Server
| Variable | Required | Description |
|---|---|---|
| TOOLSHED_API_SECRET | Yes | Bearer token for API authentication |
| BETTER_AUTH_SECRET | Yes | Secret key for Better Auth (min 32 chars). Also used as the encryption key for stored secrets. |
| DATABASE_URL | Yes | Neon Postgres connection string |
| AUTH_BASE_URL | No | Better Auth base URL (default: http://localhost:3000) |
| TRUSTED_ORIGINS | No | Comma-separated list of additional trusted origins for CORS |
OAuth providers
Only providers with both `CLIENT_ID` and `CLIENT_SECRET` set will be registered. All are optional. The connector availability endpoint reports which ones are currently wired up.
github, google, slack, and linear register as Better Auth social providers. quickbooks, gcp, docusign, and carta register via the genericOAuth plugin. The frontend uses different sign-in APIs for each — see Auth Routes.
| Variable | Description |
|---|---|
| GITHUB_CLIENT_ID | GitHub OAuth app client ID |
| GITHUB_CLIENT_SECRET | GitHub OAuth app client secret |
| GOOGLE_CLIENT_ID | Google OAuth client ID |
| GOOGLE_CLIENT_SECRET | Google OAuth client secret |
| SLACK_CLIENT_ID | Slack app client ID |
| SLACK_CLIENT_SECRET | Slack app client secret |
| LINEAR_CLIENT_ID | Linear OAuth app client ID |
| LINEAR_CLIENT_SECRET | Linear OAuth app client secret |
| QUICKBOOKS_CLIENT_ID | QuickBooks OAuth app client ID |
| QUICKBOOKS_CLIENT_SECRET | QuickBooks OAuth app client secret |
| GCP_CLIENT_ID | Google Cloud Platform OAuth client ID. May mirror GOOGLE_CLIENT_ID to reuse the same OAuth client for both Google Workspace and GCP scopes — see OAuth Setup. |
| GCP_CLIENT_SECRET | GCP OAuth client secret |
| DOCUSIGN_CLIENT_ID | DocuSign OAuth app client ID |
| DOCUSIGN_CLIENT_SECRET | DocuSign OAuth app client secret |
| CARTA_CLIENT_ID | Carta OAuth app client ID |
| CARTA_CLIENT_SECRET | Carta OAuth app client secret |
Built-in tool API keys
Built-in tools resolve their credentials via a fall-through to environment variables (see Token Vending). The variable name is `${UPPER(provider).replace(/-/g, "_")}_API_KEY`.
| Variable | Description |
|---|---|
| ATTIO_API_KEY | Attio workspace access token. Create in Attio → Settings → Developers; OAuth is only needed for distributing apps via build.attio.com. |
| BROWSERBASE_API_KEY | Browserbase API key (required for the Browserbase plugin) |
| FIRECRAWL_API_KEY | Firecrawl API key |
| PERPLEXITY_API_KEY | Perplexity API key |
| GRANOLA_API_KEY | Granola API key. Currently unused by the runtime (Granola tokens are user-supplied via the dashboard’s Granola tiles), but reserved as a fallback. Earlier versions of `.env.example` had this misnamed GRANOLIA_API_KEY — fix it if you encounter the typo. |
Web app
| Variable | Default | Description |
|---|---|---|
| VITE_API_URL | http://localhost:3000 | Toolshed server URL |
CLI
| Variable | Default | Description |
|---|---|---|
| TOOLSHED_RUNTIME | local | Runtime backend: local or vercel |
Vercel runtime
Required when `TOOLSHED_RUNTIME=vercel`:
| Variable | Description |
|---|---|
| VERCEL_TEAM_ID | Vercel team ID |
| VERCEL_PROJECT_ID | Vercel project ID |
| VERCEL_TOKEN | Vercel API token |
| TOOLSHED_SNAPSHOT_ID | Optional Vercel sandbox snapshot ID |
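
A preflight check for the rules stated in the sections above (required server variables, the 32-character minimum, paired OAuth credentials, the API key naming rule, the `GRANOLIA_API_KEY` typo, and the Vercel runtime requirements). This is an added example, not Toolshed's own code: `checkEnv`, `apiKeyVar`, and the sample values are hypothetical, and it assumes server and CLI variables are checked from one environment object.

```javascript
// Added example: preflight check for the variables documented on this page.
// checkEnv and apiKeyVar are hypothetical names, not part of Toolshed.
const REQUIRED = ["TOOLSHED_API_SECRET", "BETTER_AUTH_SECRET", "DATABASE_URL"];
const OAUTH = ["github", "google", "slack", "linear", "quickbooks", "gcp", "docusign", "carta"];
const VERCEL = ["VERCEL_TEAM_ID", "VERCEL_PROJECT_ID", "VERCEL_TOKEN"];

// Naming rule from the "Built-in tool API keys" section.
function apiKeyVar(provider) {
  return `${provider.toUpperCase().replace(/-/g, "_")}_API_KEY`;
}

function checkEnv(env) {
  const errors = [], warnings = [], registered = [];
  const isSet = (name) => typeof env[name] === "string" && env[name].trim() !== "";
  for (const name of REQUIRED) if (!isSet(name)) errors.push(`${name} is required`);
  // This secret also encrypts stored secrets, so enforce the documented minimum.
  if (isSet("BETTER_AUTH_SECRET") && env.BETTER_AUTH_SECRET.length < 32) {
    errors.push("BETTER_AUTH_SECRET must be at least 32 characters");
  }
  // A provider registers only when both halves are set; one half alone is
  // reported as a warning so the missing provider is not a silent surprise.
  for (const p of OAUTH) {
    const id = `${p.toUpperCase()}_CLIENT_ID`;
    const secret = `${p.toUpperCase()}_CLIENT_SECRET`;
    if (isSet(id) && isSet(secret)) registered.push(p);
    else if (isSet(id) || isSet(secret)) warnings.push(`${p}: set both ${id} and ${secret}`);
  }
  if (isSet("GRANOLIA_API_KEY") && !isSet(apiKeyVar("granola"))) {
    warnings.push("GRANOLIA_API_KEY is a typo; rename it to GRANOLA_API_KEY");
  }
  if (env.TOOLSHED_RUNTIME === "vercel") {
    for (const name of VERCEL) {
      if (!isSet(name)) errors.push(`${name} is required when TOOLSHED_RUNTIME=vercel`);
    }
  }
  return { ok: errors.length === 0, errors, warnings, registered };
}

// Constructed sample values, not real credentials.
const sampleEnv = {
  TOOLSHED_API_SECRET: "example-token",
  BETTER_AUTH_SECRET: "too-short",
  DATABASE_URL: "postgres://user:pass@db.example.invalid/app",
  GITHUB_CLIENT_ID: "id", GITHUB_CLIENT_SECRET: "secret",
  SLACK_CLIENT_ID: "id-only",
  GRANOLIA_API_KEY: "x",
  TOOLSHED_RUNTIME: "vercel",
};
console.log(checkEnv(sampleEnv));
```

Pass `process.env` to `checkEnv` at startup and refuse to boot when `ok` is false.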