Skip to main content

Environment Variables

GenKitKraft is configured entirely through environment variables. No config files needed.

Reference Table

VariableDescriptionDefaultRequired
PORTHTTP server port8080No
DATABASE_PATHPath to SQLite database file/data/app.dbNo
ENCRYPTION_KEYSecret key for encrypting provider API keys at restYes
AUTH_CREDENTIALSComma-separated username:password pairs(unset — auth disabled)No
PUBLIC_API_KEYComma-separated API keys for deploy endpoints(unset — deploy is public)No

PORT

The port the HTTP server listens on. Both the API and the embedded UI are served on this port.

DATABASE_PATH

File path for the SQLite database. When running in Docker, ensure this path is on a persistent volume (/data by default) to prevent data loss on container recreation.

ENCRYPTION_KEY

A secret string used to encrypt LLM provider API keys before storing them in the database. The server will refuse to start if this variable is not set.

Tips:

  • Generate a strong key: openssl rand -base64 32
  • Keep it safe — if lost, existing provider configurations become unreadable
  • Changing this key requires re-creating all provider configurations

AUTH_CREDENTIALS

Controls login-based authentication. Format: username:password pairs separated by commas.

AUTH_CREDENTIALS=admin:changeme,readonly:viewer123
  • When set: all UI and API access requires authentication
  • When unset: authentication is disabled entirely
  • Also controls authentication for the MCP endpoint — when set, the MCP server requires HTTP Basic Auth with the same credentials
  • See Authentication for more details

PUBLIC_API_KEY

Controls API key authentication for the Deploy API endpoints (both stateless and stateful sessions). Format: one or more keys separated by commas.

PUBLIC_API_KEY=sk-my-secret-key
# Or multiple keys:
PUBLIC_API_KEY=sk-key-one,sk-key-two
  • When set: deploy requests must include Authorization: Bearer <key>
  • When unset: all deploy endpoints are publicly accessible (no authentication required)
  • This is separate from AUTH_CREDENTIALS — deploy API keys are for external integrations, while auth credentials protect the management UI