# Tinybird

TINYBIRD_HOST=http://localhost:7181

TINYBIRD_TOKEN=your-tinybird-token

# Database (optional)

MAPLE_DB_URL=

MAPLE_DB_AUTH_TOKEN=

# Base64-encoded 32-byte key (AES-256-GCM) used to encrypt private ingest keys at rest

MAPLE_INGEST_KEY_ENCRYPTION_KEY=

# HMAC key used to derive non-reversible ingest key lookup hashes

MAPLE_INGEST_KEY_LOOKUP_HMAC_KEY=

# Auth mode: clerk | self_hosted

MAPLE_AUTH_MODE=self_hosted

MAPLE_ROOT_PASSWORD=change-me

# Required when MAPLE_AUTH_MODE=clerk

# CLERK_SECRET_KEY=sk_test_xxx

# CLERK_PUBLISHABLE_KEY=pk_test_xxx

# Optional: networkless JWT verification

# CLERK_JWT_KEY=-----BEGIN PUBLIC KEY-----...

# Required when MAPLE_AUTH_MODE=self_hosted

MAPLE_DEFAULT_ORG_ID=default

# Web app overrides (auto-derived from above if not set)

# When running `bun dev:portless`, VITE_API_BASE_URL / VITE_INGEST_URL /

# VITE_CHAT_AGENT_URL are auto-set to https://<worktree>-<app>.localhost so

# multiple worktrees can run side by side. Values set here still win.

VITE_API_BASE_URL=http://localhost:3472

VITE_MAPLE_AUTH_MODE=self_hosted

VITE_CLERK_SIGN_IN_URL=/sign-in

VITE_CLERK_SIGN_UP_URL=/sign-up

# Landing app (Astro)

# PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_xxx

# Ingest service

INGEST_PORT=3474

INGEST_FORWARD_OTLP_ENDPOINT=http://127.0.0.1:4318

# Optional: routes orgs with active BYO Tinybird (sync_status='active') to a

# separate collector pool. Leave blank to keep them on the shared pipeline.

# INGEST_FORWARD_SELF_MANAGED_ENDPOINT=http://127.0.0.1:4418

INGEST_FORWARD_TIMEOUT_MS=10000

INGEST_MAX_REQUEST_BODY_BYTES=20971520

INGEST_REQUIRE_TLS=false

# Ingest key store backend:

# - In single-tenant local dev (MAPLE_SELF_HOSTED_MODE=single_tenant +

# MAPLE_ORG_ID_OVERRIDE set), ingest auto-selects a no-DB static KeyStore

# that resolves any well-formed key to the override org. No CF creds needed.

# - In multi-tenant / production, ingest reads from Cloudflare D1 — set

# CLOUDFLARE_ACCOUNT_ID, MAPLE_DB_ID, and CLOUDFLARE_API_TOKEN below.

# - Force a backend with INGEST_KEY_STORE_BACKEND=static|d1 (overrides the

# mode-based default).

# INGEST_KEY_STORE_BACKEND=

# CLOUDFLARE_ACCOUNT_ID=

# MAPLE_DB_ID=

# CLOUDFLARE_API_TOKEN=

# Self-managed collector reload (optional)

# Where SelfManagedCollectorConfigService PUTs the regenerated YAML whenever a

# BYO Tinybird sync activates or deactivates. If unset, the service generates

# in-memory but does not publish — safe degraded mode for single-node dev.

# MAPLE_SELF_MANAGED_COLLECTOR_RELOAD_URL=http://127.0.0.1:13140/-/reload

# MAPLE_SELF_MANAGED_COLLECTOR_RELOAD_TOKEN=some-shared-secret

# Billing (Autumn)

# AUTUMN_SECRET_KEY=am_sk_test_xxx

# Reject ingestion (HTTP 402) for orgs over their base-plan limit or without an

# active subscription. Off by default; the ingest gateway only enforces when this

# is true AND AUTUMN_SECRET_KEY is set. Fails open if Autumn is unreachable.

# AUTUMN_ENFORCE_LIMITS=false

# How long (seconds) the gateway caches each per-(org, signal) entitlement

# decision from Autumn's /v1/check. Defaults to 60.

# AUTUMN_CHECK_CACHE_TTL_SECS=60

# Hazel integration (OAuth)

# Maple acts as an OIDC client against Hazel's Clerk-hosted OAuth provider.

# Register Maple as an OAuth Application in Hazel's Clerk dashboard, then drop

# the credentials here. Defaults target https://clerk.hazel.sh + https://api.hazel.sh.

# HAZEL_API_BASE_URL=https://api.hazel.sh

# HAZEL_OAUTH_DISCOVERY_URL=https://clerk.hazel.sh/.well-known/openid-configuration

# HAZEL_OAUTH_CLIENT_ID=

# HAZEL_OAUTH_CLIENT_SECRET=

# HAZEL_OAUTH_SCOPES=openid email profile organizations:read channels:read channel-webhooks:write

# OpenTelemetry (API self-observability) — read by @maple-dev/effect-sdk

# MAPLE_ENVIRONMENT=local # "local" = no export; any other value enables OTLP

# MAPLE_ENDPOINT=http://127.0.0.1:3474 # Ingest gateway endpoint (enriches with org_id)

# MAPLE_INGEST_KEY= # Ingest key (maple_pk_* or maple_sk_*) for self-observability

# COMMIT_SHA= # Git commit SHA for service version