.env.example
# Database Configuration
# The standalone server persists its JWT signing key in this database (table `jwt_keys`,
# see the JWT/JWKS section below), so restrict filesystem access to the database file
# and to any backups of it.
# NOTE(review): `mode=rwc` presumably means read-write and create-if-missing; confirm against the driver.
DATABASE_URL=sqlite://./beacon_auth.db?mode=rwc
# Cloudflare Worker + libsql (required for beacon-worker)
# Example: libsql://<db>.turso.io
LIBSQL_URL=
# LIBSQL_AUTH_TOKEN is a credential. Set it only in the untracked .env or the platform's
# secret store, never in this example file. The worker's signing key lives in the same
# libsql database (table `jwks_keys`), so this token presumably also grants access to it.
LIBSQL_AUTH_TOKEN=
# Server Configuration
# The default listens on loopback only. If this is changed to a non-loopback address,
# terminate TLS in front of the server; the example BASE_URL below is plain http.
BIND_ADDRESS=127.0.0.1:8080
# Public Base URL
# Used for OAuth redirects, JWT issuer claim, and WebAuthn RP origin
# The http://localhost value is for local development. A deployed instance should use its
# exact public https:// origin: WebAuthn needs a secure context outside localhost, and
# OAuth providers compare the callback they receive against the registered URL.
BASE_URL=http://localhost:8080
# Logging
# NOTE(review): check whether more verbose levels (debug/trace) can write tokens or OAuth
# codes to the log before enabling them outside development.
RUST_LOG=info
# JWT Configuration
# NOTE(review): unit is presumably seconds (3600 = 1 hour); confirm. A shorter lifetime
# limits how long a leaked token stays usable.
JWT_EXPIRATION=3600
# JWT/JWKS
#
# BeaconAuth is JWKS-first: clients (including the Minecraft mod) only consume JWKS.
# The server manages the ES256 signing key internally:
# - Standalone server (`beacon`): persisted in the database (table `jwt_keys`).
# - Cloudflare Worker (`beacon-worker`): persisted in libsql (table `jwks_keys`).
#
# Optional: mirror a shared JWKS from another server. When set, the local signing key must match
# the selected key in the remote JWKS.
# Leave empty unless mirroring. NOTE(review): the remote JWKS influences which key is
# selected, so point this only at an https:// endpoint you control; how the fetch is
# validated is not shown here.
JWKS_URL=
# Key ID used in JWT headers and for selecting keys in JWKS
# Not a secret: it appears in every JWT header.
JWT_KID=beacon-auth-key-1
# CORS Origins (comma-separated)
# The values below are development origins. In production list only the exact origins of
# the trusted front-ends. NOTE(review): confirm how the server treats an empty or wildcard value.
CORS_ORIGINS=http://localhost:3000,http://localhost:5173,http://localhost:8080
# Control Socket/Pipe Configuration
# Unix: path like /tmp/beacon-auth.sock
# Windows: pipe name like beacon-auth
# NOTE(review): what the control channel can do, and who may connect to it, is not shown
# here. On Unix, a socket in a shared directory such as /tmp is reachable by other local
# users unless its permissions are restricted; prefer a directory owned by the service user.
CONTROL_SOCKET=beacon-auth
# OAuth Configuration (Optional)
# To enable OAuth, set these environment variables
# The values below are placeholders. Put real client secrets only in the untracked .env or
# a secret manager, and keep .env out of version control.
# NOTE(review): if OAuth is not used, these lines presumably should be removed or left
# empty; confirm that the placeholder strings are not treated as a configured provider.
# GitHub OAuth
# Create an OAuth App at: https://github.com/settings/developers
# Authorization callback URL: http://localhost:8080/api/v1/oauth/callback
# For a deployed instance register the callback under the https BASE_URL, not localhost.
GITHUB_CLIENT_ID=your_github_client_id_here
GITHUB_CLIENT_SECRET=your_github_client_secret_here
# Google OAuth
# Create OAuth credentials at: https://console.cloud.google.com/apis/credentials
# Authorized redirect URIs: http://localhost:8080/api/v1/oauth/callback
# For a deployed instance register the redirect URI under the https BASE_URL, not localhost.
GOOGLE_CLIENT_ID=your_google_client_id_here.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your_google_client_secret_here
# NOTE: Older docs may mention OAUTH_REDIRECT_BASE.
# The server currently uses BASE_URL instead.