Configuration Reference

March 21, 2026 · View on GitHub

English | 中文

Configuration Reference

Dr. Claw is configured through environment variables in a .env file at the project root. This guide documents every variable the application reads.

How .env Loading Works

  1. Backendserver/load-env.js reads .env line-by-line on startup and sets any key not already present in process.env. System environment variables always take precedence.
  2. Frontend — Vite loads .env automatically. Only variables prefixed with VITE_ are exposed to browser code.
  3. Precedence — System env > .env file values.

Quick start: cp .env.example .env gives you sensible defaults. See the Quickstart guide for a step-by-step walkthrough.


Configuration Reference

Server

VariableRequiredDefaultDescription
PORTNo3001Express API + WebSocket server port.
VITE_PORTNo5173Vite dev server port (development only).
CLAUDE_CLI_PATHNoclaudeAbsolute or relative path to the Claude Code binary. Override if claude is not on your PATH.
CURSOR_CLI_PATHNoAuto-detect (cursor-agent then agent)Override Cursor CLI command/binary. Useful when your environment only provides one alias.
GEMINI_CLI_PATHNogeminiOverride Gemini CLI command/binary. Useful when your shell resolves Gemini through a custom alias or path.
CODEX_CLI_PATHNocodexOverride Codex CLI command/binary. Useful when Codex is installed outside your default PATH.

Database

VariableRequiredDefaultDescription
DATABASE_PATHNoserver/database/auth.dbAbsolute path to the SQLite database file. The directory is created automatically if it does not exist.

Authentication

These variables are security-sensitive. See the Security Checklist below.

VariableRequiredDefaultDescription
JWT_SECRETYes (production)claude-ui-dev-secret-change-in-productionSecret used to sign and verify JWT tokens. Must be changed before exposing Dr. Claw outside localhost. Generate one with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
API_KEYNo(none — validation skipped)When set, every HTTP request must include an X-Api-Key header with this value. Useful for restricting access in hosted setups.

Context Window

VariableRequiredDefaultDescription
CONTEXT_WINDOWNo160000Maximum token context window sent to the backend CLI process.
VITE_CONTEXT_WINDOWNo160000Same value exposed to the frontend (must match CONTEXT_WINDOW).

Platform Mode

Platform mode is an advanced deployment option. Most users should leave these commented out.

VariableRequiredDefaultDescription
VITE_IS_PLATFORMNofalseSet to true to enable Platform mode. In this mode JWT authentication is bypassed and the first database user is used for all requests.
WORKSPACES_ROOTNoUser home directory (os.homedir())Root directory where Dr. Claw looks for and creates project workspaces. Only meaningful when VITE_IS_PLATFORM=true.

Integrations

VariableRequiredDefaultDescription
OPENAI_API_KEYNo(none)OpenAI API key for Codex integration. Required only if you use the Codex CLI backend.

Advanced

VariableRequiredDefaultDescription
CLAUDE_TOOL_APPROVAL_TIMEOUT_MSNo55000Timeout in milliseconds for Claude tool-approval prompts before auto-declining.

OSS Mode vs Platform Mode

Dr. Claw supports two authentication paths:

OSS Mode (default)Platform Mode
Who uses itIndividual developers running Dr. Claw locallyHosted / multi-tenant deployments
Auth flowRegister/login with username + password; JWT issued per sessionJWT auth bypassed; first DB user auto-selected
EnableDefault — no extra config neededSet VITE_IS_PLATFORM=true
WORKSPACES_ROOTIgnoredDefines the root directory for all project workspaces

In OSS mode the WORKSPACES_ROOT variable is ignored — Dr. Claw discovers projects from Claude Code / Cursor / Codex session directories under the user's home folder.


Security Checklist

Before deploying Dr. Claw on a network (not just localhost), review the following:

  1. JWT_SECRET — Replace the default with a strong random string. The default value is public and provides zero security.
  2. API_KEY — Consider setting an API key to add an extra authentication layer.
  3. WORKSPACES_ROOT — In Platform mode, ensure this is scoped to a directory you trust. Dr. Claw serves file contents from this tree.
  4. .gitignore — Verify that .env is listed in .gitignore (it is by default) so secrets are never committed.
  5. HTTPS — When exposing Dr. Claw to the internet, place it behind a reverse proxy (e.g. Nginx, Caddy) with TLS termination.

Troubleshooting