Reference

Configuration reference

Maskin is configured through environment variables. Only DATABASE_URL is strictly required to boot; everything else has sensible dev defaults and is opt-in for production and integrations.

i In this monorepo, env vars must be declared in turbo.json's globalPassThroughEnv or they're filtered out of builds. This page lists the runtime variables; check the repo for the current canonical list.

Core

Variable	Default	Purpose
`DATABASE_URL`	—	Required. PostgreSQL connection string.
`POSTGRES_URL`	—	Optional override for `DATABASE_URL`.
`DATABASE_URL_DIRECT`	—	Non-pooled connection for PG LISTEN/NOTIFY when you run behind a pooler.
`PORT`	`3000`	API server port.
`NODE_ENV`	—	Set to `production` for prod builds (logging, error handling).
`MASKIN_AUTO_BOOTSTRAP`	`true`	Auto-create a dev actor, workspace, and API key on a fresh DB. Set `false` to disable.

Object storage (S3-compatible)

Variable	Default	Purpose
`S3_ENDPOINT`	`http://localhost:8333`	S3 endpoint (SeaweedFS in dev; any S3-compatible store in prod).
`S3_BUCKET`	`agent-files`	Bucket name.
`S3_ACCESS_KEY` · `S3_SECRET_KEY`	`admin`	Credentials.
`S3_REGION`	`us-east-1`	Region.

Integrations

Variable	Purpose
`INTEGRATION_ENCRYPTION_KEY`	32-byte hex (64 chars) for encrypting stored OAuth tokens (auto-generated by `pnpm dev`).
`GITHUB_APP_ID`, `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET`, `GITHUB_APP_WEBHOOK_SECRET`, `GITHUB_APP_PRIVATE_KEY`, `GITHUB_APP_SLUG`	GitHub App / OAuth credentials.
`SLACK_CLIENT_ID`, `SLACK_CLIENT_SECRET`, `SLACK_SIGNING_SECRET`, `MASKIN_MACHINE_ICON_URL`	Slack OAuth + signing; optional agent avatar URL.
`LINEAR_CLIENT_ID`, `LINEAR_CLIENT_SECRET`, `LINEAR_WEBHOOK_SECRET`	Linear OAuth + webhook signing.
`GMAIL_CLIENT_ID`, `GMAIL_CLIENT_SECRET`, `GMAIL_PUBSUB_TOPIC`, `GMAIL_PUBSUB_AUDIENCE`, `GMAIL_PUBSUB_SERVICE_ACCOUNT`	Gmail OAuth + Pub/Sub push config.

Full per-provider setup is on the Integrations setup page.

LLM

The Anthropic API key and any workspace custom-LLM endpoint are configured in the app (Settings → Integrations / LLM keys), stored encrypted per workspace — not via environment. The environment only configures the optional system fallback used when a workspace has no model configured:

Variable	Default	Purpose
`MASKIN_FALLBACK_OPENROUTER_KEY`	—	Enables the OpenRouter-based fallback model.
`MASKIN_FALLBACK_BASE_URL`	`https://openrouter.ai/api`	Fallback provider base URL.
`MASKIN_FALLBACK_MODEL` · `MASKIN_FALLBACK_SMALL_MODEL`	`deepseek/deepseek-v4-flash`	Fallback main / small models.
`MASKIN_FALLBACK_DAILY_TOKEN_LIMIT`	`550000`	Per-actor daily token cap on the fallback.

Agent execution

Variable	Default	Purpose
`AGENT_BASE_IMAGE`	`agent-base:latest`	OCI image for agent sessions; use a full registry path in prod.
`AGENT_SERVERS`	—	Comma-separated `url\|secret` list to distribute sessions to remote agent servers.
`AGENT_SERVER_SECRET` · `MASKIN_AGENT_SERVER_PUBLIC_HOST` · `AGENT_SERVER_MAX_SESSIONS`	—	Agent-server auth, public host, and concurrency cap.
`AGENT_SESSION_ROOT`	—	Root directory for agent session storage.
`WARM_POOL_IMAGE` · `WARM_POOL_REFRESH_MINUTES`	—	Warm-pool image and refresh interval to cut cold starts.
`MASKIN_BACKEND_URL`	`http://host.docker.internal:3000`	Backend URL injected into agent containers.

Security & network

Variable	Default	Purpose
`WEBHOOK_BASE_URL`	—	Public base URL providers call back to (`/api/webhooks/<provider>`).
`CORS_ORIGIN`	`http://localhost:5173`	Comma-separated allowed origins.
`TRUSTED_PROXY_CIDRS`	`127.0.0.1/32,::1/128`	CIDRs allowed to set `X-Forwarded-For` (set to your CDN/proxy in prod).
`FRONTEND_URL` · `API_BASE_URL`	—	Frontend URL for redirects; backend URL for MCP agents.

Analytics (optional)

Variable	Default	Purpose
`POSTHOG_API_KEY` · `POSTHOG_HOST`	· `https://eu.i.posthog.com`	Backend analytics (runtime telemetry).
`VITE_POSTHOG_KEY` · `VITE_POSTHOG_HOST`	· `https://eu.i.posthog.com`	Frontend analytics (blank in dev → console only).