Skip to content
NimbleBrain NimbleBrain NimbleBrain

instance.json

instance.json configures how users authenticate to a NimbleBrain deployment. It lives at <workDir>/instance.json and is the single source of truth for the deployment’s auth adapter and org identity.

Dev mode — the absence of the file

Section titled “Dev mode — the absence of the file”

If <workDir>/instance.json does not exist, the runtime starts in dev mode: no auth gate, and every request authenticates as a single built-in identity (usr_default, org role owner). This is the default for bun run dev, worktree dev, and any local checkout. You only create instance.json when you want real authentication.

Adapters

Section titled “Adapters”

The auth.adapter field selects the identity provider. Two adapters are configurable: oidc and workos. (Dev mode is not an adapter value — it is the no-file state above.)

instance.json
{
  "auth": {
    "adapter": "oidc",
    "issuer": "https://auth.example.com",
    "clientId": "nimblebrain-app",
    "allowedDomains": ["example.com", "acme.com"],
    "jwksUri": "https://auth.example.com/.well-known/jwks.json"
  },
  "orgName": "Acme",
  "orgId": "org_acme"
}

Verifies incoming Bearer JWTs against the provider’s JWKS. Users whose email domain is not in allowedDomains are rejected.

Top-level fields

Section titled “Top-level fields”
FieldTypeRequiredDescription
authobjectYesThe auth adapter config. See per-adapter fields below.
orgNamestringNoHuman-readable organization name.
orgIdstringNoStable organization identifier.
integrationsobjectNoFree-form integration config bag.

OIDC adapter (auth.adapter: "oidc")

Section titled “OIDC adapter (auth.adapter: "oidc")”
FieldTypeRequiredDescription
adapter"oidc"YesSelects the OIDC adapter.
issuerstringYesOIDC issuer URL.
clientIdstringYesOAuth client id registered with the provider.
allowedDomainsstring[]YesEmail domains permitted to sign in. A verified identity whose domain isn’t listed is rejected.
jwksUristringNoJWKS endpoint override. Discovered from the issuer’s .well-known when omitted.

WorkOS adapter (auth.adapter: "workos")

Section titled “WorkOS adapter (auth.adapter: "workos")”
FieldTypeRequiredDescription
adapter"workos"YesSelects the WorkOS adapter.
clientIdstringYesWorkOS Client ID (client_…).
redirectUristringNoOAuth callback URL. When omitted, derived as ${publicOrigin()}/v1/auth/callback from the canonical public origin. An explicit value (legacy WORKOS_REDIRECT_URI) overrides.
organizationIdstringNoWorkOS Organization ID — scopes auth to a specific customer org.
apiKeystringNoWorkOS API key. Can also come from the WORKOS_API_KEY env var.
authkitDomainstringNoAuthKit subdomain for MCP OAuth (e.g. "myapp"myapp.authkit.app). When set, /mcp accepts AuthKit-issued Bearer JWTs and exposes /.well-known/oauth-protected-resource for MCP client discovery.
adminRoleSlugsstring[]NoWorkOS membership role slugs that map to the app admin role (case-insensitive). Omit to use the defaults ["admin", "owner"]. An explicit list replaces the defaults and must contain at least one non-empty slug — an empty list is rejected at startup. Set this when your WorkOS org’s admin role carries a custom slug.

Validation

Section titled “Validation”

instance.json is validated at load:

  • Missing or non-object auth throws.
  • An unknown adapter value (anything other than oidc / workos) throws, naming the accepted set.
  • Each adapter’s required fields are type-checked; a missing or wrong-typed field throws with a field-specific message.
  • A malformed file crashes the deployment at startup rather than silently falling back to dev mode — an auth misconfiguration must fail loud, not open.

The file is written atomically (temp-then-rename) whenever the runtime persists changes to it.

Section titled “Related”