diff --git a/get-started/connect/environment-variables.mdx b/get-started/connect/environment-variables.mdx index 4cd24d9..65f7b0d 100644 --- a/get-started/connect/environment-variables.mdx +++ b/get-started/connect/environment-variables.mdx @@ -64,6 +64,32 @@ node -e "console.log(require('crypto').randomBytes(32).toString('hex'))" openssl rand -hex 32 ``` +### FOREST_EXECUTOR_ENCRYPTION_KEY + +Secret key used to encrypt the stored credentials of [OAuth-protected MCP connectors](/get-started/connect/integrations/mcp-servers). Required only when your deployment connects to such connectors. + +```bash +FOREST_EXECUTOR_ENCRYPTION_KEY=your-32-byte-hex-secret +``` + +**Purpose:** +- Encrypts the OAuth credentials of your MCP connectors at rest (AES-256-GCM), in the database of the executor — the service that runs your MCP connectors inside workflows +- Use a **separate** secret from `FOREST_AUTH_SECRET`; do not reuse it +- Read lazily: a deployment that doesn't use OAuth-protected MCP connectors runs fine without it + +**Generate a secure secret:** +```bash +openssl rand -hex 32 +``` + + +If you run several executor instances against the same database, set the **same** `FOREST_EXECUTOR_ENCRYPTION_KEY` on every instance. Otherwise an instance cannot decrypt credentials stored by another, and the affected connector calls will fail. + + + +Treat this key as permanent: there is no managed rotation. Changing it forces every affected user to reconnect their OAuth-protected MCP connectors. + + ### NODE_ENV (Node.js only) Environment mode for Node.js applications.
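Review bot: In the `FOREST_EXECUTOR_ENCRYPTION_KEY=your-32-byte-hex-secret` example, the expected format of the value is ambiguous. `openssl rand -hex 32` prints 64 hexadecimal characters that encode 32 bytes, so a reader could reasonably paste a 32-character value instead. Suggest stating the length explicitly, for example "64 hexadecimal characters (32 bytes, the AES-256 key size)", and documenting what happens when the value has the wrong length. Two smaller points in the same section: the "Read lazily" bullet implies that a missing key shows up only when an OAuth-protected connector is first used rather than at startup, which is worth saying outright along with the symptom to look for. The "no managed rotation" paragraph covers a deliberate change but not a lost or exposed key, so a sentence on where to store the key and on the recovery path (users reconnecting their connectors) would complete it.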