- Streamable HTTP transport (MCP_TRANSPORT=http) with mandatory auth: static bearer tokens or OIDC resource-server mode (JWT via JWKS, or RFC 7662 introspection), RFC 9728 protected-resource metadata, and DNS-rebinding protection - secrets loadable from files via *_FILE variants - timeouts on all outbound requests; JORTT_READ_ONLY tool filtering - OpenAPI spec committed and bundled; no implicit network fetches - Nix flake: sandboxed package build + hardened NixOS module taking an EnvironmentFile (agenix-friendly) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
36 lines
1.4 KiB
Text
36 lines
1.4 KiB
Text
# Copy to .env and fill in credentials from your registered Jortt API application:
|
|
# https://app.jortt.nl/new_profile/api/jortt/oauth_applications/list
|
|
# Every secret below can alternatively be read from a file via <NAME>_FILE,
|
|
# e.g. JORTT_CLIENT_SECRET_FILE=/run/agenix/jortt-client-secret
|
|
JORTT_CLIENT_ID=
|
|
JORTT_CLIENT_SECRET=
|
|
|
|
# Optional: space-separated scopes to request (defaults to all registered scopes)
|
|
# JORTT_SCOPES=invoices:read customers:read reports:read
|
|
|
|
# Optional: expose only GET (list/get) tools
|
|
# JORTT_READ_ONLY=1
|
|
|
|
# --- HTTP transport (default is stdio) ---
|
|
# MCP_TRANSPORT=http
|
|
# MCP_HOST=127.0.0.1
|
|
# MCP_PORT=3910
|
|
|
|
# Authentication for incoming MCP requests: "token" or "oidc" (required for http)
|
|
# MCP_AUTH_MODE=token
|
|
# MCP_AUTH_TOKEN= # generate with: openssl rand -hex 32
|
|
|
|
# OIDC resource-server mode (auth by an external OAuth provider / proxy):
|
|
# MCP_AUTH_MODE=oidc
|
|
# MCP_OIDC_ISSUER=https://auth.example.com
|
|
# MCP_RESOURCE_URL=https://jortt-mcp.example.com/mcp
|
|
# MCP_OIDC_AUDIENCE= # defaults to MCP_RESOURCE_URL
|
|
# MCP_OIDC_ALLOWED_SUBJECTS=kate,kate@example.com
|
|
# For issuers with opaque tokens (e.g. Authelia), use RFC 7662 introspection:
|
|
# MCP_OIDC_INTROSPECTION_URL= # discovered from the issuer when omitted
|
|
# MCP_OIDC_CLIENT_ID=
|
|
# MCP_OIDC_CLIENT_SECRET=
|
|
|
|
# DNS-rebinding protection: exact Host / Origin header allowlists
|
|
# MCP_ALLOWED_HOSTS=jortt-mcp.example.com
|
|
# MCP_ALLOWED_ORIGINS=
|