Environment variables
Reference the required local and deployment configuration for the workspace, API service, and secure runner.
This page lists the primary environment variables. Cloudflare bindings such as database access, KV, R2, service bindings, and runtime resources remain in each app's Wrangler configuration.
Web
| Variable | Purpose |
|---|---|
| VITE_BRAIN_BASE_URL | API service HTTP origin |
| VITE_MUSCLE_BASE_URL | Secure runner HTTP origin |
| VITE_MUSCLE_WS_URL | Secure runner WebSocket origin |
Deploy builds fail when these are missing.
API service
| Variable | Purpose |
|---|---|
| GITHUB_CLIENT_ID | Public GitHub OAuth application identifier |
| GITHUB_CLIENT_SECRET | GitHub OAuth secret |
| GITHUB_REDIRECT_URI | GitHub OAuth callback URL |
| FRONTEND_URL | Post-authentication agents URL |
| PRIVATE_ALPHA_ACCESS_MODE | `open` locally or `allowlist` for gated production access |
| PRIVATE_ALPHA_GITHUB_LOGINS | Comma-separated approved GitHub logins |
| PRIVATE_ALPHA_WAITLIST_URL | Redirect for unapproved OAuth identities |
| SESSION_SECRET | Session signing material |
| GITHUB_TOKEN_ENCRYPTION_KEY | GitHub token encryption material |
| BYOK_CREDENTIAL_ENCRYPTION_KEY | Active provider credential encryption key |
| BYOK_CREDENTIAL_ENCRYPTION_KEY_VERSION | Active encryption key version |
| MUSCLE_BASE_URL | Local secure runner URL |
| CORS_ALLOWED_ORIGINS | Explicit comma-separated browser origins |
| DATABASE_MIGRATIONS_MODE | `manual` or `auto`; defaults to `manual` |
The API service also defines launch rate and concurrency limits. Keep production values in environment-specific Wrangler configuration.
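A fail-closed startup check for the API service variables in the table above, as an added example (not the project's own code). The function names and the specific rules, such as which variables are treated as required and the rejection of wildcard or path-bearing CORS entries, are assumptions for illustration.

```javascript
// Added example: validate the API service environment before serving requests.
// Which variables are required and how strict the checks are is an assumption.
const REQUIRED_SECRETS = [
  "GITHUB_CLIENT_SECRET", "SESSION_SECRET", "GITHUB_TOKEN_ENCRYPTION_KEY",
  "BYOK_CREDENTIAL_ENCRYPTION_KEY", "BYOK_CREDENTIAL_ENCRYPTION_KEY_VERSION",
];

// Split a comma-separated value into trimmed, non-empty entries.
function splitList(value) {
  return (value ?? "").split(",").map((s) => s.trim()).filter(Boolean);
}

// An explicit origin is scheme://host[:port]: no wildcard, path, or trailing slash.
function isExplicitOrigin(entry) {
  if (entry.includes("*")) return false;
  try {
    const url = new URL(entry);
    return (url.protocol === "https:" || url.protocol === "http:") && url.origin === entry;
  } catch {
    return false; // not parseable as a URL (for example the literal "null")
  }
}

// Returns { config, errors }. Error text names variables but never echoes secret values.
function validateApiEnv(env) {
  const errors = [];
  for (const name of REQUIRED_SECRETS) {
    if (!env[name]) errors.push(`${name} is missing`);
  }
  const accessMode = env.PRIVATE_ALPHA_ACCESS_MODE;
  // GitHub logins are case-insensitive, so normalise before any later comparison.
  const logins = splitList(env.PRIVATE_ALPHA_GITHUB_LOGINS).map((l) => l.toLowerCase());
  if (accessMode !== "open" && accessMode !== "allowlist") {
    errors.push("PRIVATE_ALPHA_ACCESS_MODE must be open or allowlist");
  } else if (accessMode === "allowlist" && logins.length === 0) {
    errors.push("allowlist mode requires PRIVATE_ALPHA_GITHUB_LOGINS");
  }
  const origins = splitList(env.CORS_ALLOWED_ORIGINS);
  for (const bad of origins.filter((o) => !isExplicitOrigin(o))) {
    errors.push(`CORS_ALLOWED_ORIGINS entry is not an explicit origin: ${bad}`);
  }
  const migrationsMode = env.DATABASE_MIGRATIONS_MODE ?? "manual";
  if (migrationsMode !== "manual" && migrationsMode !== "auto") {
    errors.push("DATABASE_MIGRATIONS_MODE must be manual or auto");
  }
  return { config: { accessMode, logins, origins, migrationsMode }, errors };
}
```

A caller would refuse to start, or return an error for every request, whenever `errors` is non-empty.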
Secure runner
| Variable | Purpose |
|---|---|
| CORS_ALLOWED_ORIGINS | Explicit browser origins |
| CORS_ALLOW_DEV_ORIGINS | Allow localhost development origins |
| LAUNCH_RATE_LIMIT_REQUIRED | Require the launch limiter |
| LAUNCH_EMERGENCY_SHUTOFF_MODE | Operational run shutoff mode |
| INTERNAL_RUNTIME_EVENT_SECRET | Authenticates runtime-event ingestion |
Secret handling
Store local secrets in ignored `.dev.vars` files and production secrets with `wrangler secret put`. Do not place secrets in `vars`, committed `.env` files, logs, screenshots, docs examples, or CI command output.
Encryption-key rotation supports an active key and an explicitly configured previous key. Keep the previous key only for the bounded rotation window required to decrypt existing records.