hatchet icon indicating copy to clipboard operation
hatchet copied to clipboard
verified publisher icon hatchet-dev

[FEAT] API Token Structure

Open inev opened this issue 2 months ago • 3 comments

Is there a reason for the hatchet token to have a bundled url? I get the upside of having just one string to connect to an engine but in practice it's actually really annoying.

Consider this: If you host hatchet within a docker swarm, or some internal VPN you just want to have an authentication token. The address will be a unique address specific to that VPN. However you might also want some workers outside of this VPN for certain tasks. They will have a different connecting address and token.

Correct me if I'm wrong, but as it stands, I need to use the public address for hosting hatchet, and the API key will always pack in the public address into the API string. If for some reason it can't be resolved, you're sort of stuck because you can't use the internal VPN address for this worker.

In pretty much every other system there's an API key and then theres another connecting address. Is there a specific reason hatchet does things this way?

inev avatar Oct 09 '25 12:10 inev

Hi @inev!

Yes, there are options to override the server URL. You can find the full documentation at https://docs.hatchet.run/self-hosting/worker-configuration-options.

In short:

  • For the TypeScript SDK, set HATCHET_CLIENT_API_URL
  • For the Python or Go SDKs, set HATCHET_CLIENT_SERVER_URL

We embed the server URL in the JWT by default to simplify configuration—you can just set HATCHET_CLIENT_TOKEN and it works out of the box for most use cases. That said, we also provide override options for scenarios like yours where more control is needed.

Let me know if this resolves your issue!

mnafees avatar Oct 10 '25 09:10 mnafees

I see, so setting the token and also setting HATCHET_CLIENT_SERVER_URL should override the token's internal server url? If that's the case this should resolve the issue. It's just so odd to me to have such a long token that forces the connection address with the authentication information inside it.

To give you some clarity about my setup: I'm currently using caprover to host hatchet, but it's quite brittle. For example the SERVER_GRPC_BROADCAST_ADDRESS is set as the IP of the server with a direct passthrough because I couldn't get it to work with caprover's nginx proxy that it puts in front of each app. I also had to hardcode the URLs in the docker compose file. Caprover is extremely popular with people who self host and both n8n and windmill are available as one click install. Both those setups dont require URLs or IPs or any custom config, just one click install. I prefer hatchet to both of those so I got it working manually but would be amazing if you guys can configure your docker compose so that it would set up automatically like the others.

Anyway thanks for helping out :)

inev avatar Oct 10 '25 09:10 inev

The documentation has three values.

HATCHET_CLIENT_HOST_PORT | GRPC server host and port | * Inherited from token HATCHET_CLIENT_API_URL (TypeScript SDK) | API server host and port | * Inherited from token HATCHET_CLIENT_SERVER_URL (Go SDK) | API server host and port | * Inherited from token

its pretty confusing. The client uses the GRPC server and host right? Why is it called HATCHET_CLIENT_HOST_PORT? Can you extend this table and provide example values that correlate to the defaults found in the docker compose file?

driverai-nick-wellinghoff avatar Nov 05 '25 20:11 driverai-nick-wellinghoff