Configuration

Environment variables and configuration options for Skilder deployments — backend, frontend, runtime, and infrastructure.
This reference covers the environment variables for each Skilder component.
The backend runs a Fastify server with Apollo GraphQL.
| Variable | Description | Default |
| --- | --- | --- |
| `PORT` | HTTP port | 3000 |
| `PRIVATE_DGRAPH_URL` | Dgraph database endpoint (internal network) | localhost:8080 |
| `NATS_SERVERS` | NATS server address (this service's own bus connection target) | localhost:4222 |
| `PUBLIC_NATS_SERVERS` | NATS server list advertised to external runtimes | -- |
| `ENCRYPTION_KEY` | Key for encrypting secrets (API keys, OAuth tokens, MCP server configs). Required. | -- |
| `JWT_PRIVATE_KEY_PATH` | Path to Ed25519 private key for signing JWTs | -- |
| `JWT_PUBLIC_KEY_PATH` | Path to Ed25519 public key for verifying JWTs | -- |
| `JWT_ISSUER` | Issuer claim for JWT tokens | skilder-platform |
| `JWT_ACCESS_TOKEN_TTL` | Access token TTL in seconds | 900 (15 min) |
| `JWT_REFRESH_TOKEN_TTL` | Refresh token TTL in seconds | 604800 (7 days) |
| `LOG_LEVEL` | Logging verbosity: trace, debug, info, warn, error | info |
| `CORS_ORIGINS` | Allowed CORS origins (comma-separated) | http://localhost:8888,http://localhost:3000 |
| `PRIVATE_MCP_URL` | Runtime MCP endpoint reached over the internal network | http://localhost:3001/mcp |
| `PUBLIC_BACKEND_URL` | Externally-reachable backend base URL (OAuth issuer/endpoints, MCP server URLs, signed file URLs). Must never be an internal service name. Required in production. | http://localhost:3000 |
| `PUBLIC_FRONTEND_URL` | Public frontend URL (used for email links, OAuth callbacks) | http://localhost:8888 |
| `PUBLIC_MCP_URL` | Public, externally-reachable MCP URL of the runtime (RFC 8707 resource identifier advertised in OAuth metadata) | http://localhost:3001/mcp |
| `EMAIL_PROVIDER` | Email provider: log (console), brevo (EU), or resend (US) | log |
| `BREVO_API_KEY` | Brevo API key (when EMAIL_PROVIDER=brevo) | -- |
| `RESEND_API_KEY` | Resend API key (when EMAIL_PROVIDER=resend) | -- |
| `EMAIL_FROM` | Sender email (when EMAIL_PROVIDER=brevo or resend) | -- |
| `EMAIL_FROM_NAME` | Sender display name (used by Brevo) | The Skilder Team |
| `BREVO_TIMEOUT_SECONDS` | Per-request timeout for the Brevo API, in seconds | 10 |
```
PORT=3000
PRIVATE_DGRAPH_URL=localhost:8080
NATS_SERVERS=localhost:4222
ENCRYPTION_KEY=your-64-char-hex-encryption-key
JWT_PRIVATE_KEY_PATH=./keys/private.pem
JWT_PUBLIC_KEY_PATH=./keys/public.pem
JWT_ISSUER=skilder-platform
LOG_LEVEL=info
CORS_ORIGINS=https://app.yourdomain.com
PRIVATE_MCP_URL=http://localhost:3001/mcp
PUBLIC_BACKEND_URL=https://app.yourdomain.com
PUBLIC_FRONTEND_URL=https://app.yourdomain.com
EMAIL_PROVIDER=brevo
BREVO_API_KEY=xkeysib-your_api_key_here
EMAIL_FROM=noreply@mail.skilder.ai
EMAIL_FROM_NAME=The Skilder Team
```
The frontend is a React + Vite application.
| Variable | Description | Default |
| --- | --- | --- |
| `VITE_PUBLIC_BACKEND_URL` | Externally-reachable backend base URL (build-time). Full URL including scheme. | http://localhost:3000 |
| `PUBLIC_BACKEND_URL` | Backend base URL (runtime, Docker). Injected into the served HTML via `window.__ENV__`; overrides VITE_PUBLIC_BACKEND_URL. | -- |
The frontend derives HTTP and WebSocket URLs from the backend URL automatically.
```
# Build-time
VITE_PUBLIC_BACKEND_URL=https://api.yourdomain.com
# Runtime (Docker)
PUBLIC_BACKEND_URL=https://api.yourdomain.com
```
The runtime executes MCP servers and routes tool calls. Its mode is determined by which environment variables are set.
| Variable | Effect |
| --- | --- |
| `USER_KEY` | Activates MCP_STDIO mode (single agent, stdio transport) |
| `RUNTIME_KEY` or `SYSTEM_KEY` | Activates EDGE mode (NATS-connected tool executor) |
| `REMOTE_PORT` | Adds HTTP exposure (SSE + Streamable HTTP). Combined with a key = EDGE_MCP_STREAM; alone = STANDALONE_MCP_STREAM |

| Variable | Description | Default |
| --- | --- | --- |
| `NATS_SERVERS` | NATS cluster address | localhost:4222 |
| `REMOTE_PORT` | HTTP port for SSE/Streamable HTTP | -- (disabled) |
| `RUNTIME_NAME` | Human-readable name (required with SYSTEM_KEY) | -- |
| `LOG_LEVEL` | Logging verbosity | info |
| `LOG_LEVELS` | Pattern-based log levels (e.g., `mcp.*=debug,tool.*=trace`) | -- |
| `FORWARD_STDERR` | Forward child process stderr to runtime log | false |
| `HEARTBEAT_INTERVAL` | Health heartbeat interval in ms | 5000 |
| `PRIVATE_MCP_URL` | MCP endpoint (internal network) for delegate client connections | http://localhost:3001/mcp |
| `PUBLIC_MCP_URL` | This runtime's public, externally-reachable MCP URL (RFC 8707 resource identifier) | http://localhost:3001/mcp |

| Variable | Description | Default |
| --- | --- | --- |
| `SKILL_IDS` | Comma-separated skill IDs to auto-disclose | -- |
| `HAT_IDS` | Comma-separated hat IDs to auto-disclose | -- |

| Variable | Description | Default |
| --- | --- | --- |
| `SKILDER_WORKING_DIR` | Working directory for temp files and assets | /tmp/skilder |
| `SKILDER_ALLOWED_PATHS` | Colon-separated path safelist for file access | -- |
| `SKILDER_MAX_FILE_SIZE_MB` | Max file size for operations | 10 |
| `SKILDER_GC_INTERVAL_MS` | Garbage collection check interval | 60000 (1 min) |
| `SKILDER_GC_MAX_AGE_MS` | Max age for temp files before cleanup | 300000 (5 min) |
| `SKILDER_ASSET_CACHE_MAX_AGE_MS` | Asset cache TTL | 3600000 (1 hour) |

| Variable | Description | Default |
| --- | --- | --- |
| `SKILDER_ALLOWED_ORIGINS` | Allowed origins for HTTP transports | -- |
| `SKILDER_PREVENT_DNS_REBINDING` | Enable origin validation against DNS rebinding | true |
| `SKILDER_SESSION_IDLE_TIMEOUT_MS` | Session cleanup timeout | 300000 (5 min) |
```
# EDGE mode with HTTP exposure
RUNTIME_KEY=RTK_your_runtime_key
NATS_SERVERS=nats://nats.yourdomain.com:4222
REMOTE_PORT=3001
LOG_LEVEL=info
SKILDER_WORKING_DIR=/tmp/skilder
SKILDER_ALLOWED_ORIGINS=https://app.yourdomain.com
```
Deploy with at least one Zero node and one Alpha node.
| Port | Description | Default |
| --- | --- | --- |
| Alpha HTTP | Query and mutation endpoint | 8080 |
| Alpha gRPC | Internal replication | 9080 |
| Zero gRPC | Cluster coordination | 5080 |

| Variable | Description | Default |
| --- | --- | --- |
| `NATS_PORT` | Client connection port | 4222 |
| `NATS_HTTP_PORT` | HTTP monitoring port | 8222 |
| `NATS_JETSTREAM` | Enable JetStream for persistent messaging | true |
Never commit secrets to version control. Use a secrets manager or .env files.
Change the default ENCRYPTION_KEY immediately. The default key is for development only — using it in production compromises all encrypted data.
Generate a strong ENCRYPTION_KEY: 64-character hex string (32 random bytes).
Set up JWT keys: Generate an Ed25519 key pair for JWT signing. See agent_docs/key-management.md for details.
Restrict CORS_ORIGINS in production to your exact frontend domain.
Use TLS for NATS and Dgraph connections in production.
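
The backend rules above can be checked mechanically before a production deploy. The following is an added example, not part of Skilder's own code: `checkBackendEnv`, `isInternalHost` and `parseUrl` are hypothetical names, and requiring `https` origins and treating loopback or single-label hosts as internal are assumptions of this sketch.

```javascript
// Added example: production preflight for a Skilder backend environment.
// Requiring https and the "internal host" test are assumptions of this sketch.
function isInternalHost(hostname) {
  // Loopback or a single-label name such as "backend" is not externally reachable.
  return ['localhost', '127.0.0.1', '[::1]'].includes(hostname) || !hostname.includes('.');
}

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

function checkBackendEnv(env) {
  const findings = [];
  const fail = (name, msg) => findings.push(`${name}: ${msg}`);

  // ENCRYPTION_KEY: 64-character hex string (32 random bytes).
  if (!/^[0-9a-fA-F]{64}$/.test(env.ENCRYPTION_KEY || ''))
    fail('ENCRYPTION_KEY', 'must be 64 hex characters');

  // JWT signing: both Ed25519 key paths must be configured.
  for (const name of ['JWT_PRIVATE_KEY_PATH', 'JWT_PUBLIC_KEY_PATH'])
    if (!env[name]) fail(name, 'not set');

  // PUBLIC_BACKEND_URL: required in production, never an internal service name.
  const backend = parseUrl(env.PUBLIC_BACKEND_URL || '');
  if (!backend) fail('PUBLIC_BACKEND_URL', 'missing or not a full URL');
  else if (isInternalHost(backend.hostname)) fail('PUBLIC_BACKEND_URL', 'internal host');

  // CORS_ORIGINS: comma-separated exact public https origins, no wildcard.
  const origins = (env.CORS_ORIGINS || '').split(',').map((s) => s.trim()).filter(Boolean);
  if (origins.length === 0) fail('CORS_ORIGINS', 'not set, localhost defaults apply');
  for (const o of origins) {
    const u = parseUrl(o);
    if (!u || u.protocol !== 'https:' || isInternalHost(u.hostname) || u.origin !== o)
      fail('CORS_ORIGINS', `"${o}" is not an exact public https origin`);
  }

  // Email: brevo and resend each need their API key and a sender address.
  const provider = env.EMAIL_PROVIDER || 'log';
  if (provider === 'brevo' || provider === 'resend') {
    const keyVar = provider === 'brevo' ? 'BREVO_API_KEY' : 'RESEND_API_KEY';
    for (const name of [keyVar, 'EMAIL_FROM'])
      if (!env[name]) fail(name, `required when EMAIL_PROVIDER=${provider}`);
  }
  return findings;
}

// Run against the current process environment; an empty list means all checks pass.
console.log(checkBackendEnv(process.env));
```

The check only confirms that the key is well-formed hex and that the key paths are set; it does not verify that the key was generated randomly or that the PEM files exist.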