jortt-mcp/.env.example
Claude a73af353d4 Harden server; add authenticated Streamable HTTP transport and Nix module
- Streamable HTTP transport (MCP_TRANSPORT=http) with mandatory auth:
  static bearer tokens or OIDC resource-server mode (JWT via JWKS, or
  RFC 7662 introspection), RFC 9728 protected-resource metadata, and
  DNS-rebinding protection
- secrets loadable from files via *_FILE variants
- timeouts on all outbound requests; JORTT_READ_ONLY tool filtering
- OpenAPI spec committed and bundled; no implicit network fetches
- Nix flake: sandboxed package build + hardened NixOS module taking an
  EnvironmentFile (agenix-friendly)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-11 19:10:55 +02:00

36 lines
1.4 KiB
Text

# Copy to .env and fill in credentials from your registered Jortt API application:
# https://app.jortt.nl/new_profile/api/jortt/oauth_applications/list
# Every secret below can alternatively be read from a file via <NAME>_FILE,
# e.g. JORTT_CLIENT_SECRET_FILE=/run/agenix/jortt-client-secret
JORTT_CLIENT_ID=
JORTT_CLIENT_SECRET=
# Optional: space-separated scopes to request (defaults to all registered scopes)
# JORTT_SCOPES=invoices:read customers:read reports:read
# Optional: expose only GET (list/get) tools
# JORTT_READ_ONLY=1
# --- HTTP transport (default is stdio) ---
# MCP_TRANSPORT=http
# MCP_HOST=127.0.0.1
# MCP_PORT=3910
# Authentication for incoming MCP requests: "token" or "oidc" (required for http)
# MCP_AUTH_MODE=token
# MCP_AUTH_TOKEN= # generate with: openssl rand -hex 32
# OIDC resource-server mode (auth by an external OAuth provider / proxy):
# MCP_AUTH_MODE=oidc
# MCP_OIDC_ISSUER=https://auth.example.com
# MCP_RESOURCE_URL=https://jortt-mcp.example.com/mcp
# MCP_OIDC_AUDIENCE= # defaults to MCP_RESOURCE_URL
# MCP_OIDC_ALLOWED_SUBJECTS=kate,kate@example.com
# For issuers with opaque tokens (e.g. Authelia), use RFC 7662 introspection:
# MCP_OIDC_INTROSPECTION_URL= # discovered from the issuer when omitted
# MCP_OIDC_CLIENT_ID=
# MCP_OIDC_CLIENT_SECRET=
# DNS-rebinding protection: exact Host / Origin header allowlists
# MCP_ALLOWED_HOSTS=jortt-mcp.example.com
# MCP_ALLOWED_ORIGINS=