# Copy to .env and fill in credentials from your registered Jortt API application: # https://app.jortt.nl/new_profile/api/jortt/oauth_applications/list # Every secret below can alternatively be read from a file via _FILE, # e.g. JORTT_CLIENT_SECRET_FILE=/run/agenix/jortt-client-secret JORTT_CLIENT_ID= JORTT_CLIENT_SECRET= # Optional: space-separated scopes to request (defaults to all registered scopes) # JORTT_SCOPES=invoices:read customers:read reports:read # Optional: expose only GET (list/get) tools # JORTT_READ_ONLY=1 # --- HTTP transport (default is stdio) --- # MCP_TRANSPORT=http # MCP_HOST=127.0.0.1 # MCP_PORT=3910 # Authentication for incoming MCP requests: "token" or "oidc" (required for http) # MCP_AUTH_MODE=token # MCP_AUTH_TOKEN= # generate with: openssl rand -hex 32 # OIDC resource-server mode (auth by an external OAuth provider / proxy): # MCP_AUTH_MODE=oidc # MCP_OIDC_ISSUER=https://auth.example.com # MCP_RESOURCE_URL=https://jortt-mcp.example.com/mcp # MCP_OIDC_AUDIENCE= # defaults to MCP_RESOURCE_URL # MCP_OIDC_ALLOWED_SUBJECTS=kate,kate@example.com # For issuers with opaque tokens (e.g. Authelia), use RFC 7662 introspection: # MCP_OIDC_INTROSPECTION_URL= # discovered from the issuer when omitted # MCP_OIDC_CLIENT_ID= # MCP_OIDC_CLIENT_SECRET= # DNS-rebinding protection: exact Host / Origin header allowlists # MCP_ALLOWED_HOSTS=jortt-mcp.example.com # MCP_ALLOWED_ORIGINS=