crab’d is configured mostly through .crabd.yml, but a handful of things —
secrets, identity, and forge/runner wiring — come from the environment. This is the complete list.
| Variable |
Description |
CRABD_APP_ID |
GitHub App ID. With CRABD_APP_PRIVATE_KEY, authenticates as that App (self-hosted identity). Overrides the broker. |
CRABD_APP_PRIVATE_KEY |
GitHub App private key. A raw PEM or a base64-encoded PEM (easier as an env var). |
CRABD_APP_INSTALLATION_ID |
Optional installation ID. Auto-resolved from the repo when omitted. |
CRABD_BROKER_URL |
Token-broker URL for the canonical crab'd[bot] identity. Defaults to the built-in DEFAULT_BROKER_URL. |
CRABD_BROKER_AUDIENCE |
OIDC audience the broker expects. Default crabd-broker. |
CRABD_DISABLE_BROKER |
Set to true to skip the broker even when OIDC is available. |
CRABD_GITHUB_TOKEN |
GitHub token for forge ops (fallback identity: github-actions). |
CRABD_GITHUB_API_URL |
GitHub API base URL (GitHub Enterprise). |
| Variable |
Description |
CRABD_FORGE |
Force the forge: github or forgejo. Auto-detected otherwise. |
CRABD_FORGEJO_TOKEN |
Bot-account token — crab’d’s identity on Forgejo. |
CRABD_FORGEJO_API_URL |
Forgejo API root, e.g. https://forgejo.example.com/api/v1. |
| Variable |
Description |
CRABD_INPUT_MODEL |
Model for the inputs layer (from the model action input). |
CRABD_INPUT_TRIGGER_PHRASE |
Trigger phrase (inputs layer). |
CRABD_INPUT_PROVIDERS |
Comma-separated provider allowlist (inputs layer). |
CRABD_INPUT_THINKING_LEVEL |
Reasoning level (inputs layer). |
CRABD_CONFIG_ENV |
A YAML blob applied as the highest env config layer. |
CRABD_CONFIG_PATH |
Repo config filename. Default .crabd.yml. |
CRABD_ORG_CONFIG_REPO |
Org config repo slug. Default <owner>/.crabd-config. |
CRABD_ORG_CONFIG_PATH |
Path within the org repo. Default .crabd.yml. |
CRABD_EXTENSION_PATH_REL |
Repo-relative path to crabd.config.ts. Default crabd.config.ts. |
| Variable |
Description |
CRABD_OLLAMA_BASE_URL |
Registers a local Ollama provider at this OpenAI-compatible URL. |
TAVILY_API_KEY |
Enables reliable web search for the agent’s web_search tool (falls back to keyless DuckDuckGo when unset). |
The egress gateway is configured via providers.gateway_url in
.crabd.yml, not by hand.
Read by the provider integrations (not by crab’d directly). Provide the one(s) for your chosen model:
| Variable |
Provider |
ANTHROPIC_API_KEY |
anthropic |
OPENAI_API_KEY |
openai |
OPENROUTER_API_KEY |
openrouter |
GEMINI_API_KEY |
google (Gemini) |
GOOGLE_APPLICATION_CREDENTIALS, GOOGLE_CLOUD_PROJECT, GOOGLE_CLOUD_LOCATION |
google-vertex (Vertex AI, ADC) |
(your api_key_env) |
a custom provider |
Set by the CI runner; crab’d reads them. You rarely set these yourself.
| Variable |
Description |
GITHUB_EVENT_NAME / GITHUB_EVENT_PATH |
The event kind and payload file. |
GITHUB_WORKSPACE |
The checked-out repo path (the agent’s sandbox root). |
GITHUB_TOKEN |
Fallback forge token. |
GITHUB_API_URL / GITHUB_SERVER_URL |
API / server base URLs. |
GITHUB_OUTPUT |
File crab’d writes its mode / result / summary outputs to. |
FORGEJO_ACTIONS |
Present on Forgejo runners; aids forge auto-detection. |
ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN |
OIDC minting endpoint (requires permissions: id-token: write). |
CRABD_EVENT_NAME / CRABD_EVENT_PATH |
Override the event source (useful outside Actions). |
Set on the deployed broker, not in consumer workflows.
| Variable |
Description |
CRABD_APP_ID / CRABD_APP_PRIVATE_KEY |
The canonical crab’d App credentials the broker holds. The key may be a raw PEM or base64-encoded. |
CRABD_BROKER_AUDIENCE |
Audience the broker requires. Default crabd-broker. |
PORT |
Node listen port. Default 8787. |
Set by the CLI for the Flue turn subprocess. You normally don’t set these, but they’re documented for
non-Actions embedding.
| Variable |
Description |
CRABD_MODEL, CRABD_INSTRUCTIONS, CRABD_THINKING_LEVEL |
Resolved dials handed to the agent. |
CRABD_CWD |
Sandbox working directory. |
CRABD_TIMEOUT_MS |
Hard run timeout in milliseconds (from limits.timeout_minutes). |
CRABD_CUSTOM_PROVIDERS |
JSON of resolved custom providers to register. |
CRABD_GATEWAY_URL / CRABD_GATEWAY_PROVIDERS |
Gateway base URL and the built-in providers to route through it (from providers.gateway_url). |
CRABD_MCP |
JSON of MCP servers to connect. |
CRABD_WEB_SEARCH |
JSON of the resolved web-search config (enabled, maxResults). |
CRABD_EXTENSION_PATH |
Absolute path to crabd.config.ts. |
CRABD_SANDBOX_ENV |
JSON of extra env vars exposed to the sandbox (empty by default). |
CRABD_FORGE_TOKEN, CRABD_REPO_OWNER, CRABD_REPO_NAME, CRABD_REPO_DEFAULT_BRANCH, CRABD_TRACKING_ID, CRABD_SUBJECT |
Wiring for the live-progress tool. |