Configuration

ODATANO supports two configuration paths:

ModeConfig sourceUsed when
Plugincds.requires.odatano-core.* in your package.jsonInstall @odatano/core as a CAP plugin
StandaloneEnvironment variables (.env or shell)Run the ODATANO server directly

Core Keys

CDS keyEnv varTypeDefaultDescription
networkNETWORKmainnet preview preprodpreviewTarget Cardano network
backendsBACKENDSblockforst koios ogmios["koios"]Backend priority order - first one is the live backend
txBuildersTX_BUILDERSbuildooor csl["buildooor"]Transaction builder engines
blockfrostApiKeyBLOCKFROST_API_KEYstring(empty)Required if backends includes blockfrost.
koiosApiKeyKOIOS_API_KEYstring(empty)Optional Koios bearer token
ogmiosUrlOGMIOS_URLstringws://localhost:1337Required if backends includes ogmios
primaryTimeoutMsPRIMARY_TIMEOUT_MSnumber (ms)30000Timeout for the primary backend
fallbackTimeoutMsFALLBACK_TIMEOUT_MSnumber (ms)60000Timeout for fallback backends
indexTtlMsINDEX_TTL_MSnumber (ms)3600000Cache TTL for temporal entities (Addresses, Accounts)

Validation runs at startup (loadConfigFromEnv() in srv/server.ts). Invalid values throw with a clear error before the server accepts requests.

HSM Keys (PKCS#11)

CDS key (under hsm.*)Env varRequiredDescription
enabledHSM_ENABLEDYestrue to activate HSM signing actions
pkcs11ModuleHSM_PKCS11_MODULEYesPath to vendor PKCS#11 shared library
pinHSM_PINYesPKCS#11 user PIN (use credential store in production)
slotHSM_SLOTNo (default 0)PKCS#11 slot number
keyIdHSM_KEY_IDOne of these requiredPKCS#11 key identifier
keyLabelHSM_KEY_LABELOne of these requiredPKCS#11 key label
requiresRoleHSM_REQUIRES_ROLENoJWT role/scope name required to invoke HSM signing actions (e.g. Sign)

HSM init failures are non-fatal - the rest of the server still starts; HSM actions return ODATANO_HSM_UNAVAILABLE. See Security › HSM Integration.

Authentication

All three services declare @requires: 'authenticated-user' at service level, so every request must carry a recognised principal. CAP picks the auth strategy via the auth config:

Profileauth.kindWhen to use
[development]dummyLocal cds watch. Always returns an authenticated user - no JWT needed.
[development]mockedLocal dev with mock users defined in .cdsrc.json for role-based testing.
[production]xsuaaSAP BTP - JWT validated via XSUAA service binding.

Without an explicit auth block in dev, requests can be rejected with 401. See Security › Authentication for the production XSUAA setup.

Full Plugin Mode Example

{
  "cds": {
    "requires": {
      "[development]": {
        "auth": { "kind": "dummy" }
      },
      "db": {
        "kind": "sqlite",
        "credentials": { "url": "db.sqlite" }
      },
      "odatano-core": {
        "network": "preview",
        "backends": ["ogmios", "blockfrost", "koios"],
        "txBuilders": ["buildooor"],
        "blockfrostApiKey": "preview_your_api_key",
        "ogmiosUrl": "ws://localhost:1337",
        "primaryTimeoutMs": 30000,
        "fallbackTimeoutMs": 60000,
        "indexTtlMs": 3600000,
        "hsm": {
          "enabled": true,
          "pkcs11Module": "/usr/lib/pkcs11/yubihsm_pkcs11.so",
          "pin": "0001password",
          "keyLabel": "cardano-signing-key",
          "requiresRole": "Sign"
        }
      }
    }
  }
}

Standalone Mode Example (.env)

NETWORK=preview
BACKENDS=ogmios,blockfrost,koios
TX_BUILDERS=buildooor
BLOCKFROST_API_KEY=preview_your_api_key
OGMIOS_URL=ws://localhost:1337
PRIMARY_TIMEOUT_MS=30000
FALLBACK_TIMEOUT_MS=60000
INDEX_TTL_MS=3600000

# HSM (optional)
HSM_ENABLED=true
HSM_PKCS11_MODULE=/usr/lib/pkcs11/yubihsm_pkcs11.so
HSM_PIN=0001password
HSM_KEY_LABEL=cardano-signing-key
HSM_REQUIRES_ROLE=Sign

Network → Address & Backend Prefix Matching

networkAddress prefixBlockfrost project prefix
mainnetaddr1...mainnetXXX
previewaddr_test1...previewXXX
preprodaddr_test1...preprodXXX

Mismatches surface as ODATANO_INVALID_INPUT at request time (network-aware bech32 validator) or as Blockfrost auth failures.

See Also