# Environment Variables Reference

> Complete reference for configuring Prisme.ai services through environment variables

Prisme.ai services can be configured through various environment variables. This reference provides a comprehensive list of available configuration options for your deployment.

## Configuration Methods

### Docker Setup

In a **Docker** deployment, configure these variables in the root `docker-compose.yml` file. See the [Docker Compose documentation](https://docs.docker.com/compose/environment-variables/) for more details.

### Developer Setup

In a **development** environment, create a `services/*/.env` file containing key/value pairs:

```
WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=someBucketName
...
```

To run a service directly from its Docker image, add an `env_file` option to its `services/*/docker-compose.yml` file:

```yaml
console:
  entrypoint: npm start --prefix services/console
  restart: on-failure
  image: registry.gitlab.com/prisme.ai/prisme.ai/prisme.ai-console:latest
  ports:
    - "3000:3000"
  env_file: ./.env
```

**Note 1:** Default values may differ depending on the selected start mode (Docker or Developer), especially URL-related variables.

**Note 2:** Relative paths start from the executing service directory.

## Variable Categories

* [Domains & URLs](#domains--urls)
* [Databases & Storage](#databases--storage)
* [Authentication & Security](#authentication--security)
* [Service-Specific Configuration](#service-specific-configuration)
* [Performance & Limits](#performance--limits)
* [Integration & APIs](#integration--apis)

## Domains & URLs

Configure the URLs and domains used by Prisme.ai services.

| Name               | Service                              | Description                                                                                                                                                                                         | Default Value                                                                  |
| ------------------ | ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
| INTERNAL\_API\_URL | All services                         | api-gateway internal URL for internal requests, ending with the `/v2` version suffix (e.g., contact fetching, public JWKS, runtime fetches)                                                         | [http://localhost:3001/v2](http://localhost:3001/v2)                           |
| API\_URL           | All services                         | api-gateway public URL ending with `/v2` version suffix                                                                                                                                             | [http://studio.local.prisme.ai:3001/v2](http://studio.local.prisme.ai:3001/v2) |
| CONSOLE\_URL       | api-gateway, console, pages, runtime | Studio URL, used for emails, auth redirections & runtime variable `{{global.studioUrl}}`                                                                                                            | [http://studio.local.prisme.ai:3000](http://studio.local.prisme.ai:3000)       |
| PAGES\_HOST        | api-gateway, console, pages, runtime | Pages base domain starting with a '.', workspace slug will be prefixed as a subdomain. Used for pages builder, pages sign-in redirection from api gateway, & runtime variable `{{global.pagesUrl}}` | .pages.local.prisme.ai:3100                                                    |

## Databases & Storage

### Redis Configuration

| Name                                       | Service                                  | Description                                                                                                                | Default Value             |
| ------------------------------------------ | ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| BROKER\_HOST                               | api-gateway, workspaces, events, runtime | Redis broker URL (must be the same across services)                                                                        | redis\://localhost:6379/0 |
| BROKER\_PASSWORD                           | api-gateway, workspaces, events, runtime | Redis broker password                                                                                                      |                           |
| BROKER\_TLS\_CA\_FILE                      | api-gateway, workspaces, events, runtime | Redis TLS CA filepath                                                                                                      |                           |
| BROKER\_NAMESPACE                          | api-gateway, workspaces, events, runtime | Optional namespace to segment events when database instance is shared by multiple platforms                                |                           |
| BROKER\_TOPIC\_MAXLEN                      | api-gateway, workspaces, events, runtime | Redis streams max length before getting truncated ([Capped Streams](https://redis.io/topics/streams-intro#capped-streams)) | 10000                     |
| BROKER\_EMIT\_MAXLEN                       | api-gateway, workspaces, events, runtime | Maximum size (in bytes) of emitted events                                                                                  | 100000                    |
| BROKER\_EMIT\_EXECUTED\_AUTOMATION\_MAXLEN | runtime                                  | Maximum size (in bytes) of emitted runtime.automations.executed events                                                     | 10000                     |
| SESSIONS\_STORAGE\_HOST                    | api-gateway                              | Redis URL for sessions storage                                                                                             | redis\://localhost:6379/0 |
| SESSIONS\_STORAGE\_PASSWORD                | api-gateway                              | Redis password for sessions storage                                                                                        |                           |
| SESSIONS\_STORAGE\_TLS\_CA\_FILE           | api-gateway                              | Redis TLS CA filepath                                                                                                      |                           |
| CONTEXTS\_CACHE\_HOST                      | runtime                                  | Redis URL for contexts persistence                                                                                         | redis\://localhost:6379/0 |
| CONTEXTS\_CACHE\_PASSWORD                  | runtime                                  | Redis password for contexts persistence                                                                                    |                           |
| CONTEXTS\_CACHE\_TLS\_CA\_FILE             | runtime                                  | Redis TLS CA filepath                                                                                                      |                           |
| EVENTS\_TOPICS\_CACHE\_HOST                | events                                   | Redis URL for event userTopics persistence                                                                                 | BROKER\_HOST variable     |
| EVENTS\_TOPICS\_CACHE\_PASSWORD            | events                                   | Redis password for event userTopics persistence                                                                            |                           |
| EVENTS\_TOPICS\_CACHE\_TLS\_CA\_FILE       | events                                   | Redis TLS CA filepath                                                                                                      |                           |

### MongoDB/PostgreSQL Configuration

| Name                                    | Service                                  | Description                                                                                                  | Default Value                         |
| --------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------- |
| PERMISSIONS\_STORAGE\_DRIVER            | api-gateway, workspaces, events, runtime | Database driver for permissions storage (must be the same for both workspaces & events): mongodb, postgresql | mongodb                               |
| PERMISSIONS\_STORAGE\_HOST              | api-gateway, workspaces, events, runtime | Database URL for permissions storage (must be the same for both workspaces & events)                         | mongodb://localhost:27017/permissions |
| PERMISSIONS\_STORAGE\_TLS\_CA\_FILE     | api-gateway, workspaces, events, runtime | Database TLS CA filepath                                                                                     |                                       |
| PERMISSIONS\_STORAGE\_TLS\_SELF\_SIGNED | api-gateway, workspaces, events, runtime | Set to true in order to disable server certificate validation                                                | false                                 |
| PERMISSIONS\_STORAGE\_DEBUG             | workspaces, events, runtime              | Enable database query logs                                                                                   | false                                 |
| USERS\_STORAGE\_DRIVER                  | api-gateway                              | Database type for users storage: mongodb, postgresql                                                         | mongodb                               |
| USERS\_STORAGE\_HOST                    | api-gateway                              | Database URL for users storage                                                                               | mongodb://localhost:27017/users       |
| USERS\_STORAGE\_TLS\_CA\_FILE           | api-gateway                              | Database TLS CA filepath                                                                                     |                                       |
| USERS\_STORAGE\_TLS\_SELF\_SIGNED       | api-gateway                              | Set to true in order to disable server certificate validation                                                | false                                 |
| USERS\_STORAGE\_DEBUG                   | api-gateway                              | Enable database query logs                                                                                   | false                                 |
| COLLECTIONS\_STORAGE\_DRIVER            | runtime                                  | Database type for collections storage: mongodb, postgresql                                                   | mongodb                               |
| COLLECTIONS\_STORAGE\_HOST              | runtime                                  | Database URL for collections storage                                                                         | mongodb://localhost:27017/users       |
| COLLECTIONS\_STORAGE\_TLS\_CA\_FILE     | runtime                                  | Database TLS CA filepath                                                                                     |                                       |
| COLLECTIONS\_STORAGE\_TLS\_SELF\_SIGNED | runtime                                  | Set to true in order to disable server certificate validation                                                | false                                 |
| COLLECTIONS\_STORAGE\_DEBUG             | runtime                                  | Enable database query logs                                                                                   | false                                 |

### Elasticsearch Configuration

| Name                               | Service | Description                                                                       | Default Value                                  |
| ---------------------------------- | ------- | --------------------------------------------------------------------------------- | ---------------------------------------------- |
| EVENTS\_STORAGE\_DRIVER            | events  | Events storage driver (supports elasticsearch or opensearch)                       | elasticsearch                                  |
| EVENTS\_STORAGE\_ES\_HOST          | events  | Elasticsearch URL for events persistence                                          | [http://localhost:9200](http://localhost:9200) |
| EVENTS\_STORAGE\_ES\_USER          | events  | Elasticsearch user for events persistence                                         |                                                |
| EVENTS\_STORAGE\_ES\_PASSWORD      | events  | Elasticsearch password for events persistence                                     |                                                |
| EVENTS\_STORAGE\_ES\_BULK\_REFRESH | events  | Enable Elastic "refresh" option when bulk inserting events (might cause overhead) | no                                             |
| EVENTS\_STORAGE\_NAMESPACE         | events  | Elasticsearch indices name prefix                                                 | (empty)                                        |

### Storage Configuration

Prisme.ai supports multiple storage backends for workspaces and uploads. Available storage types are:

* FILESYSTEM: Local file system storage
* S3\_LIKE: Amazon S3 or compatible services (MinIO, etc.)
* AZURE\_BLOB: Azure Blob Storage
* GCS: Google Cloud Storage

### Workspaces Storage

| Name                                     | Service              | Description                                                    | Default Value      |
| ---------------------------------------- | -------------------- | -------------------------------------------------------------- | ------------------ |
| WORKSPACES\_STORAGE\_TYPE                | runtime & workspaces | Storage driver type (FILESYSTEM, S3\_LIKE, AZURE\_BLOB or GCS) | FILESYSTEM         |
| WORKSPACES\_STORAGE\_FILESYSTEM\_DIRPATH | runtime & workspaces | Directory path for filesystem storage                          | ../../data/models/ |

#### S3-Compatible Storage for Workspaces

| Name                                        | Service              | Description                                 | Default Value |
| ------------------------------------------- | -------------------- | ------------------------------------------- | ------------- |
| WORKSPACES\_STORAGE\_S3\_LIKE\_ACCESS\_KEY  | runtime & workspaces | S3 access key                               |               |
| WORKSPACES\_STORAGE\_S3\_LIKE\_SECRET\_KEY  | runtime & workspaces | S3 secret key                               |               |
| WORKSPACES\_STORAGE\_S3\_LIKE\_ENDPOINT     | runtime & workspaces | S3 endpoint                                 |               |
| WORKSPACES\_STORAGE\_S3\_LIKE\_BUCKET\_NAME | runtime & workspaces | S3 bucket name                              |               |
| WORKSPACES\_STORAGE\_S3\_LIKE\_REGION       | runtime & workspaces | S3 region                                   |               |
| STORAGE\_S3\_LIKE\_MAX\_RETRIES             | runtime & workspaces | Maximum retries on rate-limited S3 requests | 5             |

#### Azure Blob Storage for Workspaces

| Name                                                 | Service              | Description                  | Default Value |
| ---------------------------------------------------- | -------------------- | ---------------------------- | ------------- |
| WORKSPACES\_STORAGE\_AZURE\_BLOB\_CONTAINER          | runtime & workspaces | Azure Blob container name    | models        |
| WORKSPACES\_STORAGE\_AZURE\_BLOB\_CONNECTION\_STRING | runtime & workspaces | Azure Blob connection string |               |

#### GCS Storage for Workspaces

| Name                                  | Service              | Description                                     | Default Value                                         |
| ------------------------------------- | -------------------- | ----------------------------------------------- | ----------------------------------------------------- |
| WORKSPACES\_STORAGE\_GCS\_BUCKET      | runtime & workspaces | GCS bucket name (**required**)                  |                                                       |
| WORKSPACES\_STORAGE\_GCS\_KEYFILEPATH | runtime & workspaces | Service account configuration filepath          | `GOOGLE_APPLICATION_CREDENTIALS` environment variable |
| WORKSPACES\_STORAGE\_GCS\_PROJECTID   | runtime & workspaces | GCS project id, only required when using apiKey |                                                       |
| WORKSPACES\_STORAGE\_GCS\_APIKEY      | runtime & workspaces | API key                                         |                                                       |
| STORAGE\_GCS\_MAX\_RETRIES            | runtime & workspaces | Maximum retries on rate-limited GCS requests    | 5                                                     |

If **WORKSPACES\_STORAGE\_GCS\_KEYFILEPATH** or **GOOGLE\_APPLICATION\_CREDENTIALS** is provided, only **WORKSPACES\_STORAGE\_GCS\_BUCKET** is required.

### File Uploads Storage

| Name                                  | Service    | Description                                                    | Default Value      |
| ------------------------------------- | ---------- | -------------------------------------------------------------- | ------------------ |
| UPLOADS\_STORAGE\_TYPE                | workspaces | Storage driver type (FILESYSTEM, S3\_LIKE, AZURE\_BLOB or GCS) | FILESYSTEM         |
| UPLOADS\_STORAGE\_FILESYSTEM\_DIRPATH | workspaces | Directory path for filesystem storage                          | ../../data/models/ |

#### S3-Compatible Storage for uploads

| Name                                             | Service    | Description                                                                                                     | Default Value |
| ------------------------------------------------ | ---------- | --------------------------------------------------------------------------------------------------------------- | ------------- |
| UPLOADS\_STORAGE\_S3\_LIKE\_ACCESS\_KEY          | workspaces | S3 access key                                                                                                   |               |
| UPLOADS\_STORAGE\_S3\_LIKE\_SECRET\_KEY          | workspaces | S3 secret key                                                                                                   |               |
| UPLOADS\_STORAGE\_S3\_LIKE\_ENDPOINT             | workspaces | S3 endpoint                                                                                                     |               |
| UPLOADS\_STORAGE\_S3\_LIKE\_BUCKET\_NAME         | workspaces | S3 bucket name                                                                                                  |               |
| UPLOADS\_PUBLIC\_STORAGE\_S3\_LIKE\_BUCKET\_NAME | workspaces | S3 bucket name for public assets (**required if the private uploads bucket does not support object level ACL**) |               |
| UPLOADS\_STORAGE\_S3\_LIKE\_REGION               | workspaces | S3 region                                                                                                       |               |
| STORAGE\_S3\_LIKE\_MAX\_RETRIES                  | workspaces | Maximum retries on rate-limited S3 requests                                                                     | 5             |
| UPLOADS\_STORAGE\_S3\_LIKE\_BASE\_URL            | workspaces | Base download URL (if omitted, workspaces API will be used as proxy)                                            |               |

#### Azure Blob Storage for uploads

| Name                                              | Service    | Description                                                          | Default Value |
| ------------------------------------------------- | ---------- | -------------------------------------------------------------------- | ------------- |
| UPLOADS\_STORAGE\_AZURE\_BLOB\_CONTAINER          | workspaces | Azure Blob container name                                            | models        |
| UPLOADS\_STORAGE\_AZURE\_BLOB\_CONNECTION\_STRING | workspaces | Azure Blob connection string                                         |               |
| UPLOADS\_STORAGE\_AZURE\_BLOB\_BASE\_URL          | workspaces | Base download URL (if omitted, workspaces API will be used as proxy) |               |

#### GCS Storage for uploads

| Name                                  | Service    | Description                                                                                                      | Default Value                                         |
| ------------------------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- |
| UPLOADS\_STORAGE\_GCS\_BUCKET         | workspaces | GCS bucket name (**required**)                                                                                   |                                                       |
| UPLOADS\_PUBLIC\_STORAGE\_GCS\_BUCKET | workspaces | GCS bucket name for public assets (**required if the private uploads bucket does not support object level ACL**) |                                                       |
| UPLOADS\_STORAGE\_GCS\_KEYFILEPATH    | workspaces | Service account configuration filepath                                                                           | `GOOGLE_APPLICATION_CREDENTIALS` environment variable |
| UPLOADS\_STORAGE\_GCS\_PROJECTID      | workspaces | GCS project id, only required when using apiKey                                                                  |                                                       |
| UPLOADS\_STORAGE\_GCS\_APIKEY         | workspaces | API key                                                                                                          |                                                       |
| STORAGE\_GCS\_MAX\_RETRIES            | workspaces | Maximum retries on rate-limited GCS requests                                                                     | 5                                                     |
| UPLOADS\_STORAGE\_GCS\_BASE\_URL      | workspaces | Base download URL (if omitted, workspaces API will be used as proxy)                                             |                                                       |

If **UPLOADS\_STORAGE\_GCS\_KEYFILEPATH** or **GOOGLE\_APPLICATION\_CREDENTIALS** is provided, only **UPLOADS\_STORAGE\_GCS\_BUCKET** is required.

**Notes on uploads bucket:**

By default, the driver stores all uploads inside the same bucket for both public and private files. This bucket must allow public access and enable object-level ACLs, letting the driver selectively set objects as public or private.

If these options are restricted in your environment, you can configure two separate buckets for public/private objects:

1. Both buckets can maintain default settings (which prohibit public access and disable object-level ACLs)
2. The public bucket could be served through a CDN allowed to access all objects (or any more restrictive pattern you prefer)

In this setup, `UPLOADS_STORAGE_S3_*` variables configure the private bucket, while `UPLOADS_PUBLIC_STORAGE_S3_*` variables configure the "public" bucket (i.e., the bucket dedicated to public assets, which is not necessarily publicly readable itself).

You can provide separate credentials for the public bucket or simply set these two variables to use the same credentials:

```
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BUCKET_NAME="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BASE_URL="your OPTIONAL CDN public base URL"
```

Equivalent variables exist for **GCS**:

```
UPLOADS_PUBLIC_STORAGE_GCS_BUCKET="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_GCS_BASE_URL="your OPTIONAL CDN public base URL"
```

To avoid public buckets / CDN, you can force all file download requests to go through the Prisme.ai API by **not providing** the `UPLOADS_STORAGE_*_BASE_URL` environment variable.

## Authentication & Security

### OIDC Configuration

| Name                              | Service                              | Description                                                             | Default Value                                                       |
| --------------------------------- | ------------------------------------ | ----------------------------------------------------------------------- | ------------------------------------------------------------------- |
| OIDC\_PROVIDER\_URL               | api-gateway, pages, console, runtime | OIDC Authorization public server URL (rarely needs changing)            | API\_URL without base path                                          |
| OIDC\_INTERNAL\_PROVIDER\_URL     | api-gateway                          | OIDC Authorization internal server URL (rarely needs changing)          | By precedence: INTERNAL\_API\_URL, OIDC\_PROVIDER\_URL, or API\_URL |
| OIDC\_STUDIO\_CLIENT\_ID          | api-gateway, console                 | Studio OIDC client ID                                                   | local-client-id                                                     |
| OIDC\_STUDIO\_CLIENT\_SECRET      | api-gateway                          | Studio OIDC client secret (known only by api-gateway)                   | local-client-id                                                     |
| OIDC\_CLIENT\_REGISTRATION\_TOKEN | api-gateway                          | Access token required for OIDC clients registration API                 | local-client-id                                                     |
| OIDC\_WELL\_KNOWN\_URL            | api-gateway                          | OIDC provider configuration discovery URL (only for external providers) |                                                                     |
| JWKS\_URL                         | api-gateway                          | Endpoint for retrieving JWKS as part of the JWKS strategy               | OIDC\_INTERNAL\_PROVIDER\_URL/oidc/jwks                             |

### Session & Token Configuration

| Name                           | Service     | Description                                                                 | Default Value                       |
| ------------------------------ | ----------- | --------------------------------------------------------------------------- | ----------------------------------- |
| SESSION\_COOKIES\_MAX\_AGE     | api-gateway | Auth server session cookies expiration (in seconds)                         | 2592000 (1 month)                   |
| ACCESS\_TOKENS\_MAX\_AGE       | api-gateway | Session expiration for both anonymous & authenticated sessions (in seconds) | 2592000 (1 month)                   |
| SESSION\_COOKIES\_SIGN\_SECRET | api-gateway | Session cookies signing secret                                              |                                     |
| SOCKETIO\_COOKIE\_MAX\_AGE     | events      | Socket.io cookie maxAge                                                     | Default from 'cookie' NodeJS module |

### Security Settings

| Name                               | Service        | Description                                                                                     | Default Value |
| ---------------------------------- | -------------- | ----------------------------------------------------------------------------------------------- | ------------- |
| CORS\_ADDITIONAL\_ALLOWED\_ORIGINS | api-gateway    | Additional allowed CORS origins (beyond STUDIO\_URL, PAGES\_HOST, and workspace custom domains) |               |
| CSP\_HEADER                        | console, pages | Content Security Policy header for frontend services (if undefined, no CSP header is returned)  |               |
| PASSWORD\_VALIDATION\_REGEXP       | api-gateway    | Password validation regular expression                                                          | `.{8,32}`     |
| ACCOUNT\_VALIDATION\_METHOD        | api-gateway    | Account validation method on signup: "auto", "email", or "manual"                               | email         |
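The following linter, added here as an example rather than code from the Prisme.ai project, reads a `.env` file and flags settings that this reference documents as weakening or incompletely configuring a deployment: `*_STORAGE_TLS_SELF_SIGNED=true` (certificate validation off), OIDC secrets left at the documented `local-client-id` default, password-less Redis endpoints on non-local hosts, an unset `CSP_HEADER`, the length-only default `PASSWORD_VALIDATION_REGEXP`, GCS uploads without a key file or project id plus API key, and `*_BASE_URL` values that bypass the workspaces API proxy. The sample `.env` text, the `.invalid`/`.internal` host names and the severity labels are constructed for this example.

```python
"""Lint a Prisme.ai .env file against the settings documented on this page.
Added example; not part of the Prisme.ai project."""
import re

DEFAULT_OIDC_SECRET = "local-client-id"  # documented default for both OIDC secrets
DEFAULT_PASSWORD_REGEXP = ".{8,32}"      # documented default, constrains length only
LOCAL_HOSTS = ("localhost", "127.0.0.1")
BASE_URL_VARS = ("UPLOADS_STORAGE_S3_LIKE_BASE_URL", "UPLOADS_STORAGE_AZURE_BLOB_BASE_URL",
                 "UPLOADS_STORAGE_GCS_BASE_URL", "UPLOADS_PUBLIC_STORAGE_S3_LIKE_BASE_URL",
                 "UPLOADS_PUBLIC_STORAGE_GCS_BASE_URL")
REDIS_VARS = (("BROKER_HOST", "BROKER_PASSWORD"),
              ("SESSIONS_STORAGE_HOST", "SESSIONS_STORAGE_PASSWORD"),
              ("CONTEXTS_CACHE_HOST", "CONTEXTS_CACHE_PASSWORD"))


def parse_env(text):
    """Parse KEY=VALUE lines; comments, blanks, 'export ' and quotes are tolerated."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def _is_true(value):
    return value.strip().lower() in ("true", "1", "yes")


def _remote_host(url):
    """True when a scheme://[user:pw@]host[:port][/path] URL points off-box."""
    host = re.sub(r"^[a-z+]+://(?:[^@/]*@)?", "", url, flags=re.I)
    return host.split("/")[0].split(":")[0] not in LOCAL_HOSTS


def lint(env):
    """Return (severity, variable, message) findings for one parsed .env dict."""
    findings = []
    # *_STORAGE_TLS_SELF_SIGNED=true disables server certificate validation.
    for prefix in ("PERMISSIONS", "USERS", "COLLECTIONS"):
        var = f"{prefix}_STORAGE_TLS_SELF_SIGNED"
        if _is_true(env.get(var, "false")):
            findings.append(("high", var, "server certificate validation disabled"))
    # Unset OIDC secrets fall back to the documented default value.
    for var in ("OIDC_STUDIO_CLIENT_SECRET", "OIDC_CLIENT_REGISTRATION_TOKEN"):
        if env.get(var, DEFAULT_OIDC_SECRET) == DEFAULT_OIDC_SECRET:
            findings.append(("high", var, "documented default secret in use"))
    # Redis reached over the network without a password.
    for host_var, pw_var in REDIS_VARS:
        host = env.get(host_var)
        if host and _remote_host(host) and not env.get(pw_var):
            findings.append(("medium", pw_var, f"no password for remote {host_var}"))
    if not env.get("SESSION_COOKIES_SIGN_SECRET"):
        findings.append(("medium", "SESSION_COOKIES_SIGN_SECRET", "not set (no default)"))
    # Without CSP_HEADER the console and pages return no CSP header at all.
    if not env.get("CSP_HEADER"):
        findings.append(("medium", "CSP_HEADER", "no Content-Security-Policy will be sent"))
    if env.get("PASSWORD_VALIDATION_REGEXP", DEFAULT_PASSWORD_REGEXP) == DEFAULT_PASSWORD_REGEXP:
        findings.append(("info", "PASSWORD_VALIDATION_REGEXP", "default length-only rule"))
    # GCS: bucket always required; without a key file or GOOGLE_APPLICATION_CREDENTIALS
    # the project id and API key pair is needed instead.
    for prefix in ("UPLOADS", "WORKSPACES"):
        if env.get(f"{prefix}_STORAGE_TYPE") != "GCS":
            continue
        if not env.get(f"{prefix}_STORAGE_GCS_BUCKET"):
            findings.append(("high", f"{prefix}_STORAGE_GCS_BUCKET", "required for GCS storage"))
        keyfile = env.get(f"{prefix}_STORAGE_GCS_KEYFILEPATH") or env.get("GOOGLE_APPLICATION_CREDENTIALS")
        apikey = env.get(f"{prefix}_STORAGE_GCS_PROJECTID") and env.get(f"{prefix}_STORAGE_GCS_APIKEY")
        if not keyfile and not apikey:
            findings.append(("high", f"{prefix}_STORAGE_GCS_KEYFILEPATH",
                             "no service account key file and no project id + API key"))
    # A *_BASE_URL serves downloads from the bucket/CDN instead of the API proxy.
    for var in BASE_URL_VARS:
        if env.get(var):
            findings.append(("info", var, "downloads not proxied by the workspaces API"))
    if env.get("ACCOUNT_VALIDATION_METHOD", "email") == "auto":
        findings.append(("info", "ACCOUNT_VALIDATION_METHOD", "signups validated automatically"))
    return findings


def lint_text(text):
    return lint(parse_env(text))


# Constructed sample .env for demonstration; not a real deployment.
SAMPLE_ENV = """
PERMISSIONS_STORAGE_HOST=mongodb://db.internal:27017/permissions
PERMISSIONS_STORAGE_TLS_SELF_SIGNED=true
USERS_STORAGE_TLS_SELF_SIGNED=false
OIDC_STUDIO_CLIENT_SECRET=local-client-id
OIDC_CLIENT_REGISTRATION_TOKEN="constructed-registration-token"
BROKER_HOST=redis://redis.internal:6379/0
SESSIONS_STORAGE_HOST=redis://localhost:6379/0
SESSION_COOKIES_SIGN_SECRET=constructed-long-random-value
CSP_HEADER="default-src 'self'"
UPLOADS_STORAGE_TYPE=GCS
UPLOADS_STORAGE_GCS_BUCKET=constructed-private-uploads
UPLOADS_STORAGE_GCS_BASE_URL=https://cdn.example.invalid
ACCOUNT_VALIDATION_METHOD=auto
"""

if __name__ == "__main__":
    for severity, var, msg in lint_text(SAMPLE_ENV):
        print(f"[{severity}] {var}: {msg}")
```

Run it against your own `services/*/.env`; every finding maps back to one row of the tables above, so the fix is the documented variable itself.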

## Service-Specific Configuration

### API Gateway

| Name                    | Service                 | Description                                                                                                                                                           | Default Value                                    |
| ----------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
| PORT                    | api-gateway             | Listening port number                                                                                                                                                 | 3001                                             |
| GATEWAY\_CONFIG\_PATH   | api-gateway             | Path to gateway.config.yml                                                                                                                                            | ../../gateway.config.yml                         |
| AUTH\_PROVIDERS\_CONFIG | api-gateway             | Path to authProviders.config.yml                                                                                                                                      | ../../authProviders.config.yml                   |
| INTERNAL\_API\_KEY      | api-gateway, workspaces | API key for internal services to access events /sys/cleanup API                                                                                                       |                                                  |
| WORKSPACES\_API\_URL    | api-gateway             | prismeai-workspaces internal URL                                                                                                                                      | [http://workspaces:3002](http://workspaces:3002) |
| EVENTS\_API\_URL        | api-gateway             | prismeai-events internal URL                                                                                                                                          | [http://events:3004](http://events:3004)         |
| RUNTIME\_API\_URL       | api-gateway             | prismeai-runtime internal URL                                                                                                                                         | [http://runtime:3003](http://runtime:3003)       |
| X\_FORWARDED\_HEADERS   | api-gateway             | Add X-Forwarded-\* headers on proxied requests                                                                                                                        | yes                                              |
| SUPER\_ADMIN\_EMAILS    | api-gateway             | Comma-separated list of user emails with access to all workspaces (e.g., "[admin@example.com](mailto:admin@example.com),[user@company.com](mailto:user@company.com)") | None                                             |
| REQUEST\_MAX\_SIZE      | api-gateway             | Maximum request body size (format from bodyParser.json)                                                                                                               | 1mb                                              |
| EMAIL\_DRIVER           | api-gateway             | Email driver to use. ("smtp", "mailgun")                                                                                                                              | mailgun                                          |
| EMAIL\_FROM             | api-gateway             | Email address to use as "from" when sending emails                                                                                                                    | `"Prisme.ai" <no-reply@prisme.ai>`               |
| SMTP\_HOST              | api-gateway             | Hostname or IP address of your SMTP server. (example: smtp.gmail.com)                                                                                                 |                                                  |
| SMTP\_PORT              | api-gateway             | Port to connect to                                                                                                                                                    | 587                                              |
| SMTP\_USER              | api-gateway             | Username for SMTP authentication                                                                                                                                      |                                                  |
| SMTP\_PASS              | api-gateway             | Password for SMTP authentication                                                                                                                                      |                                                  |
| SMTP\_SECURE            | api-gateway             | If true, the connection will use TLS immediately (recommended for port 465).                                                                                          | false                                            |

### Console

| Name                            | Service        | Description                                                                                                                                                                                                               | Default Value                           |
| ------------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- |
| PORT                            | console        | Listening port number                                                                                                                                                                                                     | 3000                                    |
| WORKSPACE\_OPS\_MANAGER         | console, page  | Public base URL of the AI Governance workspace webhooks, used to derive the endpoints below (customization, suggestions, products, ...). Example: `https://<API_URL>/v2/workspaces/{AIG_WORKSPACE_ID}/webhooks/` |                                         |
| CUSTOMIZATION\_ENDPOINT         | console, page  | Public URL of the `/customization` webhook (retrieves platform theme settings)                                                                                                                                   | \$WORKSPACE\_OPS\_MANAGER/customization |
| TRACKING\_WEBHOOK               | console, page  | URL of the `/tracking` webhook (tracks builder activity)                                                                                                                                                         | \$WORKSPACE\_OPS\_MANAGER/tracking      |
| SUGGESTIONS\_ENDPOINT           | console, page  | URL of the `/suggestions` webhook (retrieves suggestions shown in the builder's left menu)                                                                                                                       | \$WORKSPACE\_OPS\_MANAGER/suggestions   |
| PRODUCTS\_ENDPOINT              | console, page  | URL of the `/products` webhook (retrieves products shown in the left menu)                                                                                                                                       | \$WORKSPACE\_OPS\_MANAGER/products      |
| TRANSLATIONS\_OVERRIDE          | console, page  | URL of the `/translations` webhook (retrieves platform custom translations)                                                                                                                                      | \$WORKSPACE\_OPS\_MANAGER/translations  |
| WEBSOCKETS\_DEFAULT\_TRANSPORTS | console, pages | Default Socket.io transport methods                                                                                                                                                                                       | polling,websocket                       |

**None of `*_ENDPOINT`, `*_WEBHOOK` or `*_OVERRIDE` should be configured if the generic `WORKSPACE_OPS_MANAGER` environment variable is set (recommended). In Helm, it can be set through the `prismeai-console.workspace_ops_manager` and `prismeai-pages.workspace_ops_manager` values.**

### Events Service

| Name                                              | Service | Description                                                                                                                                                                                              | Default Value |
| ------------------------------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| PORT                                              | events  | Listening port number                                                                                                                                                                                    | 3004          |
| EVENTS\_BUFFER\_FLUSH\_AT                         | events  | Persist events in data lake after this many events                                                                                                                                                       | 128           |
| EVENTS\_BUFFER\_HIGH\_WATERMARK                   | events  | Stop listening for new events when this many are waiting to be persisted                                                                                                                                 | 256           |
| EVENTS\_BUFFER\_FLUSH\_EVERY                      | events  | Persist events every N milliseconds, even if EVENTS\_BUFFER\_FLUSH\_AT not reached                                                                                                                       | 5000          |
| EVENTS\_RETENTION\_DAYS                           | events  | Days events are kept in data lake before removal                                                                                                                                                         | 180           |
| EVENTS\_CLEANUP\_WORKSPACE\_INACTIVITY\_DAYS      | events  | Delete workspace events if inactive for more than N days & with fewer than EVENTS\_CLEANUP\_WORKSPACE\_MAX\_EVENTS                                                                                       | 15            |
| EVENTS\_CLEANUP\_WORKSPACE\_MAX\_EVENTS           | events  | Delete workspace events if inactive for more than EVENTS\_CLEANUP\_WORKSPACE\_INACTIVITY\_DAYS & with fewer than N events                                                                                | 100           |
| EVENTS\_SCHEDULED\_DELETION\_DAYS                 | events  | Days events are kept in data lake after workspace deletion (min\_age parameter for the `policy-events-deletion-scheduled` ILM policy)                                                                    | 90            |
| ELASTIC\_SEARCH\_TIMEOUT                          | events  | Best-effort timeout for search requests: [https://www.elastic.co/docs/solutions/search/the-search-api#search-timeout](https://www.elastic.co/docs/solutions/search/the-search-api#search-timeout)        | 20000ms       |
| EVENTS\_CLEANUP\_AUTOMATION\_EXECUTED\_EXPIRATION | events  | Expiration period enforced by `/cleanup` API for payload & output fields of runtime.automations.executed events. Can also be tuned from Helm `prismeai-events.events.automationExecutedExpiration` value | 14d           |

### Runtime Service

| Name                                                     | Service | Description                                                                                                             | Default Value                                              |
| -------------------------------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- |
| PORT                                                     | runtime | Listening port number                                                                                                   | 3003                                                       |
| MAXIMUM\_SUCCESSIVE\_CALLS                               | runtime | Maximum automation executions for the same correlation ID                                                               | 20                                                         |
| CONTEXT\_RUN\_EXPIRE\_TIME                               | runtime | Run context expiration time in seconds                                                                                  | 60                                                         |
| CONTEXT\_UNAUTHENTICATED\_SESSION\_EXPIRE\_TIME          | runtime | Session context expiration time in seconds for unauthenticated sessions                                                 | 3600 (1 hour)                                              |
| ADDITIONAL\_GLOBAL\_VARS\_\*                               | runtime | Additional variables available from global context (e.g., ADDITIONAL\_GLOBAL\_VARS\_apiUrl becomes `{{global.apiUrl}}`) | None                                                       |
| WORKSPACE\_CONFIG\_`{{workspaceSlug}}`\_`{{variableName}}` | runtime | Variables available for specific workspaces                                                                             | None                                                       |
| APP\_CONFIG\_`{{appSlug}}`\_`{{variableName}}`             | runtime | Variables available for specific apps                                                                                   | None                                                       |
| FETCH\_FORBIDDEN\_HOSTS                                  | runtime | Comma-separated list of forbidden hostnames in fetch instruction                                                        |                                                            |
| FETCH\_MAX\_RETRIES                                      | runtime | Maximum fetch retries                                                                                                   | 3                                                          |
| FETCH\_RETRY\_CODES                                      | runtime | Error codes that trigger fetch retries                                                                                  | ECONNRESET,UND\_ERR\_SOCKET,EPIPE,EHOSTUNREACH,ENETUNREACH |
| FETCH\_RETRY\_STATUS                                     | runtime | Response status codes that trigger fetch retries                                                                        | 429,503,502                                                |
| RUNNER\_MAX\_THREADS                                     | runtime | Number of worker\_threads per runtime instance                                                                          | 1                                                          |
| CONTEXT\_SOCKET\_MAX\_SIZE                               | runtime | Maximum size in bytes of **socket** context (this limit currently only emits an error and does not throw)              | 100000                                                     |
| CONTEXT\_GLOBAL\_MAX\_SIZE                               | runtime | Maximum size in bytes of **global** context (this limit currently only emits an error and does not throw)              | 500000                                                     |
| CONTEXT\_RUN\_MAX\_SIZE                                  | runtime | Maximum size in bytes of **run** context (this limit currently only emits an error and does not throw)                 | 500000                                                     |
| CONTEXT\_USER\_MAX\_SIZE                                 | runtime | Maximum size in bytes of **user** context (this limit currently only emits an error and does not throw)                | 100000                                                     |
| CONTEXT\_SESSION\_MAX\_SIZE                              | runtime | Maximum size in bytes of **session** context (this limit currently only emits an error and does not throw)             | 1000000                                                    |
| CONTEXT\_LOCAL\_MAX\_SIZE                                | runtime | Maximum size in bytes of **local** context (this limit currently only emits an error and does not throw)               | 50000000                                                   |
| CONTEXT\_CONFIG\_MAX\_SIZE                               | runtime | Maximum size in bytes of **config** context (this limit currently only emits an error and does not throw)              | 100000                                                     |

### Workspaces Service

| Name                          | Service                          | Description                                                        | Default Value                                 |
| ----------------------------- | -------------------------------- | ------------------------------------------------------------------ | --------------------------------------------- |
| PORT                          | workspaces                       | Listening port number                                              | 3002                                          |
| UPLOADS\_ALLOWED\_MIMETYPES   | workspaces                       | Comma-separated list of allowed upload MIME types                  | image/*,text/*,video/*,audio/*,application/\* |
| UPLOADS\_FORBIDDEN\_MIMETYPES | workspaces                       | Comma-separated list of forbidden upload MIME types (no wildcards) |                                               |
| UPLOADS\_DEFAULT\_VISIBILITY  | workspaces                       | Default upload visibility if not specified in API request          | public                                        |
| UPLOADS\_MAX\_SIZE            | workspaces, api-gateway, runtime | Maximum upload size in bytes                                       | 10000000 (10MB)                               |
| IMPORT\_BATCH\_SIZE           | workspaces                       | Maximum parallel save requests during imports                      | 50                                            |

#### Platform Repositories

Platform repositories are shared repositories automatically available to **all workspaces** for versioning (push/pull). They are configured entirely through environment variables and require no per-workspace setup.

Each workspace's files are stored in a subdirectory named after the workspace slug within the repository. This allows a single repository to serve as a centralized versioning backend for every workspace on the platform.

Multiple platform repositories can be configured by using the following naming convention:

```
WORKSPACES_STORAGE_GIT_PLATFORM_{repoId}_{FIELD}
```

Where `{repoId}` is a unique identifier for the repository (e.g., `prismeai`, `backup`) and `{FIELD}` is one of the supported fields listed below.

| Field suffix    | Description                                                                                                                                                                                                                                                                                                                                   | Default Value |
| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `TYPE`          | Repository type: `git` (remote Git repository) or `filesystem` (local directory)                                                                                                                                                                                                                                                              | `git`         |
| `URL`           | Git repository URL (**required for `git` type** — the repository is only enabled if this is set)                                                                                                                                                                                                                                              |               |
| `NAME`          | Display name shown in the UI                                                                                                                                                                                                                                                                                                                  | `{repoId}`    |
| `BRANCH`        | Git branch to use (only for `git` type)                                                                                                                                                                                                                                                                                                       | `main`        |
| `MODE`          | Access mode: `read-write` or `read-only`                                                                                                                                                                                                                                                                                                      | `read-write`  |
| `DIRPATH`       | For `git` type: base directory path inside the repository. Each workspace's files are stored under `{dirpath}/{workspaceSlug}`. If omitted, workspace files are stored directly under `{workspaceSlug}` at the repository root. For `filesystem` type: **required** absolute path to the local directory containing workspace subdirectories. |               |
| `AUTH_USER`     | Username for HTTPS authentication (only for `git` type)                                                                                                                                                                                                                                                                                       |               |
| `AUTH_PASSWORD` | Password or personal access token (PAT) for HTTPS authentication (only for `git` type)                                                                                                                                                                                                                                                        |               |
| `AUTH_SSHKEY`   | SSH private key content for SSH authentication (only for `git` type)                                                                                                                                                                                                                                                                          |               |

<Warning>
  The `filesystem` type is reserved for platform repositories and cannot be used in workspace-level repository configurations.
</Warning>

**Example — single platform Git repository:**

```dotenv theme={null}
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_URL=https://github.com/myorg/workspaces.git
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_NAME=Platform Repository
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_BRANCH=main
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_USER=your-user
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_PASSWORD=github_pat_xxxxxxx
```

**Example — filesystem platform repository (like the one embedded in the prismeai-workspaces Docker image):**

```dotenv theme={null}
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE=filesystem
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME=Built-in Workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH=/www/platform-workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_MODE=read-only
```

With this configuration, the platform expects workspace directories directly inside `/www/platform-workspaces/` (e.g., `/www/platform-workspaces/ai-knowledge/`, etc.).

**Example — with a custom directory path (Git):**

```dotenv theme={null}
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_URL=https://github.com/myorg/monorepo.git
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_NAME=Platform Repository
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_DIRPATH=workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_USER=your-user
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_PASSWORD=github_pat_xxxxxxx
```

With this configuration, a workspace with slug `myapp` would be stored under `workspaces/myapp/` in the repository.

**Example — multiple platform repositories:**

```dotenv theme={null}
# Primary read-write Git repository
WORKSPACES_STORAGE_GIT_PLATFORM_primary_URL=https://github.com/myorg/workspaces.git
WORKSPACES_STORAGE_GIT_PLATFORM_primary_NAME=Main Repository
WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_USER=x-access-token
WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_PASSWORD=ghp_xxxxxxxxxxxx

# Read-only backup Git repository
WORKSPACES_STORAGE_GIT_PLATFORM_backup_URL=git@github.com:myorg/workspaces-backup.git
WORKSPACES_STORAGE_GIT_PLATFORM_backup_NAME=Backup (read-only)
WORKSPACES_STORAGE_GIT_PLATFORM_backup_MODE=read-only
WORKSPACES_STORAGE_GIT_PLATFORM_backup_AUTH_SSHKEY="-----BEGIN OPENSSH PRIVATE KEY-----\n..."

# Built-in filesystem repository (Docker image)
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE=filesystem
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME=Built-in Workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH=/www/platform-workspaces
```

**Notes:**

* Platform repositories are returned in the `platformRepositories` field of the workspace API response — they do not include auth details, and are never persisted into the workspace configuration.
* Authentication credentials are never exposed in API responses.
* For GitHub HTTPS authentication, use your username as `AUTH_USER` and a personal access token (PAT) with read-write permissions on **Contents** as `AUTH_PASSWORD`.
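Loading this naming convention in code, as an added TypeScript example that is not part of Prisme.ai's code base: it applies the defaults from the field table, skips `git` repositories without a `URL`, rejects `filesystem` repositories without an absolute `DIRPATH`, and strips credentials for the API view described in the notes. The function names and the `PlatformRepository` shape are assumptions; the sample environment is constructed from the examples above.

```typescript
// Added example, not Prisme.ai's own code. Parses WORKSPACES_STORAGE_GIT_PLATFORM_{repoId}_{FIELD}
// variables into typed repository configs and derives a credential-free view for API responses.
type RepoType = "git" | "filesystem";
type RepoMode = "read-write" | "read-only";

interface GitAuth { user?: string; password?: string; sshKey?: string }

interface PlatformRepository {
  id: string;
  type: RepoType;
  name: string;
  mode: RepoMode;
  url?: string;     // git only; the repository is enabled only when set
  branch?: string;  // git only, defaults to "main"
  dirpath?: string; // git: optional base dir; filesystem: required absolute path
  auth?: GitAuth;   // git only; must never reach API responses
}

const PREFIX = "WORKSPACES_STORAGE_GIT_PLATFORM_";
// Known field suffixes: repoId is whatever sits between PREFIX and "_" + FIELD.
const FIELDS = ["TYPE", "URL", "NAME", "BRANCH", "MODE", "DIRPATH", "AUTH_USER", "AUTH_PASSWORD", "AUTH_SSHKEY"];

function parsePlatformRepositories(env: Record<string, string | undefined>): PlatformRepository[] {
  // 1. Group raw values by repoId, ignoring unknown suffixes instead of guessing.
  const byRepo: Record<string, Record<string, string>> = {};
  for (const key of Object.keys(env)) {
    const value = env[key];
    if (!key.startsWith(PREFIX) || !value) continue;
    const rest = key.slice(PREFIX.length);
    const field = FIELDS.find((f) => rest.endsWith("_" + f));
    if (!field) continue;
    const repoId = rest.slice(0, rest.length - field.length - 1);
    if (!repoId) continue;
    const fields = byRepo[repoId] ?? {};
    fields[field] = value;
    byRepo[repoId] = fields;
  }

  // 2. Apply the documented defaults and validation, repository by repository.
  const repos: PlatformRepository[] = [];
  for (const id of Object.keys(byRepo).sort()) {
    const f = byRepo[id] ?? {};
    const type = f.TYPE ?? "git";
    const mode = f.MODE ?? "read-write";
    if (type !== "git" && type !== "filesystem") throw new Error(`${id}: TYPE must be git or filesystem`);
    if (mode !== "read-write" && mode !== "read-only") throw new Error(`${id}: MODE must be read-write or read-only`);
    const base = { id, type: type as RepoType, mode: mode as RepoMode, name: f.NAME ?? id };
    if (type === "filesystem") {
      // DIRPATH is required for filesystem repositories and must be absolute.
      if (!f.DIRPATH || !f.DIRPATH.startsWith("/")) throw new Error(`${id}: filesystem repositories need an absolute DIRPATH`);
      repos.push({ ...base, dirpath: f.DIRPATH });
      continue;
    }
    if (!f.URL) continue; // git repository without URL: not enabled
    const repo: PlatformRepository = { ...base, url: f.URL, branch: f.BRANCH ?? "main" };
    if (f.DIRPATH) repo.dirpath = f.DIRPATH;
    const auth: GitAuth = {};
    if (f.AUTH_USER) auth.user = f.AUTH_USER;
    if (f.AUTH_PASSWORD) auth.password = f.AUTH_PASSWORD;
    if (f.AUTH_SSHKEY) auth.sshKey = f.AUTH_SSHKEY;
    if (Object.keys(auth).length > 0) repo.auth = auth;
    repos.push(repo);
  }
  return repos;
}

// Where a workspace's files live inside a repository (the DIRPATH rule from the field table).
function workspacePath(repo: PlatformRepository, workspaceSlug: string): string {
  return repo.dirpath ? `${repo.dirpath}/${workspaceSlug}` : workspaceSlug;
}

// What the `platformRepositories` field may carry: everything except auth.
function toApiView(repo: PlatformRepository): Omit<PlatformRepository, "auth"> {
  const view: PlatformRepository = { ...repo };
  delete view.auth;
  return view;
}

// Constructed sample environment, mirroring the "multiple platform repositories" example.
const SAMPLE_ENV: Record<string, string> = {
  WORKSPACES_STORAGE_GIT_PLATFORM_primary_URL: "https://github.com/myorg/workspaces.git",
  WORKSPACES_STORAGE_GIT_PLATFORM_primary_NAME: "Main Repository",
  WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_USER: "x-access-token",
  WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_PASSWORD: "ghp_xxxxxxxxxxxx",
  WORKSPACES_STORAGE_GIT_PLATFORM_backup_URL: "git@github.com:myorg/workspaces-backup.git",
  WORKSPACES_STORAGE_GIT_PLATFORM_backup_MODE: "read-only",
  WORKSPACES_STORAGE_GIT_PLATFORM_backup_AUTH_SSHKEY: "-----BEGIN OPENSSH PRIVATE KEY-----\n...",
  WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE: "filesystem",
  WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME: "Built-in Workspaces",
  WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH: "/www/platform-workspaces",
  WORKSPACES_STORAGE_GIT_PLATFORM_disabled_NAME: "git repository without URL, so not enabled",
  UNRELATED_VAR: "ignored",
};

function sampleApiView(): Omit<PlatformRepository, "auth">[] {
  return parsePlatformRepositories(SAMPLE_ENV).map(toApiView);
}

console.log(JSON.stringify(sampleApiView(), null, 2));
```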

#### Workspace Groups

Workspace groups define logical sets of workspaces that can be imported together via bulk import. Groups are configured through environment variables:

```
WORKSPACES_GROUP_{groupName}_LABELS="label1,label2,..."
```

A workspace belongs to a group if at least one of its labels matches one of the group's labels. When a workspace is pushed to a platform repository, the groups it belongs to are recorded in its `.import.yml` file.

| Name                                  | Service    | Description                                                                                                  | Default Value |
| ------------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `WORKSPACES_GROUP_{groupName}_LABELS` | workspaces | Comma-separated list of labels for the group. A workspace with any matching label is included in this group. |               |

**Example:**

```dotenv theme={null}
# Core dependencies
WORKSPACES_GROUP_base1_LABELS=production:app:base1
WORKSPACES_GROUP_base2_LABELS=production:app:base2

# Core products
WORKSPACES_GROUP_extended_LABELS=production:app,production:product
```

These group names are then used in:

* The **bulk import** API (`groups` body parameter): `POST /v2/workspaces/platform/versions/latest/pull`
* The **bulk push** API (`groups` body parameter): `POST /v2/workspaces/platform/versions`
* `STARTUP_IMPORT_GROUPS` to select which workspaces to import automatically on startup

#### Automatic Import at Startup

The workspaces service can automatically trigger a bulk import when it starts. This is useful for initial deployments and platform upgrades, ensuring that reference workspaces from a platform repository are always up to date.

| Name                        | Service    | Description                                                                                                                                                                                         | Default Value |
| --------------------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `STARTUP_IMPORT_GROUPS`     | workspaces | Comma-separated list of group names to import at startup. Each group is imported sequentially. If any group encounters errors, remaining groups are skipped. If empty, no auto-import is performed. |               |
| `STARTUP_IMPORT_REPOSITORY` | workspaces | Repository ID (matching a configured platform repository) to import from at startup.                                                                                                                |               |

**Example:**

```dotenv theme={null}
# Import core workspaces from the built-in filesystem repository at startup
STARTUP_IMPORT_GROUPS=base1,base2,extended
STARTUP_IMPORT_REPOSITORY=builtin
```

At startup, the service:

1. Ensures the `platform` workspace exists (creates it if needed)
2. Waits for the platform to be ready (checks the `/v2/readiness` endpoint, with a 5-minute timeout)
3. Imports each group sequentially using the bulk import mechanism, with a 30s pause between each group
4. Skips workspaces already at the correct version (based on `.import.yml` version matching)

<Info>
  When multiple replicas start simultaneously (e.g., during a rollout), only one replica acquires the write lock on the Platform workspace and performs the import. Other replicas skip the import entirely.
</Info>
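The group matching rule from the Workspace Groups section, the `groups` selection used by bulk import/push, and the configuration checks behind the startup import above, as an added TypeScript example that is not Prisme.ai's own code. The function names, the `WorkspaceRef` shape and the whole-label (not prefix) matching are assumptions; the sample environment and workspaces are constructed from the examples above.

```typescript
// Added example, not Prisme.ai's own code. Resolves WORKSPACES_GROUP_{groupName}_LABELS
// into group membership and validates a STARTUP_IMPORT_* configuration.
interface WorkspaceRef { slug: string; labels: string[] }
type GroupLabels = Record<string, string[]>;

const GROUP_PREFIX = "WORKSPACES_GROUP_";
const GROUP_SUFFIX = "_LABELS";

function splitList(value: string | undefined): string[] {
  return (value ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

function parseWorkspaceGroups(env: Record<string, string | undefined>): GroupLabels {
  const groups: GroupLabels = {};
  for (const key of Object.keys(env)) {
    if (!key.startsWith(GROUP_PREFIX) || !key.endsWith(GROUP_SUFFIX)) continue;
    const name = key.slice(GROUP_PREFIX.length, key.length - GROUP_SUFFIX.length);
    const labels = splitList(env[key]);
    if (name && labels.length > 0) groups[name] = labels;
  }
  return groups;
}

// A workspace is in every group that shares at least one label with it. Labels are
// compared as whole strings (assumption), so "production:app:base1" does not match "production:app".
function groupsForWorkspace(ws: WorkspaceRef, groups: GroupLabels): string[] {
  const own = new Set(ws.labels);
  return Object.keys(groups).filter((g) => (groups[g] ?? []).some((l) => own.has(l))).sort();
}

// Workspaces selected by a `groups` parameter (bulk import/push) or STARTUP_IMPORT_GROUPS:
// requested-group order, no duplicates, unknown group names reported rather than ignored.
function selectWorkspaces(requested: string[], groups: GroupLabels, workspaces: WorkspaceRef[]): { slugs: string[]; unknownGroups: string[] } {
  const slugs: string[] = [];
  const unknownGroups: string[] = [];
  for (const g of requested) {
    if (!groups[g]) { unknownGroups.push(g); continue; }
    for (const ws of workspaces) {
      if (groupsForWorkspace(ws, groups).includes(g) && !slugs.includes(ws.slug)) slugs.push(ws.slug);
    }
  }
  return { slugs, unknownGroups };
}

// Startup configuration check: an empty STARTUP_IMPORT_GROUPS means no auto-import, the
// repository must be a configured platform repository, and every group must be defined.
interface StartupPlan { repository?: string; groups: string[]; problems: string[] }

function planStartupImport(env: Record<string, string | undefined>, groups: GroupLabels, platformRepoIds: string[]): StartupPlan {
  const requested = splitList(env.STARTUP_IMPORT_GROUPS);
  const repository = env.STARTUP_IMPORT_REPOSITORY;
  const problems: string[] = [];
  if (requested.length === 0) return { groups: [], problems };
  if (!repository) problems.push("STARTUP_IMPORT_REPOSITORY is not set");
  else if (!platformRepoIds.includes(repository)) problems.push(`repository "${repository}" is not a configured platform repository`);
  for (const g of requested) {
    if (!groups[g]) problems.push(`group "${g}" has no ${GROUP_PREFIX}${g}${GROUP_SUFFIX}`);
  }
  return { repository, groups: requested, problems };
}

// Constructed sample data mirroring the group example and the startup example above.
const GROUP_ENV: Record<string, string> = {
  WORKSPACES_GROUP_base1_LABELS: "production:app:base1",
  WORKSPACES_GROUP_base2_LABELS: "production:app:base2",
  WORKSPACES_GROUP_extended_LABELS: "production:app,production:product",
  STARTUP_IMPORT_GROUPS: "base1,base2,extended",
  STARTUP_IMPORT_REPOSITORY: "builtin",
};
const SAMPLE_WORKSPACES: WorkspaceRef[] = [
  { slug: "core-base1", labels: ["production:app:base1"] },
  { slug: "core-base2", labels: ["production:app:base2", "production:app"] },
  { slug: "ai-knowledge", labels: ["production:product"] },
  { slug: "sandbox", labels: ["dev"] },
];

const sampleGroups = parseWorkspaceGroups(GROUP_ENV);
console.log(selectWorkspaces(["base1", "base2", "extended"], sampleGroups, SAMPLE_WORKSPACES));
console.log(planStartupImport(GROUP_ENV, sampleGroups, ["builtin", "primary"]));
```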

## Performance & Limits

### Rate Limiting

| Name                          | Service     | Description                                                | Default Value |
| ----------------------------- | ----------- | ---------------------------------------------------------- | ------------- |
| DISABLE\_RATE\_LIMIT          | api-gateway | Set it to true in order to disable all rate limits         |               |
| RATE\_LIMIT\_SIGNUP           | api-gateway | Maximum signups per IP per minute                          | 1             |
| RATE\_LIMIT\_ANONYMOUS\_LOGIN | api-gateway | Maximum anonymous logins per IP per minute                 | 10            |
| RATE\_LIMIT\_PRISMEAI\_LOGIN  | api-gateway | Maximum email/password login attempts per email per minute | 5             |
| RATE\_LIMIT\_PASSWORD\_RESET  | api-gateway | Maximum password reset requests per IP per minute          | 1             |

## Integration & APIs

| Name              | Service      | Description                                           | Default Value                 |
| ----------------- | ------------ | ----------------------------------------------------- | ----------------------------- |
| OPENAPI\_FILEPATH | All services | Path to Swagger file for requests & events validation | ../specifications/swagger.yml |

## Examples

### S3 Storage Configuration

```dotenv theme={null}
# Configure workspace storage with S3
WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
WORKSPACES_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=prisme-workspaces
WORKSPACES_STORAGE_S3_LIKE_REGION=us-west-1
WORKSPACES_STORAGE_S3_LIKE_BASE_URL=https://prisme-workspaces.s3.us-west-1.amazonaws.com

# Configure uploads with the same credentials but different bucket
UPLOADS_STORAGE_TYPE=S3_LIKE
UPLOADS_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
UPLOADS_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
UPLOADS_STORAGE_S3_LIKE_BUCKET_NAME=prisme-uploads
UPLOADS_STORAGE_S3_LIKE_REGION=us-west-1
UPLOADS_STORAGE_S3_LIKE_BASE_URL=https://prisme-uploads.s3.us-west-1.amazonaws.com
```

### Authentication and Rate Limiting for Production

```dotenv theme={null}
# Set a strong password policy
PASSWORD_VALIDATION_REGEXP="YOUR_REGEX"

# Enable manual account validation
ACCOUNT_VALIDATION_METHOD=manual

# Configure super admins
SUPER_ADMIN_EMAILS=admin@company.com,security@company.com

# Set stricter rate limits
RATE_LIMIT_SIGNUP=1
RATE_LIMIT_ANONYMOUS_LOGIN=5
RATE_LIMIT_PRISMEAI_LOGIN=3
RATE_LIMIT_PASSWORD_RESET=1
```
