Set these environment variables when installing the MCP Identity Gateway. They configure how the MCP Identity Gateway operates at install time.

AEMBIT_TENANT_URL Required

Default - not set

Base URL of your Aembit tenant. Find this value in the browser address bar when you sign in to the Aembit console. See Set up the MCP Identity Gateway for detailed configuration steps.

Example:
https://tenantid.aembit.io


AEMBIT_MCP_GATEWAY_URL Required

Default - not set

Public URL of this MCP Identity Gateway instance. This is the URL that MCP clients use to connect.

Example:
https://mcp-gateway.example.com


AEMBIT_AGENT_CONTROLLER_URL Required

Default - not set

URL of the local Agent Controller. Must point to localhost because the MCP Identity Gateway and Agent Controller must run on the same host. The Agent Controller registers the MCP Identity Gateway with Aembit Cloud and provides it with the credentials and configuration needed to operate. This local-only communication ensures credentials never traverse the network. For architecture details, see MCP Identity Gateway concepts.

Example:
http://localhost:5000


AEMBIT_TLS_CERT_CHAIN_PATH Required

Default - not set

Sensitive - No

Filesystem path to the TLS certificate chain file (PEM format). Must include the full chain (leaf certificate and intermediates). The certificate Common Name (CN) or Subject Alternative Name (SAN) must match the hostname in AEMBIT_MCP_GATEWAY_URL.

Example:
/etc/ssl/certs/fullchain.pem


AEMBIT_TLS_PRIVATE_KEY_PATH Required

Default - not set

Sensitive - Yes

Filesystem path to the TLS private key file (PEM format). For production, store the key in a secrets manager.

Example:
/etc/ssl/private/privkey.pem


AEMBIT_LOG_LEVEL

Default - info

Log verbosity level. Options: trace, debug, info, warn, error, off. Use info or a less verbose level for production; trace and debug may log sensitive information.

Example:
debug

sudo AEMBIT_TENANT_URL=https://tenantid.aembit.io \
AEMBIT_MCP_GATEWAY_URL=https://mcp-gateway.example.com \
AEMBIT_TLS_CERT_CHAIN_PATH=/etc/ssl/certs/fullchain.pem \
AEMBIT_TLS_PRIVATE_KEY_PATH=/etc/ssl/private/privkey.pem \
AEMBIT_AGENT_CONTROLLER_URL=http://localhost:5000 \
AEMBIT_LOG_LEVEL=info \
./install

The MCP Identity Gateway validates configuration at startup and fails closed on errors.

When the MCP Identity Gateway starts, it validates:

  • Required variables - You must set all required environment variables
  • URL format - Tenant and controller URLs must be well-formed
  • TLS certificates - Certificate and key files must exist and be readable
  • Agent Controller connectivity - The MCP Identity Gateway must reach the Agent Controller on localhost

If any validation fails, the MCP Identity Gateway exits immediately with an error message.
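The startup checks listed above can be run before installation. This is an added example, not Aembit code: `gateway_preflight` is a hypothetical helper, and the https requirement, the private key permission check and the log level check are assumptions drawn from this page's examples and notes rather than documented gateway behavior. It does not test connectivity to the Agent Controller.

```shell
# Added example: gateway_preflight is a hypothetical helper, not Aembit code.
gateway_preflight() {
  rc=0
  fail() { echo "FAIL: $*" >&2; rc=1; }

  # Required variables: all must be set and non-empty.
  for v in AEMBIT_TENANT_URL AEMBIT_MCP_GATEWAY_URL AEMBIT_AGENT_CONTROLLER_URL \
           AEMBIT_TLS_CERT_CHAIN_PATH AEMBIT_TLS_PRIVATE_KEY_PATH; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || fail "$v is not set"
  done
  [ "$rc" -eq 0 ] || return 1

  # URL format: https is assumed from the page's examples.
  for u in "$AEMBIT_TENANT_URL" "$AEMBIT_MCP_GATEWAY_URL"; do
    case "$u" in
      https://?*) ;;
      *) fail "not an https URL: $u" ;;
    esac
  done

  # Agent Controller: require a scheme, then extract the host (drop path,
  # userinfo, port) and require the literal name localhost.
  case "$AEMBIT_AGENT_CONTROLLER_URL" in
    http://?*|https://?*) ;;
    *) fail "Agent Controller URL has no http(s) scheme" ;;
  esac
  host=${AEMBIT_AGENT_CONTROLLER_URL#*://}
  host=${host%%/*}; host=${host##*@}; host=${host%%:*}
  [ "$host" = localhost ] || fail "Agent Controller URL is not localhost: $host"

  # TLS files: must exist and be readable by the current user.
  for f in "$AEMBIT_TLS_CERT_CHAIN_PATH" "$AEMBIT_TLS_PRIVATE_KEY_PATH"; do
    [ -f "$f" ] && [ -r "$f" ] || fail "missing or unreadable: $f"
  done

  # Hardening (assumption): the private key grants nothing to group/other.
  if [ -f "$AEMBIT_TLS_PRIVATE_KEY_PATH" ]; then
    perms=$(ls -ldL "$AEMBIT_TLS_PRIVATE_KEY_PATH" | cut -c5-10)
    [ "$perms" = "------" ] || fail "private key is group/world accessible"
  fi

  # Hardening (assumption): reject log levels that may log sensitive data.
  case "${AEMBIT_LOG_LEVEL:-info}" in
    info|warn|error|off) ;;
    *) fail "AEMBIT_LOG_LEVEL=${AEMBIT_LOG_LEVEL} is not suitable for production" ;;
  esac
  return "$rc"
}
```

Run `gateway_preflight` in the shell where the variables are set; it prints each failed check to stderr and returns non-zero if any check fails.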

During operation, the MCP Identity Gateway caches data from Aembit Cloud to maintain availability:

Data type                     | Cache duration
Assigned MCP server workloads | 60 seconds
Access policy directives      | 60 seconds
Credentials                   | 60 seconds

If Aembit Cloud becomes unreachable, the MCP Identity Gateway continues operating with cached data until the cache expires.

After installation, verify the MCP Identity Gateway is running:

sudo systemctl status aembit_mcp_gateway

Check the logs for startup errors:

sudo journalctl -u aembit_mcp_gateway -n 50

The MCP Identity Gateway requires an Agent Controller running on the same host. The Agent Controller uses its own set of environment variables during installation.

Default - not set

Aembit tenant ID.

Example:
123abc


AEMBIT_AGENT_CONTROLLER_ID Required

Default - not set

ID of the Agent Controller as configured in Aembit.

Example:
01234567-89ab-cdef-0123-456789abcdef


Default - useast2.aembit.io

Aembit stack domain for this tenant. Don’t set this value unless directed by your Aembit representative.


Default - information

Log verbosity level for the Agent Controller. Supported levels: fatal, error, warning, information, debug, verbose.

Example:
verbose

For Agent Controller installation details, see Set up the MCP Identity Gateway.