forked from bigwolfeman/Document-MCP
.env.example
# Template for the environment variables this project reads. Every credential below is a
# placeholder, not a working value.
# NOTE(review): presumably meant to be copied to a local .env file — keep the filled-in copy
# out of version control and never put real secrets into this example file.
# Keep comments on their own lines: some dotenv parsers treat trailing text as part of the value.
# JWT authentication
# Replace the placeholder with a long random value generated per deployment, for example:
#   openssl rand -hex 32
# NOTE(review): if tokens are signed with this key (confirm in the auth code), anyone who
# knows it can mint valid tokens, so a deployment that keeps the published placeholder
# should be treated as unauthenticated.
JWT_SECRET_KEY=your-secret-key-here
# GitHub OAuth
# Client ID and client secret of the GitHub OAuth app. The secret is a credential: rotate it
# if it is ever committed, logged, or shared.
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
# Base URL (for widget asset URLs, production deployment)
# The example value is plain HTTP on localhost.
# NOTE(review): a deployed instance presumably needs its public https:// origin here —
# confirm how the URL is used before relying on it.
BASE_URL=http://localhost:8000
# Vault storage
# NOTE(review): relative path, presumably resolved against the process working directory and
# holding user vault data — confirm, and restrict filesystem permissions on the directory.
VAULT_BASE_PATH=./data/vaults
# ElevenLabs TTS integration
# ELEVENLABS_API_KEY is a credential for a third-party service; handle it like the secrets above.
ELEVENLABS_API_KEY=your-elevenlabs-api-key
ELEVENLABS_VOICE_ID=your-elevenlabs-voice-id
ELEVENLABS_MODEL=eleven_multilingual_v2
# ⚠️ SECURITY WARNING - MCP AUTHENTICATION BYPASS ⚠️
# ENABLE_NOAUTH_MCP is EXTREMELY DANGEROUS and should NEVER be enabled in production!
#
# When enabled (true), this setting:
# - Bypasses ALL authentication for MCP endpoints
# - Allows ANYONE to access, modify, and delete user data
# - Allows ANYONE to consume paid API resources (Oracle/RAG/TTS)
# - Exposes sensitive information without any access control
#
# This setting exists ONLY for isolated development/testing environments where:
# - The server is NOT exposed to any network (localhost only)
#   (a loopback-only bind still leaves the endpoints open to other users and processes
#   on the same host, which is why the next condition matters)
# - You are the ONLY user accessing the system
# - You understand the security implications
#
# PRODUCTION DEPLOYMENT CHECKLIST:
# ✓ Ensure this is set to "false" (or unset, which defaults to false)
# ✓ Verify JWT_SECRET_KEY is set to a strong, random secret
# ✓ Never expose unauthenticated endpoints to the internet
# ✓ Use proper OAuth/JWT authentication for all users
# ✓ Recommended: have the deploy pipeline or a startup check reject a configuration
#   where this is enabled outside a development environment
#
# NOTE(review): which spellings the application treats as "true" is not shown in this file —
# write the value exactly as on the line below (lowercase, unquoted) and confirm the parsing
# in the settings code.
# Default: false (KEEP IT THIS WAY IN PRODUCTION!)
ENABLE_NOAUTH_MCP=false