Skip to content

Configuration

MikroChat can be configured through CLI flags, environment variables, or a JSON configuration file. CLI flags take the highest priority.

  1. CLI flags (highest priority)
  2. Config file (mikrochat.config.json)
  3. Default values and environment variables (lowest priority)

Create a mikrochat.config.json file in your project root:

{
"auth": {
"jwtSecret": "your-secret-signing-key",
"appUrl": "https://chat.example.com",
"authMode": "magic-link",
"isInviteRequired": true,
"magicLinkExpirySeconds": 900,
"jwtExpirySeconds": 900,
"refreshTokenExpirySeconds": 604800,
"maxActiveSessions": 3
},
"chat": {
"initialUser": {
"userName": "admin",
"email": "[email protected]",
"password": ""
},
"messageRetentionDays": 30,
"maxMessagesPerChannel": 100
},
"email": {
"user": "[email protected]",
"host": "smtp.example.com",
"password": "smtp-password",
"port": 465,
"secure": true
},
"storage": {
"databaseDirectory": "mikrochat_db",
"encryptionKey": "optional-encryption-key"
},
"server": {
"port": 3000,
"host": "0.0.0.0",
"allowedDomains": ["https://chat.example.com"],
"rateLimit": {
"enabled": true,
"requestsPerMinute": 100
}
},
"oauth": {
"presets": {
"google": {
"clientId": "your-google-client-id",
"clientSecret": "your-google-client-secret",
"redirectUri": "https://chat.example.com/auth/oauth/google/callback"
}
},
"stateExpirySeconds": 600,
"rateLimiting": {
"maxAttempts": 10,
"windowMs": 900000
}
}
}
CLI FlagJSON PathEnvironment VariableDefaultDescription
--jwtSecretauth.jwtSecretAUTH_JWT_SECRET-JWT signing key (required)
--appUrlauth.appUrlAPP_URL-Base URL for magic links
--isInviteRequiredauth.isInviteRequired-trueRequire admin invite before signup
--magicLinkExpirySecondsauth.magicLinkExpirySeconds-900Magic link expiry (15 min)
--jwtExpirySecondsauth.jwtExpirySeconds-900JWT expiry (15 min)
--refreshTokenExpirySecondsauth.refreshTokenExpirySeconds-604800Refresh token expiry (7 days)
--maxActiveSessionsauth.maxActiveSessions-3Max concurrent sessions per user
--authModeauth.authMode-magic-linkAuth mode: dev, magic-link, or password
CLI FlagJSON PathEnvironment VariableDefaultDescription
--initialUserIdchat.initialUser.idINITIAL_USER_ID-ID for initial admin user
--initialUserNamechat.initialUser.userNameINITIAL_USER_NAME-Username for initial admin
--initialUserEmailchat.initialUser.emailINITIAL_USER_EMAIL-Email for initial admin
--initialUserPasswordchat.initialUser.passwordINITIAL_USER_PASSWORD-Password for initial admin
--messageRetentionDayschat.messageRetentionDays-30Days to keep messages
--maxMessagesPerChannelchat.maxMessagesPerChannel-100Max messages per channel

Email configuration is required for magic-link authentication and optional for password mode. Without email in password mode, admins set user passwords directly through the settings panel; with email, users get invite links and can use self-service password reset. Email is not needed for dev mode or OAuth-only setups.

CLI FlagJSON PathEnvironment VariableDefaultDescription
--emailSubjectemail.emailSubject-Your Secure Login LinkEmail subject line
--emailUseremail.userEMAIL_USER-SMTP username
--emailHostemail.hostEMAIL_HOST-SMTP host
--emailPasswordemail.passwordEMAIL_PASSWORD-SMTP password
--emailPortemail.port-465SMTP port
--emailSecureemail.secure-trueUse secure connection
--emailMaxRetriesemail.maxRetries-2Max delivery attempts
CLI FlagJSON PathEnvironment VariableDefaultDescription
--dbstorage.databaseDirectory-mikrochat_dbDatabase directory path
--encryptionKeystorage.encryptionKeySTORAGE_KEY-Encryption key for data at rest

When an encryption key is provided, all data written to the database (messages, users, channels, conversations, and settings) is encrypted using AES-256-GCM. See Encryption at Rest below for details.

CLI FlagJSON PathEnvironment VariableDefaultDescription
--portserver.portMIKROCHAT_PORT, PORT3000Server port
--hostserver.hostHOST127.0.0.1Server bind address
--httpsserver.useHttps-falseEnable HTTPS
--http2server.useHttp2-falseEnable HTTP/2
--certserver.sslCert--SSL certificate path
--keyserver.sslKey--SSL private key path
--caserver.sslCa--SSL CA certificate path
--ratelimitserver.rateLimit.enabled-trueEnable rate limiting
--rpsserver.rateLimit.requestsPerMinute-100Requests per minute limit
--allowedserver.allowedDomains--CORS allowed domains
--debugserver.debugDEBUGfalseEnable debug mode

OAuth is disabled by default. Add the oauth block to enable OAuth sign-in alongside existing auth modes.

Presets (provide just credentials for common providers):

JSON PathDefaultDescription
oauth.presets.google.clientId-Google OAuth client ID
oauth.presets.google.clientSecret-Google OAuth client secret
oauth.presets.google.redirectUri-Google callback URL
oauth.presets.microsoft.clientId-Microsoft OAuth client ID
oauth.presets.microsoft.clientSecret-Microsoft OAuth client secret
oauth.presets.microsoft.redirectUri-Microsoft callback URL
oauth.presets.github.clientId-GitHub OAuth client ID
oauth.presets.github.clientSecret-GitHub OAuth client secret
oauth.presets.github.redirectUri-GitHub callback URL
oauth.presets.gitlab.clientId-GitLab OAuth client ID
oauth.presets.gitlab.clientSecret-GitLab OAuth client secret
oauth.presets.gitlab.redirectUri-GitLab callback URL

General OAuth settings:

JSON PathDefaultDescription
oauth.stateExpirySeconds600CSRF state token expiry (10 min)
oauth.rateLimiting.maxAttempts10Max OAuth attempts per window
oauth.rateLimiting.windowMs900000Rate limit window (15 min)

Custom providers (oauth.custom array) accept full provider config objects. See the Authentication guide for details.

The redirect URI for each provider must follow the pattern: https://your-domain.com/auth/oauth/{providerId}/callback

The web application reads browser-only deployment settings from config.js, a standalone file that lives alongside the built frontend in the dist/ (or app/) directory. Edit it directly — changes take effect on page reload with no rebuild needed.

Authentication mode, email availability, password reset support, registration support, and OAuth availability are read from the backend at runtime through GET /config.json. GET /auth/config remains available as a compatibility alias. Configure those values in mikrochat.config.json, not in config.js.

window.MIKROCHAT_CONFIG = {
DEBUG_MODE: false,
API_BASE_URL: 'http://127.0.0.1:3000',
MAX_CONTENT_LENGTH: 1000
};
OptionDefaultDescription
DEBUG_MODEfalseEnable debug logging (console table of config on load)
API_BASE_URL'http://127.0.0.1:3000'Backend API URL
MAX_CONTENT_LENGTH1000Maximum message length in characters

The browser fetches GET /config.json on startup. The response contains safe, non-secret capabilities such as auth.mode, auth.hasEmail, auth.oauthEnabled, auth.passwordResetEnabled, and auth.registrationEnabled.

OAuth sign-in works alongside whatever backend auth.authMode you choose. When OAuth providers are configured on the backend, the frontend fetches the list of available providers from GET /auth/oauth/providers and renders “Sign in with …” buttons above the regular login form, separated by an “or” divider.

To enable OAuth sign-in:

  1. Configure providers on the backend by adding an oauth block to mikrochat.config.json (see OAuth configuration above and the Authentication guide).

If the backend has no OAuth providers configured, the buttons are simply not shown.

The frontend includes built-in SVG icons for Google, GitHub, Microsoft, and GitLab. Custom providers are displayed without an icon.

Customize magic link emails by providing template functions:

{
auth: {
templates: {
textVersion: (magicLink, expiryMinutes) =>
`Sign in to MikroChat: ${magicLink} (expires in ${expiryMinutes} minutes)`,
htmlVersion: (magicLink, expiryMinutes) =>
`<h1>Sign in to MikroChat</h1><p><a href="${magicLink}">Click here</a> (expires in ${expiryMinutes} minutes)</p>`
}
}
}

Enable HTTPS or HTTP/2 for production:

{
"server": {
"useHttps": true,
"sslCert": "/path/to/certificate.pem",
"sslKey": "/path/to/private-key.pem",
"sslCa": "/path/to/ca-certificate.pem"
}
}

Generate self-signed certificates for testing:

Terminal window
openssl genrsa -out private-key.pem 2048
openssl req -new -key private-key.pem -out csr.pem
openssl x509 -req -days 365 -in csr.pem -signkey private-key.pem -out certificate.pem

MikroChat supports AES-256-GCM encryption for all stored data. When enabled, every value written to the database is encrypted before persistence and decrypted on read. Database keys (e.g. message:abc123) remain unencrypted so prefix-based lookups continue to work.

To enable encryption, set the STORAGE_KEY environment variable or the storage.encryptionKey config option:

Terminal window
STORAGE_KEY=your-secret-key node lib/mikrochat.mjs

The provided key is derived into a 256-bit cryptographic key using scrypt. Each value is encrypted with a unique random IV, producing authenticated ciphertext that prevents both reading and tampering.

Without a STORAGE_KEY, data is stored unencrypted (the default).

Enable debug mode for verbose logging:

Terminal window
node lib/mikrochat.mjs --debug

The CLI --debug flag enables debug mode across all areas. Use the config file for granular control.