- 1. Required Secrets
- 2. Storage & Database
- 3. Network & Ports
- 4. Security & Authentication
- 5. Input Sanitization & PII Protection
- 6. Tool & Routing Policies
- 7. URLs & Cloud Sync
- 8. Outbound Proxy
- 9. CLI Tool Integration
- 10. Internal Agent & MCP Integrations
- 11. OAuth Provider Credentials
- 12. Provider User-Agent Overrides
- 13. CLI Fingerprint Compatibility
- 14. API Key Providers
- 15. Timeout Settings
- 16. Logging
- 17. Memory Optimization
- 18. Pricing Sync
- 19. Model Sync (Dev)
- 20. Provider-Specific Settings
- 21. Proxy Health
- 22. Debugging
- 23. GitHub Integration
- Deployment Scenarios
- Audit: Removed / Dead Variables
## 1. Required Secrets

These secrets must be set before the first run. Without them, the application will either refuse to start or operate with insecure defaults.

| Variable | Required | Default | Notes |
|---|---|---|---|
| `JWT_SECRET` | Yes | (none) | |
| `API_KEY_SECRET` | Yes | (none) | |
| `INITIAL_PASSWORD` | Yes | | Change before first use. After login, change it via Dashboard → Settings → Security. |

```bash
# Generate all three secrets at once:
echo "JWT_SECRET=$(openssl rand -base64 48)"
echo "API_KEY_SECRET=$(openssl rand -hex 32)"
echo "INITIAL_PASSWORD=$(openssl rand -base64 16)"
```

Never commit `.env` files with real secrets to version control. The default `.gitignore` already excludes `.env`, but verify before pushing.
## 2. Storage & Database

OmniRoute uses SQLite for all persistence. These variables control data location, encryption, and lifecycle.

- `DATA_DIR`: directory that holds the SQLite database. The Docker scenario below uses `/data`.
- `STORAGE_ENCRYPTION_KEY` (empty = disabled): enables encryption at rest. Keep backups of the key; losing it means losing the data.
- Legacy aliases for the encryption key are accepted as a fallback when the primary variable is absent: a plain form, and a Base64-encoded form that is decoded automatically before use.
- A separate flag, when set, skips the automatic database backup that runs before migrations on every startup. Leave it unset unless you have your own backup in place.

| Scenario | Setup |
|---|---|
| Local development | Default settings. |
| Docker | `DATA_DIR=/data` + mount a volume at `/data`. |
| Encrypted at rest | `STORAGE_ENCRYPTION_KEY=<generated>` + keep backups of the key! Losing it = losing data. |
| CI/Testing | Ephemeral storage, no encryption needed. |
## 3. Network & Ports

- `PORT`: main listening port; the deployment scenarios below use `20128`.
- `API_PORT` (unset): when set, the proxy API is served on this separate port.
- Wrapper flag (unset): adjusts behaviour when running inside Electron or other wrappers.
## 4. Security & Authentication

- `AUTH_COOKIE_SECURE`: sets the `Secure` flag on session cookies. Must be `true` when running behind HTTPS, otherwise the session cookie is sent over plain HTTP as well.
- `REQUIRE_API_KEY`: when `true`, all proxy requests must include a valid API key.
- `ALLOW_API_KEY_REVEAL`: keep `false` so that API keys are never exposed in the UI.
- `MAX_BODY_SIZE_BYTES`: maximum accepted request body. Default 10485760 (10 MB).
- `CORS_ORIGIN`: allowed CORS origin. Restrict it to your frontend origin for production.

```bash
# Production security minimum:
AUTH_COOKIE_SECURE=true      # Requires HTTPS
REQUIRE_API_KEY=true         # Authenticate all proxy calls
ALLOW_API_KEY_REVEAL=false   # Never expose keys in UI
CORS_ORIGIN=https://your.domain.com
MAX_BODY_SIZE_BYTES=5242880  # 5 MB limit
```
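The two settings blocks above (the required secrets and the production security minimum) are easy to get wrong in a `.env` that was copied from a local-development or CI scenario. The script below is an added example, not part of OmniRoute: it reads a `.env` file and reports secrets that are missing, too short or obvious placeholders, and, when `NODE_ENV=production`, the hardening settings that are absent or weakened. The variable names are the ones documented on this page; the 32-character minimum, the placeholder-password list and the `https://` requirement on `NEXT_PUBLIC_BASE_URL` are assumptions.

```bash
#!/usr/bin/env bash
# preflight_env.sh: lint an OmniRoute .env before the first production start.
# Added example, not part of OmniRoute. Variable names are the ones documented
# on this page; the length threshold and placeholder list are assumptions.

# env_get FILE KEY: print KEY's value (first match) from a KEY=value file,
# stripping a trailing " # comment" and surrounding single or double quotes.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | head -n 1 \
    | sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
}

# fail MSG: print one finding and bump the caller's $fails counter.
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# lint_env FILE: print one FAIL line per problem; return 0 only when clean.
lint_env() {
  f=$1; fails=0

  # 1. Required secrets (section 1): present, long enough, not a placeholder.
  for key in JWT_SECRET API_KEY_SECRET INITIAL_PASSWORD; do
    [ -n "$(env_get "$f" "$key")" ] || fail "$key is not set"
  done
  for key in JWT_SECRET API_KEY_SECRET; do
    v=$(env_get "$f" "$key")
    if [ -n "$v" ] && [ "${#v}" -lt 32 ]; then
      fail "$key is only ${#v} chars; generate it with openssl rand"
    fi
    case "$v" in
      *test-*|*-for-ci*) fail "$key looks like a CI placeholder" ;;
    esac
  done
  case "$(env_get "$f" INITIAL_PASSWORD)" in
    dev123|testpass|changeme|password|admin)   # assumed placeholder list
      fail "INITIAL_PASSWORD is a well-known placeholder; change it before first use" ;;
  esac

  # 2. Production security minimum (section 4), only when NODE_ENV=production.
  if [ "$(env_get "$f" NODE_ENV)" = production ]; then
    [ "$(env_get "$f" AUTH_COOKIE_SECURE)" = true ] \
      || fail "AUTH_COOKIE_SECURE must be true behind HTTPS"
    [ "$(env_get "$f" REQUIRE_API_KEY)" = true ] \
      || fail "REQUIRE_API_KEY must be true so every proxy call is authenticated"
    [ "$(env_get "$f" ALLOW_API_KEY_REVEAL)" != true ] \
      || fail "ALLOW_API_KEY_REVEAL=true exposes keys in the UI"
    case "$(env_get "$f" CORS_ORIGIN)" in
      ""|\*) fail "CORS_ORIGIN must be restricted to your frontend origin" ;;
    esac
    case "$(env_get "$f" NEXT_PUBLIC_BASE_URL)" in
      https://*) ;;
      *) fail "NEXT_PUBLIC_BASE_URL must be the public https:// URL (OAuth redirect_uri)" ;;
    esac
    v=$(env_get "$f" MAX_BODY_SIZE_BYTES)
    if [ -n "$v" ] && ! echo "$v" | grep -Eq '^[0-9]+$'; then
      fail "MAX_BODY_SIZE_BYTES must be an integer number of bytes"
    fi
  fi

  [ "$fails" -eq 0 ]
}
```

Source the file and run `lint_env .env` as a pre-start step (for example in a container entrypoint, aborting on a non-zero exit). The production checks are keyed on `NODE_ENV` so the same script can lint a local-development `.env` without complaining about missing HTTPS.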
## 5. Input Sanitization & PII Protection

- Request sanitization mode: one setting only logs matches, one rejects the request with HTTP 400, and one strips suspicious patterns before forwarding.
- An alias variable (unset by default) is accepted for the same setting with identical behaviour.
- Response PII handling mode: one setting masks PII, one only logs it, and one drops the entire response.

Recommended profiles:

| Scenario | Settings |
|---|---|
| Enterprise compliance | All four sanitization and PII settings enabled. |
| Monitoring only | Log-only modes: logs but never blocks. |
| Personal use | |
## 6. Tool & Routing Policies

- Tool policy mode: allow only the listed tools, allow everything except the listed tools, or apply no restrictions.
- Tool list (empty by default) that the policy mode is applied to.
## 7. URLs & Cloud Sync

- `NEXT_PUBLIC_BASE_URL`: must match your public URL when running behind a reverse proxy (e.g., `https://omniroute.example.com`). Without it, OAuth callbacks fail because the `redirect_uri` sent to the provider will not match the one registered.
- `BASE_URL`: internal base URL; the deployment scenarios below point it at the local listener, e.g. `http://127.0.0.1:20128`.
- Cloud sync settings are unset by default.
## 8. Outbound Proxy

All outbound proxy settings are unset by default.

| Scenario | Setup |
|---|---|
| SOCKS5 through SSH tunnel | Point the proxy URL at the local SOCKS5 port opened by `ssh -D`. |
| Corporate HTTP proxy | Set the HTTP proxy URL and, if required, its credentials. |
| Anti-fingerprint | `ENABLE_TLS_FINGERPRINT=true` → requires an additional dependency (included). |
## 9. CLI Tool Integration

- Binary lookup mode: either search the system `PATH` or use explicit paths only.
- `CLI_EXTRA_PATHS` (unset): additional directories searched for CLI binaries.
- `CLI_CONFIG_HOME` (unset): home directory whose CLI configuration is used.
- `CLI_ALLOW_CONFIG_WRITES`: allow OmniRoute to write to the CLI configuration files.
- `CLI_CLAUDE_BIN`: explicit path to the `claude` binary.

Docker example:

```bash
# Mount host binaries into the container and tell OmniRoute where they are:
CLI_EXTRA_PATHS=/host-cli/bin
CLI_CONFIG_HOME=/root
CLI_ALLOW_CONFIG_WRITES=true
CLI_CLAUDE_BIN=/host-cli/bin/claude
```
## 10. Internal Agent & MCP Integrations

- Integration selection: defaults to `(all)`; otherwise a list of the ten supported integration names.
- Setup-wizard flag: set by the bootstrap script after initial setup; controls setup wizard visibility.
## 11. OAuth Provider Credentials

The provider credential variables are unset by default; the bundled OAuth credentials are for localhost development only. For remote deployments, register your own at each provider's developer console.

Google OAuth (Antigravity, Gemini CLI) credentials only work on localhost. For remote servers, create your own client under Google Cloud Console → Credentials and set the corresponding provider credential variables to your own values.
## 12. Provider User-Agent Overrides

Overrides the `User-Agent` header sent to each upstream provider. The value is resolved dynamically at runtime by the executor base class.

## 14. API Key Providers

API keys can also be supplied through environment variables for any provider using a per-provider naming pattern; the executor constructs the env var name dynamically. Preferred setup: Dashboard → Providers → Add API Key.
## 15. Timeout Settings

All timeout values are in milliseconds; their resolution is centralized in a single module. Unset values fall back to the built-in defaults. One of the settings applies to bridge requests.

| Scenario | Suggested value |
|---|---|
| Long-running code generation | 900000 (15 min) |
| Fast-fail for production API | |
| Extended thinking models | 300000 (5 min between chunks) |
## 16. Logging

- Log level: one of four levels.
- Log format: human-readable or structured.
- `APP_LOG_TO_FILE`: write logs to a file (the CI scenario below disables it).
- Size limits accept a unit suffix or plain bytes.
- Two retention settings cap the number of rows kept in the corresponding SQLite table before pruning.
## 17. Memory Optimization

- `OMNIROUTE_MEMORY_MB`: memory budget. Default: the Docker image's value, otherwise the system default.
- `PROMPT_CACHE_MAX_SIZE` / `PROMPT_CACHE_MAX_BYTES`: prompt cache entry count and byte cap (default 2 MB); TTL defaults to 5 min.
- `SEMANTIC_CACHE_MAX_SIZE` / `SEMANTIC_CACHE_MAX_BYTES`: semantic cache entry count and byte cap (default 4 MB); TTL defaults to 30 min.
- `STREAM_HISTORY_MAX`: number of stream history entries retained.
- A setting that accepts values without a hash. Use only in controlled local development.

Low-memory profile:

```bash
OMNIROUTE_MEMORY_MB=128
PROMPT_CACHE_MAX_SIZE=20
PROMPT_CACHE_MAX_BYTES=524288     # 512 KB
SEMANTIC_CACHE_MAX_SIZE=25
SEMANTIC_CACHE_MAX_BYTES=1048576  # 1 MB
STREAM_HISTORY_MAX=10
```
## 18. Pricing Sync

- Pricing sync interval: default 24h.

## 19. Model Sync (Dev)

- Development-only model sync; unset by default.
## 20. Provider-Specific Settings

- Path to a provider CLI binary.
- A refresh interval with a 5 min default.
- Claude Code relay mode (empty by default): only for third-party relays that accept Claude Code clients exclusively. OmniRoute rewrites requests so those relays accept them. If you only want to use the Claude Code CLI, or you are not sure what these relays are, keep this disabled and add a regular Anthropic-compatible provider instead.
## 22. Debugging

Debug flags produce verbose output and may leak sensitive data. Never enable them in production.

- Cursor protobuf debug (unset): set to dump Cursor protobuf decode/encode details.
- Cursor SSE debug (unset): set to dump raw Cursor SSE stream data.
- Responses API debug (unset): set to log Responses API SSE→JSON translation details.
- E2E test mode (unset): set to enable E2E test mode (relaxed auth, test hooks). Never set this on an internet-facing instance.
## 23. GitHub Integration

- Unset by default; the value must follow the expected format.
- Unset by default; sets the scope.
## Deployment Scenarios

Local development (`dev123` is a placeholder password for local use only):

```bash
JWT_SECRET=$(openssl rand -base64 48)
API_KEY_SECRET=$(openssl rand -hex 32)
INITIAL_PASSWORD=dev123
PORT=20128
NODE_ENV=development
```

Docker (production, behind a reverse proxy):

```bash
JWT_SECRET=<generated>
API_KEY_SECRET=<generated>
INITIAL_PASSWORD=<generated>
STORAGE_ENCRYPTION_KEY=<generated>
DATA_DIR=/data
PORT=20128
API_PORT=20129
NODE_ENV=production
AUTH_COOKIE_SECURE=true
REQUIRE_API_KEY=true
NEXT_PUBLIC_BASE_URL=https://omniroute.example.com
BASE_URL=http://localhost:20128
OMNIROUTE_MEMORY_MB=512
CORS_ORIGIN=https://your-frontend.example.com
```

CI / testing (ephemeral, background services disabled):

```bash
JWT_SECRET=test-jwt-secret-for-ci
API_KEY_SECRET=test-api-key-secret-for-ci
INITIAL_PASSWORD=testpass
NODE_ENV=production
OMNIROUTE_DISABLE_BACKGROUND_SERVICES=true
APP_LOG_TO_FILE=false
```

Production with TLS fingerprinting and CLI compatibility enabled:

```bash
JWT_SECRET=<generated>
API_KEY_SECRET=<generated>
STORAGE_ENCRYPTION_KEY=<generated>
PORT=20128
AUTH_COOKIE_SECURE=true
REQUIRE_API_KEY=true
NEXT_PUBLIC_BASE_URL=https://omniroute.example.com
BASE_URL=http://127.0.0.1:20128
CORS_ORIGIN=https://omniroute.example.com
ENABLE_TLS_FINGERPRINT=true
CLI_COMPAT_ALL=1
```
## Audit: Removed / Dead Variables

The following variables were documented but have no runtime references in the current codebase. They have been removed:

- A Kimi Coding CLI binary path (Kimi Coding uses OAuth, not a CLI binary).