Get started
Configuration.
Briar is configured through environment variables and a cascading credential store. There is no
briar.toml or central config file — everything is either an env var the CLI reads at startup, or a flag you pass per-invocation.Per-company credential env vars
Most providers ship a single account per developer. Briar multi-tenants on top of that by interpolating a {company} token into the env var name. --company acme reads JIRA_ACME_TOKEN; the same flow with --company widgets reads JIRA_WIDGETS_TOKEN. The company token is uppercased and dashes become underscores. GitHub PATs are the exception — they're workspace-wide, so the var is just GITHUB_TOKEN with no company segment.
Use briar secrets doctor
Don't hand-derive the env var name. Run
briar secrets doctor (it walks the runbook YAMLs in ./examples by default) and it lists every env var the configured extractors and writers need, marked present / missing.Tracker credentials
| Provider | Env vars |
|---|---|
| GitHub (PAT) | GITHUB_TOKEN (workspace-wide, no company segment) |
| Bitbucket Cloud | BITBUCKET_{COMPANY}_USERNAME, BITBUCKET_{COMPANY}_APP_PASSWORD, BITBUCKET_{COMPANY}_WORKSPACE |
| Jira (token) | JIRA_{COMPANY}_EMAIL, JIRA_{COMPANY}_TOKEN, JIRA_{COMPANY}_URL |
| Jira (session — for SSO tenants) | JIRA_{COMPANY}_SESSION_TOKEN, JIRA_{COMPANY}_XSRF_TOKEN (+ optional JIRA_{COMPANY}_TENANT_SESSION_TOKEN, JIRA_{COMPANY}_USER_AGENT) |
| Linear | LINEAR_{COMPANY}_TOKEN |
Cloud credentials
| Provider | Env vars / notes |
|---|---|
| AWS | AWS_{COMPANY}_ACCESS_KEY_ID, AWS_{COMPANY}_SECRET_ACCESS_KEY, AWS_{COMPANY}_SESSION_TOKEN (optional), AWS_{COMPANY}_REGION. Or use --aws-extract-profile to point at an existing local boto3 profile. |
| GCP / Azure | Use --cloud gcp / --cloud azure + --aws-extract-profile (carries the project ID / subscription ID) + --aws-extract-region. Flag names read AWS-flavoured but are generic; the underlying SDK picks them up. |
Meeting transcripts
| Provider | Env vars |
|---|---|
| Fireflies | FIREFLIES_{COMPANY}_API_KEY |
LLM providers
| Provider | Env vars |
|---|---|
| Anthropic | ANTHROPIC_API_KEY (or CLAUDE_CODE_OAUTH_TOKEN for the Claude Code OAuth bundle) |
| OpenAI | OPENAI_API_KEY |
| Google Gemini | GEMINI_API_KEY |
| AWS Bedrock | Uses the same AWS_{COMPANY}_* as the AWS cloud extractor. |
Briar runtime env vars
These influence how the CLI runs, where it persists state, and which features are enabled.
| Variable | Effect |
|---|---|
BRIAR_VERBOSE | 1/true switches the console formatter to verbose logs (timestamps, levels, logger names). |
BRIAR_LIB_DEBUG | Enables third-party library debug logging (boto3, urllib3, anthropic SDK). |
BRIAR_DEFAULT_STORE | Default credential store kind for briar auth login when --store is omitted. Falls back to envfile. |
BRIAR_SECRETS_FILE | Override the envfile-store path. Default is ~/.config/briar/secrets.env. |
BRIAR_DATABASE_URL | Postgres DSN for the postgres knowledge / plan / journal backend. Per-company override: BRIAR_{COMPANY}_DATABASE_URL. |
BRIAR_PG_POOL_SIZE | SQLAlchemy connection-pool size (default 4). |
BRIAR_PG_POOL_OVERFLOW | SQLAlchemy overflow size (default 2). |
BRIAR_JOURNAL | off / 0 / no disables the journal entirely. |
BRIAR_JOURNAL_STORE | Journal store backend (default file). |
BRIAR_JOURNAL_ROOT | File-store root (default ./journal). |
BRIAR_JOURNAL_SINKS | Comma-separated sink list (default file). |
BRIAR_NOTIFY_SINKS | Comma-separated notify-sink list for runbook serve failures. Choices: email, pagerduty, slack, telegram. |
BRIAR_TELEMETRY | off / errors-only / full. Per-process override of the persisted tier. |
BRIAR_SENTRY_DSN | Override the Sentry DSN to route telemetry to your own project. |
BRIAR_ENV | Sentry environment tag (default production). |
BRIAR_GITHUB_CLIENT_ID | Override the OAuth client used by briar auth login github-device. |
DO_NOT_TRACK | Industry-standard. 1 disables all telemetry. Wins over BRIAR_TELEMETRY and any persisted tier. |
Credential stores
Briar reads credentials from one store at a time, picked with --store on auth / secrets commands. Four stores ship:
envfile— text file at~/.config/briar/secrets.env. Default.aws-secretsmanager— AWS Secrets Manager.ssm— AWS Systems Manager Parameter Store.vault— HashiCorp Vault (KV v2).
$ briar auth login github-pat --store vault --company acme$ briar auth list --store aws-secretsmanager --company acme
Bootstrap on startup
Bootstraps run before every command and pre-populate os.environ from a remote source. Onlyenvfile ships today (loads secrets.env).
$ briar secrets bootstrap --kind envfile # one-off$ briar secrets bootstrap --dry-run # print keys only
Production hosts
On a long-running scheduler box, don't leave
secrets.env world-readable. Use chmod 600 and chown to the user the briar service runs as.Where to go next
- briar auth · secrets · telemetry — the commands that consume everything on this page.
- briar extract — the first command you'll run that needs credentials.