Environment Variables
All environment variables across TAP components. On managed hosting, environment variables are configured in the dashboard. These are only needed for self-hosted deployments.
Proxy (Required)
| Variable | Description |
|---|---|
| AGENTSEC_ENCRYPTION_KEY | 64 hex chars (32 bytes). Used for HMAC-SHA256 agent key hashing and AES-256-GCM credential encryption. Generate with openssl rand -hex 32 |
| TELEGRAM_BOT_TOKEN | Telegram bot token from @BotFather |
Proxy (Optional)
| Variable | Default | Description |
|---|---|---|
| TELEGRAM_CHAT_ID | | Default Telegram chat ID for approval messages. Teams can configure their own via the admin API |
| AGENTSEC_DB_PATH | ./agentsec.db | Path to the SQLite database |
| AGENTSEC_AUDIT_LOG | ./audit.jsonl | Path to the audit log file |
| AGENTSEC_LISTEN_ADDR | 0.0.0.0:3100 | Listen address |
| AGENTSEC_FORWARD_TIMEOUT_SECS | 30 | Timeout for upstream API requests (seconds) |
| AGENTSEC_APPROVAL_TIMEOUT_SECS | 300 | Timeout waiting for human approval (seconds) |
| AGENTSEC_CACHE_TTL_SECS | 30 | Cache TTL for DB lookups (seconds) |
Stripe Billing (Managed Hosting)
Required only if you are running managed hosting with Stripe subscriptions. Not needed for self-hosted deployments.
| Variable | Description |
|---|---|
| STRIPE_SECRET_KEY | Stripe secret API key (starts with sk_live_ or sk_test_) |
| STRIPE_WEBHOOK_SECRET | Webhook signing secret from the Stripe Dashboard (starts with whsec_) |
| STRIPE_PRICE_STARTER | Stripe Price ID for the Starter tier (starts with price_) |
| STRIPE_PRICE_PRO | Stripe Price ID for the Pro tier (starts with price_) |
| AGENTSEC_BASE_URL | Base URL for Stripe redirect URLs (default: https://toolsec.org) |
WebAuthn (Optional)
For passkey-based approval (Face ID, fingerprint, YubiKey):
| Variable | Description |
|---|---|
| WEBAUTHN_RP_ID | Relying party ID (e.g., toolsec.org) |
| WEBAUTHN_RP_ORIGIN | Relying party origin (e.g., https://proxy.toolsec.org) |
| WEBAUTHN_BASE_URL | Base URL for WebAuthn endpoints |
OAuth 1.0a Signer (Per-Credential)
| Variable | Description |
|---|---|
| OAUTH_CRED_{NAME}_CONSUMER_KEY | OAuth consumer key |
| OAUTH_CRED_{NAME}_CONSUMER_SECRET | OAuth consumer secret |
| OAUTH_CRED_{NAME}_ACCESS_TOKEN | OAuth access token |
| OAUTH_CRED_{NAME}_ACCESS_TOKEN_SECRET | OAuth access token secret |
Example: Credential twitter uses OAUTH_CRED_TWITTER_CONSUMER_KEY, etc.
The signer auto-discovers credentials by scanning for OAUTH_CRED_*_CONSUMER_KEY env vars at startup.
OAuth 1.0a Signer (Optional)
| Variable | Default | Description |
|---|---|---|
| OAUTH_SIGNER_PORT | 8080 | Signer listen port |
Naming Convention
For AGENTSEC_CRED_* environment variables (used during migration from env-based setup):
- Take the credential name (e.g., twitter-holonym)
- Convert to uppercase (TWITTER-HOLONYM)
- Replace hyphens with underscores (TWITTER_HOLONYM)
- Prepend the prefix (AGENTSEC_CRED_TWITTER_HOLONYM)
Note: In the current multi-tenant architecture, credential values are stored encrypted in the SQLite database via the admin API. The AGENTSEC_CRED_* env var pattern is only relevant for the CLI add command in self-hosted setups.
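The following is an added example (not part of the project's code) that applies the naming convention above, checks AGENTSEC_ENCRYPTION_KEY for the documented 64-hex-char shape, and mirrors the signer's startup scan for OAUTH_CRED_*_CONSUMER_KEY variables. The sample environment is constructed with placeholder values; flagging a credential whose other three variables are missing is an added pre-flight check, not documented signer behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample environment; variable names follow the tables above,
# values are placeholders. MASTODON deliberately has only a consumer key.
SAMPLE_ENV = {
    "AGENTSEC_ENCRYPTION_KEY": "ab" * 32,  # 64 hex chars = 32 bytes
    "OAUTH_CRED_TWITTER_CONSUMER_KEY": "ck-placeholder",
    "OAUTH_CRED_TWITTER_CONSUMER_SECRET": "cs-placeholder",
    "OAUTH_CRED_TWITTER_ACCESS_TOKEN": "at-placeholder",
    "OAUTH_CRED_TWITTER_ACCESS_TOKEN_SECRET": "ats-placeholder",
    "OAUTH_CRED_MASTODON_CONSUMER_KEY": "ck-placeholder",
}

OAUTH_SUFFIXES = ("CONSUMER_KEY", "CONSUMER_SECRET",
                  "ACCESS_TOKEN", "ACCESS_TOKEN_SECRET")


def cred_env_name(name: str, prefix: str = "AGENTSEC_CRED_") -> str:
    """Naming convention: uppercase, hyphens -> underscores, prepend prefix."""
    return prefix + name.upper().replace("-", "_")


def validate_encryption_key(value: Optional[str]) -> bool:
    """AGENTSEC_ENCRYPTION_KEY must be exactly 64 hex characters (32 bytes)."""
    return value is not None and re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def discover_oauth_creds(env: Dict[str, str]) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Scan for OAUTH_CRED_*_CONSUMER_KEY (as the signer does at startup) and
    gather the four variables per credential name.
    Returns (complete credentials, names with a missing variable)."""
    pattern = re.compile(r"^OAUTH_CRED_(.+)_CONSUMER_KEY$")
    complete: Dict[str, Dict[str, str]] = {}
    incomplete: List[str] = []
    for var in sorted(env):
        match = pattern.match(var)
        if not match:
            continue
        name = match.group(1)
        values = {s: env.get(f"OAUTH_CRED_{name}_{s}") for s in OAUTH_SUFFIXES}
        if all(values.values()):
            complete[name] = values  # type: ignore[assignment]
        else:
            incomplete.append(name)
    return complete, incomplete


if __name__ == "__main__":
    print(cred_env_name("twitter-holonym"))  # AGENTSEC_CRED_TWITTER_HOLONYM
    print(validate_encryption_key(SAMPLE_ENV["AGENTSEC_ENCRYPTION_KEY"]))
    print(discover_oauth_creds(SAMPLE_ENV))
```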