Every Nora deployment is configured through environment variables. Start by copying .env.example to .env in your project root, then replace all <REPLACE_...> placeholders with real values before starting the stack. The sections below describe every variable Nora reads, grouped by function.
Generate cryptographic secrets with the following command. Never reuse secrets across deployments or commit them to version control.
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Required

These three variables must be set before the stack will start. Without them, JWTs cannot be signed, stored credentials cannot be encrypted, and NextAuth cannot construct correct redirect URLs.
| Variable | Required | Default | Description |
|---|---|---|---|
| JWT_SECRET | Yes | | Secret used to sign all JWTs. Minimum 32 characters. Generate with the command above. |
| ENCRYPTION_KEY | Yes | | 32-byte hex key (64 hex characters) for AES-256-GCM encryption of stored credentials. Generate with the command above. |
| NEXTAUTH_URL | Yes | http://localhost:8080 | The canonical browser-facing URL of your Nora deployment. Set to your public https:// URL when exposing on a domain. |

Bootstrap admin account

These two optional variables seed a first administrator account on the very first boot. They are ignored on subsequent starts once the account exists. Both must be set together — setting only one has no effect.
| Variable | Required | Default | Description |
|---|---|---|---|
| DEFAULT_ADMIN_EMAIL | No | | Email address for the bootstrap admin account. |
| DEFAULT_ADMIN_PASSWORD | No | | Password for the bootstrap admin account. Minimum 12 characters. No insecure defaults are accepted. |

Do not set a weak or well-known password here. This account has full operator access from the moment the database is seeded.

Access and URL

These variables control the nginx configuration file used and which port the reverse proxy listens on.
| Variable | Required | Default | Description |
|---|---|---|---|
| NGINX_CONFIG_FILE | No | nginx.conf | Nginx configuration file to mount. Use nginx.conf for local-only mode and nginx.public.conf for public-domain mode. |
| NGINX_HTTP_PORT | No | 8080 | Host port mapped to the nginx HTTP listener. Use 8080 locally and 80 when deploying on a public domain. |

OAuth

OAuth login is disabled by default. Set OAUTH_LOGIN_ENABLED=true and NEXT_PUBLIC_OAUTH_LOGIN_ENABLED=true along with your provider credentials to enable it. You must complete provider verification in the respective developer consoles before these values take effect.
| Variable | Required | Default | Description |
|---|---|---|---|
| OAUTH_LOGIN_ENABLED | No | false | Set to true to activate OAuth login buttons in the backend. |
| NEXT_PUBLIC_OAUTH_LOGIN_ENABLED | No | false | Set to true to display OAuth login buttons in the frontend. |
| GOOGLE_CLIENT_ID | No | | OAuth 2.0 client ID from Google Cloud Console. |
| GOOGLE_CLIENT_SECRET | No | | OAuth 2.0 client secret from Google Cloud Console. |
| GITHUB_CLIENT_ID | No | | OAuth App client ID from GitHub Developer Settings. |
| GITHUB_CLIENT_SECRET | No | | OAuth App client secret from GitHub Developer Settings. |
| NEXTAUTH_SECRET | No | | Secret used by NextAuth.js for session encryption. Required when OAuth is enabled. Generate with the command above. |

Platform mode

| Variable | Required | Default | Description |
|---|---|---|---|
| PLATFORM_MODE | No | selfhosted | Operating mode. selfhosted uses operator-defined resource limits with no billing. paas enables Stripe billing and locks resources to subscription plan tiers. See Platform modes for full details. |

Self-hosted resource limits

These variables are only read when PLATFORM_MODE=selfhosted. They define the maximum resources any single user can request when deploying an agent.
| Variable | Required | Default | Description |
|---|---|---|---|
| MAX_VCPU | No | 16 | Maximum vCPUs a user may allocate to a single agent. |
| MAX_RAM_MB | No | 32768 | Maximum RAM in megabytes a user may allocate to a single agent. |
| MAX_DISK_GB | No | 500 | Maximum disk space in gigabytes a user may allocate to a single agent. |
| MAX_AGENTS | No | 50 | Maximum number of agents a single user may deploy. |

Billing / Stripe

These variables are only read when PLATFORM_MODE=paas. See Platform modes for a full explanation of PaaS mode.
| Variable | Required | Default | Description |
|---|---|---|---|
| BILLING_ENABLED | No | false | Set to true to enforce Stripe subscription limits. When false in PaaS mode, deployments are unlimited. |
| STRIPE_SECRET_KEY | No | | Stripe secret key. Use sk_test_... for testing and sk_live_... for production. |
| STRIPE_WEBHOOK_SECRET | No | | Stripe webhook signing secret (whsec_...) for verifying incoming webhook events. |
| STRIPE_PRICE_PRO | No | | Stripe Price ID (price_...) for the Pro subscription tier. |
| STRIPE_PRICE_ENTERPRISE | No | | Stripe Price ID (price_...) for the Enterprise subscription tier. |

Provisioner

These variables select and configure the backend used to provision agent runtime environments. See Provisioner backends for a comparison of all three options.
| Variable | Required | Default | Description |
|---|---|---|---|
| PROVISIONER_BACKEND | No | docker | Backend for provisioning agent runtimes. Accepted values: docker, proxmox, k8s. |
| K8S_NAMESPACE | No | openclaw-agents | Kubernetes namespace where agent workloads are created. Only read when PROVISIONER_BACKEND=k8s. |
| K8S_EXPOSURE_MODE | No | cluster-ip | How agent services are exposed inside Kubernetes. Use cluster-ip for standard deployments and node-port for local kind-based verification. Only read when PROVISIONER_BACKEND=k8s. |
| K8S_RUNTIME_NODE_PORT | No | | Node port for the agent runtime service. Only used with node-port exposure mode. |
| K8S_GATEWAY_NODE_PORT | No | | Node port for the agent gateway service. Only used with node-port exposure mode. |
| K8S_RUNTIME_HOST | No | | Hostname or IP that the control plane uses to reach agent runtimes in node-port mode. |

Proxmox

These variables are only read when PROVISIONER_BACKEND=proxmox.
| Variable | Required | Default | Description |
|---|---|---|---|
| PROXMOX_API_URL | No | | Full URL to the Proxmox API, for example https://proxmox.local:8006/api2/json. |
| PROXMOX_TOKEN_ID | No | | Proxmox API token ID in user@pam!tokenname format. |
| PROXMOX_TOKEN_SECRET | No | | Secret associated with the Proxmox API token. |
| PROXMOX_NODE | No | pve | Name of the Proxmox node where VMs are created. |
| PROXMOX_TEMPLATE | No | ubuntu-22.04-standard | VM template name used as the base image for new agent VMs. |

NemoClaw / NVIDIA

NemoClaw provides NVIDIA-backed sandboxed agent environments. It is disabled by default.
| Variable | Required | Default | Description |
|---|---|---|---|
| NEMOCLAW_ENABLED | No | false | Set to true to allow deploying NemoClaw sandboxed agents. |
| NVIDIA_API_KEY | No | | API key from build.nvidia.com for accessing NVIDIA-hosted models. |
| NEMOCLAW_DEFAULT_MODEL | No | nvidia/nemotron-3-super-120b-a12b | Default NVIDIA model used by NemoClaw agents. |
| NEMOCLAW_SANDBOX_IMAGE | No | ghcr.io/nvidia/openshell-community/sandboxes/openclaw | Container image used for NemoClaw sandbox environments. |

Security

| Variable | Required | Default | Description |
|---|---|---|---|
| CORS_ORIGINS | No | http://localhost:8080 | Comma-separated list of allowed CORS origins. Update to your public origin when Nora is exposed on a domain, for example https://app.example.com. |

LLM key storage

| Variable | Required | Default | Description |
|---|---|---|---|
| KEY_STORAGE | No | database | Where LLM provider keys are stored. database encrypts and persists keys in PostgreSQL. env reads keys from environment variables instead. |

Backups and TLS

| Variable | Required | Default | Description |
|---|---|---|---|
| TLS_CERT_PATH | No | | Path to the TLS certificate file on the host. Used when nginx is configured to terminate TLS. |
| TLS_KEY_PATH | No | | Path to the TLS private key file on the host. |
| AWS_S3_BUCKET | No | | S3 bucket name for automated backups. |
| AWS_ACCESS_KEY_ID | No | | AWS access key ID with write permissions to the backup bucket. |
| AWS_SECRET_ACCESS_KEY | No | | AWS secret access key corresponding to the access key ID above. |
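
A preflight check for the rules this page states (unreplaced placeholders, the three required variables, secret and key lengths, the paired bootstrap admin variables, NEXTAUTH_SECRET when OAuth is on, and the accepted PROVISIONER_BACKEND values). This is an added example, not part of Nora or its documentation; parseEnv and checkNoraEnv are hypothetical names, the parser assumes simple KEY=VALUE lines, and the sample input is constructed.

```javascript
// Added example: preflight check for a Nora .env file (not Nora's own code).
const PLACEHOLDER = /<REPLACE_[^>]*>/;

// Parse simple KEY=VALUE lines; skips blanks and # comments, strips matching quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (line.startsWith('#') || eq < 1) continue;
    const value = line.slice(eq + 1).trim();
    env[line.slice(0, eq).trim()] = value.replace(/^(["'])(.*)\1$/, '$2');
  }
  return env;
}

// Returns a list of problems; an empty list means the documented rules hold.
function checkNoraEnv(env) {
  const problems = [];
  const has = (k) => typeof env[k] === 'string' && env[k] !== '';
  for (const [k, v] of Object.entries(env))
    if (PLACEHOLDER.test(v)) problems.push(`${k}: placeholder not replaced`);
  for (const k of ['JWT_SECRET', 'ENCRYPTION_KEY', 'NEXTAUTH_URL'])
    if (!has(k)) problems.push(`${k}: required but missing`);
  if (has('JWT_SECRET') && env.JWT_SECRET.length < 32)
    problems.push('JWT_SECRET: shorter than 32 characters');
  if (has('ENCRYPTION_KEY') && !/^[0-9a-fA-F]{64}$/.test(env.ENCRYPTION_KEY))
    problems.push('ENCRYPTION_KEY: must be exactly 64 hex characters');
  if (has('DEFAULT_ADMIN_EMAIL') !== has('DEFAULT_ADMIN_PASSWORD'))
    problems.push('DEFAULT_ADMIN_*: set both or neither');
  if (has('DEFAULT_ADMIN_PASSWORD') && env.DEFAULT_ADMIN_PASSWORD.length < 12)
    problems.push('DEFAULT_ADMIN_PASSWORD: shorter than 12 characters');
  if (env.OAUTH_LOGIN_ENABLED === 'true' && !has('NEXTAUTH_SECRET'))
    problems.push('NEXTAUTH_SECRET: required when OAuth is enabled');
  if (has('PROVISIONER_BACKEND') &&
      !['docker', 'proxmox', 'k8s'].includes(env.PROVISIONER_BACKEND))
    problems.push('PROVISIONER_BACKEND: must be docker, proxmox or k8s');
  return problems;
}

// Constructed sample .env with several mistakes (placeholder name is made up).
const SAMPLE_ENV = [
  'JWT_SECRET=<REPLACE_JWT_SECRET>',
  'ENCRYPTION_KEY=abc123',
  'NEXTAUTH_URL=http://localhost:8080',
  'DEFAULT_ADMIN_EMAIL=admin@example.com',
  'OAUTH_LOGIN_ENABLED=true',
].join('\n');
console.log(checkNoraEnv(parseEnv(SAMPLE_ENV)));
```

Run it against the real file by passing the contents of .env to parseEnv before starting the stack, and treat a non-empty result as a failed start.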