATE_KEY=
|
|
|
|
#========================#
|
|
# Azure Blob Storage #
|
|
#========================#
|
|
|
|
AZURE_STORAGE_CONNECTION_STRING=
|
|
AZURE_STORAGE_PUBLIC_ACCESS=false
|
|
AZURE_CONTAINER_NAME=files
|
|
|
|
#========================#
|
|
# Shared Links #
|
|
#========================#
|
|
|
|
ALLOW_SHARED_LINKS=true
|
|
# Allows unauthenticated access to shared links. Defaults to false (auth required) if not set.
|
|
ALLOW_SHARED_LINKS_PUBLIC=false
|
|
|
|
#==============================#
|
|
# Static File Cache Control #
|
|
#==============================#
|
|
|
|
# Leave commented out to use defaults: 1 day (86400 seconds) for s-maxage and 2 days (172800 seconds) for max-age
|
|
# NODE_ENV must be set to production for these to take effect
|
|
# STATIC_CACHE_MAX_AGE=172800
|
|
# STATIC_CACHE_S_MAX_AGE=86400
|
|
|
|
# If you have another service in front of your LibreChat doing compression, disable express based compression here
|
|
# DISABLE_COMPRESSION=true
|
|
|
|
# If you have gzipped version of uploaded image images in the same folder, this will enable gzip scan and serving of these images
|
|
# Note: The images folder will be scanned on startup and a ma kept in memory. Be careful for large number of images.
|
|
# ENABLE_IMAGE_OUTPUT_GZIP_SCAN=true
|
|
|
|
#===================================================#
|
|
# UI #
|
|
#===================================================#
|
|
|
|
APP_TITLE=LibreChat
|
|
# CUSTOM_FOOTER="My custom footer"
|
|
HELP_AND_FAQ_URL=https://librechat.ai
|
|
|
|
# SHOW_BIRTHDAY_ICON=true
|
|
|
|
# Google tag manager id
|
|
#ANALYTICS_GTM_ID=user provided google tag manager id
|
|
|
|
# limit conversation file imports to a certain number of bytes in size to avoid the container
|
|
# maxing out memory limitations by unremarking this line and supplying a file size in bytes
|
|
# such as the below example of 250 mib
|
|
# CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES=262144000
|
|
|
|
|
|
#===============#
|
|
# REDIS Options #
|
|
#===============#
|
|
|
|
# Enable Redis for caching and session storage
|
|
# USE_REDIS=true
|
|
# Enable Redis for resumable LLM streams (defaults to USE_REDIS value if not set)
|
|
# Set to false to use in-memory storage for streams while keeping Redis for other caches
|
|
# USE_REDIS_STREAMS=true
|
|
|
|
# Single Redis instance
|
|
# REDIS_URI=redis://127.0.0.1:6379
|
|
|
|
# Redis cluster (multiple nodes)
|
|
# REDIS_URI=redis://127.0.0.1:7001,redis://127.0.0.1:7002,redis://127.0.0.1:7003
|
|
# Enable Redis cluster mode when connecting to a cluster through a single URI
|
|
# USE_REDIS_CLUSTER=true
|
|
|
|
# Managed Redis services with a single endpoint may shard keys internally and reject multi-key DEL
|
|
# Set to true to delete keys individually and avoid CROSSSLOT errors while keeping single-node mode
|
|
# REDIS_CLUSTER_SAFE_DELETE=true
|
|
|
|
# Redis with TLS/SSL encryption and CA certificate
|
|
# REDIS_URI=rediss://127.0.0.1:6380
|
|
# REDIS_CA=/path/to/ca-cert.pem
|
|
|
|
# Elasticache may need to use an alternate dnsLookup for TLS connections. see "Special Note: Aws Elasticache Clusters with TLS" on this webpage: https://www.npmjs.com/package/ioredis
|
|
# Enable alternative dnsLookup for redis
|
|
# REDIS_USE_ALTERNATIVE_DNS_LOOKUP=true
|
|
|
|
# Redis authentication (if required)
|
|
# REDIS_USERNAME=your_redis_username
|
|
# REDIS_PASSWORD=your_redis_password
|
|
|
|
# Redis key prefix configuration
|
|
# Use environment variable name for dynamic prefix (recommended for cloud deployments)
|
|
# REDIS_KEY_PREFIX_VAR=K_REVISION
|
|
# Or use static prefix directly
|
|
# REDIS_KEY_PREFIX=librechat
|
|
|
|
# Redis connection limits
|
|
# REDIS_MAX_LISTENERS=40
|
|
|
|
# Redis ping interval in seconds (0 = disabled, >0 = enabled)
|
|
# When set to a positive integer, Redis clients will ping the server at this interval to keep connections alive
|
|
# When unset or 0, no pinging is performed (recommended for most use cases)
|
|
# REDIS_PING_INTERVAL=300
|
|
|
|
# Force specific cache namespaces to use in-memory storage even when Redis is enabled
|
|
# Comma-separated list of CacheKeys
|
|
# Defaults to CONFIG_STORE,APP_CONFIG so YAML-derived config stays per-container (safe for blue/green deployments)
|
|
# Set to empty string to force all namespaces through Redis: FORCED_IN_MEMORY_CACHE_NAMESPACES=
|
|
# FORCED_IN_MEMORY_CACHE_NAMESPACES=CONFIG_STORE,APP_CONFIG
|
|
|
|
# Leader Election Configuration (for multi-instance deployments with Redis)
|
|
# Duration in seconds that the leader lease is valid before it expires (default: 25)
|
|
# LEADER_LEASE_DURATION=25
|
|
# Interval in seconds at which the leader renews its lease (default: 10)
|
|
# LEADER_RENEW_INTERVAL=10
|
|
# Maximum number of retry attempts when renewing the lease fails (default: 3)
|
|
# LEADER_RENEW_ATTEMPTS=3
|
|
# Delay in seconds between retry attempts when renewing the lease (default: 0.5)
|
|
# LEADER_RENEW_RETRY_DELAY=0.5
|
|
|
|
#==================================================#
|
|
# Others #
|
|
#==================================================#
|
|
# You should leave the following commented out #
|
|
|
|
# NODE_ENV=
|
|
|
|
# E2E_USER_EMAIL=
|
|
# E2E_USER_PASSWORD=
|
|
|
|
#=====================================================#
|
|
# Cache Headers #
|
|
#=====================================================#
|
|
# Headers that control caching of the index.html #
|
|
# Default configuration prevents caching to ensure #
|
|
# users always get the latest version. Customize #
|
|
# only if you understand caching implications. #
|
|
|
|
# INDEX_CACHE_CONTROL=no-cache, no-store, must-revalidate
|
|
# INDEX_PRAGMA=no-cache
|
|
# INDEX_EXPIRES=0
|
|
|
|
# no-cache: Forces validation with server before using cached version
|
|
# no-store: Prevents storing the response entirely
|
|
# must-revalidate: Prevents using stale content when offline
|
|
|
|
#=====================================================#
|
|
# OpenWeather #
|
|
#=====================================================#
|
|
OPENWEATHER_API_KEY=
|
|
|
|
#======================#
|
|
# Web Search #
|
|
#======================#
|
|
|
|
# Note: All of the following variable names can be customized.
|
|
# Omit values to allow user to provide them.
|
|
|
|
# For more information on configuration values, see:
|
|
# https://librechat.ai/docs/features/web_search
|
|
|
|
# Search Provider (Required)
|
|
# SERPER_API_KEY=your_serper_api_key
|
|
|
|
# Tavily (Search Provider and/or Scraper)
|
|
# TAVILY_API_KEY=your_tavily_api_key
|
|
|
|
# Scraper (Required)
|
|
# FIRECRAWL_API_KEY=your_firecrawl_api_key
|
|
# Optional: Custom Firecrawl API URL
|
|
# FIRECRAWL_API_URL=your_firecrawl_api_url
|
|
|
|
# Reranker (Required)
|
|
# JINA_API_KEY=your_jina_api_key
|
|
# or
|
|
# COHERE_API_KEY=your_cohere_api_key
|
|
|
|
#======================#
|
|
# MCP Configuration #
|
|
#======================#
|
|
|
|
# Treat 401/403 responses as OAuth requirement when no oauth metadata found
|
|
# MCP_OAUTH_ON_AUTH_ERROR=true
|
|
|
|
# Timeout for OAuth detection requests in milliseconds
|
|
# MCP_OAUTH_DETECTION_TIMEOUT=5000
|
|
|
|
# Cache connection status checks for this many milliseconds to avoid expensive verification
|
|
# MCP_CONNECTION_CHECK_TTL=60000
|
|
|
|
# Max bytes allowed in a non-GET streamable HTTP MCP response before rejecting it.
|
|
# Set to 0 to disable. Default: 16777216 (16 MiB)
|
|
# MCP_STREAMABLE_HTTP_MAX_RESPONSE_BYTES=16777216
|
|
|
|
# Max bytes allowed in a single SSE line for non-GET streamable HTTP MCP responses.
|
|
# Set to 0 to disable. Default: 5242880 (5 MiB)
|
|
# MCP_STREAMABLE_HTTP_MAX_LINE_BYTES=5242880
|
|
|
|
# Skip code challenge method validation (e.g., for AWS Cognito that supports S256 but doesn't advertise it)
|
|
# When set to true, forces S256 code challenge even if not advertised in .well-known/openid-configuration
|
|
# MCP_SKIP_CODE_CHALLENGE_CHECK=false
|
|
|
|
# Circuit breaker: max connect/disconnect cycles before tripping (per server)
|
|
# MCP_CB_MAX_CYCLES=7
|
|
|
|
# Circuit breaker: sliding window (ms) for counting cycles
|
|
# MCP_CB_CYCLE_WINDOW_MS=45000
|
|
|
|
# Circuit breaker: cooldown (ms) after the cycle breaker trips
|
|
# MCP_CB_CYCLE_COOLDOWN_MS=15000
|
|
|
|
# Circuit breaker: max consecutive failed connection rounds before backoff
|
|
# MCP_CB_MAX_FAILED_ROUNDS=3
|
|
|
|
# Circuit breaker: sliding window (ms) for counting failed rounds
|
|
# MCP_CB_FAILED_WINDOW_MS=120000
|
|
|
|
# Circuit breaker: base backoff (ms) after failed round threshold is reached
|
|
# MCP_CB_BASE_BACKOFF_MS=30000
|
|
|
|
# Circuit breaker: max backoff cap (ms) for exponential backoff
|
|
# MCP_CB_MAX_BACKOFF_MS=300000
|