⚙️ Config v1.3.13

Added interface.sharedLinks

• Allows shared-link permissions to be bootstrapped from librechat.yaml
• Supports either a boolean or granular create, share, and public permissions
• public controls whether authenticated users can share links with everyone; anonymous access remains controlled by ALLOW_SHARED_LINKS_PUBLIC

Added interface.mcpServers.configureObo

• Seeds the permission required to configure MCP On-Behalf-Of token exchange
• Applies to the MCP_SERVERS.CONFIGURE_OBO role permission

Added mcpServers.<server>.obo

• Allows sse and streamable-http MCP servers to exchange the current user's OpenID token for a delegated downstream token
• Requires a non-empty scopes value

Added mcpServers.<server>.customUserVars.<key>.sensitive

• Controls whether a user-provided MCP variable is treated as a secret in the UI
• Defaults to masked/secret behavior when omitted

Added plugin authConfig[].sensitive

• Controls whether plugin authentication fields render as secret inputs
• Defaults to masked/secret behavior when omitted

Updated MCP OAuth URL handling

• YAML-defined OAuth URL fields now resolve ${ENV_VAR} values before URL validation
• User-submitted MCP OAuth endpoint URLs reject ${ENV_VAR} placeholders so server environment variables remain admin-controlled

Added MCP OAuth timeout environment variables

• MCP_OAUTH_HANDLING_TIMEOUT controls how long LibreChat waits for a user to complete an MCP OAuth flow
• MCP_OAUTH_FLOW_TTL controls OAuth flow-state retention and is clamped to outlive the handling timeout
• The MCP server-card polling window now follows the server-configured OAuth timeout

Added OTEL_IOREDIS_TRACING_ENABLED

• Enables Redis command-level OpenTelemetry spans when backend tracing is enabled
• Defaults to disabled so normal backend traces stay high-level and avoid noisy Redis spans

Updated authenticated RUM proxy behavior

• RUM proxy auth now drops invalid or expired browser telemetry with 204 instead of returning API auth errors
• RUM proxy outcomes are counted with rum_proxy_requests_total by endpoint and result

Added interface.retainAgentFiles

• Allows persistent agent resource files to be exempted from retentionMode: "all"
• Non-agent files and message attachments still expire according to the configured retention policy

Added endpoint titleTiming

• immediate generates titles as soon as the request starts, in parallel with the model response
• final keeps the legacy behavior and waits for the full response before title generation
• Can be set per endpoint or globally under endpoints.all

Added endpoints.agents.skills.maxCatalogSkills

• Caps the number of active accessible skills exposed in the model-visible skill catalog

Added memory.maxInputTokens

• Caps the number of recent-chat tokens sent to the automatic memory agent
• Defaults to 12000
• Long memory-agent inputs are truncated from the beginning so the newest context is preserved

Added endpoints.custom[].customParams.reasoningFormat

• Controls how OpenAI-compatible custom endpoints receive reasoning parameters
• Supports reasoning_effort, reasoning_object, and disabled

Added endpoints.custom[].customParams.reasoningKey

• Controls which response key is read for provider reasoning content
• Supports reasoning and reasoning_content

Updated endpoints.custom[].headers model-fetch behavior

• Header templates are now resolved and forwarded to models.fetch requests when the endpoint base URL is admin-controlled
• A configured Authorization header takes precedence over the endpoint apiKey Bearer fallback
• Header templates are not forwarded when baseURL: "user_provided" is configured

Added built-in endpoint headers

• endpoints.openAI.headers, endpoints.anthropic.headers, and endpoints.google.headers forward custom request headers to provider calls while preserving native provider request shapes
• endpoints.all.headers can set global headers, with endpoint-specific headers winning on key collisions
• Values support ${ENV_VAR}, {{LIBRECHAT_USER_*}}, and request body placeholders such as {{LIBRECHAT_BODY_CONVERSATIONID}}
• Provider-managed auth and required protocol headers remain authoritative, and admin-configured headers are withheld when a user controls the destination base URL

Added endpoints.custom[].provider

• Currently supports provider: anthropic
• Routes that custom endpoint through the native Anthropic /v1/messages client instead of the default OpenAI-compatible client
• Uses the custom endpoint's baseURL, apiKey, headers, addParams, dropParams, and customParams.paramDefinitions
• Implies the Anthropic parameter set for the UI unless customParams.defaultParamsEndpoint is explicitly set to another value
• Native Anthropic custom endpoints should list models explicitly under models.default; OpenAI-style model auto-fetch is not used for this provider

Added modelSpecs.list[].softDefault

• Selects a model spec for first-time users without overriding later user selections

Added modelSpecs.list[].skills

• Enables, disables, or allowlists Skills for a model spec

Added modelSpecs.list[].subagents

• Enables or disables Subagents for ephemeral agents created from a model spec
• Supports enabled, allowSelf, and a private server-side agent_ids allowlist
• agent_ids is capped by the shared MAX_SUBAGENTS limit and is removed from startup config sent to clients
• Client-supplied Subagent configuration is rejected; model-spec values remain server-controlled

Added modelSpecs.list[].showOnLanding

• Shows the model spec's label and description on the chat landing in place of the default greeting
• Existing model specs are unchanged unless showOnLanding: true is set

Added modelSpecs.list[].conversation_starters

• Defines curated starter prompts shown on the chat landing when the model spec is selected
• Works with model-spec landing branding so admins can pair a spec label, description, and suggested first prompts

Updated modelSpecs.list[].description

• Plain text descriptions still render in the model selector
• Descriptions that start with < render through the config HTML sanitizer so admins can include safe inline markup and media in model selector items and landing branding

Added interface.contextUsage

• Controls whether the real-time context window and token usage gauge is shown in the conversation UI
• Defaults to true

Added interface.contextCost

• Controls whether usage cost is shown with context and token usage details
• Defaults to false; set to true to show usage costs in the UI

Added interface.currency

• Converts displayed usage costs from USD into another currency with code and positive rate
• Example: currency: { code: EUR, rate: 0.92 }

Added endpoints.custom[].tokenConfig

• Defines per-model context windows and per-million-token rates for custom endpoints
• Supports prompt, completion, context, and optional cacheRead and cacheWrite values for each model name
• Used by real-time context tracking, visible usage/cost breakdowns, and multi-endpoint agent billing
• Token-config cache entries are scoped by user when endpoint models, keys, URLs, or headers can vary by request context

Updated context usage after summarization

• Persisted context usage now records a summary baseline marker after compaction
• Reloaded conversations use the compacted summary baseline plus post-summary turns instead of re-summing discarded pre-summary history
• The usage/cost walk still keeps cumulative spend across the full branch

Added skillSync.github

• Mirrors Skills from GitHub repositories into LibreChat
• Supports scheduled syncs with enabled, intervalMinutes, runOnStartup, and sources
• Each source supports id, owner, repo, ref, paths, skillDiscoveryDepth, credentialKey, token
• Sources must provide exactly one credential reference: either credentialKey for a stored admin credential or token as an environment variable reference like ${GITHUB_SKILLS_TOKEN}
• skillDiscoveryDepth defaults to 2 and is capped at 10
• intervalMinutes defaults to 60 and must be at least 5
• Sync status responses are only shown to authorized admins

Added messageFilter.pii

• Rejects submitted text that matches credential-shaped starter patterns or operator-defined regex patterns before it reaches the model or persistence
• The LibreChat chat route checks submitted user text; OpenAI-compatible Chat Completions and Responses requests scan text content across all caller-supplied message roles
• Starter pattern ids are sk_prefix, bearer_header, and api_key_header
• Custom patterns support id, label, and a JavaScript regex string

Updated OPENID_AUDIENCE

• Comma-separated values are accepted for JWT audience validation
• Authorization requests send the first non-empty audience value so providers that reject multi-value audience parameters still receive a single audience

Updated MCP runtime placeholders

• {{LIBRECHAT_BODY_*}} placeholders create request-scoped MCP connections that are reused for the current run and cleaned up when the request ends
• Request-scoped MCP servers are excluded from the persistent tool cache so request-specific headers and URLs are not reused outside the active run
• Cleanup is tied to resumable run completion so reconnects and resumed streams keep request-scoped MCP resources alive until the run finishes
• {{LIBRECHAT_USER_*}}, {{LIBRECHAT_OPENID_*}}, and {{LIBRECHAT_GRAPH_*}} placeholders still require user-scoped connections, but HTTP transports refresh resolved headers before each tool call without forcing a reconnect by themselves

Updated outbound proxy environment handling

• PROXY applies to both HTTP and HTTPS targets for supported server-side clients
• When PROXY is unset, supported clients honor HTTP_PROXY, HTTPS_PROXY, and NO_PROXY/no_proxy
• OpenID requests honor NO_PROXY even when PROXY is configured

Added ENABLE_STATIC_ASSET_BROTLI

• Enables serving precompressed .br static app assets when available
• When enabled, Brotli is preferred before gzip for API-served static files

Updated the config version to 1.3.13