Auth and Environment
Generated projects use .env values for runtime configuration.
Base URL
The generated runtime needs TARGET_API_BASE_URL.
Resolution order:
- explicit --target-api-base-url
- values from --env-source
- generated .env/.env.example
- current process environment
If no real base URL can be resolved, startup fails.
If the base URL is present but not an absolute http or https URL, startup also fails.
--env-source formats
Accepted by run and test-server:
- JSON string
- path to .json
- path to .env
Examples:
--env-source '{"TARGET_API_BASE_URL":"https://example.com/api"}'
--env-source ./runtime.env
--env-source ./runtime.json
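The resolution order and the three --env-source formats above can be sketched as follows. This is an added example, not the generator's own code: the function names are hypothetical, and it assumes the list is highest priority first, that an empty value counts as unresolved, and that the format is detected from a leading "{" or a .json suffix.

```python
import json
import os
from urllib.parse import urlsplit

KEY = "TARGET_API_BASE_URL"


def parse_dotenv(text):
    """Minimal KEY=VALUE parser: skips blanks and # comments, strips quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        values[name.strip()] = value.strip().strip("\"'")
    return values


def load_env_source(source):
    """--env-source: inline JSON object, path to .json, or path to .env."""
    if source.lstrip().startswith("{"):
        return json.loads(source)
    with open(source, encoding="utf-8") as fh:
        text = fh.read()
    return json.loads(text) if source.endswith(".json") else parse_dotenv(text)


def resolve_base_url(cli_value=None, env_source=None, dotenv_text="", environ=None):
    """Pick the first non-empty candidate in the documented order, then validate it."""
    environ = os.environ if environ is None else environ
    layers = [
        {KEY: cli_value},                                    # 1. explicit flag
        load_env_source(env_source) if env_source else {},   # 2. --env-source
        parse_dotenv(dotenv_text),                           # 3. generated .env
        environ,                                             # 4. process environment
    ]
    for layer in layers:
        candidate = str(layer.get(KEY) or "").strip()
        if candidate:
            break
    else:
        raise ValueError(f"{KEY} could not be resolved")     # startup fails
    # A malformed winner is rejected, not skipped in favour of a lower layer.
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"{KEY} must be an absolute http(s) URL: {candidate!r}")
    return candidate
```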
Generated auth env vars
Auth env var placeholders are derived from OpenAPI security schemes.
Examples:
- AUTH_HEADERAPIKEY_API_KEY
- AUTH_QUERYAPIKEY_API_KEY
- AUTH_COOKIEAPIKEY_API_KEY
- AUTH_BEARERAUTH_TOKEN
Supported mapping today:
- apiKey in header
- apiKey in query
- apiKey in cookie
- HTTP bearer auth
- OAuth2 token injection
- OpenID Connect token injection
Optional raw auth header
Generated .env.example also includes:
#TARGET_API_AUTH_HEADER=Authorization: Bearer YOUR_TOKEN
Use this only when a raw header fallback is more practical than the generated scheme-specific variables.
Generated runtime env keys
Current generated .env.example includes:
- TARGET_API_BASE_URL
- TARGET_API_AUTH_HEADER
- MCP_HTTP_HOST
- MCP_HTTP_PORT
- MCP_HTTP_ENDPOINT
- MCP_ALLOWED_ORIGINS
- MCP_ALLOWED_HOSTS
- MCP_MAX_CONCURRENCY
- MCP_PER_TOOL_MAX_CONCURRENCY
- MCP_MAX_QUEUE_SIZE
- MCP_QUEUE_TIMEOUT_MS
- MCP_TOOL_TIMEOUT_MS
- auth env vars derived from the OpenAPI security schemes
Invalid runtime-control values fail fast at startup instead of silently using defaults.
Security behavior
Generated auth wiring is covered by generated-server E2E tests against a local mock API, including missing-credential failure paths.