docs: document v0.8.6 env and config updates

Author: danny-avila

content/changelog/config_v1.3.12.mdx

@@ -0,0 +1,16 @@
+---
+date: 2026-05-25
+title: ⚙️ Config v1.3.12
+version: '1.3.12'
+---
+
+- Added `interface.retentionMode`
+  - `"temporary"` keeps retention limited to temporary chats
+  - `"all"` applies configured retention to all supported conversation data
+
+- Added `mcpServers.<server>.proxy`
+  - Allows `sse` and `streamable-http` MCP servers to use a per-server outbound proxy
+  - Supports `http://`, `https://`, `socks://`, and `socks5://` proxy URLs
+
+- Added `modelSpecs.list[].hideBadgeRow`
+  - Allows a model spec to hide the tool badge row in the chat composer

content/docs/configuration/dotenv.mdx

@@ -258,6 +258,12 @@ To configure LibreChat for local use or custom domain deployment, set the follow
       'Specifies the server-side domain.',
       'DOMAIN_SERVER=http://localhost:3080',
     ],
+    [
+      'ADMIN_PANEL_URL',
+      'string',
+      'External admin panel base URL used for admin OAuth/SSO redirects when the admin panel is hosted separately. Do not include a trailing slash.',
+      'ADMIN_PANEL_URL=https://admin.example.com/admin',
+    ],
   ]}
 />
 
@@ -303,6 +309,12 @@ LibreChat has built-in central logging, see [Logging System](/docs/configuration
       'Enable verbose console/stdout logs in the same format as file debug logs.',
       'DEBUG_CONSOLE=false',
     ],
+    [
+      'LOG_TO_FILE',
+      'boolean',
+      'Set to false to disable file-backed Winston transports while keeping console logging available.',
+      'LOG_TO_FILE=true',
+    ],
     [
       'CONSOLE_JSON',
       'boolean',
@@ -345,6 +357,65 @@ Note:
 
 Note: `DEBUG_CONSOLE` is not recommended, as the outputs can be quite verbose, and so it's disabled by default.
 
+### OpenTelemetry Tracing
+
+LibreChat can emit backend OpenTelemetry traces for general API, HTTP, MongoDB, Mongoose, Redis, and outbound request visibility. Use Langfuse for GenAI-specific prompt/model observability.
+
+<OptionTable
+  options={[
+    [
+      'OTEL_TRACING_ENABLED',
+      'boolean',
+      'Enable backend OpenTelemetry tracing. Tracing remains disabled when OTEL_SDK_DISABLED=true.',
+      '# OTEL_TRACING_ENABLED=false',
+    ],
+    [
+      'OTEL_SERVICE_NAME',
+      'string',
+      'Service name reported to OpenTelemetry. Default: librechat.',
+      '# OTEL_SERVICE_NAME=librechat',
+    ],
+    [
+      'OTEL_SERVICE_VERSION',
+      'string',
+      'Service version reported to OpenTelemetry. Defaults to the package version when unset.',
+      '# OTEL_SERVICE_VERSION=',
+    ],
+    [
+      'OTEL_EXPORTER_OTLP_ENDPOINT',
+      'string',
+      'Base OTLP exporter endpoint.',
+      '# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318',
+    ],
+    [
+      'OTEL_EXPORTER_OTLP_TRACES_ENDPOINT',
+      'string',
+      'Trace-specific OTLP endpoint. Overrides the base endpoint for traces when set.',
+      '# OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=',
+    ],
+    [
+      'OTEL_EXPORTER_OTLP_HEADERS',
+      'string',
+      'Comma-separated OTLP exporter headers, such as authorization metadata.',
+      '# OTEL_EXPORTER_OTLP_HEADERS=',
+    ],
+    ['OTEL_TRACES_EXPORTER', 'string', 'Trace exporter selection.', '# OTEL_TRACES_EXPORTER=otlp'],
+    [
+      'OTEL_TRACES_SAMPLER',
+      'string',
+      'OpenTelemetry trace sampler. Default example: parentbased_always_on.',
+      '# OTEL_TRACES_SAMPLER=parentbased_always_on',
+    ],
+    ['OTEL_LOG_LEVEL', 'string', 'OpenTelemetry SDK log level.', '# OTEL_LOG_LEVEL=INFO'],
+    [
+      'OTEL_SDK_DISABLED',
+      'boolean',
+      'Disable the OpenTelemetry SDK even if tracing is enabled.',
+      '# OTEL_SDK_DISABLED=false',
+    ],
+  ]}
+/>
+
 ### Permission
 
 > UID and GID are numbers assigned by Linux to each user and group on the system. If you have permission problems, set here the UID and GID of the user running the Docker Compose command. The applications in the container will run with these UID/GID.
@@ -431,7 +502,12 @@ Uncomment `ENDPOINTS` to customize the available endpoints in LibreChat.
       'Comma-separated list of available endpoints.',
       '# ENDPOINTS=openAI,agents,assistants,gptPlugins,azureOpenAI,google,anthropic,bingAI,custom',
     ],
-    ['PROXY', 'string', 'Proxy setting for all endpoints.', 'PROXY='],
+    [
+      'PROXY',
+      'string',
+      'Outbound proxy for server-side requests, including endpoint calls and remote MCP HTTP/SSE transports. Remote MCP transports also honor HTTP_PROXY, HTTPS_PROXY, and NO_PROXY when PROXY is unset.',
+      'PROXY=',
+    ],
     ['TITLE_CONVO', 'boolean', 'Enable titling for all endpoints.', 'TITLE_CONVO=true'],
   ]}
 />
@@ -610,6 +686,12 @@ See: [AWS Bedrock Setup](/docs/configuration/pre_configured_ai/bedrock)
       'AWS access key ID for Bedrock. Optional if using default AWS credentials chain.',
       '# BEDROCK_AWS_ACCESS_KEY_ID=your_access_key_id',
     ],
+    [
+      'BEDROCK_AWS_PROFILE',
+      'string',
+      'AWS profile name from ~/.aws/config or ~/.aws/credentials. Supports SSO, assume-role, and credential_process profiles.',
+      '# BEDROCK_AWS_PROFILE=your-profile-name',
+    ],
     [
       'BEDROCK_AWS_SECRET_ACCESS_KEY',
       'string',
@@ -622,6 +704,12 @@ See: [AWS Bedrock Setup](/docs/configuration/pre_configured_ai/bedrock)
       'AWS session token for temporary credentials. Optional.',
       '# BEDROCK_AWS_SESSION_TOKEN=your_session_token',
     ],
+    [
+      'BEDROCK_AWS_BEARER_TOKEN',
+      'string',
+      'Bedrock API key. Set to an API key for admin-configured auth, or user_provided to prompt users for their own key.',
+      '# BEDROCK_AWS_BEARER_TOKEN=yourBedrockApiKey',
+    ],
     [
       'BEDROCK_AWS_MODELS',
       'string',
@@ -631,7 +719,7 @@ See: [AWS Bedrock Setup](/docs/configuration/pre_configured_ai/bedrock)
   ]}
 />
 
-> **Note:** You can omit the access keys to use the default AWS credentials chain (environment variables, SSO credentials, shared credentials files, or EC2/ECS Instance Metadata Service). See [AWS Bedrock Setup](/docs/configuration/pre_configured_ai/bedrock) for more details.
+> **Note:** Prefer `BEDROCK_AWS_PROFILE`, IAM roles, or the AWS default credentials chain when possible. Use static keys or `BEDROCK_AWS_BEARER_TOKEN` only when those deployment options are not suitable. See [AWS Bedrock Setup](/docs/configuration/pre_configured_ai/bedrock) for more details.
 
 ### BingAI
 
@@ -1754,6 +1842,12 @@ see: **[Authentication System](/docs/configuration/authentication)**
       'Refresh token expiry time.',
       'REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7',
     ],
+    [
+      'SESSION_COOKIE_SECURE',
+      'boolean',
+      'Overrides the Secure attribute for session/auth cookies. Leave unset to use the default NODE_ENV/DOMAIN_SERVER heuristic.',
+      '# SESSION_COOKIE_SECURE=false',
+    ],
   ]}
 />
 
@@ -1995,7 +2089,7 @@ For more information:
     [
       'OPENID_USE_PKCE',
       'boolean',
-      'Use PKCE (Proof Key for Code Exchange) for OpenID authentication.',
+      'Use PKCE (Proof Key for Code Exchange) for OpenID authentication. For public clients without a client secret, leave OPENID_CLIENT_SECRET empty and set this to true.',
       '# OPENID_USE_PKCE=true',
     ],
     [
@@ -2694,6 +2788,18 @@ Configure Model Context Protocol settings for enhanced server management and OAu
       'Skip code challenge method validation. When set to true, forces S256 code challenge even if not advertised in .well-known/openid-configuration',
       'MCP_SKIP_CODE_CHALLENGE_CHECK=false',
     ],
+    [
+      'MCP_STREAMABLE_HTTP_MAX_RESPONSE_BYTES',
+      'number',
+      'Maximum bytes allowed in a non-GET streamable HTTP MCP response before rejecting it. Set to 0 to disable. Default: 16777216 (16 MiB).',
+      '# MCP_STREAMABLE_HTTP_MAX_RESPONSE_BYTES=16777216',
+    ],
+    [
+      'MCP_STREAMABLE_HTTP_MAX_LINE_BYTES',
+      'number',
+      'Maximum bytes allowed in one SSE line for non-GET streamable HTTP MCP responses. Set to 0 to disable. Default: 5242880 (5 MiB).',
+      '# MCP_STREAMABLE_HTTP_MAX_LINE_BYTES=5242880',
+    ],
   ]}
 />
 

content/docs/configuration/librechat_yaml/example.mdx

@@ -10,7 +10,7 @@ icon: FileCode
 This example config includes all documented endpoints (Except Azure, LiteLLM, MLX, and Ollama, which all require additional configurations)
 
 ```yaml filename="librechat.yaml"
-version: 1.3.11
+version: 1.3.12
 
 cache: true
 
@@ -273,7 +273,7 @@ This example configuration file sets up LibreChat with detailed options across s
 # https://www.librechat.ai/docs/configuration/librechat_yaml
 
 # Configuration version (required)
-version: 1.3.11
+version: 1.3.12
 
 # Cache settings: Set to true to enable caching
 cache: true

content/docs/configuration/librechat_yaml/object_structure/config.mdx

@@ -911,6 +911,12 @@ see also:
       'Configures the retention period for temporary chats in hours. Min: 1, Max: 8760. Default: 720 (30 days).',
       '',
     ],
+    [
+      'retentionMode',
+      'String',
+      'Controls whether retention applies only to temporary chats ("temporary", default) or to all supported conversation data ("all").',
+      '',
+    ],
     [
       'autoSubmitFromUrl',
       'Boolean',