# Specify your API Key selection method, currently supporting `random` and `turn`. # API_KEY_SELECT_MODE=random # ####################################### # ########## Security Settings ########### # ####################################### # Control Content Security Policy headers # Set to '1' to enable X-Frame-Options and Content-Security-Policy headers # Default is '0' (enabled) # ENABLED_CSP=1 # SSRF Protection Settings # Set to '1' to allow connections to private IP addresses (disable SSRF protection) # WARNING: Only enable this in trusted environments # Default is '0' (SSRF protection enabled) # SSRF_ALLOW_PRIVATE_IP_ADDRESS=0 # Whitelist of allowed private IP addresses (comma-separated) # Only takes effect when SSRF_ALLOW_PRIVATE_IP_ADDRESS is '0' # Example: Allow specific internal servers while keeping SSRF protection # SSRF_ALLOW_IP_ADDRESS_LIST=192.168.1.100,10.0.0.50 # ####################################### # ########### Redis Settings ############ # ####################################### # Connection string for self-hosted Redis (Docker/K8s/managed). Use container hostname when running via docker-compose. # REDIS_URL=redis://localhost:6379 # Optional database index. # REDIS_DATABASE=0 # Optional authentication for managed Redis. # REDIS_USERNAME=default # REDIS_PASSWORD=yourpassword # Set to '1' to enforce TLS when connecting to managed Redis or rediss:// endpoints. # REDIS_TLS=0 # Namespace prefix for cache/queue keys. # REDIS_PREFIX=lobechat # ####################################### # ######### AI Provider Service ######### # ####################################### # ## OpenAI ### # you openai api key OPENAI_API_KEY=sk-xxxxxxxxx # use a proxy to connect to the OpenAI API # OPENAI_PROXY_URL=https://api.openai.com/v1 # add your custom model name, multi model separate by comma. for example gpt-3.5-1106,gpt-4-1106 # OPENAI_MODEL_LIST=gpt-3.5-turbo # ## Azure OpenAI ### # you can learn azure OpenAI Service on https://learn.microsoft.com/en-us/azure/ai-services/openai/overview # use Azure OpenAI Service by uncomment the following line # The API key you applied for on the Azure OpenAI account page, which can be found in the "Keys and Endpoints" section. # AZURE_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # The endpoint you applied for on the Azure OpenAI account page, which can be found in the "Keys and Endpoints" section. # AZURE_ENDPOINT=https://docs-test-001.openai.azure.com # Azure's API version, follows the YYYY-MM-DD format # AZURE_API_VERSION=2024-10-21 # ## Anthropic Service #### # ANTHROPIC_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # use a proxy to connect to the Anthropic API # ANTHROPIC_PROXY_URL=https://api.anthropic.com # ## Google AI #### # GOOGLE_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## AWS Bedrock ### # AWS_REGION=us-east-1 # AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxx # AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## Ollama AI #### # You can use ollama to get and run LLM locally, learn more about it via https://github.com/ollama/ollama # The local/remote ollama service url # OLLAMA_PROXY_URL=http://127.0.0.1:11434 # OLLAMA_MODEL_LIST=your_ollama_model_names # ## OpenRouter Service ### # OPENROUTER_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # OPENROUTER_MODEL_LIST=model1,model2,model3 # ## Mistral AI ### # MISTRAL_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## Perplexity Service ### # PERPLEXITY_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## Groq Service #### # GROQ_API_KEY=gsk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ### 01.AI Service #### # ZEROONE_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## TogetherAI Service ### # TOGETHERAI_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## ZhiPu AI ### # ZHIPU_API_KEY=xxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxx # ## Moonshot AI #### # MOONSHOT_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## Minimax AI #### # MINIMAX_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## DeepSeek AI #### # DEEPSEEK_PROXY_URL=https://api.deepseek.com/v1 # DEEPSEEK_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## Qiniu AI #### # QINIU_PROXY_URL=https://api.qnaigc.com/v1 # QINIU_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## Qwen AI #### # QWEN_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## Cloudflare Workers AI #### # CLOUDFLARE_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # CLOUDFLARE_BASE_URL_OR_ACCOUNT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## SiliconCloud AI #### # SILICONCLOUD_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## TencentCloud AI #### # TENCENT_CLOUD_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## PPIO #### # PPIO_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## INFINI-AI ### # INFINIAI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## 302.AI ### # AI302_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## ModelScope ### # MODELSCOPE_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## AiHubMix ### # AIHUBMIX_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## BFL ### # BFL_API_KEY=bfl-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## FAL ### # FAL_API_KEY=fal-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ####################################### # ######## AI Image Settings ############ # ####################################### # Default image generation count (range: 1-20, default: 4) # AI_IMAGE_DEFAULT_IMAGE_NUM=4 # ## Nebius ### # NEBIUS_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ## NewAPI Service ### # NEWAPI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # NEWAPI_PROXY_URL=https://your-newapi-server.com # ## Vercel AI Gateway ### # VERCELAIGATEWAY_API_KEY=your_vercel_ai_gateway_api_key # ####################################### # ########### Market Service ############ # ####################################### # The LobeChat agents market index url # AGENTS_INDEX_URL=https://chat-agents.lobehub.com # ####################################### # ########### Plugin Service ############ # ####################################### # The LobeChat plugins store index url # PLUGINS_INDEX_URL=https://chat-plugins.lobehub.com # set the plugin settings # the format is `plugin-identifier:key1=value1;key2=value2`, multiple settings fields are separated by semicolons `;`, multiple plugin settings are separated by commas `,`. # PLUGIN_SETTINGS=search-engine:SERPAPI_API_KEY=xxxxx # ####################################### # ###### Doc / Changelog Service ######## # ####################################### # Use in Changelog / Document service cdn url prefix # DOC_S3_PUBLIC_DOMAIN=https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # Use in dev cdn workflow # DOC_S3_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # DOC_S3_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ####################################### # #### S3 Object Storage Service ######## # ####################################### # S3 keys # S3_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # S3_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # Bucket name # S3_BUCKET=lobechat # Bucket request endpoint # S3_ENDPOINT=https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.r2.cloudflarestorage.com # Bucket region, such as us-west-1, generally not needed to add # but some service providers may require configuration # S3_REGION=us-west-1 # ####################################### # ########### Auth Service ############## # ####################################### # Auth Secret (use `openssl rand -base64 32` to generate) # AUTH_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # Require email verification before allowing users to sign in (default: false) # Set to '1' to force users to verify their email before signing in # AUTH_EMAIL_VERIFICATION=0 # SSO Providers Configuration (for Better-Auth) # Comma-separated list of enabled OAuth providers # Supported providers: auth0, authelia, authentik, casdoor, cloudflare-zero-trust, cognito, generic-oidc, github, google, keycloak, logto, microsoft, microsoft-entra-id, okta, zitadel # Example: AUTH_SSO_PROVIDERS=google,github,auth0,microsoft-entra-id # AUTH_SSO_PROVIDERS= # Email whitelist for registration (comma-separated) # Supports full email (user@example.com) or domain (example.com) # Leave empty to allow all emails # AUTH_ALLOWED_EMAILS=example.com,admin@other.com # Disable email/password authentication (SSO-only mode) # Set to '1' to disable email/password sign-in and registration, only allowing SSO login # AUTH_DISABLE_EMAIL_PASSWORD=0 # Google OAuth Configuration (for Better-Auth) # Get credentials from: https://console.cloud.google.com/apis/credentials # Authorized redirect URIs: # - Development: http://localhost:3210/api/auth/callback/google # - Production: https://yourdomain.com/api/auth/callback/google # GOOGLE_CLIENT_ID=xxxxx.apps.googleusercontent.com # GOOGLE_CLIENT_SECRET=GOCSPX-xxxxxxxxxxxxxxxxxxxx # GitHub OAuth Configuration (for Better-Auth) # Get credentials from: https://github.com/settings/developers # Create a new OAuth App with: # Authorized callback URL: # - Development: http://localhost:3210/api/auth/callback/github # - Production: https://yourdomain.com/api/auth/callback/github # GITHUB_CLIENT_ID=Ov23xxxxxxxxxxxxx # GITHUB_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # AWS Cognito OAuth Configuration (for Better-Auth) # Get credentials from: https://console.aws.amazon.com/cognito # Setup steps: # 1. Create a User Pool with App Client # 2. Configure Hosted UI domain # 3. Enable "Authorization code grant" OAuth flow # 4. Set OAuth scopes: openid, profile, email # Authorized callback URL: # - Development: http://localhost:3210/api/auth/callback/cognito # - Production: https://yourdomain.com/api/auth/callback/cognito # COGNITO_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxx # COGNITO_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # COGNITO_DOMAIN=your-app.auth.us-east-1.amazoncognito.com # COGNITO_REGION=us-east-1 # COGNITO_USERPOOL_ID=us-east-1_xxxxxxxxx # Microsoft OAuth Configuration (for Better-Auth) # Get credentials from: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade # Create a new App Registration in Microsoft Entra ID (Azure AD) # Authorized redirect URL: # - Development: http://localhost:3210/api/auth/callback/microsoft # - Production: https://yourdomain.com/api/auth/callback/microsoft # MICROSOFT_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # MICROSOFT_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ####################################### # ########## Email Service ############## # ####################################### # SMTP Server Configuration (required for email verification with Better-Auth) # SMTP server hostname (e.g., smtp.gmail.com, smtp.office365.com) # SMTP_HOST=smtp.example.com # SMTP server port (usually 587 for TLS, or 465 for SSL) # SMTP_PORT=587 # Use secure connection (set to 'true' for port 465, 'false' for port 587) # SMTP_SECURE=false # SMTP authentication username (usually your email address) # SMTP_USER=your-email@example.com # SMTP authentication password (use app-specific password for Gmail) # SMTP_PASS=your-password-or-app-specific-password # Sender email address (optional, defaults to SMTP_USER) # Required for AWS SES where SMTP_USER is not a valid email address # SMTP_FROM=noreply@example.com # ####################################### # ######### Server Database ############# # ####################################### # Postgres database URL # DATABASE_URL=postgres://username:password@host:port/database # use `openssl rand -base64 32` to generate a key for the encryption of the database # we use this key to encrypt the user api key and proxy url # KEY_VAULTS_SECRET=xxxxx/xxxxxxxxxxxxxx= # Specify the Embedding model and Reranker model(unImplemented) # DEFAULT_FILES_CONFIG="embedding_model=openai/embedding-text-3-small,reranker_model=cohere/rerank-english-v3.0,query_mode=full_text" # ####################################### # ######### MCP Service Config ########## # ####################################### # MCP tool call timeout (milliseconds) # MCP_TOOL_TIMEOUT=60000 # ####################################### # ######### Klavis Service ############## # ####################################### # Klavis API Key for accessing Strata hosted MCP servers # Get your API key from: https://klavis.io # IMPORTANT: This key is stored server-side only and NEVER exposed to the client # When this key is set, Klavis integration will be automatically enabled # KLAVIS_API_KEY=your_klavis_api_key_here