Runtime config keys

Resolution order

PlatformSetting row with the matching settingKey
process.env[KEY]
Caller’s fallback

30-second in-process cache per key, invalidated on save so operator changes flow through within one cache window.

Routing keys

ANTHROPIC_API_KEY · direct Claude access for the Anthropic proxy
OPENAI_API_KEY · direct GPT access
GEMINI_API_KEY · direct Gemini access
OPENROUTER_API_KEY · reseller fallback (unlocks shape-translation flows)
FIREWORKS_API_KEY · open-source model execution (llama / deepseek / mistral)

Connector OAuth pairs

GITHUB_CLIENT_ID + GITHUB_CLIENT_SECRET
GITLAB_CLIENT_ID + GITLAB_CLIENT_SECRET
BITBUCKET_CLIENT_ID + BITBUCKET_CLIENT_SECRET
JIRA_CLIENT_ID + JIRA_CLIENT_SECRET (shared with Confluence · Atlassian OAuth covers both)
LINEAR_CLIENT_ID + LINEAR_CLIENT_SECRET
NOTION_CLIENT_ID + NOTION_CLIENT_SECRET

Security

CONNECTOR_VAULT_KEY · 32-byte base64 master key for AES-256-GCM encryption of every stored connector credential. Rotate by re-encrypting all credentials; there is a dev-mode fallback that logs a loud warning.

Email

SENDGRID_API_KEY · outbound email (invites, alerts)
EMAIL_FROM · sender address, defaults to noreply@tokenone.io

Cold storage

COLD_STORAGE_ADAPTER · fs (default) or s3
AWS_S3_COLD_BUCKET · bucket when adapter=s3
COLD_STORAGE_DIR · path when adapter=fs (default ./.token-cold-storage)
COLD_SWEEP_MIN_AGE_DAYS · default 30
COLD_SWEEP_CRON · default 17 3 * * * (03:17 UTC)

TokenOne Delivery flip

SMART_ROUTER_FLIP_ENABLED · 1 to allow proxy-sync full-engine decisions for families that pass the confidence threshold (env-var name kept for backwards compatibility; the underlying capability is TokenOne Delivery's confidence promotion gate)
SMART_ROUTER_FLIP_THRESHOLD · agreement rate required (default 0.85)
SMART_ROUTER_FLIP_MIN_SAMPLE · graded samples required before promotion (default 50)

Check the current status at /runtime-config in the admin console. Values are never returned to the UI · only { configured, source } flags.