Skip to content

Environment Variables¶

Complete reference for all AgentCube environment variables across both connectors and authentication modes.

Common Variables¶

Variable	Required	Default	Description
`AGENTCUBE_AUTH_MODE`	No	`basic`	Authentication mode: `basic` or `oidc`
`AGENTCUBE_LOG_LEVEL`	No	`INFO`	Logging level: `DEBUG`, `INFO`, `WARNING`, `ERROR`

Basic Auth Mode¶

Essbase Connector¶

Variable	Required	Description
`ESSBASE_SERVER_URL`	Yes	Essbase REST API base URL (e.g., `https://{essbase_host}`)
`ESSBASE_USERNAME`	Yes	Service account username (email format for Essbase 21c)
`ESSBASE_PASSWORD`	Yes	Service account password

Planning Connector¶

Variable	Required	Description
`PLANNING_URL`	Yes	Planning REST API base URL (e.g., `https://{planning_host}/HyperionPlanning`)
`PLANNING_USERNAME`	Yes	Service account username
`PLANNING_PASSWORD`	Yes	Service account password
`PLANNING_IDENTITY_DOMAIN`	No	Identity domain prefix. When set, prepended to username as `{domain}.{username}` for Oracle authentication. Required for non-default identity domains.

OIDC Mode — Layer 1 (Identity Provider)¶

Microsoft Entra ID (`OIDC_PROVIDER=azure`)¶

Variable	Required	Description
`OIDC_PROVIDER`	Yes	Set to `azure`
`OIDC_CLIENT_ID`	Yes	Entra app registration client ID
`OIDC_CLIENT_SECRET`	Yes	Entra app registration client secret VALUE
`OIDC_TENANT_ID`	Yes	Entra directory (tenant) ID
`OIDC_BASE_URL`	Yes	Public URL of this connector (e.g., `https://{connector_hostname}`)
`OIDC_JWT_SIGNING_KEY`	No	JWT signing key; falls back to `OIDC_CLIENT_SECRET` if not set

Generic OIDC (`OIDC_PROVIDER=oidc`)¶

Variable	Required	Description
`OIDC_PROVIDER`	Yes	Set to `oidc`
`OIDC_CONFIG_URL`	Yes	IdP discovery URL (`.well-known/openid-configuration`)
`OIDC_CLIENT_ID`	Yes	IdP application client ID
`OIDC_CLIENT_SECRET`	Yes	IdP application client secret
`OIDC_BASE_URL`	Yes	Public URL of this connector
`OIDC_SCOPES`	No	Comma-separated scopes (default: `openid,profile,email`)
`OIDC_JWT_SIGNING_KEY`	No	JWT signing key; falls back to `OIDC_CLIENT_SECRET` if not set

OIDC Mode — Layer 2 (Oracle Token Exchange)¶

These variables are required for all SSO deployments, regardless of identity provider.

Variable	Required	Description
`AGENTCUBE_SIGNING_KEY_BASE64`	Yes*	Base64-encoded RSA private key for JWT signing
`AGENTCUBE_SIGNING_KEY_PATH`	Yes*	Path to PEM file (alternative to BASE64)
`AGENTCUBE_SIGNING_KID`	Yes	Alias of the certificate in OCI trusted partner certificates
`OCI_TOKEN_ENDPOINT`	Yes	OCI Identity Domain URL (e.g., `https://idcs-{guid}.identity.oraclecloud.com:443`)
`OCI_CLIENT_ID`	Yes	OCI confidential application client ID
`OCI_CLIENT_SECRET`	Yes	OCI confidential application client secret

*Either AGENTCUBE_SIGNING_KEY_BASE64 or AGENTCUBE_SIGNING_KEY_PATH must be provided. BASE64 is recommended for container deployments.

Example Configurations¶

Essbase — Basic AuthEssbase — SSO (Entra)Planning — SSO (Generic OIDC)

ESSBASE_SERVER_URL=https://{essbase_host}
ESSBASE_USERNAME={username}
ESSBASE_PASSWORD={password}

AGENTCUBE_AUTH_MODE=oidc
OIDC_PROVIDER=azure
OIDC_CLIENT_ID={entra_client_id}
OIDC_CLIENT_SECRET={entra_client_secret}
OIDC_TENANT_ID={entra_tenant_id}
OIDC_BASE_URL=https://{connector_hostname}
ESSBASE_SERVER_URL=https://{essbase_host}
AGENTCUBE_SIGNING_KEY_BASE64={base64_private_key}
AGENTCUBE_SIGNING_KID={oci_cert_alias}
OCI_TOKEN_ENDPOINT=https://idcs-{guid}.identity.oraclecloud.com:443
OCI_CLIENT_ID={oci_client_id}
OCI_CLIENT_SECRET={oci_client_secret}

AGENTCUBE_AUTH_MODE=oidc
OIDC_PROVIDER=oidc
OIDC_CONFIG_URL=https://{idp_host}/.well-known/openid-configuration
OIDC_CLIENT_ID={idp_client_id}
OIDC_CLIENT_SECRET={idp_client_secret}
OIDC_BASE_URL=https://{connector_hostname}
PLANNING_URL=https://{planning_host}/HyperionPlanning
AGENTCUBE_SIGNING_KEY_BASE64={base64_private_key}
AGENTCUBE_SIGNING_KID={oci_cert_alias}
OCI_TOKEN_ENDPOINT=https://idcs-{guid}.identity.oraclecloud.com:443
OCI_CLIENT_ID={oci_client_id}
OCI_CLIENT_SECRET={oci_client_secret}