Skip to main content

Configuration of Environment Variables

Agenta encodes the same nesting at three layers: the environment variable name, the Python env.py attribute path, and the Helm values.yaml path. Every section below lists the canonical names in those three forms.

For deprecated/legacy environment variable names that still work via fallback, see Deprecated environment variables at the bottom.

Kubernetes / Helm

For Helm deployments, set the values.yaml path instead of the env var. The chart maps every value to the same canonical env var internally.

Helm-only — pre-existing Secret

The Helm chart accepts a single Helm-only key, secrets.existingSecret, that points at a pre-created Kubernetes Secret. When set, the chart will not create or update the Secret object; it just wires envFrom/secretKeyRef references to the name you provide. Your Secret must contain the canonical env-var keys (AGENTA_AUTH_KEY, AGENTA_CRYPT_KEY, POSTGRES_PASSWORD, and any optional keys such as SUPERTOKENS_API_KEY, OPENAI_API_KEY, OAuth client secrets, etc.) — see Deploy to Kubernetes — Secrets. This key has no env-var or env.py equivalent.

Agenta — core

Env varenv.py pathvalues.yaml path
AGENTA_LICENSEagenta.licenseagenta.license
AGENTA_WEB_URLagenta.web_urlagenta.webUrl
AGENTA_SERVICES_URLagenta.services_urlagenta.servicesUrl
AGENTA_API_URLagenta.api_urlagenta.apiUrl
AGENTA_API_INTERNAL_URLagenta.api_internal_urlagenta.apiInternalUrl
AGENTA_AUTH_KEYagenta.auth_keyagenta.authKey
AGENTA_CRYPT_KEYagenta.crypt_keyagenta.cryptKey

Agenta — access

The first four variables (allowed/blocked domains and emails, allowed owner emails) apply to both the open source and Enterprise editions. See Restrict Sign-ups and Organization Creation for how they behave. The plan and role variables are Enterprise-only; see Dynamic Access Controls.

Env varenv.py pathvalues.yaml path
AGENTA_ACCESS_ALLOWED_DOMAINSagenta.access.allowed_domainsagenta.access.allowedDomains
AGENTA_ACCESS_ALLOWED_OWNER_EMAILSagenta.access.allowed_owner_emailsagenta.access.allowedOwnerEmails
AGENTA_ACCESS_BLOCKED_DOMAINSagenta.access.blocked_domainsagenta.access.blockedDomains
AGENTA_ACCESS_BLOCKED_EMAILSagenta.access.blocked_emailsagenta.access.blockedEmails
AGENTA_ACCESS_DEFAULT_PLANagenta.access.default_planagenta.access.defaultPlan
AGENTA_ACCESS_DEFAULT_PLAN_OVERLAYagenta.access.default_plan_overlayagenta.access.defaultPlanOverlay
AGENTA_ACCESS_EMAIL_DISABLEDagenta.access.email_disabledagenta.access.emailDisabled
AGENTA_ACCESS_PLANSagenta.access.plansagenta.access.plans
AGENTA_ACCESS_ROLESagenta.access.rolesagenta.access.roles
AGENTA_ACCESS_ROLES_OVERLAYagenta.access.roles_overlayagenta.access.rolesOverlay

Agenta — AI services

Env varenv.py pathvalues.yaml path
AGENTA_AI_SERVICES_API_KEYagenta.ai_services.api_keyagenta.aiServices.apiKey
AGENTA_AI_SERVICES_API_URLagenta.ai_services.api_urlagenta.aiServices.apiUrl
AGENTA_AI_SERVICES_ENVIRONMENT_SLUGagenta.ai_services.environment_slugagenta.aiServices.environmentSlug
AGENTA_AI_SERVICES_REFINE_PROMPT_KEYagenta.ai_services.refine_prompt_keyagenta.aiServices.refinePromptKey

Agenta — billing

Env varenv.py pathvalues.yaml path
AGENTA_BILLING_CATALOGagenta.billing.catalogagenta.billing.catalog
AGENTA_BILLING_PRICINGagenta.billing.pricingagenta.billing.pricing

Agenta — API

Env varenv.py pathvalues.yaml path
AGENTA_API_CACHING_ENABLEDagenta.api.caching.enabledagenta.api.caching.enabled

Agenta — extras

Env varenv.py pathvalues.yaml path
AGENTA_EXTRAS_DEMOSagenta.extras.demosagenta.extras.demos

Agenta — logging

Env varenv.py pathvalues.yaml path
AGENTA_LOGGING_CONSOLE_ENABLEDagenta.logging.console_enabledagenta.logging.consoleEnabled
AGENTA_LOGGING_CONSOLE_LEVELagenta.logging.console_levelagenta.logging.consoleLevel
AGENTA_LOGGING_FILE_ENABLEDagenta.logging.file_enabledagenta.logging.fileEnabled
AGENTA_LOGGING_FILE_LEVELagenta.logging.file_levelagenta.logging.fileLevel
AGENTA_LOGGING_FILE_PATHagenta.logging.file_pathagenta.logging.filePath
AGENTA_LOGGING_OTLP_ENABLEDagenta.logging.otlp_enabledagenta.logging.otlpEnabled
AGENTA_LOGGING_OTLP_LEVELagenta.logging.otlp_levelagenta.logging.otlpLevel

Agenta — OTLP

Env varenv.py pathvalues.yaml path
AGENTA_OTLP_MAX_BATCH_BYTESagenta.otlp.max_batch_bytesagenta.otlp.maxBatchBytes

Agenta — services

Env varenv.py pathvalues.yaml path
AGENTA_SERVICES_CODE_SANDBOX_RUNNERagenta.services.code.sandbox_runneragenta.services.code.sandboxRunner
AGENTA_SERVICES_HOOK_ALLOW_INSECUREagenta.services.hook.allow_insecureagenta.services.hook.allowInsecure
AGENTA_SERVICES_MIDDLEWARE_AUTH_ENABLEDn/a (SDK-side)agenta.services.middleware.authEnabled
AGENTA_SERVICES_MIDDLEWARE_CACHING_ENABLEDagenta.services.middleware.caching_enabledagenta.services.middleware.cachingEnabled

Agent runner

These variables configure agent workflows. AGENTA_RUNNER_* variables are read by the Services API. SANDBOX_AGENT_* variables are read by the separate runner service. See Deploy the agent runner.

Env varComponentvalues.yaml path
AGENTA_RUNNER_URLServices APIagentRunner.externalUrl or generated from agentRunner.enabled
AGENTA_RUNNER_TIMEOUT_SECONDSServices API / SDKn/a
AGENTA_AGENT_MCPS_ENABLEDServices APIagentRunner.enableMcp
SANDBOX_AGENT_PROVIDERrunneragentRunner.provider
SANDBOX_AGENT_LOG_LEVELrunneragentRunner.logLevel
DAYTONA_API_KEYrunneragentRunner.daytona.apiKey
DAYTONA_API_URLrunneragentRunner.daytona.apiUrl
DAYTONA_TARGETrunneragentRunner.daytona.target
DAYTONA_SNAPSHOTrunneragentRunner.daytona.snapshot
DAYTONA_IMAGErunneragentRunner.daytona.image
DAYTONA_AUTOSTOPrunneragentRunner.daytona.autostopDelay
AGENTA_AGENT_SANDBOX_PI_INSTALLEDrunneragentRunner.daytona.installPi
Custom-code evaluator runner

AGENTA_SERVICES_CODE_SANDBOX_RUNNER selects how custom-code evaluators execute:

  • restricted (default) — in-process Python sandbox with limited builtins and an allowlist of pure-standard-library imports. No filesystem, network, or host access.
  • local — raw execution in the services process with no sandbox. Any author who can create a custom-code evaluator can run arbitrary code on the host. Use only for trusted, single-tenant deployments.
  • daytona — isolated remote sandbox (strongest). Recommended when evaluator authors are not fully trusted. Requires the daytona credentials below.

The legacy AGENTA_SERVICES_SANDBOX_RUNNER is still accepted as a fallback.

Store (durable object store)

Backs the durable working directory for sessions and agents. Files written by an agent run survive sandbox teardown and reappear in the next turn. The store is disabled until ACCESS_KEY and SECRET_KEY are set. Point these at any S3-compatible store: the bundled SeaweedFS, AWS S3, or MinIO. ENDPOINT_URL is always explicit (SeaweedFS defaults it to http://seaweedfs:8333; a remote store must set it).

The API holds the master credentials and never passes them to the runner. At run start it mints short-lived, prefix-scoped credentials and only those reach the sandbox, which mounts the durable prefix as its working directory. The STS mechanism depends on the backend (see the two-backend note below): bundled SeaweedFS uses AssumeRoleWithWebIdentity; a remote S3 store uses GetFederationToken.

Env varenv.py pathvalues.yaml path
AGENTA_STORE_ENDPOINT_URLstore.endpoint_urlstore.endpointUrl (auto-populated when store.seaweedfs.enabled=true)
AGENTA_STORE_STS_ENDPOINT_URLstore.sts_endpoint_urlstore.stsEndpointUrl
AGENTA_STORE_ACCESS_KEYstore.access_keystore.accessKey
AGENTA_STORE_SECRET_KEYstore.secret_keystore.secretKey
AGENTA_STORE_REGIONstore.regionstore.region
AGENTA_STORE_BUCKETstore.bucketstore.bucket
AGENTA_STORE_NAMESPACEstore.namespacestore.namespace
AGENTA_STORE_SIGNING_KEYstore.signing_keystore.signingKey
AGENTA_STORE_JWT_ISSUERstore.jwt_issuerstore.jwtIssuer
AGENTA_STORE_JWT_PRIVATE_KEYstore.jwt_private_keystore.jwtPrivateKey
store.seaweedfs.enabled

store.seaweedfs.enabled=true bundles a SeaweedFS StatefulSet and auto-populates store.endpointUrl. Set it to false and supply store.endpointUrl to use an external S3-compatible store. This toggle mirrors postgresql.enabled.

AGENTA_STORE_NAMESPACE — sharing one bucket across environments

The key layout treats the store as a small database: the bucket is the cluster, an optional namespace is the database, the entity prefix (mounts/) is the table, and <project>/<mount> is the row — so a full key is <bucket>/[<namespace>/]mounts/<project_id>/<mount_id>/....

Leave NAMESPACE unset for a dedicated bucket; the key layout is then identical to a single-tenant store (no empty leading segment). Set it — typically to a deployment or environment id — when several ephemeral environments share one bucket. Each environment's keys are prefixed with its namespace, and the short-lived credentials the API signs are scoped to that namespace, so one environment can never read or write another's objects even though they live in the same bucket. The namespace narrows the credential scope; it never widens it, and it is orthogonal to the store backend (it works on remote S3 and on bundled SeaweedFS alike).

Two STS backends (selected by SIGNING_KEY presence)

The API narrows the master credentials to one mount prefix per run with an inline session policy. How it signs that scoped credential depends on the backend, and the backend is chosen by whether AGENTA_STORE_SIGNING_KEY is set — not by the endpoint:

  • SIGNING_KEY set → bundled SeaweedFS. SeaweedFS authorizes scoped credentials only through its OIDC IAM engine: the API acts as the OIDC issuer, mints a short-lived RS256 web-identity token, and serves the matching public JWKS at /.well-known/jwks.json; SeaweedFS fetches that JWKS to verify the token on each AssumeRoleWithWebIdentity call.
  • SIGNING_KEY unset → remote S3-compatible store (AWS S3, MinIO). The API already holds S3 credentials, so it signs a GetFederationToken request (SigV4) with them — no OIDC provider, no role. Cloudflare R2 is not supported: it does not implement AWS STS GetFederationToken.

AGENTA_STORE_STS_ENDPOINT_URL is the STS endpoint for the remote-S3 path. It defaults to the S3 endpoint (MinIO co-locates STS there); set it only when the store splits STS onto another host — AWS: https://sts.<region>.amazonaws.com. It is ignored on the SeaweedFS path.

The SeaweedFS-only settings (SIGNING_KEY, JWT_ISSUER, JWT_PRIVATE_KEY):

  • AGENTA_STORE_SIGNING_KEY — base64 of exactly 32 bytes; the HMAC key SeaweedFS signs its own STS session tokens with (head -c 32 /dev/urandom | base64). Its presence also selects the SeaweedFS backend, so leave it unset for a remote S3 store.
  • AGENTA_STORE_JWT_ISSUER — the in-network API URL SeaweedFS fetches the JWKS from (e.g. http://api:8000).
  • AGENTA_STORE_JWT_PRIVATE_KEY — a stable RSA private key (PKCS#8 PEM) the API signs the web-identity token with. Required in production: every API replica must share one key, or SeaweedFS's cached JWKS desyncs and token validation fails intermittently. Generate with openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048. Local dev falls back to a built-in key when unset.

The bundled store and the API must agree on ACCESS_KEY and SECRET_KEY; in the Helm chart and docker-compose this is wired automatically.

Remote sandboxes (Daytona) need a reachable store endpoint

A local sandbox mounts durable storage on the runner host against the in-network store. A remote sandbox mounts from inside the cloud sandbox, so the store endpoint must be publicly reachable. Enable the ngrok tunnel (the compose remote profile) or point AGENTA_STORE_ENDPOINT_URL at a public S3 URL. Only the scoped, short-lived credentials ever cross into a remote sandbox.

Agenta — webhooks

Env varenv.py pathvalues.yaml path
AGENTA_WEBHOOKS_ALLOW_INSECUREagenta.webhooks.allow_insecureagenta.webhooks.allowInsecure

alembic

Env varenv.py pathvalues.yaml path
ALEMBIC_AUTO_MIGRATIONSalembic.auto_migrationsalembic.autoMigrations
ALEMBIC_CFG_PATH_COREalembic.cfg_path_corealembic.cfgPathCore
ALEMBIC_CFG_PATH_TRACINGalembic.cfg_path_tracingalembic.cfgPathTracing

cloudflare

Env varenv.py pathvalues.yaml path
CLOUDFLARE_TURNSTILE_ALLOWED_HOSTNAMEScloudflare.turnstile.allowed_hostnamescloudflare.turnstile.allowedHostnames
CLOUDFLARE_TURNSTILE_SECRET_KEYcloudflare.turnstile.secret_keycloudflare.turnstile.secretKey
CLOUDFLARE_TURNSTILE_SITE_KEYcloudflare.turnstile.site_keycloudflare.turnstile.siteKey

composio

Env varenv.py pathvalues.yaml path
COMPOSIO_API_KEYcomposio.api_keycomposio.apiKey
COMPOSIO_API_URLcomposio.api_urlcomposio.apiUrl

crisp

Env varenv.py pathvalues.yaml path
CRISP_WEBSITE_IDcrisp.website_idcrisp.websiteId

daytona

Env varenv.py pathvalues.yaml path
DAYTONA_API_KEYdaytona.api_keydaytona.apiKey
DAYTONA_API_URLdaytona.api_urldaytona.apiUrl
DAYTONA_SNAPSHOTdaytona.snapshotdaytona.snapshot
DAYTONA_TARGETdaytona.targetdaytona.target

docker

Env varenv.py pathvalues.yaml path
DOCKER_NETWORK_MODEdocker.network_modedocker.networkMode

identity (OIDC providers)

Env varenv.py pathvalues.yaml path
APPLE_OAUTH_CLIENT_IDidentity.apple.client_ididentity.apple.clientId
APPLE_OAUTH_CLIENT_SECRETidentity.apple.client_secretidentity.apple.clientSecret
APPLE_KEY_IDidentity.apple.key_ididentity.apple.keyId
APPLE_PRIVATE_KEYidentity.apple.private_keyidentity.apple.privateKey
APPLE_TEAM_IDidentity.apple.team_ididentity.apple.teamId
AZURE_AD_OAUTH_CLIENT_IDidentity.azure_ad.client_ididentity.azureAd.clientId
AZURE_AD_OAUTH_CLIENT_SECRETidentity.azure_ad.client_secretidentity.azureAd.clientSecret
AZURE_AD_DIRECTORY_IDidentity.azure_ad.directory_ididentity.azureAd.directoryId
BITBUCKET_OAUTH_CLIENT_IDidentity.bitbucket.client_ididentity.bitbucket.clientId
BITBUCKET_OAUTH_CLIENT_SECRETidentity.bitbucket.client_secretidentity.bitbucket.clientSecret
BOXY_SAML_OAUTH_CLIENT_IDidentity.boxy_saml.client_ididentity.boxySaml.clientId
BOXY_SAML_OAUTH_CLIENT_SECRETidentity.boxy_saml.client_secretidentity.boxySaml.clientSecret
BOXY_SAML_URLidentity.boxy_saml.urlidentity.boxySaml.url
DISCORD_OAUTH_CLIENT_IDidentity.discord.client_ididentity.discord.clientId
DISCORD_OAUTH_CLIENT_SECRETidentity.discord.client_secretidentity.discord.clientSecret
FACEBOOK_OAUTH_CLIENT_IDidentity.facebook.client_ididentity.facebook.clientId
FACEBOOK_OAUTH_CLIENT_SECRETidentity.facebook.client_secretidentity.facebook.clientSecret
GITHUB_OAUTH_CLIENT_IDidentity.github.client_ididentity.github.clientId
GITHUB_OAUTH_CLIENT_SECRETidentity.github.client_secretidentity.github.clientSecret
GITLAB_BASE_URLidentity.gitlab.base_urlidentity.gitlab.baseUrl
GITLAB_OAUTH_CLIENT_IDidentity.gitlab.client_ididentity.gitlab.clientId
GITLAB_OAUTH_CLIENT_SECRETidentity.gitlab.client_secretidentity.gitlab.clientSecret
GOOGLE_OAUTH_CLIENT_IDidentity.google.client_ididentity.google.clientId
GOOGLE_OAUTH_CLIENT_SECRETidentity.google.client_secretidentity.google.clientSecret
GOOGLE_WORKSPACES_OAUTH_CLIENT_IDidentity.google_workspaces.client_ididentity.googleWorkspaces.clientId
GOOGLE_WORKSPACES_OAUTH_CLIENT_SECRETidentity.google_workspaces.client_secretidentity.googleWorkspaces.clientSecret
GOOGLE_WORKSPACES_HDidentity.google_workspaces.hdidentity.googleWorkspaces.hd
LINKEDIN_OAUTH_CLIENT_IDidentity.linkedin.client_ididentity.linkedin.clientId
LINKEDIN_OAUTH_CLIENT_SECRETidentity.linkedin.client_secretidentity.linkedin.clientSecret
OKTA_OAUTH_CLIENT_IDidentity.okta.client_ididentity.okta.clientId
OKTA_OAUTH_CLIENT_SECRETidentity.okta.client_secretidentity.okta.clientSecret
OKTA_DOMAINidentity.okta.domainidentity.okta.domain
TWITTER_OAUTH_CLIENT_IDidentity.twitter.client_ididentity.twitter.clientId
TWITTER_OAUTH_CLIENT_SECRETidentity.twitter.client_secretidentity.twitter.clientSecret

llm (provider API keys)

Env varenv.py pathvalues.yaml path
ALEPHALPHA_API_KEYllm.alephalphallm.alephalpha
ANTHROPIC_API_KEYllm.anthropicllm.anthropic
ANYSCALE_API_KEYllm.anyscalellm.anyscale
COHERE_API_KEYllm.coherellm.cohere
DEEPINFRA_API_KEYllm.deepinfrallm.deepinfra
GEMINI_API_KEYllm.geminillm.gemini
GROQ_API_KEYllm.groqllm.groq
MINIMAX_API_KEYllm.minimaxllm.minimax
MISTRAL_API_KEYllm.mistralllm.mistral
OPENAI_API_KEYllm.openaillm.openai
OPENROUTER_API_KEYllm.openrouterllm.openrouter
PERPLEXITYAI_API_KEYllm.perplexityaillm.perplexityai
TOGETHERAI_API_KEYllm.togetheraillm.togetherai

loops

Env varenv.py pathvalues.yaml path
LOOPS_API_KEYloops.api_keyloops.apiKey

newrelic

Env varenv.py pathvalues.yaml path
NEWRELIC_LICENSE_KEYnewrelic.license_keynewrelic.licenseKey

postgres

Env varenv.py pathvalues.yaml path
POSTGRES_USERpostgres.userpostgres.user
POSTGRES_PASSWORDpostgres.passwordpostgres.password
POSTGRES_PORTpostgres.portpostgres.port
POSTGRES_URI_COREpostgres.uri_corepostgres.uriCore
POSTGRES_URI_SUPERTOKENSpostgres.uri_supertokenspostgres.uriSupertokens
POSTGRES_URI_TRACINGpostgres.uri_tracingpostgres.uriTracing

posthog

Env varenv.py pathvalues.yaml path
POSTHOG_API_KEYposthog.api_keyposthog.apiKey
POSTHOG_API_URLposthog.api_urlposthog.apiUrl

redis

Env varenv.py pathvalues.yaml path
REDIS_URIredis.uriredis.uri
REDIS_URI_DURABLEredis.uri_durableredis.uriDurable
REDIS_URI_VOLATILEredis.uri_volatileredis.uriVolatile

smtp

SMTP is preferred for email delivery. It is enabled only when host, port, and sender are configured. SendGrid remains supported as a fallback when SMTP is not fully configured.

For local Mailpit from an API container, use SMTP_HOST=host.docker.internal when Mailpit runs on the host, or SMTP_HOST=mailpit only when Mailpit is on the same Docker network.

Env varenv.py pathvalues.yaml path
SMTP_HOSTsmtp.host(not mapped)
SMTP_PORTsmtp.port(not mapped)
SMTP_USERNAMEsmtp.username(not mapped)
SMTP_PASSWORDsmtp.password(not mapped)
SMTP_FROM_EMAILsmtp.from_email(not mapped)
SMTP_USE_TLSsmtp.use_tls(not mapped)
SMTP_USE_SSLsmtp.use_ssl(not mapped)
SMTP_TIMEOUTsmtp.timeout(not mapped)

sendgrid

SendGrid is used only when SMTP is not fully configured.

Env varenv.py pathvalues.yaml path
SENDGRID_API_KEYsendgrid.api_keysendgrid.apiKey
SENDGRID_FROM_EMAILsendgrid.from_emailsendgrid.fromEmail

stripe

Env varenv.py pathvalues.yaml path
STRIPE_API_KEYstripe.api_keystripe.apiKey
STRIPE_WEBHOOK_SECRETstripe.webhook_secretstripe.webhookSecret
STRIPE_WEBHOOK_TARGETstripe.webhook_targetstripe.webhookTarget

supertokens

Env varenv.py pathvalues.yaml path
SUPERTOKENS_API_KEYsupertokens.api_keysupertokens.apiKey
SUPERTOKENS_APPLICATIONsupertokens.applicationsupertokens.application
SUPERTOKENS_PASSWORD_MAX_LENGTHsupertokens.password_max_lengthsupertokens.passwordMaxLength
SUPERTOKENS_PASSWORD_MIN_LENGTHsupertokens.password_min_lengthsupertokens.passwordMinLength
SUPERTOKENS_PASSWORD_POLICYsupertokens.password_policysupertokens.passwordPolicy
SUPERTOKENS_PASSWORD_REGEXsupertokens.password_regexsupertokens.passwordRegex
SUPERTOKENS_TENANTsupertokens.tenantsupertokens.tenant
SUPERTOKENS_URI_COREsupertokens.uri_coresupertokens.uriCore

Deprecated environment variables

The following legacy names still work via fallback (the Pydantic env loader reads the new name first, then the legacy one). They will be removed in a future major release.

Legacy env varCanonical replacement
AGENTA_ALLOWED_DOMAINSAGENTA_ACCESS_ALLOWED_DOMAINS
AGENTA_ORG_CREATION_ALLOWLISTAGENTA_ACCESS_ALLOWED_OWNER_EMAILS
AGENTA_ACCESS_ORG_CREATION_ALLOWLISTAGENTA_ACCESS_ALLOWED_OWNER_EMAILS
AGENTA_ACCESS_ALLOWED_ORGANIZATION_OWNERSAGENTA_ACCESS_ALLOWED_OWNER_EMAILS
AGENTA_BLOCKED_DOMAINSAGENTA_ACCESS_BLOCKED_DOMAINS
AGENTA_BLOCKED_EMAILSAGENTA_ACCESS_BLOCKED_EMAILS
AGENTA_DEFAULT_PLANAGENTA_ACCESS_DEFAULT_PLAN
SUPERTOKENS_EMAIL_DISABLEDAGENTA_ACCESS_EMAIL_DISABLED
AGENTA_PRICINGAGENTA_BILLING_PRICING
STRIPE_PRICINGAGENTA_BILLING_PRICING
AGENTA_CACHE_ENABLEDAGENTA_API_CACHING_ENABLED
AGENTA_CACHING_ENABLEDAGENTA_API_CACHING_ENABLED
AGENTA_DEMOSAGENTA_EXTRAS_DEMOS
AGENTA_LOG_CONSOLE_ENABLEDAGENTA_LOGGING_CONSOLE_ENABLED
AGENTA_LOG_CONSOLE_LEVELAGENTA_LOGGING_CONSOLE_LEVEL
AGENTA_LOG_FILE_ENABLEDAGENTA_LOGGING_FILE_ENABLED
AGENTA_LOG_FILE_LEVELAGENTA_LOGGING_FILE_LEVEL
AGENTA_LOG_FILE_PATHAGENTA_LOGGING_FILE_PATH
AGENTA_LOG_OTLP_ENABLEDAGENTA_LOGGING_OTLP_ENABLED
AGENTA_LOG_OTLP_LEVELAGENTA_LOGGING_OTLP_LEVEL
AGENTA_SERVICES_SANDBOX_RUNNERAGENTA_SERVICES_CODE_SANDBOX_RUNNER
AGENTA_SERVICE_MIDDLEWARE_AUTH_ENABLED (singular SERVICE)AGENTA_SERVICES_MIDDLEWARE_AUTH_ENABLED
AGENTA_SERVICE_MIDDLEWARE_CACHE_ENABLED (singular SERVICE)AGENTA_SERVICES_MIDDLEWARE_CACHING_ENABLED
AGENTA_WEBHOOK_ALLOW_INSECUREAGENTA_WEBHOOKS_ALLOW_INSECURE (API), AGENTA_SERVICES_HOOK_ALLOW_INSECURE (SDK)
AGENTA_AUTO_MIGRATIONSALEMBIC_AUTO_MIGRATIONS
AGENTA_RUNTIME_PREFIX(removed; no consumer in API)
ACTIVE_DIRECTORY_OAUTH_CLIENT_IDAZURE_AD_OAUTH_CLIENT_ID
ACTIVE_DIRECTORY_OAUTH_CLIENT_SECRETAZURE_AD_OAUTH_CLIENT_SECRET
ACTIVE_DIRECTORY_DIRECTORY_IDAZURE_AD_DIRECTORY_ID
NEW_RELIC_LICENSE_KEYNEWRELIC_LICENSE_KEY
NRIA_LICENSE_KEYNEWRELIC_LICENSE_KEY
POSTHOG_HOSTPOSTHOG_API_URL
AGENTA_AUTHN_EMAIL_FROMSMTP_FROM_EMAIL (preferred) or SENDGRID_FROM_EMAIL fallback
AGENTA_SEND_EMAIL_FROM_ADDRESSSMTP_FROM_EMAIL (preferred) or SENDGRID_FROM_EMAIL fallback
STRIPE_TARGETSTRIPE_WEBHOOK_TARGET
SUPERTOKENS_CONNECTION_URISUPERTOKENS_URI_CORE