Environment variables
Reference for operators self-hosting or integrating with Molar Cloud APIs.
Secrets: Never commit
.envfiles. Use your secret manager in production.
CLI & local config
Prefer ~/.config/molar/config.toml where noted. Env vars override file config.
| Variable | Required | Description |
|---|---|---|
MOLAR_API_URL | For cloud | API base (default cloud: https://api.molar.it) |
MOLAR_TOKEN | For cloud | Personal or service access token |
MOLAR_TELEMETRY | No | 1 to enable anonymized CLI telemetry (default off) |
XDG_CONFIG_HOME | No | Config directory (default ~/.config) |
Molar API
App: @molar/control-plane — default port 3100
| Variable | Required | Description |
|---|---|---|
DATABASE_URL | Yes | Postgres connection string |
REDIS_URL | Yes | Redis for sessions, streams, OAuth cache |
BETTER_AUTH_SECRET | Yes | Session encryption secret |
BETTER_AUTH_URL | Yes | Public URL for auth callbacks |
OAUTH_ISSUER_URL | Prod | AS issuer (e.g. https://api.molar.it) |
MCP_RESOURCE_URL | Prod | MCP resource id (https://mcp.molar.cloud) |
SEAWEEDFS_MASTER | On-prem | Blob store master URL |
GUARD_API_URL | No | Guard worker API (default internal) |
CARTOGRAPHER_API_URL | No | Cartographer API for crawl triggers |
AGENT_SIGNUP_ENABLED | Prod | 1/true to expose /api/v1/agent-signup/* (off in production when unset) |
RESEND_API_KEY | Prod | Verification email for agent signup |
MOLAR_EMAIL_FROM | Prod | from address for agent signup email |
MCP_RESOURCE_URL | Prod | MCP base URL for install links (https://mcp.molar.cloud) |
Billing profile (optional)
| Variable | Description |
|---|---|
LAGO_API_URL | Lago API (local dev: http://localhost:3000) |
LAGO_API_KEY | Lago organization API key |
RAZORPAY_KEY_ID | Razorpay key |
RAZORPAY_KEY_SECRET | Razorpay secret |
STRIPE_SECRET_KEY | Stripe secret (US/EU) |
STRIPE_WEBHOOK_SECRET | Stripe webhook verification |
Lago docker profile also needs LAGO_SECRET_KEY_BASE and LAGO_RSA_PRIVATE_KEY — see control-plane/docker-compose.yml.
All-in-one dashboard
App: @molar/dashboard — default port 3200
| Variable | Required | Default | Description |
|---|---|---|---|
DATABASE_URL | Yes | — | Shared Postgres (auth + org tables) |
BETTER_AUTH_SECRET | Yes | — | Session encryption |
BETTER_AUTH_URL | Yes | — | Public dashboard URL |
PLUMBING_CONTROL_PLANE_URL | Combined mode | — | Molar API proxy target (http://127.0.0.1:3100) |
CARTOGRAPHER_API_URL | No | :8000 | Trace ingest / Cartographer proxy |
GUARD_API_URL | No | :4000 | Guard health probe |
CLONES_CONTROL_URL | No | :8600 | Clones control API |
PLUMBING_LLM_GATEWAY_URL | No | :8787 | LLM metrics probe |
WORKOS_API_KEY | SSO | — | WorkOS SSO/SCIM (optional) |
WORKOS_CLIENT_ID | SSO | — | WorkOS OAuth client |
Standalone mode: unset PLUMBING_CONTROL_PLANE_URL — local routes only.
LLM gateway
App: @molar/llm-gateway — port 8787
| Variable | Required | Description |
|---|---|---|
MOLAR_LLM_SERVICE_KEY | Yes | Service auth for workers |
LITELLM_PROXY_URL | No | Upstream LiteLLM (Cartographer compose: :4000) |
| Provider keys | Managed | Platform vendor keys in compose / secret store — not org-visible |
Workers (Cartographer, etc.):
| Variable | Description |
|---|---|
MOLAR_LLM_BASE_URL | Gateway URL (e.g. http://localhost:8787) |
BFF_JWT_SECRET | dashboard API JWT signing (min 32 chars) |
Agent comms
Package: @molar/agent-comms-core — port 8790
| Variable | Required | Default | Description |
|---|---|---|---|
MOLAR_AGENT_COMMS_API_KEY | Yes | — | Agent comms API key |
MOLAR_AGENT_COMMS_SIGNING_KEY | Yes* | — | Webhook HMAC secret (*required when signature verification on) |
MOLAR_AGENT_COMMS_TUNNEL_NAME | Yes | molar-agent | Tunnel subdomain |
MOLAR_AGENT_COMMS_TUNNEL_ZONE | No | molar.it | Tunnel parent domain |
MOLAR_AGENT_COMMS_API_BASE | No | https://api.molar.it | Agent comms API base |
LISTEN_PORT | No | 8790 | HTTP port |
MOLAR_AGENT_COMMS_REQUIRE_SIGNATURE | No | true | Verify webhook signatures |
OPENAI_API_KEY | OTP/voice | — | LLM OTP extraction / voice demo |
MOLAR_OTP_POLL_SECRET | Prod | — | Bearer secret for /otp/poll |
USE_OPENAI_REALTIME | No | false | Phone WS → OpenAI Realtime bridge |
MCP server (local stdio)
| Variable | Description |
|---|---|
MOLAR_API_URL | Cloud API for --cloud-access tools |
MOLAR_TOKEN | PAT for cloud tools |
Credentials may also live in ~/.config/molar/config.toml; refresh tokens use OS keyring when molar login is available.
Guard / run ingest
| Variable | Description |
|---|---|
MOLAR_INTERNAL_TOKEN | Shared secret for run ingest webhooks |
x-internal-token header | Sent by Guard worker to dashboard ingest route |
Cartographer stack (when paired)
See Cartographer docs for full list. Minimum for LLM routing:
export MOLAR_LLM_BASE_URL=http://localhost:8787
export MOLAR_LLM_SERVICE_KEY=dev-molar-llm-service-key
export BFF_JWT_SECRET=dev-bff-jwt-secret-min-32-characters-long