> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prisme.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Environment Variables Reference

> Complete reference for configuring Prisme.ai services through environment variables

Prisme.ai services can be configured through various environment variables. This reference provides a comprehensive list of available configuration options for your deployment.

## Configuration Methods

### Docker Setup

In a **Docker** deployment, configure these variables in the root `docker-compose.yml` file. See the [Docker Compose documentation](https://docs.docker.com/compose/environment-variables/) for more details.

### Developer Setup

In a **development** environment, create a `services/*/.env` file containing key/value pairs:

```
WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=someBucketName
...
```

To run a service directly from its Docker image, add an `env_file` option to its `services/*/docker-compose.yml` file:

```yaml theme={null}
console:
  entrypoint: npm start --prefix services/console
  restart: on-failure
  image: registry.gitlab.com/prisme.ai/prisme.ai/prisme.ai-console:latest
  ports:
    - "3000:3000"
  env_file: ./.env
```

**Note 1:** Default values may differ depending on the selected start mode (Docker or Developer), especially URL-related variables.

**Note 2:** Relative paths start from the executing service directory.

## Variable Categories

* [Domains & URLs](#domains--urls)
* [Databases & Storage](#databases--storage)
* [Authentication & Security](#authentication--security)
* [Service-Specific Configuration](#service-specific-configuration)
* [Performance & Limits](#performance--limits)
* [Integration & APIs](#integration--apis)

## Domains & URLs

Configure the URLs and domains used by Prisme.ai services.

| Name               | Service                       | Description                                                                                                                                                                                                                                                                                                                       | Default Value                                                                  |
| ------------------ | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
| INTERNAL\_API\_URL | All services                  | api-gateway internal URL for internal requests ending with `/v2` version suffix (i.e., contact fetching, public JWKS, runtime fetches)                                                                                                                                                                                            | [http://localhost:3001/v2](http://localhost:3001/v2)                           |
| API\_URL           | All services                  | api-gateway public URL ending with `/v2` version suffix                                                                                                                                                                                                                                                                           | [http://studio.local.prisme.ai:3001/v2](http://studio.local.prisme.ai:3001/v2) |
| CONSOLE\_URL       | api-gateway, console, runtime | Studio URL, used for emails, auth redirections & runtime variable `{{global.studioUrl}}`. Accepts a **comma-separated list** to expose the same frontend under several domains — every URL serves the same Studio and all of them call the single `API_URL`. All listed origins are auto-allowlisted for CORS and OIDC redirects. | [http://studio.local.prisme.ai:3000](http://studio.local.prisme.ai:3000)       |

## Databases & Storage

### Redis Configuration

| Name                                       | Service                                  | Description                                                                                                                | Default Value             |
| ------------------------------------------ | ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| BROKER\_HOST                               | api-gateway, workspaces, events, runtime | Redis broker URL (must be the same across services)                                                                        | redis\://localhost:6379/0 |
| BROKER\_PASSWORD                           | api-gateway, workspaces, events, runtime | Redis broker password                                                                                                      |                           |
| BROKER\_TLS\_CA\_FILE                      | api-gateway, workspaces, events, runtime | Redis TLS CA filepath                                                                                                      |                           |
| BROKER\_NAMESPACE                          | api-gateway, workspaces, events, runtime | Optional namespace to segment events when database instance is shared by multiple platforms                                |                           |
| BROKER\_TOPIC\_MAXLEN                      | api-gateway, workspaces, events, runtime | Redis streams max length before getting truncated ([Capped Streams](https://redis.io/topics/streams-intro#capped-streams)) | 10000                     |
| BROKER\_EMIT\_MAXLEN                       | api-gateway, workspaces, events, runtime | Maximum size (in bytes) of emitted events                                                                                  | 100000                    |
| BROKER\_EMIT\_EXECUTED\_AUTOMATION\_MAXLEN | runtime                                  | Maximum size (in bytes) of emitted runtime.automations.executed events                                                     | 10000                     |
| SESSIONS\_STORAGE\_HOST                    | api-gateway                              | Redis URL for sessions storage                                                                                             | redis\://localhost:6379/0 |
| SESSIONS\_STORAGE\_PASSWORD                | api-gateway                              | Redis password for sessions storage                                                                                        |                           |
| SESSIONS\_STORAGE\_TLS\_CA\_FILE           | api-gateway                              | Redis TLS CA filepath                                                                                                      |                           |
| CONTEXTS\_CACHE\_HOST                      | runtime                                  | Redis URL for contexts persistence                                                                                         | redis\://localhost:6379/0 |
| CONTEXTS\_CACHE\_PASSWORD                  | runtime                                  | Redis password for contexts persistence                                                                                    |                           |
| CONTEXTS\_CACHE\_TLS\_CA\_FILE             | runtime                                  | Redis TLS CA filepath                                                                                                      |                           |
| EVENTS\_TOPICS\_CACHE\_HOST                | events                                   | Redis URL for event userTopics persistence                                                                                 | BROKER\_HOST variable     |
| EVENTS\_TOPICS\_CACHE\_PASSWORD            | events                                   | Redis password for event userTopics persistence                                                                            |                           |
| EVENTS\_TOPICS\_CACHE\_TLS\_CA\_FILE       | events                                   | Redis TLS CA filepath                                                                                                      |                           |

### MongoDB/PostgreSQL Configuration

| Name                                    | Service                                  | Description                                                                                                  | Default Value                         |
| --------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------- |
| PERMISSIONS\_STORAGE\_DRIVER            | api-gateway, workspaces, events, runtime | Database driver for permissions storage (must be the same for both workspaces & events): mongodb, postgresql | mongodb                               |
| PERMISSIONS\_STORAGE\_HOST              | api-gateway, workspaces, events, runtime | Database URL for permissions storage (must be the same for both workspaces & events)                         | mongodb://localhost:27017/permissions |
| PERMISSIONS\_STORAGE\_TLS\_CA\_FILE     | api-gateway, workspaces, events, runtime | Database TLS CA filepath                                                                                     |                                       |
| PERMISSIONS\_STORAGE\_TLS\_SELF\_SIGNED | api-gateway, workspaces, events, runtime | Set to true in order to disable server certificate validation                                                | false                                 |
| PERMISSIONS\_STORAGE\_DEBUG             | workspaces, events, runtime              | Enable database query logs                                                                                   | false                                 |
| USERS\_STORAGE\_DRIVER                  | api-gateway                              | Database type for users storage: mongodb, postgresql                                                         | mongodb                               |
| USERS\_STORAGE\_HOST                    | api-gateway                              | Database URL for users storage                                                                               | mongodb://localhost:27017/users       |
| USERS\_STORAGE\_TLS\_CA\_FILE           | api-gateway                              | Database TLS CA filepath                                                                                     |                                       |
| USERS\_STORAGE\_TLS\_SELF\_SIGNED       | api-gateway                              | Set to true in order to disable server certificate validation                                                | false                                 |
| USERS\_STORAGE\_DEBUG                   | api-gateway                              | Enable database query logs                                                                                   | false                                 |
| COLLECTIONS\_STORAGE\_DRIVER            | runtime                                  | Database type for collections storage: mongodb, postgresql                                                   | mongodb                               |
| COLLECTIONS\_STORAGE\_HOST              | runtime                                  | Database URL for collections storage                                                                         | mongodb://localhost:27017/users       |
| COLLECTIONS\_STORAGE\_TLS\_CA\_FILE     | runtime                                  | Database TLS CA filepath                                                                                     |                                       |
| COLLECTIONS\_STORAGE\_TLS\_SELF\_SIGNED | runtime                                  | Set to true in order to disable server certificate validation                                                | false                                 |
| COLLECTIONS\_STORAGE\_DEBUG             | runtime                                  | Enable database query logs                                                                                   | false                                 |

### Elasticsearch Configuration

| Name                               | Service | Description                                                                       | Default Value                                  |
| ---------------------------------- | ------- | --------------------------------------------------------------------------------- | ---------------------------------------------- |
| EVENTS\_STORAGE\_DRIVER            | events  | Events storage driver (support elasticseach or opensearch)                        | elasticsearch                                  |
| EVENTS\_STORAGE\_ES\_HOST          | events  | Elasticsearch URL for events persistence                                          | [http://localhost:9200](http://localhost:9200) |
| EVENTS\_STORAGE\_ES\_USER          | events  | Elasticsearch user for events persistence                                         |                                                |
| EVENTS\_STORAGE\_ES\_PASSWORD      | events  | Elasticsearch password for events persistence                                     |                                                |
| EVENTS\_STORAGE\_ES\_BULK\_REFRESH | events  | Enable Elastic "refresh" option when bulk inserting events (might cause overhead) | no                                             |
| EVENTS\_STORAGE\_NAMESPACE         | events  | Elasticsearch indices name prefix                                                 | \`\`                                           |

### Storage Configuration

Prisme.ai supports multiple storage backends for workspaces and uploads. Available storage types are:

* FILESYSTEM: Local file system storage
* S3\_LIKE: Amazon S3 or compatible services (MinIO, etc.)
* AZURE\_BLOB: Azure Blob Storage
* GCS : Google Cloud Storage

### Workspaces Storage

| Name                                     | Service              | Description                                                    | Default Value      |
| ---------------------------------------- | -------------------- | -------------------------------------------------------------- | ------------------ |
| WORKSPACES\_STORAGE\_TYPE                | runtime & workspaces | Storage driver type (FILESYSTEM, S3\_LIKE, AZURE\_BLOB or GCS) | FILESYSTEM         |
| WORKSPACES\_STORAGE\_FILESYSTEM\_DIRPATH | runtime & workspaces | Directory path for filesystem storage                          | ../../data/models/ |

#### S3-Compatible Storage for Workspaces

| Name                                        | Service              | Description                                 | Default Value |
| ------------------------------------------- | -------------------- | ------------------------------------------- | ------------- |
| WORKSPACES\_STORAGE\_S3\_LIKE\_ACCESS\_KEY  | runtime & workspaces | S3 access key                               |               |
| WORKSPACES\_STORAGE\_S3\_LIKE\_SECRET\_KEY  | runtime & workspaces | S3 secret key                               |               |
| WORKSPACES\_STORAGE\_S3\_LIKE\_ENDPOINT     | runtime & workspaces | S3 endpoint                                 |               |
| WORKSPACES\_STORAGE\_S3\_LIKE\_BUCKET\_NAME | runtime & workspaces | S3 bucket name                              |               |
| WORKSPACES\_STORAGE\_S3\_LIKE\_REGION       | runtime & workspaces | S3 region                                   |               |
| STORAGE\_S3\_LIKE\_MAX\_RETRIES             | runtime & workspaces | Maximum retries on rate-limited S3 requests | 5             |

#### Azure Blob Storage for Workspaces

| Name                                                 | Service              | Description                  | Default Value |
| ---------------------------------------------------- | -------------------- | ---------------------------- | ------------- |
| WORKSPACES\_STORAGE\_AZURE\_BLOB\_CONTAINER          | runtime & workspaces | Azure Blob container name    | models        |
| WORKSPACES\_STORAGE\_AZURE\_BLOB\_CONNECTION\_STRING | runtime & workspaces | Azure Blob connection string |               |

#### GCS Storage for Workspaces

| Name                                  | Service              | Description                                     | Default Value                                         |   |   |
| ------------------------------------- | -------------------- | ----------------------------------------------- | ----------------------------------------------------- | - | - |
| WORKSPACES\_STORAGE\_GCS\_BUCKET      | runtime & workspaces | GCS bucket name (**required**)                  |                                                       |   |   |
| WORKSPACES\_STORAGE\_GCS\_KEYFILEPATH | runtime & workspaces | Service account configuration filepath          | `GOOGLE_APPLICATION_CREDENTIALS` environment variable |   |   |
| WORKSPACES\_STORAGE\_GCS\_PROJECTID   | runtime & workspaces | GCS project id, only required when using apiKey |                                                       |   |   |
| WORKSPACES\_STORAGE\_GCS\_APIKEY      | runtime & workspaces | Api key                                         |                                                       |   |   |
| STORAGE\_GCS\_MAX\_RETRIES            | runtime & workspaces | Maximum retries on rate-limited GCS requests    | 5                                                     |   |   |

If **WORKSPACES\_STORAGE\_GCS\_KEYFILEPATH** or **GOOGLE\_APPLICATION\_CREDENTIALS** is provided, only **WORKSPACES\_STORAGE\_GCS\_BUCKET** is required.

### File Uploads Storage

| Name                                  | Service    | Description                                                    | Default Value      |
| ------------------------------------- | ---------- | -------------------------------------------------------------- | ------------------ |
| UPLOADS\_STORAGE\_TYPE                | workspaces | Storage driver type (FILESYSTEM, S3\_LIKE, AZURE\_BLOB or GCS) | FILESYSTEM         |
| UPLOADS\_STORAGE\_FILESYSTEM\_DIRPATH | workspaces | Directory path for filesystem storage                          | ../../data/models/ |

#### S3-Compatible Storage for uploads

| Name                                             | Service    | Description                                                                                                                                           | Default Value |
| ------------------------------------------------ | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| UPLOADS\_STORAGE\_S3\_LIKE\_ACCESS\_KEY          | workspaces | S3 access key                                                                                                                                         |               |
| UPLOADS\_STORAGE\_S3\_LIKE\_SECRET\_KEY          | workspaces | S3 secret key                                                                                                                                         |               |
| UPLOADS\_STORAGE\_S3\_LIKE\_ENDPOINT             | workspaces | S3 endpoint                                                                                                                                           |               |
| UPLOADS\_STORAGE\_S3\_LIKE\_BUCKET\_NAME         | workspaces | S3 bucket name                                                                                                                                        |               |
| UPLOADS\_PUBLIC\_STORAGE\_S3\_LIKE\_BUCKET\_NAME | workspaces | Optional. Separate bucket for public assets, used only if you want public files served directly by a CDN instead of being proxied by the api-gateway. |               |
| UPLOADS\_STORAGE\_S3\_LIKE\_REGION               | workspaces | S3 region                                                                                                                                             |               |
| STORAGE\_S3\_LIKE\_MAX\_RETRIES                  | workspaces | Maximum retries on rate-limited S3 requests                                                                                                           | 5             |
| UPLOADS\_STORAGE\_S3\_LIKE\_BASE\_URL            | workspaces | Base download URL (if omitted, workspaces API will be used as proxy)                                                                                  |               |

#### Azure Blob Storage for uploads

| Name                                              | Service    | Description                                                          | Default Value |
| ------------------------------------------------- | ---------- | -------------------------------------------------------------------- | ------------- |
| UPLOADS\_STORAGE\_AZURE\_BLOB\_CONTAINER          | workspaces | Azure Blob container name                                            | models        |
| UPLOADS\_STORAGE\_AZURE\_BLOB\_CONNECTION\_STRING | workspaces | Azure Blob connection string                                         |               |
| UPLOADS\_STORAGE\_AZURE\_BLOB\_BASE\_URL          | workspaces | Base download URL (if omitted, workspaces API will be used as proxy) |               |

#### GCS Storage for uploads

| Name                                  | Service    | Description                                                                                                                                           | Default Value                                         |   |   |
| ------------------------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | - | - |
| UPLOADS\_STORAGE\_GCS\_BUCKET         | workspaces | GCS bucket name (**required**)                                                                                                                        |                                                       |   |   |
| UPLOADS\_PUBLIC\_STORAGE\_GCS\_BUCKET | workspaces | Optional. Separate bucket for public assets, used only if you want public files served directly by a CDN instead of being proxied by the api-gateway. |                                                       |   |   |
| UPLOADS\_STORAGE\_GCS\_KEYFILEPATH    | workspaces | Service account configuration filepath                                                                                                                | `GOOGLE_APPLICATION_CREDENTIALS` environment variable |   |   |
| UPLOADS\_STORAGE\_GCS\_PROJECTID      | workspaces | GCS project id, only required when using apiKey                                                                                                       |                                                       |   |   |
| UPLOADS\_STORAGE\_GCS\_APIKEY         | workspaces | Api key                                                                                                                                               |                                                       |   |   |
| STORAGE\_GCS\_MAX\_RETRIES            | workspaces | Maximum retries on rate-limited GCS requests                                                                                                          | 5                                                     |   |   |
| UPLOADS\_STORAGE\_GCS\_BASE\_URL      | workspaces | Base download URL (if omitted, workspaces API will be used as proxy)                                                                                  |                                                       |   |   |

If **UPLOADS\_STORAGE\_GCS\_KEYFILEPATH** or **GOOGLE\_APPLICATION\_CREDENTIALS** is provided, only **UPLOADS\_STORAGE\_GCS\_BUCKET** is required.

**Notes on uploads bucket:**

By default, **a single private bucket** holds both public and private uploads. Every download is proxied by the api-gateway, which checks the file's visibility and serves public files without requiring authentication. **No CDN, no public bucket, and no object-level ACLs are required.** The default applies as long as `UPLOADS_STORAGE_*_BASE_URL` is left unset.

If you want public files to be served directly from a CDN instead of through the api-gateway, you can opt into a two-bucket setup:

1. Keep the private bucket as-is (`UPLOADS_STORAGE_S3_*`).
2. Add a second bucket dedicated to public assets (`UPLOADS_PUBLIC_STORAGE_S3_*`), exposed through a CDN.
3. Set `UPLOADS_STORAGE_S3_LIKE_BASE_URL` (and/or `UPLOADS_PUBLIC_STORAGE_S3_LIKE_BASE_URL`) to the CDN's public base URL — that is what tells the platform to hand out direct CDN URLs instead of proxying through the api-gateway.

You can reuse the same credentials for both buckets or provide separate ones:

```
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BUCKET_NAME="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BASE_URL="your CDN public base URL"
```

Equivalent variables exist for **GCS**:

```
UPLOADS_PUBLIC_STORAGE_GCS_BUCKET="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_GCS_BASE_URL="your CDN public base URL"
```

To switch back to "everything through the api-gateway", simply **unset** the `UPLOADS_STORAGE_*_BASE_URL` variables.

## Authentication & Security

### OIDC Configuration

| Name                              | Service                       | Description                                                             | Default Value                                                       |
| --------------------------------- | ----------------------------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------- |
| OIDC\_PROVIDER\_URL               | api-gateway, console, runtime | OIDC Authorization public server URL (rarely needs changing)            | API\_URL without base path                                          |
| OIDC\_INTERNAL\_PROVIDER\_URL     | api-gateway                   | OIDC Authorization internal server URL (rarely needs changing)          | By precedence: INTERNAL\_API\_URL, OIDC\_PROVIDER\_URL, or API\_URL |
| OIDC\_STUDIO\_CLIENT\_ID          | api-gateway, console          | Studio OIDC client ID                                                   | local-client-id                                                     |
| OIDC\_STUDIO\_CLIENT\_SECRET      | api-gateway                   | Studio OIDC client secret (known only by api-gateway)                   | local-client-id                                                     |
| OIDC\_CLIENT\_REGISTRATION\_TOKEN | api-gateway                   | Access token required for OIDC clients registration API                 | local-client-id                                                     |
| OIDC\_WELL\_KNOWN\_URL            | api-gateway                   | OIDC provider configuration discovery URL (only for external providers) |                                                                     |
| JWKS\_URL                         | api-gateway                   | Endpoint for retrieving JWKS as part of the JWKS strategy               | OIDC\_INTERNAL\_PROVIDER\_URL/oidc/jwks                             |

### Session & Token Configuration

| Name                           | Service     | Description                                                                 | Default Value                       |
| ------------------------------ | ----------- | --------------------------------------------------------------------------- | ----------------------------------- |
| SESSION\_COOKIES\_MAX\_AGE     | api-gateway | Auth server session cookies expiration (in seconds)                         | 2592000 (1 month)                   |
| ACCESS\_TOKENS\_MAX\_AGE       | api-gateway | Session expiration for both anonymous & authenticated sessions (in seconds) | 2592000 (1 month)                   |
| SESSION\_COOKIES\_SIGN\_SECRET | api-gateway | Session cookies signing secret                                              |                                     |
| SOCKETIO\_COOKIE\_MAX\_AGE     | events      | Socket.io cookie maxAge                                                     | Default from 'cookie' NodeJS module |

### Security Settings

| Name                               | Service     | Description                                                                                                                                   | Default Value |
| ---------------------------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| CORS\_ADDITIONAL\_ALLOWED\_ORIGINS | api-gateway | Additional allowed CORS origins (beyond `CONSOLE_URL` and workspace custom domains)                                                           |               |
| CSP\_HEADER                        | console     | Content Security Policy header for the frontend (if undefined, no CSP header is returned)                                                     |               |
| PASSWORD\_VALIDATION\_REGEXP       | api-gateway | Password validation regular expression                                                                                                        | `.{8,32}`     |
| ACCOUNT\_VALIDATION\_METHOD        | api-gateway | Account validation method on signup: "auto", "email", or "manual"                                                                             | email         |
| DISABLE\_LOCAL\_SIGNIN             | api-gateway | Disable local username/password sign-in API. Only SSO providers remain available.                                                             | false         |
| DISABLE\_LOCAL\_SIGNUP             | api-gateway | Disable local sign-up API.                                                                                                                    | false         |
| MFA\_FORCE\_LOCAL                  | api-gateway | Require TOTP multi-factor authentication for all local (password) accounts. SSO and anonymous accounts are exempt. Set to `false` to disable. | true          |

## Service-Specific Configuration

### API Gateway

| Name                    | Service                 | Description                                                                                                                                                           | Default Value                                    |
| ----------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
| PORT                    | api-gateway             | Listening port number                                                                                                                                                 | 3001                                             |
| GATEWAY\_CONFIG\_PATH   | api-gateway             | Path to gateway.config.yml                                                                                                                                            | ../../gateway.config.yml                         |
| AUTH\_PROVIDERS\_CONFIG | api-gateway             | Path to authProviders.config.yml                                                                                                                                      | ../../authProviders.config.yml                   |
| INTERNAL\_API\_KEY      | api-gateway, workspaces | API key for internal services to access events /sys/cleanup API                                                                                                       |                                                  |
| WORKSPACES\_API\_URL    | api-gateway             | prismeai-workspaces internal URL                                                                                                                                      | [http://workspaces:3002](http://workspaces:3002) |
| EVENTS\_API\_URL        | api-gateway             | prismeai-events internal URL                                                                                                                                          | [http://events:3004](http://events:3004)         |
| RUNTIME\_API\_URL       | api-gateway             | prismeai-runtime internal URL                                                                                                                                         | [http://runtime:3003](http://runtime:3003)       |
| X\_FORWARDED\_HEADERS   | api-gateway             | Add X-Forwarded-\* headers on proxied requests                                                                                                                        | yes                                              |
| SUPER\_ADMIN\_EMAILS    | api-gateway             | Comma-separated list of user emails with access to all workspaces (e.g., "[admin@example.com](mailto:admin@example.com),[user@company.com](mailto:user@company.com)") | None                                             |
| REQUEST\_MAX\_SIZE      | api-gateway             | Maximum request body size (format from bodyParser.json)                                                                                                               | 1mb                                              |
| EMAIL\_DRIVER           | api-gateway             | Email driver to use. ("smtp", "mailgun")                                                                                                                              | mailgun                                          |
| EMAIL\_FROM             | api-gateway             | Email address to use as "from" when sending emails                                                                                                                    | `"Prisme.ai" <no-reply@prisme.ai>`               |
| SMTP\_HOST              | api-gateway             | Hostname or IP address of your SMTP server. (example: smtp.gmail.com)                                                                                                 |                                                  |
| SMTP\_PORT              | api-gateway             | Port to connect to                                                                                                                                                    | 587                                              |
| SMTP\_USER              | api-gateway             | User authentication                                                                                                                                                   |                                                  |
| SMTP\_PASS              | api-gateway             | User's password                                                                                                                                                       |                                                  |
| SMTP\_SECURE            | api-gateway             | If true, the connection will use TLS immediately (recommended for port 465).                                                                                          | false                                            |

### Console

| Name                            | Service | Description                         | Default Value     |
| ------------------------------- | ------- | ----------------------------------- | ----------------- |
| PORT                            | console | Listening port number               | 3000              |
| WEBSOCKETS\_DEFAULT\_TRANSPORTS | console | Default Socket.io transport methods | websocket,polling |

### Events Service

| Name                                              | Service | Description                                                                                                                                                                                              | Default Value |
| ------------------------------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| PORT                                              | events  | Listening port number                                                                                                                                                                                    | 3004          |
| EVENTS\_BUFFER\_FLUSH\_AT                         | events  | Persist events in data lake after this many events                                                                                                                                                       | 128           |
| EVENTS\_BUFFER\_HIGH\_WATERMARK                   | events  | Stop listening for new events when this many are waiting to be persisted                                                                                                                                 | 256           |
| EVENTS\_BUFFER\_FLUSH\_EVERY                      | events  | Persist events every N milliseconds, even if EVENTS\_BUFFER\_FLUSH\_AT not reached                                                                                                                       | 5000          |
| EVENTS\_RETENTION\_DAYS                           | events  | Days events are kept in data lake before removal                                                                                                                                                         | 180           |
| EVENTS\_CLEANUP\_WORKSPACE\_INACTIVITY\_DAYS      | events  | Delete workspace events if inactive for more than N days & with fewer than EVENTS\_CLEANUP\_WORKSPACE\_MAX\_EVENTS                                                                                       | 15            |
| EVENTS\_CLEANUP\_WORKSPACE\_MAX\_EVENTS           | events  | Delete workspace events if inactive for more than EVENTS\_CLEANUP\_WORKSPACE\_INACTIVITY\_DAYS & with fewer than N events                                                                                | 100           |
| EVENTS\_SCHEDULED\_DELETION\_DAYS                 | events  | Days events are kept in data lake after workspace deletion (min\_age parameter for the `policy-events-deletion-scheduled` ILM policy)                                                                    | 90            |
| ELASTIC\_SEARCH\_TIMEOUT                          | events  | Best effort timeout for search requests : [https://www.elastic.co/docs/solutions/search/the-search-api#search-timeout](https://www.elastic.co/docs/solutions/search/the-search-api#search-timeout)       | 20000ms       |
| EVENTS\_CLEANUP\_AUTOMATION\_EXECUTED\_EXPIRATION | events  | Expiration period enforced by `/cleanup` API for payload & output fields of runtime.automations.executed events. Can also be tuned from Helm `prismeai-events.events.automationExecutedExpiration` value | 14d           |

### Runtime Service

| Name                                                     | Service | Description                                                                                                             | Default Value                                              |
| -------------------------------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- |
| PORT                                                     | runtime | Listening port number                                                                                                   | 3003                                                       |
| MAXIMUM\_SUCCESSIVE\_CALLS                               | runtime | Maximum automation executions for the same correlation ID                                                               | 20                                                         |
| CONTEXT\_RUN\_EXPIRE\_TIME                               | runtime | Run context expiration time in seconds                                                                                  | 60                                                         |
| CONTEXT\_UNAUTHENTICATED\_SESSION\_EXPIRE\_TIME          | runtime | Session context expiration time in seconds for unauthenticated sessions                                                 | 3600 (1 hour)                                              |
| ADDITIONAL*GLOBAL\_VARS*\*                               | runtime | Additional variables available from global context (e.g., ADDITIONAL\_GLOBAL\_VARS\_apiUrl becomes `{{global.apiUrl}}`) | None                                                       |
| WORKSPACE*CONFIG*`{{workspaceSlug}}`\_`{{variableName}}` | runtime | Variables available for specific workspaces                                                                             | None                                                       |
| APP*CONFIG*`{{appSlug}}`\_`{{variableName}}`             | runtime | Variables available for specific apps                                                                                   | None                                                       |
| FETCH\_FORBIDDEN\_HOSTS                                  | runtime | Comma-separated list of forbidden hostnames in fetch instruction                                                        |                                                            |
| FETCH\_MAX\_RETRIES                                      | runtime | Maximum fetch retries                                                                                                   | 3                                                          |
| FETCH\_RETRY\_CODES                                      | runtime | Error codes that trigger fetch retries                                                                                  | ECONNRESET,UND\_ERR\_SOCKET,EPIPE,EHOSTUNREACH,ENETUNREACH |
| FETCH\_RETRY\_STATUS                                     | runtime | Response status codes that trigger fetch retries                                                                        | 429,503,502                                                |
| RUNNER\_MAX\_THREADS                                     | runtime | Number of worker\_threads per runtime instance                                                                          | 1                                                          |
| CONTEXT\_SOCKET\_MAX\_SIZE                               | runtime | Maximum size in bytes of **socket** context (this limit only emits error but does not throw, for now                    | 100000                                                     |
| CONTEXT\_GLOBAL\_MAX\_SIZE                               | runtime | Maximum size in bytes of **global** context (this limit only emits error but does not throw, for now                    | 500000                                                     |
| CONTEXT\_RUN\_MAX\_SIZE                                  | runtime | Maximum size in bytes of **run** context (this limit only emits error but does not throw, for now                       | 500000                                                     |
| CONTEXT\_USER\_MAX\_SIZE                                 | runtime | Maximum size in bytes of **user** context (this limit only emits error but does not throw, for now                      | 100000                                                     |
| CONTEXT\_SESSION\_MAX\_SIZE                              | runtime | Maximum size in bytes of **session** context (this limit only emits error but does not throw, for now                   | 1000000                                                    |
| CONTEXT\_LOCAL\_MAX\_SIZE                                | runtime | Maximum size in bytes of **local** context (this limit only emits error but does not throw, for now                     | 50000000                                                   |
| CONTEXT\_CONFIG\_MAX\_SIZE                               | runtime | Maximum size in bytes of **config** context (this limit only emits error but does not throw, for now                    | 100000                                                     |

### Workspaces Service

| Name                          | Service                          | Description                                                        | Default Value                                 |
| ----------------------------- | -------------------------------- | ------------------------------------------------------------------ | --------------------------------------------- |
| PORT                          | workspaces                       | Listening port number                                              | 3002                                          |
| UPLOADS\_ALLOWED\_MIMETYPES   | workspaces                       | Comma-separated list of allowed upload MIME types                  | image/*,text/*,video/*,audio/*,application/\* |
| UPLOADS\_FORBIDDEN\_MIMETYPES | workspaces                       | Comma-separated list of forbidden upload MIME types (no wildcards) |                                               |
| UPLOADS\_DEFAULT\_VISIBILITY  | workspaces                       | Default upload visibility if not specified in API request          | public                                        |
| UPLOADS\_MAX\_SIZE            | workspaces, api-gateway, runtime | Maximum upload size in bytes                                       | 10000000 (10MB)                               |
| IMPORT\_BATCH\_SIZE           | workspaces                       | Maximum parallel save requests during imports                      | 50                                            |

#### Platform Repositories

Platform repositories are shared repositories automatically available to **all workspaces** for versioning (push/pull). They are configured entirely through environment variables and require no per-workspace setup.

Each workspace's files are stored in a subdirectory named after the workspace slug within the repository. This allows a single repository to serve as a centralized versioning backend for every workspace on the platform.

Multiple platform repositories can be configured by using the following naming convention:

```
WORKSPACES_STORAGE_GIT_PLATFORM_{repoId}_{FIELD}
```

Where `{repoId}` is a unique identifier for the repository (e.g., `prismeai`, `backup`) and `{FIELD}` is one of the supported fields listed below.

| Field suffix    | Description                                                                                                                                                                                                                                                                                                                                   | Default Value |
| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `TYPE`          | Repository type: `git` (remote Git repository) or `filesystem` (local directory)                                                                                                                                                                                                                                                              | `git`         |
| `URL`           | Git repository URL (**required for `git` type** — the repository is only enabled if this is set)                                                                                                                                                                                                                                              |               |
| `NAME`          | Display name shown in the UI                                                                                                                                                                                                                                                                                                                  | `{repoId}`    |
| `BRANCH`        | Git branch to use (only for `git` type)                                                                                                                                                                                                                                                                                                       | `main`        |
| `MODE`          | Access mode: `read-write` or `read-only`                                                                                                                                                                                                                                                                                                      | `read-write`  |
| `DIRPATH`       | For `git` type: base directory path inside the repository. Each workspace's files are stored under `{dirpath}/{workspaceSlug}`. If omitted, workspace files are stored directly under `{workspaceSlug}` at the repository root. For `filesystem` type: **required** absolute path to the local directory containing workspace subdirectories. |               |
| `AUTH_USER`     | Username for HTTPS authentication (only for `git` type)                                                                                                                                                                                                                                                                                       |               |
| `AUTH_PASSWORD` | Password or personal access token (PAT) for HTTPS authentication (only for `git` type)                                                                                                                                                                                                                                                        |               |
| `AUTH_SSHKEY`   | SSH private key content for SSH authentication (only for `git` type)                                                                                                                                                                                                                                                                          |               |

<Warning>
  The `filesystem` type is reserved for platform repositories and cannot be used in workspace-level repository configurations.
</Warning>

**Example — single platform Git repository:**

```dotenv theme={null}
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_URL=https://github.com/myorg/workspaces.git
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_NAME=Platform Repository
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_BRANCH=main
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_USER=your-user
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_PASSWORD=github_pat_xxxxxxx
```

**Example — filesystem platform repository (like the one embedded in prismeai-workspaces Docker image):**

```dotenv theme={null}
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE=filesystem
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME=Built-in Workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH=/www/platform-workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_MODE=read-only
```

With this configuration, the platform expects workspace directories directly inside `/www/platform-workspaces/` (e.g., `/www/platform-workspaces/ai-knowledge/`, etc.).

**Example — with a custom directory path (Git):**

```dotenv theme={null}
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_URL=https://github.com/myorg/monorepo.git
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_NAME=Platform Repository
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_DIRPATH=workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_USER=your-user
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_PASSWORD=github_pat_xxxxxxx
```

With this configuration, a workspace with slug `myapp` would be stored under `workspaces/myapp/` in the repository.

**Example — multiple platform repositories:**

```dotenv theme={null}
# Primary read-write Git repository
WORKSPACES_STORAGE_GIT_PLATFORM_primary_URL=https://github.com/myorg/workspaces.git
WORKSPACES_STORAGE_GIT_PLATFORM_primary_NAME=Main Repository
WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_USER=x-access-token
WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_PASSWORD=ghp_xxxxxxxxxxxx

# Read-only backup Git repository
WORKSPACES_STORAGE_GIT_PLATFORM_backup_URL=git@github.com:myorg/workspaces-backup.git
WORKSPACES_STORAGE_GIT_PLATFORM_backup_NAME=Backup (read-only)
WORKSPACES_STORAGE_GIT_PLATFORM_backup_MODE=read-only
WORKSPACES_STORAGE_GIT_PLATFORM_backup_AUTH_SSHKEY="-----BEGIN OPENSSH PRIVATE KEY-----\n..."

# Built-in filesystem repository (Docker image)
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE=filesystem
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME=Built-in Workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH=/www/platform-workspaces
```

**Notes:**

* Platform repositories are returned in the `platformRepositories` field of the workspace API response — they do not include auth details, and are never persisted into the workspace configuration.
* Authentication credentials are never exposed in API responses.
* For GitHub HTTPS authentication, use your username as `AUTH_USER` and a personal access token (PAT) with read-write permissions on **Contents** as `AUTH_PASSWORD`.

#### Workspace Groups

Workspace groups define logical sets of workspaces that can be imported together via bulk import. Groups are configured through environment variables:

```
WORKSPACES_GROUP_{groupName}_LABELS="label1,label2,..."
```

A workspace belongs to a group if at least one of its labels matches one of the group's labels. When a workspace is pushed to a platform repository, the groups it belongs to are recorded in its `.import.yml` file.

| Name                                  | Service    | Description                                                                                                  | Default Value |
| ------------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `WORKSPACES_GROUP_{groupName}_LABELS` | workspaces | Comma-separated list of labels for the group. A workspace with any matching label is included in this group. |               |

**Example:**

```dotenv theme={null}
# Core dependencies
WORKSPACES_GROUP_base1_LABELS=production:app:base1
WORKSPACES_GROUP_base2_LABELS=production:app:base2

# Core products
WORKSPACES_GROUP_extended_LABELS=production:app,production:product
```

These group names are then used in:

* The **bulk import** API (`groups` body parameter): `POST /v2/workspaces/platform/versions/latest/pull`
* The **bulk push** API (`groups` body parameter): `POST /v2/workspaces/platform/versions`
* `STARTUP_IMPORT_GROUPS` to select which workspaces to import automatically on startup

#### Automatic Import at Startup

The workspaces service can automatically trigger a bulk import when it starts. This is useful for initial deployments and platform upgrades, ensuring that reference workspaces from a platform repository are always up to date.

| Name                        | Service    | Description                                                                                                                                                                                         | Default Value |
| --------------------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `STARTUP_IMPORT_GROUPS`     | workspaces | Comma-separated list of group names to import at startup. Each group is imported sequentially. If any group encounters errors, remaining groups are skipped. If empty, no auto-import is performed. |               |
| `STARTUP_IMPORT_REPOSITORY` | workspaces | Repository ID (matching a configured platform repository) to import from at startup.                                                                                                                |               |

**Example:**

```dotenv theme={null}
# Import core workspaces from the built-in filesystem repository at startup
STARTUP_IMPORT_GROUPS=base1,base2,extended
STARTUP_IMPORT_REPOSITORY=builtin
```

At startup, the service:

1. Ensures the `platform` workspace exists (creates it if needed)
2. Waits for the platform to be ready (checks the `/v2/readiness` endpoint, with a 5-minute timeout)
3. Imports each group sequentially using the bulk import mechanism, with a 30s pause between each group
4. Skips workspaces already at the correct version (based on `.import.yml` version matching)

<Info>
  When multiple replicas start simultaneously (e.g., during a rollout), only one replica acquires the write lock on the Platform workspace and performs the import. Other replicas skip the import entirely.
</Info>

## Performance & Limits

### Rate Limiting

The variables below are the **api-gateway-side** rate limits: requests above the threshold are rejected with HTTP 429.

For **automation rate limits** (also `RATE_LIMIT_*` but on `prismeai-runtime`), see [API Reference — Rate Limits](/api-reference/rate-limits#configuration-options). Unlike the gateway limits, those don't break execution — they **deliberately slow automations down** instead of failing them.

| Name                          | Service     | Description                                                                                                                                                                                                                                      | Default Value |
| ----------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- |
| DISABLE\_RATE\_LIMIT          | api-gateway | Set it to true in order to disable all rate limits                                                                                                                                                                                               |               |
| RATE\_LIMIT\_SIGNUP           | api-gateway | Maximum signups per IP per minute                                                                                                                                                                                                                | 1             |
| RATE\_LIMIT\_ANONYMOUS\_LOGIN | api-gateway | Maximum anonymous logins per IP per minute                                                                                                                                                                                                       | 10            |
| RATE\_LIMIT\_TOKEN\_EXCHANGE  | api-gateway | Maximum OIDC token exchanges (`/v2/login/token-exchange`) per IP per minute. Uses its own counter, separate from anonymous logins. Token exchange is usually brokered server-side, so all users share one source IP — raise this for production. | 60            |
| RATE\_LIMIT\_PRISMEAI\_LOGIN  | api-gateway | Maximum email/password login attempts per email per minute                                                                                                                                                                                       | 5             |
| RATE\_LIMIT\_PASSWORD\_RESET  | api-gateway | Maximum password reset requests per IP per minute                                                                                                                                                                                                | 1             |

## Integration & APIs

| Name              | Service      | Description                                           | Default Value                 |
| ----------------- | ------------ | ----------------------------------------------------- | ----------------------------- |
| OPENAPI\_FILEPATH | All services | Path to Swagger file for requests & events validation | ../specifications/swagger.yml |

## Examples

### S3 Storage Configuration

```dotenv theme={null}
# Configure workspace storage with S3
WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
WORKSPACES_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=prisme-workspaces
WORKSPACES_STORAGE_S3_LIKE_REGION=us-west-1
WORKSPACES_STORAGE_S3_LIKE_BASE_URL=https://prisme-workspaces.s3.us-west-1.amazonaws.com

# Configure uploads with the same credentials but different bucket
UPLOADS_STORAGE_TYPE=S3_LIKE
UPLOADS_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
UPLOADS_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
UPLOADS_STORAGE_S3_LIKE_BUCKET_NAME=prisme-uploads
UPLOADS_STORAGE_S3_LIKE_REGION=us-west-1
UPLOADS_STORAGE_S3_LIKE_BASE_URL=https://prisme-uploads.s3.us-west-1.amazonaws.com
```

### Authentication and Rate Limiting for Production

```dotenv theme={null}
# Set a strong password policy
PASSWORD_VALIDATION_REGEXP= "YOUR_REGEX"

# Enable manual account validation
ACCOUNT_VALIDATION_METHOD=manual

# Configure super admins
SUPER_ADMIN_EMAILS=admin@company.com,security@company.com

# Set stricter rate limits
RATE_LIMIT_SIGNUP=1
RATE_LIMIT_ANONYMOUS_LOGIN=5
RATE_LIMIT_PRISMEAI_LOGIN=3
RATE_LIMIT_PASSWORD_RESET=1
```
