Environment variables
Complete reference for Forven's environment variables — startup, safety, auth, encryption, integrations, and first-run seeding keys with meanings and defaults.
Forven reads a small set of environment variables to control where it stores data, which port it binds, the execution mode (paper by default), and how the local HTTP API is secured. This page is the authoritative reference: every variable, what it does, and its default.
Most users never set these by hand. The launcher seeds a sensible .env on first run (on macOS/Linux you copy .env.example to .env), and the rest of configuration lives in the UI. Set these only when you need a non-default port or data location, are hardening a non-localhost deployment, or wiring up an integration.
How variables are resolved
Environment variables sit at the top of Forven's configuration precedence:
env var > KV store (settings) > config.json > built-in defaultSo an env var always wins over the same value set in the configuration file or the in-app settings. Forven reads .env from the repository root (on macOS/Linux you copy .env.example to .env; on Windows start_all.ps1 reads variables from the current shell). See Configuration reference for the file-level structure.
On Windows, set a variable for the current PowerShell session like this:
$env:FORVEN_PORT = "8003"
$env:FORVEN_BIND_HOST = "127.0.0.1"To persist a value, add it to your .env file (one KEY=value per line) rather than exporting it each session.
Startup & paths
These control where Forven lives and how it listens.
| Variable | Meaning | Default |
|---|---|---|
FORVEN_HOME | Root directory for all app state: config.json, forven.db, forven_lab.db, workspace/, chromadb/. Auto-merges a legacy .juddex/.judex home on first run. | ~/.forven |
FORVEN_PORT | Port the FastAPI backend (uvicorn) binds. A startup guard detects port collisions. | 8003 |
FORVEN_BIND_HOST | Host the backend binds to. Loopback-only by default. | 127.0.0.1 |
FORVEN_CLIENT_BASE | Explicit API base URL the frontend calls. | http://127.0.0.1:8003 |
FORVEN_DATA_DIR | Custom directory for OHLCV and backtest data. | ./data, or FORVEN_HOME/data |
FORVEN_FRONTEND_DIR | Path to a prebuilt SvelteKit bundle. If set and present, the SPA is mounted at /. | (unset) |
FORVEN_HOME is the single most important variable: point it at a different directory to run an isolated second instance, or to relocate your data. Everything Forven knows lives under it.
Safety: execution mode & mainnet gate
These two variables, together with the build channel, decide whether Forven can ever touch real capital. Treat them as the load-bearing safety surface.
| Variable | Meaning | Default |
|---|---|---|
FORVEN_EXECUTION_MODE | paper or live. Paper records trades in SQLite against local candle prices; live routes orders to HyperLiquid. | paper |
FORVEN_ALLOW_MAINNET | Must be 1 to permit real-funds (mainnet) orders. Default-deny — the exchange risk gate refuses mainnet unless this is explicitly set. | 0 |
FORVEN_ENV | Optional deployment channel flag. Unset by default. Setting it to beta adds an extra hard-lock that forces execution to paper regardless of other settings — a belt-and-suspenders safety switch, since paper is the supported mode anyway. | (unset) |
FORVEN_EXECUTION_FAST_PATH | When true, the scanner attempts direct exchange execution before queuing an execution-trader task. | true |
Paper (optionally on the HyperLiquid testnet) is the supported mode and the default. There is no supported live / mainnet path: mainnet is default-deny (FORVEN_ALLOW_MAINNET=0), and wiring real exchange keys with FORVEN_EXECUTION_MODE=live plus FORVEN_ALLOW_MAINNET=1 is unsupported and entirely at your own risk. See Execution modes and Going live safely.
The public docs sometimes call the paper stage a candidate strategy; internally and in these variables it is always paper.
API authentication
Forven's local HTTP API binds to 127.0.0.1 by default and is unauthenticated unless you set keys. For any deployment that is not strictly localhost, set keys and require them. See the full REST & WebSocket API reference for endpoint groups and headers.
| Variable | Meaning | Default |
|---|---|---|
FORVEN_API_KEY | If set, every /api/* request must carry this key (header x-api-key or Authorization: Bearer). /api/health and /api/shutdown are exempt. | (unset — no auth required) |
FORVEN_OPERATOR_KEY | Higher-privilege key (header x-operator-key) for operator-gated routers and dangerous endpoints (/api/system/*, /api/execution-mode, /api/kill-switch/*). | (unset — no auth required) |
FORVEN_AUTH_REQUIRED | When true, the backend refuses to start unless both FORVEN_API_KEY and FORVEN_OPERATOR_KEY are set. | false |
FORVEN_ALLOWED_HOSTS | Comma-separated DNS-rebinding guard. Middleware rejects unknown Host headers. | 127.0.0.1, localhost, [::1], testserver |
FORVEN_CORS_ORIGINS | Comma-separated CORS-allowed origins. | http://127.0.0.1:5173, http://localhost:5173, ... |
When a key is unset, Forven logs a loud warning at startup. Setting FORVEN_AUTH_REQUIRED=true turns that warning into a hard failure — recommended for anything reachable beyond loopback.
$env:FORVEN_API_KEY = "<a-long-random-string>"
$env:FORVEN_OPERATOR_KEY = "<a-different-long-random-string>"
$env:FORVEN_AUTH_REQUIRED = "true"Encryption & secrets
Forven encrypts API keys and exchange credentials at rest using Fernet symmetric encryption. The key is generated once and stored in a non-synced location.
| Variable | Meaning | Default |
|---|---|---|
FORVEN_ENCRYPTION_KEY | Explicit Fernet key for secrets. If unset, Forven auto-generates one at a preferred path. | (auto-generated) |
The auto-generated key lives at %LOCALAPPDATA%\Forven\.forven_key on Windows (~/.config/forven/.forven_key elsewhere) — deliberately outside FORVEN_HOME.
The encryption key path is non-synced on purpose: it will not follow OneDrive or Dropbox. Your encrypted credentials (in auth.json under FORVEN_HOME) and the key that decrypts them can therefore diverge if you back up one without the other. Back them up together, or set FORVEN_ENCRYPTION_KEY explicitly so the key is reproducible.
HyperLiquid credentials
These provide live-routing credentials as an environment override for file-based or encrypted-settings storage. They are only consulted when execution mode is live. Full setup is on the HyperLiquid integration page; keys stay on your machine.
| Variable | Meaning | Default |
|---|---|---|
FORVEN_HL_API_KEY | HyperLiquid API key. | (unset) |
FORVEN_HL_API_SECRET | HyperLiquid API secret (env or encrypted settings only — not file-based). | (unset) |
FORVEN_HL_WALLET_ADDRESS | HyperLiquid wallet address. | (unset) |
FORVEN_HL_USE_TESTNET | true for testnet, false for mainnet. Paper/test default to testnet, live to mainnet. | true |
Credentials are resolved from your encrypted in-app settings (Settings → HyperLiquid) first, then these env vars, then a legacy file-based settings.json. Note that FORVEN_HL_USE_TESTNET=false still does not permit real-funds orders on its own — FORVEN_ALLOW_MAINNET=1 is the separate, explicit gate.
Integrations
| Variable | Meaning | Default |
|---|---|---|
DISCORD_TOKEN | Discord bot token for the Forven bot. Required only when START_BOT=1. | (unset) |
POLYGON_API_KEY | Polygon.io key for market data. Checked in Settings → API Keys (KV store) first, then auth.json. | (unset) |
FORVEN_GITHUB_WEBHOOK_SECRET | HMAC secret enabling the /api/webhooks/github auto-pull endpoint. For local dev only; leave unset unless you know you need it. | (unset) |
FORVEN_GITHUB_WEBHOOK_BRANCH | Target git branch for webhook auto-pull. | main |
First-run seeding variables
These optional variables control what a fresh FORVEN_HOME is seeded with on first launch. Most users never set them — the launcher provides sensible defaults — but they are available if you want to point first-run seeding at your own .env template or parquet directory. See Running from source.
| Variable | Meaning | Default |
|---|---|---|
FORVEN_DEFAULT_ENV | Source .env template seeded to FORVEN_HOME/.env on first launch. | (unset) |
FORVEN_DEFAULT_SEED_DATA | Source parquet seed directory copied to FORVEN_HOME/data/ohlcv so the dashboard shows data immediately. | (unset) |
FORVEN_DISABLE_CHROMA_IN_PROCESS | Disables in-process ChromaDB (Windows ONNX workaround). Set automatically on Windows. | (auto on Windows) |
Startup script flags
These are read by the launcher (start_all.ps1 / start_all.sh) to decide which background processes to start.
| Variable | Meaning | Default |
|---|---|---|
START_BOT | 1 starts the Discord bot, 0 skips it. | 1 |
START_DAEMON | 1 starts the data/risk daemon loop, 0 skips it. | 1 |
START_LAB_WORKER | 1 starts the Regime Lab worker. | 0 (unless FORVEN_ENABLE_REGIME_LAB=1) |
FORVEN_ENABLE_REGIME_LAB | Enables the optional Regime Lab worker and UI. | 0 |
FORCE_RESTART | 1 force-restarts backend/frontend/bot even if healthy. | 0 |
Runtime tuning (advanced)
You rarely need these. They size worker pools and timeouts; the defaults are tuned for a desktop machine. Stay within the documented bounds.
| Variable | Meaning | Default |
|---|---|---|
FORVEN_HEADLESS_AGENT_CONCURRENCY | Agent worker pool size (min 1, max 8). | 3 |
FORVEN_HEADLESS_BRAIN_LIMIT | Brain worker task limit (min 1, max 8). | 2 |
FORVEN_API_RUNTIME_THREAD_MODE | true runs scheduler/agent/brain/daemon on separate threads; false runs them as async tasks in the event loop. | true |
FORVEN_API_RUNTIME_START_DELAY_SECONDS | Delay before starting background loops, to let the DB init (0–60). | 5.0 |
FORVEN_OPTIMIZATION_MAX_WORKERS | Parameter-optimization thread pool (1–4). | 2 |
FORVEN_ROBUSTNESS_MAX_WORKERS | Robustness-test thread pool (1–8). | 5 |
FORVEN_ROBUSTNESS_TIMEOUT_SECS | Per-run robustness timeout (min 60). | 600 |
FORVEN_MAX_UPLOAD_BYTES | Max CSV upload size; 413 returned if exceeded. | 52428800 (50 MiB) |
FORVEN_ENABLE_SIMULATION_API | Includes the optional simulation router. | false |
Verifying your settings
After setting variables, confirm the backend picked them up:
- Start Forven with the launcher (
start_all.ps1on Windows,start_all.shon macOS/Linux). - Open
http://127.0.0.1:8003/api/health— it should return a health payload with no auth required. - Check the /ops page for the active execution mode and system health.
- If you set auth keys, confirm a request without the key is rejected with
401.
What you'll see: the /ops dashboard shows the current execution mode (it should read paper by default, the supported mode), system health, and scheduler status. If a key is required and missing, every operator-gated call returns 401.
Caveats
- Env always wins. A value set here overrides the same key in the UI or
config.json. If a setting in the app "won't stick," check for an env override first. - Live/mainnet is unsupported. Paper (optionally on testnet) is the supported mode. Setting
FORVEN_EXECUTION_MODE=liveandFORVEN_ALLOW_MAINNET=1is at your own risk and not a supported path. - Secrets and their key can diverge. Back up
FORVEN_HOME/auth.jsontogether with the non-synced encryption key (or pin it viaFORVEN_ENCRYPTION_KEY). - Webhook endpoint is dev-only.
FORVEN_GITHUB_WEBHOOK_SECRETis intended for local development only.
Forven is a research tool. Nothing here is financial advice, paper results are not predictive of live results, and any numbers in the app are illustrative of process — not a forecast of profit.
Related
- Configuration reference — config.json structure and the full precedence chain
- REST & WebSocket API — endpoints, headers, and the auth model these keys back
- HyperLiquid integration — credential setup and testnet/mainnet selection
- Execution modes: paper vs live — what the safety variables actually gate
Configuration reference
Where Forven keeps its configuration, the order settings are resolved, and the most-touched config.json key groups for the lab, gauntlet, and pipeline.
REST & WebSocket API
The local Forven HTTP and WebSocket API — base URL, authentication keys, the endpoint catalog by router, the live feed, and the legacy sunset.