Use this file to discover all available pages before exploring further.
Environment variables configure the server daemon, CLI behavior, and runtime sandboxing. Variables prefixed OMNIGENT_ are Omnigent-specific; model credentials use provider-native names recognized by the underlying harness SDKs. Most variables have sensible defaults for local development — only deployments that need auth, a remote database, or cloud sandboxes need to set them.
The CLI stores model credentials in the OS keychain via omnigent setup. Environment variables are a convenient override for CI/automated environments where the keychain is not available.
Variables that control server daemon behavior. Set these when running omnigent server or in docker-compose.yaml.
Variable
Default
Description
PORT / OMNIGENT_PORT
6767
TCP port the server listens on. OMNIGENT_PORT is used by Docker Compose; PORT by some platform environments.
OMNIGENT_AUTH_ENABLED
0 (local), 1 (Docker)
Master auth switch. 1 enables accounts or OIDC auth. 0 uses header mode with a single "local" user.
OMNIGENT_AUTH_PROVIDER
(auto-detected)
Explicit auth mode override: accounts, oidc, or header. When not set, the mode is auto-detected from OMNIGENT_OIDC_ISSUER (sets OIDC) or falls back to accounts.
OMNIGENT_LOCAL_SINGLE_USER
(auto-set)
Set to 1 automatically for loopback-bound servers in header mode; prevents 401s on headerless local traffic. Typically not set manually.
DATABASE_URL
sqlite:///<data-dir>/chat.db
SQLAlchemy database URL. Supports sqlite:/// and postgresql:///postgres://.
OMNIGENT_DATABASE_URI
(same as DATABASE_URL)
Alternative name for the database URI recognized by the daemon’s environment allowlist.
OMNIGENT_CONFIG_HOME
~/.omnigent
Override the user-level config home directory. Tests and CI use this to isolate per-invocation config from the developer’s real ~/.omnigent. Not typically needed in production.
OMNIGENT_DATA_DIR
~/.omnigent
Override the per-user state directory (config, pidfiles, logs, session state). Used internally for test isolation and git-worktree scenarios; not typically set manually in production.
OMNIGENT_CONFIG
<data_dir>/config.yaml
Path to the server’s YAML config file (admins, allowed_domains, policy_modules, artifact_location, etc.).
OMNIGENT_SERVER_SHUTDOWN_TIMEOUT_S
30
Seconds Uvicorn waits for active WebSocket / SSE connections to drain after SIGTERM before force-closing them.
OMNIGENT_RUNNER_TUNNEL_TOKEN
—
Pre-shared token that binds a specific runner’s tunnel at server startup. Used by the daemon’s local-server spawn path; typically not set manually.
OMNIGENT_ADMIN_LIST_PATH
<data_dir>/admins
Path to a plaintext file of admin identities (union’d with the config’s admins: list).
Active when OMNIGENT_AUTH_ENABLED=1 and no OIDC issuer is set (or OMNIGENT_AUTH_PROVIDER=accounts).
Variable
Default
Description
OMNIGENT_ACCOUNTS_COOKIE_SECRET
(auto-generated)
32-byte hex cookie secret. bootstrap.sh generates this; or openssl rand -hex 32. Persisted to the artifact dir on auto-generate so it survives restarts.
OMNIGENT_ACCOUNTS_BASE_URL
http://<host>:<port>
Public URL where users reach the server. Used to build magic-redeem URLs and to decide whether session cookies use the __Host- prefix. Must be set for any deploy behind a public domain.
OMNIGENT_ACCOUNTS_INIT_ADMIN_PASSWORD
—
Pre-seed the initial admin password non-interactively. Only takes effect on the very first boot; ignored with a warning if an admin already exists. Equivalent to omnigent server --admin-password.
OMNIGENT_ACCOUNTS_SESSION_TTL_HOURS
8
Session cookie lifetime in hours.
OMNIGENT_ACCOUNTS_INVITE_TTL_HOURS
72
Invite link lifetime in hours.
OMNIGENT_ACCOUNTS_MAGIC_TTL_MINUTES
10
Magic-redeem link lifetime in minutes.
OMNIGENT_ACCOUNTS_AUTO_OPEN
1
When 1, opens the magic-redeem URL in the browser on first boot. Set to 0 for headless / SSH / Docker deployments.
Active when OMNIGENT_AUTH_ENABLED=1 and OMNIGENT_OIDC_ISSUER is set (or OMNIGENT_AUTH_PROVIDER=oidc).
Variable
Default
Description
OMNIGENT_OIDC_ISSUER
—
OIDC provider issuer URL, e.g. https://accounts.google.com, https://github.com, or your Okta/Entra/Keycloak URL. The presence of this variable (with auth enabled) selects OIDC mode automatically.
OMNIGENT_OIDC_CLIENT_ID
—
OAuth app client ID from your identity provider.
OMNIGENT_OIDC_CLIENT_SECRET
—
OAuth app client secret from your identity provider.
OMNIGENT_OIDC_COOKIE_SECRET
—
32-byte hex cookie secret for OIDC sessions. bootstrap.sh generates this.
OMNIGENT_DOMAIN
—
Your server’s public domain (e.g. agents.yourcompany.com). Used to derive the OIDC callback URL (https://<domain>/auth/callback). Register this URL as the callback in your IdP app.
OMNIGENT_OIDC_ALLOWED_DOMAINS
—
Comma-separated list of email domains allowed to sign in, e.g. example.com,subsidiary.example.com. Union’d with the config’s allowed_domains: list and the <data_dir>/allowed_domains file.
OMNIGENT_OIDC_ALLOWED_DOMAINS_PATH
<data_dir>/allowed_domains
Override path for the allowed-domains file.
OMNIGENT_OIDC_SCOPES
openid email profile
OIDC scopes to request. Override only if your provider requires non-standard scopes.
OMNIGENT_OIDC_SESSION_TTL_HOURS
8
OIDC session cookie lifetime in hours.
OMNIGENT_OIDC_LOGOUT_REDIRECT_URI
—
URL to redirect to after OIDC logout.
OMNIGENT_OIDC_ALLOW_INVITES
—
Set to 1 to enable single-use invite links (POST /auth/invite) for letting external collaborators in past ALLOWED_DOMAINS.
Passed through to harness SDKs. The CLI stores these in the OS keychain via omnigent setup; set them as environment variables to override or for CI environments.
Variable
Description
ANTHROPIC_API_KEY
Anthropic API key for Claude SDK and Claude-native harnesses.
ANTHROPIC_AUTH_TOKEN
Alternative bearer token for Anthropic API access.
ANTHROPIC_BASE_URL
Override the Anthropic API base URL (e.g. for a gateway proxy).
CLAUDE_CODE_OAUTH_TOKEN
Long-lived OAuth token for Claude Code (from claude setup-token). Used when authenticating via a Claude subscription instead of an API key.
OPENAI_API_KEY
OpenAI API key for the OpenAI Agents and Codex harnesses.
OPENAI_BASE_URL
Override the OpenAI API base URL (e.g. for an OpenAI-compatible gateway).
CODEX_ACCESS_TOKEN
Codex access token for ChatGPT Business/Enterprise plan users.
Required when using cloud sandboxes for managed host sessions.
Daytona
Install: pip install 'omnigent[daytona]'
Variable
Description
DAYTONA_API_KEY
Daytona API key for provisioning cloud sandboxes.
OMNIGENT_DAYTONA_HOST_IMAGE
Override the host image used for Daytona sandboxes. Defaults to the official prebaked host image.
Modal
Install: pip install 'omnigent[modal]'Modal credentials are configured with modal token new (stores ~/.modal.toml) or via the variables below for server-side managed sandboxes.
Variable
Description
MODAL_TOKEN_ID
Modal token ID for server-side sandbox provisioning.
MODAL_TOKEN_SECRET
Modal token secret.
OMNIGENT_MODAL_HOST_IMAGE
Override the Modal host image ref for CLI-launched sandboxes.
OMNIGENT_MODAL_REGISTRY_SECRET
Name of a Modal secret holding REGISTRY_USERNAME / REGISTRY_PASSWORD for private registries.
OpenTelemetry OTLP endpoint. When set, the server initializes OpenTelemetry observability. No-op when unset.
MLflow tracing support is available via the omnigent[tracing] extra. After installing it, traces are emitted automatically when MLFLOW_TRACKING_URI is configured and the omnigent[tracing] package is present.
These variables are used internally by the CLI and daemon process management. They are not typically set manually.
Variable
Description
OMNIGENT_CLAUDE_STARTUP_PROFILE
Set to 1 to print Claude startup timing marks to stderr. Equivalent to omnigent claude --profile-startup.
OMNIGENT_RUNNER_ENV_PASSTHROUGH
Comma-separated list of extra environment variable names the host should forward to runner subprocesses, e.g. NAME1,NAME2. Useful for gateway credentials or custom vars beyond the standard set when using managed sandboxes.
RUNNER_SERVER_URL
Server URL injected into runner subprocess environments by the CLI.
