Configuration Reference

Complete environment variable reference for all MCP Hub Platform services, organized by component.

6 min read

This page documents every environment variable used across the MCP Hub Platform. Variables are organized by the service they configure. All services read configuration from environment variables; there are no separate configuration files for the server-side components.

Hub Web Server

The hub web server (mcp-hub web) serves the dashboard, REST API, and handles authentication.

Server

Variable	Required	Default	Description
`SERVER_HOST`	No	`0.0.0.0`	HTTP listen address
`SERVER_PORT`	No	`8080`	HTTP listen port
`APP_ENV`	No	`production`	Environment: `development` or `production`
`ENV`	No	`production`	Alias for `APP_ENV`
`LOG_LEVEL`	No	`info`	Log verbosity: `debug`, `info`, `warn`, `error`
`TRUSTED_ORIGINS`	No	–	Comma-separated list of trusted origins for CORS/CSRF

Database

Variable	Required	Default	Description
`DATABASE_URL`	Yes*	–	Full PostgreSQL connection string (preferred)
`DB_HOST`	Yes*	`localhost`	PostgreSQL host
`DB_PORT`	Yes*	`5432`	PostgreSQL port
`DB_USER`	Yes*	`mcphub`	PostgreSQL user
`DB_PASSWORD`	Yes*	–	PostgreSQL password
`DB_NAME`	Yes*	`mcphub`	Database name
`DB_SSLMODE`	No	`disable`	SSL mode: `disable`, `require`, `verify-full`

*Either DATABASE_URL or the individual DB_* variables must be set.

Redis

Variable	Required	Default	Description
`REDIS_URL`	Yes*	–	Full Redis connection string (preferred)
`REDIS_HOST`	Yes*	`localhost`	Redis host
`REDIS_PORT`	Yes*	`6379`	Redis port
`REDIS_PASSWORD`	No	–	Redis password
`REDIS_DB`	No	`0`	Redis database number

Redis Port

The Docker Compose setup uses port 6390, not the default 6379. When using REDIS_URL, ensure the port matches: redis://redis:6390.

S3 / Object Storage

Variable	Required	Default	Description
`S3_ENDPOINT`	Yes	–	S3 endpoint URL (e.g., `http://minio:9000`)
`S3_ACCESS_KEY_ID`	Yes	–	S3 access key
`S3_SECRET_ACCESS_KEY`	Yes	–	S3 secret key
`S3_REGION`	No	`us-east-1`	S3 region
`S3_BUCKET`	No	`mcp-hub-sources`	Bucket for source code uploads
`S3_BUCKET_SOURCES`	No	`mcp-hub-sources`	Bucket for source tarballs
`S3_BUCKET_ANALYSIS`	No	`mcp-hub-analysis`	Bucket for analysis results
`S3_USE_PATH_STYLE`	No	`false`	Use path-style URLs (required for MinIO)

AMQP / Message Queue

Variable	Required	Default	Description
`AMQP_URL`	Yes	–	AMQP connection string (e.g., `amqp://guest:guest@lavinmq:5672/`)
`AMQP_EXCHANGE`	No	`mcp.jobs`	AMQP exchange name for job distribution

Authentication (Auth0)

Variable	Required	Default	Description
`AUTH0_DOMAIN`	Yes	–	Auth0 tenant domain (e.g., `your-tenant.auth0.com`)
`AUTH0_CLIENT_ID`	Yes	–	Auth0 application client ID
`AUTH0_CLIENT_SECRET`	Yes	–	Auth0 application client secret
`AUTH0_CALLBACK_URL`	Yes	–	OAuth callback URL (e.g., `https://hub.example.com/auth/callback`)
`AUTH0_AUDIENCE`	No	–	Auth0 API audience
`SESSION_SECRET`	Yes	–	Session encryption key (minimum 32 characters)

Billing (Stripe)

Variable	Required	Default	Description
`STRIPE_SECRET_KEY`	No	–	Stripe API secret key
`STRIPE_PUBLISHABLE_KEY`	No	–	Stripe publishable key (for frontend)
`STRIPE_WEBHOOK_SECRET`	No	–	Stripe webhook signing secret
`STRIPE_PRICE_PRO_MONTHLY`	No	–	Stripe Price ID for PRO monthly plan
`STRIPE_PRICE_PRO_YEARLY`	No	–	Stripe Price ID for PRO yearly plan

Registry Integration

Variable	Required	Default	Description
`REGISTRY_URL`	Yes	–	Internal registry URL (e.g., `http://registry:8081`)
`REGISTRY_SERVICE_TOKEN`	Yes	–	Service token for hub-to-registry API calls
`REGISTRY_TIMEOUT`	No	`60s`	Timeout for registry API calls

Git OAuth (Optional)

Variable	Required	Default	Description
`GITHUB_OAUTH_CLIENT_ID`	No	–	GitHub OAuth app client ID
`GITHUB_OAUTH_CLIENT_SECRET`	No	–	GitHub OAuth app client secret
`GITHUB_TOKEN`	No	–	GitHub PAT for repository ingestion
`GITLAB_OAUTH_CLIENT_ID`	No	–	GitLab OAuth app client ID
`GITLAB_OAUTH_CLIENT_SECRET`	No	–	GitLab OAuth app client secret

Administration

Variable	Required	Default	Description
`ADMIN_USERS`	No	–	Comma-separated email addresses of platform administrators
`SKIP_MIGRATIONS`	No	`false`	Skip database migrations on startup

Hub Workers

Hub workers (ingest-worker and results-worker) share the same image as the web server and use the same database, Redis, S3, and AMQP variables listed above. Additional worker-specific variables:

Ingestion Worker

Variable	Required	Default	Description
`WORKER_WORKSPACE`	No	`/workspace`	Directory for temporary code processing
`WORKER_MAX_CONCURRENT`	No	`10`	Maximum concurrent ingestion jobs
`WORKER_POLL_INTERVAL`	No	`10s`	Polling interval for new jobs
`WORKER_CONCURRENCY`	No	`2`	Number of concurrent worker goroutines
`WORKER_PREFETCH`	No	`1`	AMQP prefetch count

Results Worker

The results worker uses the same base configuration as the web server. It has no additional variables beyond the standard database, Redis, S3, AMQP, and registry settings.

Scan Worker

The scan worker (mcp-scan worker) processes security analysis jobs.

Variable	Alias	Required	Default	Description
`AMQP_URL`	`MCP_SCAN_WORKER_AMQP_URL`	Yes	–	AMQP connection string
`S3_ENDPOINT`	`MCP_SCAN_WORKER_S3_ENDPOINT`	Yes	–	S3 endpoint URL
`S3_ACCESS_KEY_ID`	`MCP_SCAN_WORKER_S3_ACCESS_KEY`	Yes	–	S3 access key
`S3_SECRET_ACCESS_KEY`	`MCP_SCAN_WORKER_S3_SECRET_KEY`	Yes	–	S3 secret key
`S3_BUCKET_SOURCES`	`MCP_SCAN_WORKER_S3_BUCKET_SOURCES`	No	`mcp-hub-sources`	Bucket for source tarballs
`S3_BUCKET_ANALYSIS`	`MCP_SCAN_WORKER_S3_BUCKET_ANALYSIS`	No	`mcp-hub-analysis`	Bucket for analysis results
`S3_REGION`	`MCP_SCAN_WORKER_S3_REGION`	No	`us-east-1`	S3 region
`SCAN_MODE`	`MCP_SCAN_WORKER_SCAN_MODE`	No	`deep`	Analysis mode: `fast` or `deep`
`SCAN_TIMEOUT`	`MCP_SCAN_WORKER_SCAN_TIMEOUT`	No	`30m`	Maximum time per analysis
`MAX_CONCURRENT`	`MCP_SCAN_WORKER_MAX_CONCURRENT`	No	`5`	Maximum concurrent analyses
`LOG_LEVEL`	`MCP_SCAN_WORKER_LOG_LEVEL`	No	`info`	Log verbosity
`MCP_SCAN_WORKER_HEALTH_PORT`	–	No	`8083`	Health check endpoint port

The scan worker accepts both standard environment variable names and MCP_SCAN_WORKER_ prefixed names. Standard names take precedence when both are set.

Registry

The registry (mcp-registry) handles artifact storage and distribution.

Server

Variable	Required	Default	Description
`MCP_REGISTRY_SERVER_LISTEN`	No	`:8081`	Listen address and port
`MCP_REGISTRY_LOGGING_JSON`	No	`false`	Enable JSON structured logging

Database

Variable	Required	Default	Description
`MCP_REGISTRY_DB_DSN`	Yes	–	PostgreSQL connection string for the `mcp_registry` database

Storage

Variable	Required	Default	Description
`MCP_REGISTRY_STORAGE_TYPE`	No	`s3`	Storage backend: `s3` or `filesystem`
`MCP_REGISTRY_STORAGE_S3_BUCKET`	Yes	–	S3 bucket for artifact storage
`MCP_REGISTRY_STORAGE_S3_REGION`	No	`us-east-1`	S3 region
`MCP_REGISTRY_STORAGE_S3_ENDPOINT`	Yes	–	S3 endpoint URL
`MCP_REGISTRY_STORAGE_S3_ACCESS_KEY`	Yes	–	S3 access key
`MCP_REGISTRY_STORAGE_S3_SECRET_KEY`	Yes	–	S3 secret key

Authentication

Variable	Required	Default	Description
`MCP_REGISTRY_AUTH_MODE`	No	`oss`	Auth mode: `oss` (self-contained JWT) or `enterprise` (external OIDC)
`MCP_REGISTRY_AUTH_OSS_ISSUER`	No	`mcp-registry-oss`	JWT issuer for OSS mode
`MCP_REGISTRY_AUTH_OSS_AUDIENCE`	No	`mcp-registry`	JWT audience for OSS mode
`MCP_REGISTRY_AUTH_OSS_ISSUER_SECRET`	Yes*	–	JWT signing secret for OSS mode
`MCP_REGISTRY_AUTH_OSS_ENABLE_BASIC`	No	`false`	Enable HTTP Basic auth (OSS mode)

*Required when MCP_REGISTRY_AUTH_MODE is oss.

Access Control

Variable	Required	Default	Description
`MCP_REGISTRY_PUBLIC_READ_CATALOG`	No	`false`	Allow unauthenticated catalog browsing
`MCP_REGISTRY_PUBLIC_DOWNLOAD_ARTIFACTS`	No	`false`	Allow unauthenticated artifact downloads
`MCP_REGISTRY_REPO_POLICY_ALLOW_DOMAINS`	No	–	Allowed publisher domains (`*` for all)

Infrastructure Defaults

PostgreSQL

Variable	Default in Docker Compose	Description
`POSTGRES_USER`	`mcphub`	Database superuser
`POSTGRES_PASSWORD`	(see compose file)	Superuser password
`POSTGRES_DB`	`mcphub`	Default database

The PostgreSQL init scripts (in postgres-init/) create two databases: mcphub (for the hub) and mcp_registry (for the registry).

MinIO

Variable	Default in Docker Compose	Description
`MINIO_ROOT_USER`	`minioadmin`	MinIO admin username
`MINIO_ROOT_PASSWORD`	`minioadmin`	MinIO admin password

Three buckets are created by the minio-init container: mcp-hub-sources, mcp-hub-analysis, and mcp-registry.

Redis

Redis is configured via command-line arguments in the Docker Compose file:

command: ["redis-server", "--port", "6390"]

No environment variables are needed for the Redis server itself.

LavinMQ

Variable	Default in Docker Compose	Description
`LAVINMQ_DEFAULT_USER`	`guest`	Default AMQP user
`LAVINMQ_DEFAULT_PASS`	`guest`	Default AMQP password

Environment Variable Precedence

When the same setting can be configured through multiple variables (e.g., the scan worker’s aliases), the precedence order is:

Standard name (e.g., AMQP_URL)
Prefixed name (e.g., MCP_SCAN_WORKER_AMQP_URL)
Default value

For the hub services, DATABASE_URL takes precedence over individual DB_* variables.

Security Notes

Never commit .env files containing real credentials to version control
Use Docker Compose .env files only for local development
In production (Kubernetes), use Secrets or an external secrets manager
Rotate tokens and passwords periodically, especially the REGISTRY_SERVICE_TOKEN and SESSION_SECRET
Set DB_SSLMODE=require or verify-full when connecting to remote databases
The AUTH0_CALLBACK_URL must match exactly what is configured in your Auth0 application settings