
Environment variables

This reference is for operators running their own ZAR instance. On the hosted app at app.zarlabs.tech, these are managed for you. A minimal instance needs four things: a GitHub App identity, a webhook secret, a private key, and an Anthropic API key.

Required

| Variable | What it does |
| --- | --- |
| GITHUB_APP_ID | Your GitHub App’s numeric ID. |
| GITHUB_WEBHOOK_SECRET | Secret used to verify the X-Hub-Signature-256 HMAC on every webhook. |
| GITHUB_PRIVATE_KEY or GITHUB_PRIVATE_KEY_PATH | The App’s private key, as PEM content (GITHUB_PRIVATE_KEY, preferred in the cloud) or a path to the .pem file (GITHUB_PRIVATE_KEY_PATH, handy locally). If both are set, the inline key wins. |
| ANTHROPIC_API_KEY | API key for Claude, used to generate doc suggestions. |

Claude

| Variable | Default | What it does |
| --- | --- | --- |
| ANTHROPIC_MODEL | claude-3-5-sonnet-latest | Claude model ID. Set to a current model (for example a Sonnet 4.x or Opus 4.x ID) for best results. |

Write-back

| Variable | Default | What it does |
| --- | --- | --- |
| DOCAGENT_WRITE_COMMITS | true | Master switch for committing doc updates to GitHub. Auto-commit also requires the per-repo auto_commit_enabled setting. Accepts 1/true/yes/on/y and 0/false/no/off/n. Set to false to globally forbid all writes. See Auto-commit. |

Analysis limits & cost control

| Variable | Default | What it does |
| --- | --- | --- |
| DOCAGENT_MAX_FILES | 50 | Max code files analyzed per event. |
| DOCAGENT_MAX_PATCH_CHARS | 120000 | Max characters of code diff sent to Claude. |
| DOCAGENT_MAX_DOCS_TOTAL_CHARS | 120000 | Max total characters across doc files sent to Claude. |
| DOCAGENT_MAX_DOC_FILE_CHARS | 30000 | Max characters per individual doc file. |
| DOCAGENT_MIN_CONFIDENCE | 0.4 | Floor confidence to trigger an update (distinct from the per-repo threshold). |
| DOCAGENT_MAX_PR_ANALYSES_PER_HOUR | 2 | Max Claude analyses per PR per hour (rolling window). |

Infrastructure

| Variable | Default | What it does |
| --- | --- | --- |
| DATABASE_URL | sqlite+aiosqlite:///./docagent.sqlite3 | SQLite (dev) or Postgres (postgresql+asyncpg://…) for production. |
| REDIS_URL | redis://localhost:6379/0 | Redis for rate limiting; optional but recommended. |
| HOST | 0.0.0.0 | Bind host. |
| PORT | 8000 | Bind port. |
| APP_ENV | dev | development / production / dev. production enables JSON logs. |
| LOG_LEVEL | INFO | DEBUG / INFO / WARNING / ERROR. |

Dashboard, OAuth & admin

| Variable | Default | What it does |
| --- | --- | --- |
| DOCAGENT_PUBLIC_URL | | Public base URL, used in emails and redirects (e.g. https://app.zarlabs.tech). |
| GITHUB_APP_SLUG | | App slug for building the github.com/apps/<slug> install URL. |
| DOCAGENT_DASHBOARD_PASSWORD | | Optional password gate for /dashboard (empty = open). |
| GITHUB_OAUTH_CLIENT_ID / GITHUB_OAUTH_CLIENT_SECRET | | GitHub OAuth app credentials for dashboard login. |
| GITHUB_REDIRECT_URI | | OAuth callback URL; must match the GitHub App settings exactly. |
| SESSION_SECRET | change-me-in-production | Signs session cookies/JWTs. Generate a strong value in production: python -c "import secrets; print(secrets.token_hex(32))". |
| DOCAGENT_ADMIN_TOKEN | | Token for /admin endpoints. |
| ADMIN_SECRET | | Header secret (X-Admin-Secret) for privileged actions. |
| DOCAGENT_MCP_SECRET | | Auth secret for MCP server clients. |
| DOCAGENT_ALLOW_DEV_TOOLS | false | Enables /admin/dev/* helpers (seed demo runs). Never enable in production. |
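
A preflight check over the settings documented on this page, as an added example (not ZAR's own code): it flags missing required variables, the default SESSION_SECRET, an open /dashboard, and dev tools or SQLite in production. The audit_env name, the finding strings, and the reuse of the DOCAGENT_WRITE_COMMITS boolean spellings for DOCAGENT_ALLOW_DEV_TOOLS are assumptions of this example.

```python
import os

# Boolean spellings the page lists for DOCAGENT_WRITE_COMMITS. Applying the
# same set to DOCAGENT_ALLOW_DEV_TOOLS is an assumption of this example.
TRUE = {"1", "true", "yes", "on", "y"}
FALSE = {"0", "false", "no", "off", "n"}
REQUIRED = ("GITHUB_APP_ID", "GITHUB_WEBHOOK_SECRET", "ANTHROPIC_API_KEY")
SESSION_DEFAULT = "change-me-in-production"  # default documented on this page


def audit_env(env):
    """Return (variable, finding) pairs for a mapping of ZAR settings."""
    def get(name, default=""):
        # Unset and empty are treated alike: the documented default applies.
        return (env.get(name) or default).strip()

    prod = get("APP_ENV", "dev").lower() == "production"
    out = [(n, "required but unset") for n in REQUIRED if not get(n)]

    inline, path = get("GITHUB_PRIVATE_KEY"), get("GITHUB_PRIVATE_KEY_PATH")
    if not inline and not path:
        out.append(("GITHUB_PRIVATE_KEY", "no private key configured"))
    elif inline and path:
        out.append(("GITHUB_PRIVATE_KEY_PATH", "ignored: inline key wins"))

    if get("SESSION_SECRET", SESSION_DEFAULT) == SESSION_DEFAULT:
        out.append(("SESSION_SECRET", "documented default in use"))
    if not get("DOCAGENT_DASHBOARD_PASSWORD"):
        out.append(("DOCAGENT_DASHBOARD_PASSWORD", "empty: /dashboard is open"))

    writes = get("DOCAGENT_WRITE_COMMITS", "true").lower()
    if writes not in TRUE | FALSE:
        out.append(("DOCAGENT_WRITE_COMMITS", "unrecognised boolean value"))

    # Production-only checks: both settings are fine for local development.
    if prod and get("DOCAGENT_ALLOW_DEV_TOOLS", "false").lower() in TRUE:
        out.append(("DOCAGENT_ALLOW_DEV_TOOLS", "enabled in production"))
    if prod and get("DATABASE_URL", "sqlite").startswith("sqlite"):
        out.append(("DATABASE_URL", "SQLite in production"))
    return out


if __name__ == "__main__":
    for name, finding in audit_env(os.environ):
        print(f"{name}: {finding}")
```

Run it in the same environment the instance starts in, before the service itself, and treat any output as a reason to stop the deploy.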

Billing (Polar)

Only needed if you run paid plans through Polar.

| Variable | What it does |
| --- | --- |
| POLAR_ACCESS_TOKEN | Polar API token. |
| POLAR_WEBHOOK_SECRET | Verifies Polar webhooks. |
| POLAR_ORGANIZATION_ID | Polar organization ID. |
| POLAR_PRODUCT_ID_PRO / POLAR_PRODUCT_ID_TEAM | Product IDs mapped to plans. |

Email (SMTP)

Optional. If unset, ZAR skips sending email rather than erroring. See Notifications.

| Variable | Default | What it does |
| --- | --- | --- |
| SMTP_HOST | | SMTP server host (e.g. smtp.gmail.com). Empty disables email. |
| SMTP_PORT | 587 | SMTP port. |
| SMTP_USER / SMTP_PASSWORD | | SMTP credentials. |
| SMTP_FROM | nur@zarlabs.tech | From address for transactional email. |