Configuration Reference

This page lists all environment variables used to configure the ReArch backend, frontend, and supporting services. Variables are grouped by function.

| Variable | Default | Description |
| --- | --- | --- |
| `MONGODB_URI` | `mongodb://localhost:27017/rearch` | MongoDB connection string. |
| `PORT` | `5000` | HTTP port the backend listens on. |
| `DATA_PATH` | `./data` | Local path for temporary file storage. |
| `LOG_LEVEL` | | Logging verbosity. |

| Variable | Default | Description |
| --- | --- | --- |
| `AUTH_MODE` | `LOCAL` | Authentication mode. One of `LOCAL`, `OAUTH`, `KEYCLOAK_FIREWALL`, or `NONE`. |
| `JWT_SECRET` | | Required. Secret key for signing JWT tokens. Use a strong random string (at least 32 characters). |
| `JWT_EXPIRY` | `24h` | JWT token lifetime. Accepts values like `1h`, `24h`, `7d`. |
| `ADMIN_EMAIL` | `admin@example.com` | Email for the bootstrap admin user. Created on first startup if no users exist. |
| `ADMIN_PASSWORD` | | Password for the bootstrap admin user. Required in `LOCAL` mode. |

| Variable | Default | Description |
| --- | --- | --- |
| `OAUTH_CLIENT_ID` | | OIDC client ID from your identity provider. |
| `OAUTH_CLIENT_SECRET` | | OIDC client secret. |
| `OAUTH_REDIRECT_URI` | | Callback URL where the provider redirects after login (e.g., `https://app.example.com/auth/callback`). |
| `OAUTH_ISSUER_URL` | | OIDC issuer URL. Used to discover the `.well-known/openid-configuration` endpoint. |

With AUTH_MODE set to NONE, no additional variables are required. All requests are granted full admin access without credentials.

| Variable | Default | Description |
| --- | --- | --- |
| `KEYCLOAK_REALM_URL` | | Full URL to the Keycloak realm (e.g., `https://auth.example.com/realms/rearch`). |
| `KEYCLOAK_CLIENT_ID` | | Backend client ID in Keycloak (confidential client). |
| `KEYCLOAK_CLIENT_SECRET` | | Backend client secret from the Keycloak admin console. |

| Variable | Default | Description |
| --- | --- | --- |
| `DOCKER_NETWORK` | | Overlay network name for container routing. Used in Swarm mode. |
| `APP_DOMAIN` | | Base domain for dynamic subdomain routing of conversation containers. |
| `FRONTEND_URL` | | Public URL of the frontend. Used for CORS and redirect configuration. |
| `CONVERSATION_CONTAINER_IMAGE` | | Default Docker image for conversation containers. |

Configure Redis using either a URL or individual parameters:

| Variable | Default | Description |
| --- | --- | --- |
| `REDIS_URL` | `redis://localhost:6379` | Redis connection URL. Takes precedence over individual parameters. |
| `REDIS_HOST` | `localhost` | Redis hostname. Used when `REDIS_URL` is not set. |
| `REDIS_PORT` | `6379` | Redis port. |
| `REDIS_PASSWORD` | | Redis password. |
| `REDIS_TLS` | `false` | Enable TLS for Redis connections. |

| Variable | Default | Description |
| --- | --- | --- |
| `ENCRYPTION_KEY` | | 64-character hex string (32 bytes) for AES-256-GCM encryption of API keys stored in the database. Generate with: `node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"`. Falls back to deriving a key from `JWT_SECRET` if not set. |

| Variable | Default | Description |
| --- | --- | --- |
| `RATE_LIMIT_AUTH_MAX` | `10` | Maximum login/register requests per window per IP. |
| `RATE_LIMIT_AUTH_WINDOW_MS` | `900000` | Rate limit window duration in milliseconds (default: 15 minutes). |

| Variable | Default | Description |
| --- | --- | --- |
| `MCP_PROXY_URL` | `http://localhost:3100` | URL of the MCP proxy service. The backend uses this for health checks and reload commands. |
| `MCP_PROXY_SECRET` | | Shared secret for container-to-proxy authentication. Leave empty to disable authentication (development only). |

| Variable | Default | Description |
| --- | --- | --- |
| `MCP_PROXY_PORT` | `3100` | Port the proxy HTTP server listens on. |
| `MCP_PROXY_SECRET` | | Shared secret for request authentication via `X-MCP-Secret` header. |
| `MONGODB_URI` | `mongodb://localhost:27017/rearch` | MongoDB connection string for reading MCP server configurations. |

These variables are used in the docker-compose-traefik.yml file for production deployments:

| Variable | Description |
| --- | --- |
| `DOMAIN` | Base domain. Subdomains are derived: `app.<DOMAIN>`, `api.<DOMAIN>`, `auth.<DOMAIN>`. |
| `JWT_SECRET` | JWT signing key for the backend. |
| `JWT_EXPIRY` | JWT token lifetime. |
| `ADMIN_EMAIL` | Bootstrap admin email. |
| `ADMIN_PASSWORD` | Bootstrap admin password. |
| `KEYCLOAK_ADMIN` | Keycloak admin console username. |
| `KEYCLOAK_ADMIN_PASSWORD` | Keycloak admin console password. |
| `KEYCLOAK_DB_PASSWORD` | PostgreSQL password for the Keycloak database. |
| `KEYCLOAK_BACKEND_CLIENT_SECRET` | Client secret for the `rearch-backend` Keycloak client. |
| `OAUTH2_PROXY_CLIENT_SECRET` | Client secret for the `rearch-proxy` Keycloak client. |
| `OAUTH2_PROXY_COOKIE_SECRET` | Random 32-byte base64-encoded string for cookie encryption. Generate with: `openssl rand -base64 32 \| tr -- '+/' '-_'` |
| `CONVERSATION_CONTAINER_IMAGE` | Docker image used for conversation containers. |
| `MCP_PROXY_SECRET` | Shared secret for MCP proxy authentication. |

The frontend is a static SPA served by nginx. Runtime configuration is injected at container startup via window.__RUNTIME_CONFIG__:

| Variable | Default | Description |
| --- | --- | --- |
| `VITE_API_URL` | `/api` | Backend API URL. |
| `VITE_SOCKET_URL` | | WebSocket URL for real-time events. |
| `VITE_KEYCLOAK_URL` | | Keycloak base URL (only when using Keycloak auth). |
| `VITE_KEYCLOAK_REALM` | | Keycloak realm name. |
| `VITE_KEYCLOAK_CLIENT_ID` | | Keycloak public client ID for the frontend SPA. |

Use these commands to generate the secrets required by ReArch:

```bash
# JWT secret, Keycloak passwords, MCP proxy secret
openssl rand -base64 32
# OAuth2 Proxy cookie secret (URL-safe)
openssl rand -base64 32 | tr -- '+/' '-_'
# Encryption key for LLM API keys (64-char hex)
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
```
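
A preflight check that turns the security-relevant rules in this reference into findings before the backend starts. It is an added example, not ReArch code: `checkRearchEnv`, its finding format and the sample environments are hypothetical. It also assumes that the `OAUTH_*` and `KEYCLOAK_*` tables apply to the `OAUTH` and `KEYCLOAK_FIREWALL` modes respectively.

```javascript
// Added example: preflight check for the variables documented on this page.
// checkRearchEnv and its finding objects are hypothetical, not part of ReArch.
const AUTH_MODES = ["LOCAL", "OAUTH", "KEYCLOAK_FIREWALL", "NONE"];
// Assumption: each provider table above belongs to the mode of the same name.
const REQUIRED_BY_MODE = {
  LOCAL: ["ADMIN_PASSWORD"],
  OAUTH: ["OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET", "OAUTH_REDIRECT_URI", "OAUTH_ISSUER_URL"],
  KEYCLOAK_FIREWALL: ["KEYCLOAK_REALM_URL", "KEYCLOAK_CLIENT_ID", "KEYCLOAK_CLIENT_SECRET"],
  NONE: [],
};

function checkRearchEnv(env) {
  const findings = [];
  const add = (level, key, msg) => findings.push({ level, key, msg });
  const mode = env.AUTH_MODE || "LOCAL"; // documented default
  const known = AUTH_MODES.includes(mode);

  if (!known) add("error", "AUTH_MODE", `unknown mode "${mode}"`);
  else if (mode === "NONE") add("warn", "AUTH_MODE", "every request gets full admin access");
  for (const key of known ? REQUIRED_BY_MODE[mode] : []) {
    if (!env[key]) add("error", key, `required when AUTH_MODE=${mode}`);
  }

  const jwt = env.JWT_SECRET || "";
  if (!jwt) add("error", "JWT_SECRET", "required");
  else if (jwt.length < 32) add("error", "JWT_SECRET", "shorter than 32 characters");

  if (!env.ENCRYPTION_KEY) {
    add("warn", "ENCRYPTION_KEY", "unset: encryption key is derived from JWT_SECRET");
  } else if (!/^[0-9a-fA-F]{64}$/.test(env.ENCRYPTION_KEY)) {
    add("error", "ENCRYPTION_KEY", "must be 64 hex characters (32 bytes)");
  }
  if (!env.MCP_PROXY_SECRET) {
    add("warn", "MCP_PROXY_SECRET", "empty: MCP proxy authentication is disabled");
  }
  return findings;
}

// Constructed sample environments (placeholder values, not real secrets).
const weakEnv = { AUTH_MODE: "NONE", JWT_SECRET: "changeme" };
const goodEnv = {
  AUTH_MODE: "LOCAL", ADMIN_PASSWORD: "p".repeat(24),
  JWT_SECRET: "s".repeat(44), ENCRYPTION_KEY: "ab".repeat(32),
  MCP_PROXY_SECRET: "m".repeat(44),
};
console.log(checkRearchEnv(weakEnv).map((f) => `${f.level} ${f.key}: ${f.msg}`).join("\n"));
```

Pass `process.env` to the function in a container entrypoint and exit non-zero on any `error` finding to block a misconfigured deployment.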