Configuration
Obsidian’s components are configured through environment variables and flags. This page lists the ones you will commonly set.
Aggregation API (crypto-discovery-api)
| Variable / flag | Purpose |
|---|---|
--listen | HTTP bind address. |
--db | SQLite database path. |
CRYPTO_DISCOVERY_INITIAL_ADMIN_SETUP_TOKEN / --initial-admin-setup-token | One-time token to create the first admin. Generated and logged if omitted on an empty database. |
CRYPTO_DISCOVERY_SECRET_KEY / --secret-key | Base64 32-byte key encrypting stored secrets such as fine-grained PATs. |
CRYPTO_DISCOVERY_PUBLIC_BASE_URL / --public-base-url | Public web origin used for GitHub App redirects. |
--request-timeout | Request lifetime bound. |
--rate-limit-requests / --rate-limit-window | Per-IP request budget and sliding window. |
GitHub onboarding
| Variable | Purpose |
|---|---|
CRYPTO_DISCOVERY_GITHUB_APP_ID | GitHub App identifier. |
CRYPTO_DISCOVERY_GITHUB_APP_SLUG | App slug used to build install links. |
CRYPTO_DISCOVERY_GITHUB_APP_PRIVATE_KEY_PATH / …_PEM | App private key, by path or inline PEM. |
CRYPTO_DISCOVERY_GITHUB_API_BASE_URL | API override for GitHub Enterprise Server or tests. |
CRYPTO_DISCOVERY_GITHUB_ALLOWED_HOSTS | Allowlist for public-repository onboarding (defaults to github.com). |
GitHub App onboarding needs the public base URL, app ID, slug, and a private key.
Fine-grained PAT onboarding additionally needs CRYPTO_DISCOVERY_SECRET_KEY so tokens are
encrypted at rest.
Scanner CLI (crypto-discovery)
| Variable | Purpose |
|---|---|
CRYPTO_DISCOVERY_API_KEY | Node-issued credential for protected upload endpoints. |
Scan flags are covered in the CLI reference. crypto-discovery init
writes node_id, api_key, and upload_url to the user config directory.
Web app
| Variable | Purpose |
|---|---|
CRYPTO_DISCOVERY_API_BASE_URL | Absolute base URL for the backend API. |
CRYPTO_DISCOVERY_ORG | Default organization context. |
CRYPTO_DISCOVERY_CSRF_SECRET | Required in production; a random secret at least 32 bytes long. |
CRYPTO_DISCOVERY_SESSION_COOKIE_NAME | Browser session cookie name. |
CRYPTO_DISCOVERY_SESSION_COOKIE_SECURE | Set Secure on the session cookie (true behind HTTPS). |
Browser mutations flow through session-authenticated proxy routes; the web app needs no shared admin key.
MCP server (crypto-discovery-mcp)
| Variable | Purpose |
|---|---|
CRYPTO_DISCOVERY_MCP_DB | SQLite database path. |
CRYPTO_DISCOVERY_MCP_ORG | Default organization when tool input omits org_name. |
CRYPTO_DISCOVERY_MCP_ALLOWED_ORGS | Organization allowlist — set this for remote deployments. |
CRYPTO_DISCOVERY_MCP_BEARER_TOKEN | Required bearer token for the HTTP transport. |
CRYPTO_DISCOVERY_MCP_LISTEN | HTTP listen address (default 127.0.0.1:8092). |
CRYPTO_DISCOVERY_MCP_ACTOR_EMAIL | Audit actor email for remote calls (default mcp:remote). |
See Connect a coding agent for usage.