
Configuration Reference

Every environment variable Org in a Box reads, with defaults and notes.

Core

| Variable | Default | Description |
| --- | --- | --- |
| POSTGRES_URL | | Full connection string: postgres://user:pass@host:5432/db |
| DATABASE_URL | | Alias for POSTGRES_URL (either works) |
| OPENCODE_URL | http://sandbox:4096 | URL of the opencode sandbox HTTP server |
| OPENCODE_SERVER_PASSWORD | | Shared basic-auth password for the sandbox HTTP server. Local `bun orginabox up` / `bun compose:up` auto-generates it; set it manually for raw compose or hosted environments |
| ORGINABOX_API_KEY | | Bearer token for the REST API. Unset = local-dev mode (no auth) |
| OPERATOR_USER_ID | | Fallback user ID for single-operator mode (no SSO) |

LLM Providers

| Variable | Description |
| --- | --- |
| ANTHROPIC_API_KEY | Anthropic API key (Claude models) |
| OPENAI_API_KEY | OpenAI API key (GPT models + embeddings) |
| AZURE_OPENAI_API_KEY | Azure OpenAI key |
| AZURE_OPENAI_ENDPOINT | Azure OpenAI endpoint URL (https://<name>.openai.azure.com) |

The setup wizard writes provider credentials encrypted into the providers table. You can also manage them via bun orginabox provider add or, for owners/admins in the signed-in web app, the Settings → Providers screen. After provider changes, run bun orginabox runtime apply to promote the staged runtime into the sandbox.

Azure AD SSO

Customer-side auth (tenant admins + end users):

| Variable | Description |
| --- | --- |
| AZURE_CLIENT_ID | Entra ID app registration client ID |
| AZURE_CLIENT_SECRET | App registration client secret |
| AZURE_TENANT_ID | Azure AD tenant ID, or common for multi-tenant |
| AZURE_REDIRECT_URI | OAuth callback URL (default: http://localhost:8787/v1/auth/callback) |

Optional platform-side auth (internal staff only — SaaS prod):

| Variable | Description |
| --- | --- |
| AZURE_PLATFORM_CLIENT_ID | Separate platform app registration client ID |
| AZURE_PLATFORM_CLIENT_SECRET | Platform app registration client secret |
| AZURE_PLATFORM_TENANT_ID | Specific platform tenant ID (must not be common) |
| AZURE_PLATFORM_REDIRECT_URI | Platform OAuth callback URL (default: http://localhost:8787/v1/platform/auth/callback) |

Each platform variable falls back to its AZURE_* counterpart when unset. Self-hosted single-tenant pilots can leave all AZURE_PLATFORM_* empty; the customer app reg handles both flows.

When both AZURE_CLIENT_ID and AZURE_PLATFORM_CLIENT_ID are unset, browser SSO is disabled. Local demo installs can still run with anonymous mode enabled, and the login screen falls back to opening the workspace directly instead of dead-ending on Microsoft auth.

Azure Key Vault (production)

| Variable | Description |
| --- | --- |
| AZURE_KEYVAULT_URL | Key Vault URL (https://<name>.vault.azure.net) |
| AZURE_KEYVAULT_SECRET_NAME | Secret name for the 32-byte keyring (default: orginabox-keyring) |

When unset, the keyring is stored at ~/.orginabox/.keyring (file mode 0600).
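
As an added example (not code from Org in a Box itself), the following preflight check applies the rules stated in the sections above to an environment map before deployment. The name `auditConfig`, the finding ids, the sample values, and the choices to treat empty strings as unset and to evaluate the platform tenant after fallback are assumptions of this example.

```javascript
// Added example, not project code: audit an environment map against the rules on this page.
// auditConfig, effectivePlatform and the finding ids are hypothetical names.
const isSet = (v) => typeof v === "string" && v.trim() !== ""; // assumption: "" counts as unset

// Platform variables fall back to their AZURE_* counterpart when unset.
function effectivePlatform(env, suffix) {
  const own = env[`AZURE_PLATFORM_${suffix}`];
  return isSet(own) ? own : env[`AZURE_${suffix}`];
}

function auditConfig(env) {
  const findings = [];
  const add = (id, message) => findings.push({ id, message });

  if (!isSet(env.ORGINABOX_API_KEY))
    add("api-no-auth", "ORGINABOX_API_KEY unset: REST API runs in local-dev mode (no auth)");
  if (!isSet(env.OPENCODE_SERVER_PASSWORD))
    add("sandbox-password-unset", "OPENCODE_SERVER_PASSWORD unset: set it manually for raw compose or hosted environments");
  // The page calls DATABASE_URL an alias; two different values make the target ambiguous.
  if (isSet(env.POSTGRES_URL) && isSet(env.DATABASE_URL) && env.POSTGRES_URL !== env.DATABASE_URL)
    add("db-url-conflict", "POSTGRES_URL and DATABASE_URL are both set but differ");

  const platformClient = effectivePlatform(env, "CLIENT_ID");
  const platformTenant = effectivePlatform(env, "TENANT_ID");
  if (!isSet(platformClient)) {
    add("sso-disabled", "AZURE_CLIENT_ID and AZURE_PLATFORM_CLIENT_ID unset: browser SSO is disabled");
  } else if (isSet(platformTenant) && platformTenant.trim().toLowerCase() === "common") {
    // Edge case: "common" can reach the platform flow through the fallback, not only directly.
    const via = isSet(env.AZURE_PLATFORM_TENANT_ID) ? "AZURE_PLATFORM_TENANT_ID" : "AZURE_TENANT_ID (fallback)";
    add("platform-tenant-common", `Platform tenant resolves to "common" via ${via}; it must be a specific tenant`);
  }
  if (!isSet(env.AZURE_KEYVAULT_URL))
    add("keyring-on-disk", "AZURE_KEYVAULT_URL unset: keyring is stored at ~/.orginabox/.keyring (mode 0600)");
  return findings;
}

// Constructed sample: hosted deployment with a platform app registration but an inherited tenant ID.
const sampleEnv = {
  POSTGRES_URL: "postgres://user:pass@host:5432/db",
  OPENCODE_SERVER_PASSWORD: "", // passed through empty, as a raw compose file would
  AZURE_CLIENT_ID: "00000000-0000-0000-0000-000000000001",
  AZURE_TENANT_ID: "common",
  AZURE_PLATFORM_CLIENT_ID: "00000000-0000-0000-0000-000000000002",
  AZURE_KEYVAULT_URL: "https://example.vault.azure.net",
};
console.log(auditConfig(sampleEnv).map((f) => `${f.id}: ${f.message}`).join("\n"));
```

To audit a real environment, pass `process.env` (or the parsed contents of the compose `.env` file) to `auditConfig` and fail the deployment step when the returned list is not empty.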

Observability

| Variable | Description |
| --- | --- |
| OTEL_EXPORTER_OTLP_ENDPOINT | OTLP endpoint (e.g. Azure App Insights, Jaeger) |
| OTEL_EXPORTER_OTLP_HEADERS | Auth headers, e.g. Authorization=Bearer <key> |

Gateway-specific

See the individual gateway setup guides for gateway-specific variables (SLACK_BOT_TOKEN, TEAMS_APP_ID, etc.).

Docker Compose Profiles

Enable optional services with --profile:

docker compose --profile slack up -d      # Slack gateway
docker compose --profile teams up -d      # Microsoft Teams gateway
docker compose --profile email up -d      # Email gateway
docker compose --profile web up -d        # Next.js dashboard
docker compose up -d orginabox-api        # Standalone REST API container
