Environment Variables
Gateway
Required
| Variable | Default | Description |
|---|---|---|
| GATEWAY_AGENT_PUBLIC_KEY | none | Ed25519 public key used to verify agent WebSocket signatures |
| GATEWAY_API_KEYS_JSON | none | JSON array of API key names, bcrypt hashes, and allowed capabilities |
Optional
All optional gateway variables may be omitted. Empty values are treated the same as omitted values.
| Variable | Default | Description |
|---|---|---|
| GATEWAY_ADDR | :8080 | Gateway listen address |
| GATEWAY_PUBLIC_URL | derived from GATEWAY_ADDR | External HTTP(S) base URL used in OpenAPI servers |
| GATEWAY_CORS_ALLOWED_ORIGINS | empty | Comma-separated browser origins allowed to call the gateway with CORS; empty disables CORS headers |
| GATEWAY_IP_ALLOW_LIST | empty | Comma-separated CIDRs or single IPs allowed to call protected endpoints; empty means no IP allow restriction |
| GATEWAY_TRUSTED_PROXY_CIDRS | empty | CIDRs whose forwarded headers are trusted for source IP detection; empty means forwarded headers are ignored |
| GATEWAY_RATE_LIMIT_REQUESTS_PER_SECOND | 10 | Per-source request rate |
| GATEWAY_RATE_LIMIT_BURST | 20 | Per-source burst size |
| GATEWAY_EMIT_OPENAPI_SNAPSHOT | false | When true, the gateway emits full cached OpenAPI metadata as an openapi_snapshot stdout event |
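How GATEWAY_TRUSTED_PROXY_CIDRS and GATEWAY_IP_ALLOW_LIST combine, as an added Go sketch that is not the gateway's own code. It assumes the forwarded header is X-Forwarded-For and that hops are read right to left; the function names and sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
	"strings"
)

// parseList reads comma-separated CIDRs or single IPs; "" gives an empty list.
func parseList(csv string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, f := range strings.Fields(strings.ReplaceAll(csv, ",", " ")) {
		p, err := netip.ParsePrefix(f)
		if a, aerr := netip.ParseAddr(f); aerr == nil { // single IP: host prefix
			p, err = netip.PrefixFrom(a, a.BitLen()), nil
		}
		if err != nil {
			return nil, fmt.Errorf("bad entry %q: %w", f, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

func inAny(ps []netip.Prefix, a netip.Addr) bool {
	return slices.ContainsFunc(ps, func(p netip.Prefix) bool { return p.Contains(a) })
}

// admit is an added sketch, not the gateway's code. It assumes the forwarded
// header is X-Forwarded-For and reads it right to left, stepping to the next
// hop only while the current one is a trusted proxy. It returns the source IP
// the allow list sees and whether that IP passes.
func admit(peer netip.Addr, xff string, trusted, allow []netip.Prefix) (netip.Addr, bool) {
	src, hops := peer.Unmap(), strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0 && inAny(trusted, src); i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed hop: keep the last address a trusted proxy reported
		}
		src = a.Unmap()
	}
	return src, len(allow) == 0 || inAny(allow, src) // empty allow list: no restriction
}

func main() { // constructed sample: trusted proxy 172.16.0.5 forwarding for 203.0.113.7
	trusted, _ := parseList("172.16.0.0/12")
	fmt.Println(admit(netip.MustParseAddr("172.16.0.5"), "203.0.113.7", trusted, nil))
}
```

With GATEWAY_TRUSTED_PROXY_CIDRS empty behind a reverse proxy, every request resolves to the proxy's own address, so an allow list of client ranges would reject all traffic. A header sent by a peer outside the trusted CIDRs never changes the detected source.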
Example
# Required.
GATEWAY_AGENT_PUBLIC_KEY=TrMm87V3aET3MmGUzHf3_XKZRPEHe1bDM-POH1mrjr8
GATEWAY_API_KEYS_JSON='[{"name":"dev","key_hash":"$2a$10$INgs32pPDl8EQAOTcQ1NN.eZUpNkDtyTKXh2luqxE32vNBmaLpy7m","capabilities":["*"]}]'
# Optional. Omit these to use defaults or disabled behavior.
# GATEWAY_ADDR=:8080
# GATEWAY_PUBLIC_URL=https://gateway.example.com
# GATEWAY_CORS_ALLOWED_ORIGINS=https://cors.example.com
# GATEWAY_IP_ALLOW_LIST=203.0.113.0/24
# GATEWAY_TRUSTED_PROXY_CIDRS=172.16.0.0/12
# GATEWAY_RATE_LIMIT_REQUESTS_PER_SECOND=10
# GATEWAY_RATE_LIMIT_BURST=20
# GATEWAY_EMIT_OPENAPI_SNAPSHOT=false
Agent
Most agent runtime settings are in capability.yaml. Prefer onprest-agent --config /path/to/capability.yaml when launching the binary directly. The file path can also be selected with an environment variable.
| Variable | Default | Description |
|---|---|---|
| AGENT_CAPABILITY_FILE | binary-adjacent capability.yaml | Path to the agent capability YAML file |
--config takes precedence over AGENT_CAPABILITY_FILE.
Important fields:
- gateway.url
- gateway.agent_private_key
- database.driver
- database.host
- database.port
- database.name
- database.user
- database.password
- logging.max_size