From db97a296992e8c3555c47ef0355056565d8cd354 Mon Sep 17 00:00:00 2001 From: Brian Fox Date: Mon, 29 Jun 2026 21:57:42 +0200 Subject: [PATCH] docs(env-vars): document FOREST_EXECUTOR_ENCRYPTION_KEY Add an environment-variables entry for FOREST_EXECUTOR_ENCRYPTION_KEY, the secret that encrypts stored OAuth credentials for OAuth-protected MCP connectors. Operators set it when their deployment connects to such connectors. Refs: PRD-626 Co-Authored-By: Claude Opus 4.8 (1M context) --- get-started/connect/environment-variables.mdx | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/get-started/connect/environment-variables.mdx b/get-started/connect/environment-variables.mdx index 4cd24d9..65f7b0d 100644 --- a/get-started/connect/environment-variables.mdx +++ b/get-started/connect/environment-variables.mdx 
@@ -64,6 +64,32 @@ node -e "console.log(require('crypto').randomBytes(32).toString('hex'))" openssl rand -hex 32 ``` +### FOREST_EXECUTOR_ENCRYPTION_KEY + +Secret key used to encrypt the stored credentials of [OAuth-protected MCP connectors](/get-started/connect/integrations/mcp-servers). Required only when your deployment connects to such connectors. + +```bash +FOREST_EXECUTOR_ENCRYPTION_KEY=your-32-byte-hex-secret +``` + +**Purpose:** +- Encrypts the OAuth credentials of your MCP connectors at rest (AES-256-GCM), in the database of the executor — the service that runs your MCP connectors inside workflows +- Use a **separate** secret from `FOREST_AUTH_SECRET`; do not reuse it +- Read lazily: a deployment that doesn't use OAuth-protected MCP connectors runs fine without it + +**Generate a secure secret:** +```bash +openssl rand -hex 32 +``` + + +If you run several executor instances against the same database, set the **same** `FOREST_EXECUTOR_ENCRYPTION_KEY` on every instance. Otherwise an instance cannot decrypt credentials stored by another, and the affected connector calls will fail. + + + +Treat this key as permanent: there is no managed rotation. Changing it forces every affected user to reconnect their OAuth-protected MCP connectors. + + ### NODE_ENV (Node.js only) Environment mode for Node.js applications.
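Review bot: The placeholder `your-32-byte-hex-secret` in the new `FOREST_EXECUTOR_ENCRYPTION_KEY` example never states the exact format the executor expects, and a reader can take "32-byte hex" to mean 32 hex characters. `openssl rand -hex 32` prints 64 hexadecimal characters (32 bytes, the key size AES-256-GCM needs), so I suggest spelling that out next to the example, for instance "64 hexadecimal characters (32 bytes)", and saying what happens when the value is malformed or has the wrong length. The "Read lazily" bullet has the same gap: it should name the error an operator sees when an OAuth-protected connector is used and the variable is unset. In the closing paragraph, "Treat this key as permanent: there is no managed rotation" gives no guidance for a leaked or lost key. Since the text already says that changing the key forces every affected user to reconnect, add one sentence telling operators to keep the key in their secrets manager with a backup, and to treat "set a new key, then have users reconnect" as the recovery path after a suspected compromise.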