Complete reference for all Thand Agent configuration options and their default values.
Overview Environment Configuration Basic Environment Settings Local Environment Config AWS-Specific Config GCP-Specific Config Azure-Specific Config Server Configuration Basic Server Settings Server Limits Metrics Configuration Health Checks CORS Settings Login Server Configuration Thand Cloud Configuration API Configuration Logging Configuration Services Configuration Encryption Service Vault Service Scheduler Service (Temporal) Temporal Configuration Large Language Model (LLM) Configuration Roles Configuration External Role Loading Workflows Configuration Providers Configuration Security Configuration Endpoint Configuration Structure Authentication Basic Authentication Bearer Token Authentication Environment Variables Examples Configuration File Examples Minimal Configuration Complete Configuration Validation Thand Agent supports comprehensive configuration through YAML files, environment variables, and command-line flags. Configuration is loaded in the following order (later sources override earlier ones):
Default values (hardcoded) Configuration file (config.yaml, ~/.config/thand/config.yaml, etc.) Environment variables (prefixed with THAND_) Command line flags Core environment settings that define the runtime context and platform.
Option Type Default Description environment.namestring Automatic Name of the environment or hostname. Will be automatically set if not provided environment.hostnamestring Automatic Hostname of the machine. Will be automatically set if not provided environment.platformstring Automatic Platform type: aws, gcp, azure, kubernetes, local. Will be automatically set if not provided environment.osstring Automatic Operating system: windows, darwin, linux. Will be automatically set if not provided environment.os_versionstring Automatic Operating system version. Will be automatically set if not provided environment.archstring Automatic System architecture: amd64, arm64. Will be automatically set if not provided environment.ephemeralboolean falseWhether running in ephemeral environment. Will be automatically set if not provided
Platform-specific configuration settings:
Option Type Default Description environment.config.passwordstring changemeDefault encryption password environment.config.saltstring changemeDefault encryption salt
Option Type Default Description environment.config.profilestring - AWS profile to use environment.config.regionstring - AWS region environment.config.access_key_idstring - AWS access key ID environment.config.secret_access_keystring - AWS secret access key environment.config.kms_arnstring - AWS KMS key ARN for encryption environment.config.imds_disableboolean - Disable AWS instance metadata service
Option Type Default Description environment.config.project_idstring - GCP project ID environment.config.locationstring - GCP location/region environment.config.key_ringstring - Cloud KMS key ring name environment.config.key_namestring - Cloud KMS key name
Option Type Default Description environment.config.vault_urlstring - Azure Key Vault URL
Settings for the Thand server when running in server mode.
Option Type Default Description server.hoststring 0.0.0.0Server bind address server.portinteger 5225Server listen port
Option Type Default Description server.limits.read_timeoutduration 30sHTTP read timeout server.limits.write_timeoutduration 30sHTTP write timeout server.limits.idle_timeoutduration 120sHTTP idle timeout server.limits.requests_per_minuteinteger 100Rate limit for requests per minute server.limits.burstinteger 10Rate limit burst size
Option Type Default Description server.metrics.enabledboolean trueEnable Prometheus metrics endpoint server.metrics.pathstring /metricsMetrics endpoint path server.metrics.namespacestring thandMetrics namespace prefix
Option Type Default Description server.health.enabledboolean trueEnable health check endpoint server.health.pathstring /healthHealth check endpoint path server.ready.enabledboolean trueEnable readiness check endpoint server.ready.pathstring /readyReadiness check endpoint path
Option Type Default Description server.security.cors.allowed_origins[]string ["https://thand.io", "https://*.thand.io"]Allowed CORS origins server.security.cors.allowed_methods[]string ["GET", "POST", "PUT", "DELETE", "OPTIONS"]Allowed HTTP methods server.security.cors.allowed_headers[]string ["Authorization", "Content-Type", "X-Requested-With"]Allowed headers server.security.cors.expose_headers[]string - Exposed headers server.security.cors.allow_credentialsboolean falseAllow credentials server.security.cors.max_ageinteger 86400CORS preflight cache duration (seconds)
Settings for connecting to the Thand login server.
Option Type Default Description login.endpointstring https://auth.thand.io/Login server endpoint URL login.basestring /Base path for login endpoints login.api_keystring - API key for login server authentication
Settings for connecting to Thand Cloud services (thand.io).
Option Type Default Description thand.endpointstring https://app.thand.io/Thand Cloud endpoint URL thand.basestring /Base path for Thand Cloud endpoints thand.api_keystring - API key for authenticating with Thand Cloud thand.syncboolean trueEnable synchronization with Thand Cloud
Settings for the REST API.
Option Type Default Description api.versionstring /api/v1API version api.rate_limit.requests_per_minuteinteger - API-specific rate limit api.rate_limit.burstinteger - API-specific burst limit
Control logging behavior and output format.
Option Type Default Description logging.levelstring infoLog level: trace, debug, info, warn, error, fatal, panic logging.formatstring jsonLog format: json, text logging.outputstring stdoutLog output destination logging.open_telemetry.enabledboolean falseEnable OpenTelemetry logging logging.open_telemetry.endpointEndpoint - OpenTelemetry endpoint configuration
External service integrations and configurations.
Option Type Default Description services.encryption.providerstring localEncryption provider: aws, gcp, azure, local services.encryption.config.*map - Provider-specific encryption config
Option Type Default Description services.vault.providerstring localVault provider: aws, gcp, azure, local services.vault.config.*map - Provider-specific vault config
Option Type Default Description services.scheduler.providerstring localScheduler provider services.scheduler.config.*map - Provider-specific scheduler config
Option Type Default Description services.temporal.hoststring localhostTemporal server host services.temporal.portinteger 7233Temporal server port services.temporal.namespacestring defaultTemporal namespace services.temporal.api_keystring - Temporal Cloud API key services.temporal.mtls_certstring - mTLS certificate content services.temporal.mtls_cert_pathstring - Path to mTLS certificate file services.temporal.disable_versioningboolean falseDisable worker versioning
Option Type Default Description services.llm.providerstring - LLM provider: openai, gemini, anthropic services.llm.api_keystring - API key for LLM provider services.llm.base_urlstring - Custom base URL for LLM API services.llm.modelstring - Model name (e.g., gpt-4, gemini-pro)
Define and load role definitions.
Option Type Default Description roles.pathstring ./examples/rolesLocal directory for role files roles.urlEndpoint - Remote URL endpoint for roles roles.vaultstring - Vault secret path for roles roles.*map - Inline role definitions
Roles can be loaded from external sources:
# Load from local directory
roles :
path : " ./config/roles"
# Load from remote URL
roles :
url :
uri : " https://example.com/roles.yaml"
method : " GET"
headers :
Authorization : " Bearer token"
# Load from vault
roles :
vault : " secret/roles"
Define and load workflow definitions.
Option Type Default Description workflows.pathstring ./examples/workflowsLocal directory for workflow files workflows.urlEndpoint - Remote URL endpoint for workflows workflows.vaultstring - Vault secret path for workflows workflows.plugins.pathstring - Local directory for workflow plugins workflows.plugins.urlstring - Remote URL for workflow plugins workflows.*map - Inline workflow definitions
Define and load provider configurations.
Option Type Default Description providers.pathstring ./examples/providersLocal directory for provider files providers.urlEndpoint - Remote URL endpoint for providers providers.vaultstring - Vault secret path for providers providers.plugins.pathstring - Local directory for provider plugins providers.plugins.urlstring - Remote URL for provider plugins providers.*map - Inline provider definitions
Option Type Default Description secretstring changemeSecret key for signing cookies and tokens
The Endpoint object is used to configure remote connections, such as fetching configuration files or sending telemetry data. It follows the Serverless Workflow Specification for endpoint definitions.
Field Type Description uristring The URI of the endpoint authenticationobject Authentication configuration (optional)
The authentication object supports various authentication methods, including Basic Auth and Bearer Token. For more details on how to configure authentication, refer to the HTTP Authentication .
endpoint :
uri : " https://api.example.com/v1/resource"
authentication :
basic :
username : " myuser"
password : " mypassword"
endpoint :
uri : " https://api.example.com/v1/resource"
authentication :
bearer :
token : " eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
All configuration options can be set via environment variables using the THAND_ prefix and converting nested keys to uppercase with underscores:
# Environment settings
export THAND_ENVIRONMENT_PLATFORM = "aws"
export THAND_ENVIRONMENT_CONFIG_REGION = "us-west-2"
# Server settings
export THAND_SERVER_HOST = "0.0.0.0"
export THAND_SERVER_PORT = "8080"
# Logging
export THAND_LOGGING_LEVEL = "debug"
export THAND_LOGGING_FORMAT = "json"
# Services
export THAND_SERVICES_LLM_PROVIDER = "openai"
export THAND_SERVICES_LLM_API_KEY = "sk-..."
export THAND_SERVICES_LLM_MODEL = "gpt-4"
# Temporal
export THAND_SERVICES_TEMPORAL_HOST = "temporal.example.com"
export THAND_SERVICES_TEMPORAL_NAMESPACE = "production"
# External sources
export THAND_ROLES_VAULT = "secret/roles"
export THAND_WORKFLOWS_VAULT = "secret/workflows"
export THAND_PROVIDERS_VAULT = "secret/providers"
environment :
name : " production"
platform : " aws"
logging :
level : " info"
format : " json"
server :
host : " 0.0.0.0"
port : 5225
# Environment configuration
environment :
name : " production-agent"
platform : " aws"
config :
region : " us-west-2"
timeout : " 10s"
# Server configuration
server :
host : " 0.0.0.0"
port : 5225
limits :
read_timeout : " 30s"
write_timeout : " 30s"
requests_per_minute : 200
metrics :
enabled : true
namespace : " thand-prod"
security :
cors :
allowed_origins : [ " https://app.example.com" ]
# Login server
login :
endpoint : " https://auth.example.com"
api_key : " ${LOGIN_API_KEY}"
# Services
services :
llm :
provider : " openai"
api_key : " ${OPENAI_API_KEY}"
model : " gpt-4"
temporal :
host : " temporal.example.com"
port : 7233
namespace : " production"
api_key : " ${TEMPORAL_API_KEY}"
vault :
provider : " aws"
config :
region : " us-west-2"
# Logging
logging :
level : " info"
format : " json"
# External sources
roles :
vault : " secret/production/roles"
workflows :
vault : " secret/production/workflows"
providers :
vault : " secret/production/providers"
# Security
secret : " ${THAND_SECRET}"
Configuration validation occurs at startup. Common validation rules include:
Required fields must be present Enum values must match allowed options Duration fields must be valid Go duration strings URL fields must be valid URLs Port numbers must be in valid range (1-65535) Invalid configurations will cause the agent to fail startup with descriptive error messages.