Optional Readonly auth: Authentication configuration. When provided, enables OAuth 2.1 endpoints and/or bearer token validation. Health and metrics endpoints remain unauthenticated for probe access.
Optional Readonly body: Maximum request body size for express.json() middleware. Accepts Express size strings (e.g. '1mb', '500kb', '2mb').
Optional Readonly cors: Allow credentials in CORS requests. Only effective when corsOrigin is set.
Optional Readonly cors: CORS allowed origins.
  undefined — CORS disabled (no Access-Control headers)
  string[] — List of allowed origins (e.g. ['https://app.example.com'])
  ['*'] to allow all origins (not recommended for production)
Optional Readonly enable: Prefer JSON responses over SSE for simple request-response. Default: true
Optional Readonly event: Event store for stream resumability (stateful only)
Optional Readonly health: Health endpoint configuration for API connectivity monitoring
Optional Readonly helmet: Content Security Policy.
  undefined — Helmet default CSP
  'false' — Disable CSP
Optional Readonly helmet: X-Frame-Options header.
  'DENY' — Never allow framing (default)
  'SAMEORIGIN' — Allow from same origin
  'false' — Disable X-Frame-Options
Optional Readonly helmet: Enable HSTS header. Default: false (managed by reverse proxy)
Optional Readonly stateless: Operate in stateless mode (no session IDs). Default: false
Optional Readonly trust: Resolved trust proxy value for Express.
  number for hop count
  string for IP/CIDR/keyword (possibly comma-separated)
  undefined when disabled
Options for Express application creation.
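The three corsOrigin states and the credentials flag documented above, mapped to response headers in an added example that is not the project's own code. The names corsHeaders and corsCredentials, and the choice to withhold the credentials header under ['*'], are assumptions of this example.

```javascript
// Added example: pure function mirroring the documented corsOrigin semantics.
// `corsCredentials` is a hypothetical option name; `corsOrigin` is from the page.
function corsHeaders(requestOrigin, options = {}) {
  const { corsOrigin, corsCredentials = false } = options;

  // undefined: CORS disabled, so no Access-Control headers are emitted,
  // even if the credentials flag is set.
  if (corsOrigin === undefined) return {};
  if (!Array.isArray(corsOrigin)) {
    throw new TypeError('corsOrigin must be undefined or string[]');
  }

  // ['*']: allow all origins. Browsers reject "*" on credentialed requests,
  // and reflecting arbitrary origins with credentials would let any site read
  // authenticated responses, so credentials are never combined with it here
  // (assumption of this example).
  if (corsOrigin.includes('*')) {
    return { 'Access-Control-Allow-Origin': '*' };
  }

  // Explicit list: exact string match only. No prefix, suffix or regex
  // matching, so a look-alike origin that merely starts with an allowed
  // value does not pass. Vary tells caches the response depends on Origin.
  const headers = { Vary: 'Origin' };
  if (typeof requestOrigin === 'string' && corsOrigin.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    if (corsCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Constructed sample configuration and request origins.
const cfg = { corsOrigin: ['https://app.example.com'], corsCredentials: true };
const allowed = corsHeaders('https://app.example.com', cfg);
const lookalike = corsHeaders('https://app.example.com.example.net', cfg);
const wildcard = corsHeaders('https://other.example', { corsOrigin: ['*'], corsCredentials: true });
const disabled = corsHeaders('https://app.example.com', { corsCredentials: true });
console.log({ allowed, lookalike, wildcard, disabled });
```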