lobe-chat/.env.example

# Specify your API Key selection method, currently supporting `random` and `turn`.
# API_KEY_SELECT_MODE=random

# #######################################
# ########## Security Settings ###########
# #######################################

# Control Content Security Policy headers
# Set to '1' to enable X-Frame-Options and Content-Security-Policy headers
# Default is '0' (enabled)
# ENABLED_CSP=1

# SSRF Protection Settings
# Set to '1' to allow connections to private IP addresses (disable SSRF protection)
# WARNING: Only enable this in trusted environments
# Default is '0' (SSRF protection enabled)
# SSRF_ALLOW_PRIVATE_IP_ADDRESS=0

# Whitelist of allowed private IP addresses (comma-separated)
# Only takes effect when SSRF_ALLOW_PRIVATE_IP_ADDRESS is '0'
# Example: Allow specific internal servers while keeping SSRF protection
# SSRF_ALLOW_IP_ADDRESS_LIST=192.168.1.100,10.0.0.50

# #######################################
# ########### Redis Settings ############
# #######################################

# Connection string for self-hosted Redis (Docker/K8s/managed). Use container hostname when running via docker-compose.
# REDIS_URL=redis://localhost:6379

# Optional database index.
# REDIS_DATABASE=0

# Optional authentication for managed Redis.
# REDIS_USERNAME=default
# REDIS_PASSWORD=yourpassword

# Set to '1' to enforce TLS when connecting to managed Redis or rediss:// endpoints.
# REDIS_TLS=0

# Namespace prefix for cache/queue keys.
# REDIS_PREFIX=lobechat

# #######################################
# ######### AI Provider Service #########
# #######################################

# ## OpenAI ###

# you openai api key
OPENAI_API_KEY=sk-xxxxxxxxx

# use a proxy to connect to the OpenAI API
# OPENAI_PROXY_URL=https://api.openai.com/v1

# add your custom model name, multi model separate by comma. for example gpt-3.5-1106,gpt-4-1106
# OPENAI_MODEL_LIST=gpt-3.5-turbo

# ## Azure OpenAI ###

# you can learn azure OpenAI Service on https://learn.microsoft.com/en-us/azure/ai-services/openai/overview
# use Azure OpenAI Service by uncomment the following line

# The API key you applied for on the Azure OpenAI account page, which can be found in the "Keys and Endpoints" section.
# AZURE_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# The endpoint you applied for on the Azure OpenAI account page, which can be found in the "Keys and Endpoints" section.
# AZURE_ENDPOINT=https://docs-test-001.openai.azure.com

# Azure's API version, follows the YYYY-MM-DD format
# AZURE_API_VERSION=2024-10-21

# ## Anthropic Service ####

# ANTHROPIC_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# use a proxy to connect to the Anthropic API
# ANTHROPIC_PROXY_URL=https://api.anthropic.com

# Anthropic SDK client timeout in milliseconds
# ANTHROPIC_CLIENT_TIMEOUT=295000

# ## Google AI  ####

# GOOGLE_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## AWS Bedrock  ###

# AWS_REGION=us-east-1
# AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxx
# AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## Ollama AI ####

# You can use ollama to get and run LLM locally, learn more about it via https://github.com/ollama/ollama

# The local/remote ollama service url
# OLLAMA_PROXY_URL=http://127.0.0.1:11434

# OLLAMA_MODEL_LIST=your_ollama_model_names

# ## OpenRouter Service ###

# OPENROUTER_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# OPENROUTER_MODEL_LIST=model1,model2,model3

# ## Mistral AI ###

# MISTRAL_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## Perplexity Service ###

# PERPLEXITY_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## Groq Service ####

# GROQ_API_KEY=gsk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ### 01.AI Service ####

# ZEROONE_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## TogetherAI Service ###

# TOGETHERAI_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## ZhiPu AI ###

# ZHIPU_API_KEY=xxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxx

# ## Moonshot AI  ####

# MOONSHOT_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## Kimi Code Plan  ####

# KIMICODINGPLAN_PROXY_URL=https://api.kimi.com/coding
# KIMICODINGPLAN_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## Minimax AI  ####

# MINIMAX_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## DeepSeek AI  ####

# DEEPSEEK_PROXY_URL=https://api.deepseek.com/v1
# DEEPSEEK_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## Qiniu AI  ####

# QINIU_PROXY_URL=https://api.qnaigc.com/v1
# QINIU_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## Qwen AI  ####

# QWEN_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## Cloudflare Workers AI  ####

# CLOUDFLARE_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# CLOUDFLARE_BASE_URL_OR_ACCOUNT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## SiliconCloud AI  ####

# SILICONCLOUD_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## TencentCloud AI  ####

# TENCENT_CLOUD_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## PPIO ####

# PPIO_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## INFINI-AI ###

# INFINIAI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## 302.AI ###

# AI302_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## ModelScope ###

# MODELSCOPE_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## AiHubMix ###

# AIHUBMIX_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## BFL ###

# BFL_API_KEY=bfl-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## FAL ###

# FAL_API_KEY=fal-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# #######################################
# ######## AI Image Settings ############
# #######################################

# Default image generation count (range: 1-20, default: 4)
# AI_IMAGE_DEFAULT_IMAGE_NUM=4

# ## Nebius ###

# NEBIUS_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ## NewAPI Service ###

# NEWAPI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# NEWAPI_PROXY_URL=https://your-newapi-server.com

# ## Vercel AI Gateway ###

# VERCELAIGATEWAY_API_KEY=your_vercel_ai_gateway_api_key

# #######################################
# ########### Market Service ############
# #######################################

# The LobeChat agents market index url
# AGENTS_INDEX_URL=https://chat-agents.lobehub.com

# #######################################
# ######### Cloud Sandbox Service #######
# #######################################

# Sandbox provider for built-in code execution, shell, file operations, and export.
# Supported values: market, onlyboxes
# SANDBOX_PROVIDER=market

# Required when SANDBOX_PROVIDER=onlyboxes. Base URL of the Onlyboxes console API, without /api/v1.
# ONLYBOXES_BASE_URL=https://onlyboxes.example.com

# Required when SANDBOX_PROVIDER=onlyboxes. Must match Onlyboxes CONSOLE_JIT_SIGNING_KEY.
# ONLYBOXES_JIT_SIGNING_KEY=onlyboxes-jit-signing-secret

# Optional JIT token issuer. Defaults to APP_URL.
# ONLYBOXES_JIT_ISSUER=https://lobehub.example.com

# Optional JIT token TTL in seconds.
# ONLYBOXES_JIT_TTL_SEC=1800

# Optional terminal session lease in seconds for the Onlyboxes provider.
# ONLYBOXES_LEASE_TTL_SEC=900

# #######################################
# ########### Plugin Service ############
# #######################################

# The LobeChat plugins store index url
# PLUGINS_INDEX_URL=https://chat-plugins.lobehub.com

# set the plugin settings
# the format is `plugin-identifier:key1=value1;key2=value2`, multiple settings fields are separated by semicolons `;`, multiple plugin settings are separated by commas `,`.
# PLUGIN_SETTINGS=search-engine:SERPAPI_API_KEY=xxxxx

# #######################################
# ###### Doc / Changelog Service ########
# #######################################

# Use in Changelog / Document service cdn url prefix
# DOC_S3_PUBLIC_DOMAIN=https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Use in dev cdn workflow
# DOC_S3_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# DOC_S3_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# #######################################
# ### Mobile SPA S3 Workflow ############
# #######################################

# Used by `bun run workflow:mobile-spa` to build mobile SPA, upload assets to S3, and generate template
# MOBILE_S3_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# MOBILE_S3_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# MOBILE_S3_BUCKET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# MOBILE_S3_ENDPOINT=https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# MOBILE_S3_REGION=auto
# MOBILE_S3_PUBLIC_DOMAIN=https://cdn.example.com
# MOBILE_S3_KEY_PREFIX=mobile/latest  # optional, S3 key path prefix

# #######################################
# #### S3 Object Storage Service ########
# #######################################

# S3 keys
# S3_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# S3_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Bucket name
# S3_BUCKET=lobechat

# Bucket request endpoint
# S3_ENDPOINT=https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.r2.cloudflarestorage.com

# Bucket region, such as us-west-1, generally not needed to add
# but some service providers may require configuration
# S3_REGION=us-west-1

# #######################################
# ########### Auth Service ##############
# #######################################

# Auth Secret (use `openssl rand -base64 32` to generate)
# AUTH_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Require email verification before allowing users to sign in (default: false)
# Set to '1' to force users to verify their email before signing in
# AUTH_EMAIL_VERIFICATION=0

# SSO Providers Configuration (for Better-Auth)
# Comma-separated list of enabled OAuth providers
# Supported providers: auth0, authelia, authentik, casdoor, cloudflare-zero-trust, cognito, generic-oidc, github, google, keycloak, logto, microsoft, microsoft-entra-id, okta, zitadel
# Example: AUTH_SSO_PROVIDERS=google,github,auth0,microsoft-entra-id
# AUTH_SSO_PROVIDERS=

# Email whitelist for registration (comma-separated)
# Supports full email (user@example.com) or domain (example.com)
# Leave empty to allow all emails
# AUTH_ALLOWED_EMAILS=example.com,admin@other.com

# Disable email/password authentication (SSO-only mode)
# Set to '1' to disable email/password sign-in and registration, only allowing SSO login
# AUTH_DISABLE_EMAIL_PASSWORD=0

# Google OAuth Configuration (for Better-Auth)
# Get credentials from: https://console.cloud.google.com/apis/credentials
# Authorized redirect URIs:
# - Development: http://localhost:3210/api/auth/callback/google
# - Production: https://yourdomain.com/api/auth/callback/google
# GOOGLE_CLIENT_ID=xxxxx.apps.googleusercontent.com
# GOOGLE_CLIENT_SECRET=GOCSPX-xxxxxxxxxxxxxxxxxxxx

# GitHub OAuth Configuration (for Better-Auth)
# Get credentials from: https://github.com/settings/developers
# Create a new OAuth App with:
# Authorized callback URL:
# - Development: http://localhost:3210/api/auth/callback/github
# - Production: https://yourdomain.com/api/auth/callback/github
# GITHUB_CLIENT_ID=Ov23xxxxxxxxxxxxx
# GITHUB_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# AWS Cognito OAuth Configuration (for Better-Auth)
# Get credentials from: https://console.aws.amazon.com/cognito
# Setup steps:
# 1. Create a User Pool with App Client
# 2. Configure Hosted UI domain
# 3. Enable "Authorization code grant" OAuth flow
# 4. Set OAuth scopes: openid, profile, email
# Authorized callback URL:
# - Development: http://localhost:3210/api/auth/callback/cognito
# - Production: https://yourdomain.com/api/auth/callback/cognito
# COGNITO_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxx
# COGNITO_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# COGNITO_DOMAIN=your-app.auth.us-east-1.amazoncognito.com
# COGNITO_REGION=us-east-1
# COGNITO_USERPOOL_ID=us-east-1_xxxxxxxxx

# Microsoft OAuth Configuration (for Better-Auth)
# Get credentials from: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
# Create a new App Registration in Microsoft Entra ID (Azure AD)
# Authorized redirect URL:
# - Development: http://localhost:3210/api/auth/callback/microsoft
# - Production: https://yourdomain.com/api/auth/callback/microsoft
# MICROSOFT_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# MICROSOFT_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# #######################################
# ########## Email Service ##############
# #######################################

# SMTP Server Configuration (required for email verification with Better-Auth)

# SMTP server hostname (e.g., smtp.gmail.com, smtp.office365.com)
# SMTP_HOST=smtp.example.com

# SMTP server port (usually 587 for TLS, or 465 for SSL)
# SMTP_PORT=587

# Use secure connection (set to 'true' for port 465, 'false' for port 587)
# SMTP_SECURE=false

# SMTP authentication username (usually your email address)
# SMTP_USER=your-email@example.com

# SMTP authentication password (use app-specific password for Gmail)
# SMTP_PASS=your-password-or-app-specific-password

# Sender email address (optional, defaults to SMTP_USER)
# Required for AWS SES where SMTP_USER is not a valid email address
# SMTP_FROM=noreply@example.com

# #######################################
# ######### Server Database #############
# #######################################

# Postgres database URL
# DATABASE_URL=postgres://username:password@host:port/database

# Optional: server-side timeout (in milliseconds) for a single SQL statement.
# When set, Postgres aborts any statement/idle transaction exceeding it, so a stuck
# query can't block indefinitely. Leave unset to keep Postgres' default of no timeout.
# DATABASE_STATEMENT_TIMEOUT=300000

# use `openssl rand -base64 32` to generate a key for the encryption of the database
# we use this key to encrypt the user api key and proxy url
# KEY_VAULTS_SECRET=xxxxx/xxxxxxxxxxxxxx=

# Specify the Embedding model and Reranker model(unImplemented)
# DEFAULT_FILES_CONFIG="embedding_model=openai/embedding-text-3-small,reranker_model=cohere/rerank-english-v3.0,query_mode=full_text"

# Embedding batch size for processing (default: 50)
# EMBEDDING_BATCH_SIZE=50

# Embedding concurrency for parallel processing (default: 10)
# EMBEDDING_CONCURRENCY=10

# #######################################
# ######### MCP Service Config ##########
# #######################################

# MCP tool call timeout (milliseconds)
# MCP_TOOL_TIMEOUT=60000

# #######################################
# ######### Klavis Service ##############
# #######################################

# Klavis API Key for accessing Strata hosted MCP servers
# Get your API key from: https://klavis.io
# IMPORTANT: This key is stored server-side only and NEVER exposed to the client
# When this key is set, Klavis integration will be automatically enabled
# KLAVIS_API_KEY=your_klavis_api_key_here

# #######################################
# #### Message Gateway (IM Integration) ##
# #######################################

# External message-gateway for unified IM platform connection management.
# Set ENABLED=1 to activate. To migrate away, remove ENABLED first (keep URL/TOKEN)
# so LobeHub can automatically disconnect leftover gateway connections.
# MESSAGE_GATEWAY_ENABLED=1
# MESSAGE_GATEWAY_URL=https://message-gateway.lobehub.com
# MESSAGE_GATEWAY_SERVICE_TOKEN=your_service_token_here

# #######################################
# ########### Messenger Bot #############
# #######################################

# LobeHub-operated bots that users link their account to once and then chat
# with any of their agents from. Credentials (Telegram / Slack / Discord) are
# now managed in dc-center → Agent → System Bots and stored in the
# `system_bot_providers` table. See docs/development/messenger/managed-by-dc-center.md.
#
# Webhook URLs are registered against APP_URL:
#   Telegram: <APP_URL>/api/agent/messenger/webhooks/telegram
#   Slack:    <APP_URL>/api/agent/messenger/webhooks/slack
#   Discord:  <APP_URL>/api/agent/messenger/webhooks/discord
#
# For local dev with bot platforms, point APP_URL at your tunnel
# (ngrok / cloudflared) so platforms can reach your machine.

# Verify-im link token TTL in seconds (default 1800 = 30 min)
# LOBE_LINK_TOKEN_TTL_SECONDS=1800