Closed
26 changes: 26 additions & 0 deletions get-started/connect/environment-variables.mdx
Expand Up @@ -64,6 +64,32 @@ node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
openssl rand -hex 32
```

### FOREST_EXECUTOR_ENCRYPTION_KEY

Secret key used to encrypt the stored credentials of [OAuth-protected MCP connectors](/get-started/connect/integrations/mcp-servers). Required only when your deployment connects to such connectors.

```bash
FOREST_EXECUTOR_ENCRYPTION_KEY=your-32-byte-hex-secret
```

**Purpose:**
- Encrypts the OAuth credentials of your MCP connectors at rest (AES-256-GCM), in the database of the executor — the service that runs your MCP connectors inside workflows
- Use a **separate** secret from `FOREST_AUTH_SECRET`; do not reuse it
- Read lazily: a deployment that doesn't use OAuth-protected MCP connectors runs fine without it

**Generate a secure secret:**
```bash
openssl rand -hex 32
```

<Note>
If you run several executor instances against the same database, set the **same** `FOREST_EXECUTOR_ENCRYPTION_KEY` on every instance. Otherwise an instance cannot decrypt credentials stored by another, and the affected connector calls will fail.
</Note>

<Warning>
Treat this key as permanent: there is no managed rotation. Changing it forces every affected user to reconnect their OAuth-protected MCP connectors.
</Warning>

### NODE_ENV (Node.js only)

Environment mode for Node.js applications.
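
Review bot: The expected key format is never stated in the `FOREST_EXECUTOR_ENCRYPTION_KEY` example or the "Generate a secure secret" step. The placeholder reads `your-32-byte-hex-secret` while `openssl rand -hex 32` prints 64 hexadecimal characters, so a reader cannot tell whether the value is hex-decoded to the 32 bytes AES-256-GCM needs, or what happens with a value of another length. Suggest stating the format explicitly (for example "64 hexadecimal characters, i.e. 32 bytes") and describing how the executor reacts to a missing or malformed key, since the "Read lazily" bullet implies the error only surfaces when an OAuth-protected connector is first used. The Warning could also say what to do when the key is lost or exposed, given that changing it forces every affected user to reconnect, and recommend keeping the value in a secret manager rather than a committed env file.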