Prisme.ai services can be configured through various environment variables. This reference provides a comprehensive list of available configuration options for your deployment.
Configuration Methods
Docker Setup
In a Docker deployment, configure these variables in the root docker-compose.yml file. See the Docker Compose documentation for more details.
Developer Setup
In a development environment, create a services/*/.env file containing key/value pairs:
WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=someBucketName
...
To run a service directly from its Docker image, add an env_file option to its services/*/docker-compose.yml file:
console:
entrypoint: npm start --prefix services/console
restart: on-failure
image: registry.gitlab.com/prisme.ai/prisme.ai/prisme.ai-console:latest
ports:
- "3000:3000"
env_file: ./.env
Note 1: Default values may differ depending on the selected start mode (Docker or Developer), especially URL-related variables.
Note 2: Relative paths start from the executing service directory.
Variable Categories
Domains & URLs
Configure the URLs and domains used by Prisme.ai services.
| Name | Service | Description | Default Value |
|---|---|---|---|
| INTERNAL_API_URL | All services | api-gateway internal URL for internal requests ending with /v2 version suffix (i.e., contact fetching, public JWKS, runtime fetches) | http://localhost:3001/v2 |
| API_URL | All services | api-gateway public URL ending with /v2 version suffix | http://studio.local.prisme.ai:3001/v2 |
| CONSOLE_URL | api-gateway, console, runtime | Studio URL, used for emails, auth redirections & runtime variable {{global.studioUrl}}. Accepts a comma-separated list to expose the same frontend under several domains — every URL serves the same Studio and all of them call the single API_URL. All listed origins are auto-allowlisted for CORS and OIDC redirects. | http://studio.local.prisme.ai:3000 |
Databases & Storage
Redis Configuration
| Name | Service | Description | Default Value |
|---|---|---|---|
| BROKER_HOST | api-gateway, workspaces, events, runtime | Redis broker URL (must be the same across services) | redis://localhost:6379/0 |
| BROKER_PASSWORD | api-gateway, workspaces, events, runtime | Redis broker password | |
| BROKER_TLS_CA_FILE | api-gateway, workspaces, events, runtime | Redis TLS CA filepath | |
| BROKER_NAMESPACE | api-gateway, workspaces, events, runtime | Optional namespace to segment events when database instance is shared by multiple platforms | |
| BROKER_TOPIC_MAXLEN | api-gateway, workspaces, events, runtime | Redis streams max length before getting truncated (Capped Streams) | 10000 |
| BROKER_EMIT_MAXLEN | api-gateway, workspaces, events, runtime | Maximum size (in bytes) of emitted events | 100000 |
| BROKER_EMIT_EXECUTED_AUTOMATION_MAXLEN | runtime | Maximum size (in bytes) of emitted runtime.automations.executed events | 10000 |
| SESSIONS_STORAGE_HOST | api-gateway | Redis URL for sessions storage | redis://localhost:6379/0 |
| SESSIONS_STORAGE_PASSWORD | api-gateway | Redis password for sessions storage | |
| SESSIONS_STORAGE_TLS_CA_FILE | api-gateway | Redis TLS CA filepath | |
| CONTEXTS_CACHE_HOST | runtime | Redis URL for contexts persistence | redis://localhost:6379/0 |
| CONTEXTS_CACHE_PASSWORD | runtime | Redis password for contexts persistence | |
| CONTEXTS_CACHE_TLS_CA_FILE | runtime | Redis TLS CA filepath | |
| EVENTS_TOPICS_CACHE_HOST | events | Redis URL for event userTopics persistence | BROKER_HOST variable |
| EVENTS_TOPICS_CACHE_PASSWORD | events | Redis password for event userTopics persistence | |
| EVENTS_TOPICS_CACHE_TLS_CA_FILE | events | Redis TLS CA filepath | |
MongoDB/PostgreSQL Configuration
| Name | Service | Description | Default Value |
|---|---|---|---|
| PERMISSIONS_STORAGE_DRIVER | api-gateway, workspaces, events, runtime | Database driver for permissions storage (must be the same for both workspaces & events): mongodb, postgresql | mongodb |
| PERMISSIONS_STORAGE_HOST | api-gateway, workspaces, events, runtime | Database URL for permissions storage (must be the same for both workspaces & events) | mongodb://localhost:27017/permissions |
| PERMISSIONS_STORAGE_TLS_CA_FILE | api-gateway, workspaces, events, runtime | Database TLS CA filepath | |
| PERMISSIONS_STORAGE_TLS_SELF_SIGNED | api-gateway, workspaces, events, runtime | Set to true in order to disable server certificate validation | false |
| PERMISSIONS_STORAGE_DEBUG | workspaces, events, runtime | Enable database query logs | false |
| USERS_STORAGE_DRIVER | api-gateway | Database type for users storage: mongodb, postgresql | mongodb |
| USERS_STORAGE_HOST | api-gateway | Database URL for users storage | mongodb://localhost:27017/users |
| USERS_STORAGE_TLS_CA_FILE | api-gateway | Database TLS CA filepath | |
| USERS_STORAGE_TLS_SELF_SIGNED | api-gateway | Set to true in order to disable server certificate validation | false |
| USERS_STORAGE_DEBUG | api-gateway | Enable database query logs | false |
| COLLECTIONS_STORAGE_DRIVER | runtime | Database type for collections storage: mongodb, postgresql | mongodb |
| COLLECTIONS_STORAGE_HOST | runtime | Database URL for collections storage | mongodb://localhost:27017/users |
| COLLECTIONS_STORAGE_TLS_CA_FILE | runtime | Database TLS CA filepath | |
| COLLECTIONS_STORAGE_TLS_SELF_SIGNED | runtime | Set to true in order to disable server certificate validation | false |
| COLLECTIONS_STORAGE_DEBUG | runtime | Enable database query logs | false |
Elasticsearch Configuration
| Name | Service | Description | Default Value |
|---|---|---|---|
| EVENTS_STORAGE_DRIVER | events | Events storage driver (supports elasticsearch or opensearch) | elasticsearch |
| EVENTS_STORAGE_ES_HOST | events | Elasticsearch URL for events persistence | http://localhost:9200 |
| EVENTS_STORAGE_ES_USER | events | Elasticsearch user for events persistence | |
| EVENTS_STORAGE_ES_PASSWORD | events | Elasticsearch password for events persistence | |
| EVENTS_STORAGE_ES_BULK_REFRESH | events | Enable the Elasticsearch "refresh" option when bulk inserting events (might cause overhead) | no |
| EVENTS_STORAGE_NAMESPACE | events | Elasticsearch indices name prefix | "" (empty string) |
Storage Configuration
Prisme.ai supports multiple storage backends for workspaces and uploads. Available storage types are:
- FILESYSTEM: Local file system storage
- S3_LIKE: Amazon S3 or compatible services (MinIO, etc.)
- AZURE_BLOB: Azure Blob Storage
- GCS : Google Cloud Storage
Workspaces Storage
| Name | Service | Description | Default Value |
|---|---|---|---|
| WORKSPACES_STORAGE_TYPE | runtime & workspaces | Storage driver type (FILESYSTEM, S3_LIKE, AZURE_BLOB or GCS) | FILESYSTEM |
| WORKSPACES_STORAGE_FILESYSTEM_DIRPATH | runtime & workspaces | Directory path for filesystem storage | ../../data/models/ |
S3-Compatible Storage for Workspaces
| Name | Service | Description | Default Value |
|---|---|---|---|
| WORKSPACES_STORAGE_S3_LIKE_ACCESS_KEY | runtime & workspaces | S3 access key | |
| WORKSPACES_STORAGE_S3_LIKE_SECRET_KEY | runtime & workspaces | S3 secret key | |
| WORKSPACES_STORAGE_S3_LIKE_ENDPOINT | runtime & workspaces | S3 endpoint | |
| WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME | runtime & workspaces | S3 bucket name | |
| WORKSPACES_STORAGE_S3_LIKE_REGION | runtime & workspaces | S3 region | |
| STORAGE_S3_LIKE_MAX_RETRIES | runtime & workspaces | Maximum retries on rate-limited S3 requests | 5 |
Azure Blob Storage for Workspaces
| Name | Service | Description | Default Value |
|---|---|---|---|
| WORKSPACES_STORAGE_AZURE_BLOB_CONTAINER | runtime & workspaces | Azure Blob container name | models |
| WORKSPACES_STORAGE_AZURE_BLOB_CONNECTION_STRING | runtime & workspaces | Azure Blob connection string | |
GCS Storage for Workspaces
| Name | Service | Description | Default Value |
|---|---|---|---|
| WORKSPACES_STORAGE_GCS_BUCKET | runtime & workspaces | GCS bucket name (required) | |
| WORKSPACES_STORAGE_GCS_KEYFILEPATH | runtime & workspaces | Service account configuration filepath | GOOGLE_APPLICATION_CREDENTIALS environment variable |
| WORKSPACES_STORAGE_GCS_PROJECTID | runtime & workspaces | GCS project id, only required when using apiKey | |
| WORKSPACES_STORAGE_GCS_APIKEY | runtime & workspaces | API key | |
| STORAGE_GCS_MAX_RETRIES | runtime & workspaces | Maximum retries on rate-limited GCS requests | 5 |
If WORKSPACES_STORAGE_GCS_KEYFILEPATH or GOOGLE_APPLICATION_CREDENTIALS is provided, only WORKSPACES_STORAGE_GCS_BUCKET is required.
File Uploads Storage
| Name | Service | Description | Default Value |
|---|---|---|---|
| UPLOADS_STORAGE_TYPE | workspaces | Storage driver type (FILESYSTEM, S3_LIKE, AZURE_BLOB or GCS) | FILESYSTEM |
| UPLOADS_STORAGE_FILESYSTEM_DIRPATH | workspaces | Directory path for filesystem storage | ../../data/models/ |
S3-Compatible Storage for uploads
| Name | Service | Description | Default Value |
|---|---|---|---|
| UPLOADS_STORAGE_S3_LIKE_ACCESS_KEY | workspaces | S3 access key | |
| UPLOADS_STORAGE_S3_LIKE_SECRET_KEY | workspaces | S3 secret key | |
| UPLOADS_STORAGE_S3_LIKE_ENDPOINT | workspaces | S3 endpoint | |
| UPLOADS_STORAGE_S3_LIKE_BUCKET_NAME | workspaces | S3 bucket name | |
| UPLOADS_PUBLIC_STORAGE_S3_LIKE_BUCKET_NAME | workspaces | Optional. Separate bucket for public assets, used only if you want public files served directly by a CDN instead of being proxied by the api-gateway. | |
| UPLOADS_STORAGE_S3_LIKE_REGION | workspaces | S3 region | |
| STORAGE_S3_LIKE_MAX_RETRIES | workspaces | Maximum retries on rate-limited S3 requests | 5 |
| UPLOADS_STORAGE_S3_LIKE_BASE_URL | workspaces | Base download URL (if omitted, workspaces API will be used as proxy) | |
Azure Blob Storage for uploads
| Name | Service | Description | Default Value |
|---|---|---|---|
| UPLOADS_STORAGE_AZURE_BLOB_CONTAINER | workspaces | Azure Blob container name | models |
| UPLOADS_STORAGE_AZURE_BLOB_CONNECTION_STRING | workspaces | Azure Blob connection string | |
| UPLOADS_STORAGE_AZURE_BLOB_BASE_URL | workspaces | Base download URL (if omitted, workspaces API will be used as proxy) | |
GCS Storage for uploads
| Name | Service | Description | Default Value |
|---|---|---|---|
| UPLOADS_STORAGE_GCS_BUCKET | workspaces | GCS bucket name (required) | |
| UPLOADS_PUBLIC_STORAGE_GCS_BUCKET | workspaces | Optional. Separate bucket for public assets, used only if you want public files served directly by a CDN instead of being proxied by the api-gateway. | |
| UPLOADS_STORAGE_GCS_KEYFILEPATH | workspaces | Service account configuration filepath | GOOGLE_APPLICATION_CREDENTIALS environment variable |
| UPLOADS_STORAGE_GCS_PROJECTID | workspaces | GCS project id, only required when using apiKey | |
| UPLOADS_STORAGE_GCS_APIKEY | workspaces | API key | |
| STORAGE_GCS_MAX_RETRIES | workspaces | Maximum retries on rate-limited GCS requests | 5 |
| UPLOADS_STORAGE_GCS_BASE_URL | workspaces | Base download URL (if omitted, workspaces API will be used as proxy) | |
If UPLOADS_STORAGE_GCS_KEYFILEPATH or GOOGLE_APPLICATION_CREDENTIALS is provided, only UPLOADS_STORAGE_GCS_BUCKET is required.
Notes on uploads bucket:
By default, a single private bucket holds both public and private uploads. Every download is proxied by the api-gateway, which checks the file’s visibility and serves public files without requiring authentication. No CDN, no public bucket, and no object-level ACLs are required. The default applies as long as UPLOADS_STORAGE_*_BASE_URL is left unset.
If you want public files to be served directly from a CDN instead of through the api-gateway, you can opt into a two-bucket setup:
- Keep the private bucket as-is (UPLOADS_STORAGE_S3_*).
- Add a second bucket dedicated to public assets (UPLOADS_PUBLIC_STORAGE_S3_*), exposed through a CDN.
- Set UPLOADS_STORAGE_S3_LIKE_BASE_URL (and/or UPLOADS_PUBLIC_STORAGE_S3_LIKE_BASE_URL) to the CDN’s public base URL — that is what tells the platform to hand out direct CDN URLs instead of proxying through the api-gateway.
You can reuse the same credentials for both buckets or provide separate ones:
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BUCKET_NAME="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BASE_URL="your CDN public base URL"
Equivalent variables exist for GCS:
UPLOADS_PUBLIC_STORAGE_GCS_BUCKET="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_GCS_BASE_URL="your CDN public base URL"
To switch back to “everything through the api-gateway”, simply unset the UPLOADS_STORAGE_*_BASE_URL variables.
Authentication & Security
OIDC Configuration
| Name | Service | Description | Default Value |
|---|---|---|---|
| OIDC_PROVIDER_URL | api-gateway, console, runtime | OIDC Authorization public server URL (rarely needs changing) | API_URL without base path |
| OIDC_INTERNAL_PROVIDER_URL | api-gateway | OIDC Authorization internal server URL (rarely needs changing) | By precedence: INTERNAL_API_URL, OIDC_PROVIDER_URL, or API_URL |
| OIDC_STUDIO_CLIENT_ID | api-gateway, console | Studio OIDC client ID | local-client-id |
| OIDC_STUDIO_CLIENT_SECRET | api-gateway | Studio OIDC client secret (known only by api-gateway) | local-client-id |
| OIDC_CLIENT_REGISTRATION_TOKEN | api-gateway | Access token required for OIDC clients registration API | local-client-id |
| OIDC_WELL_KNOWN_URL | api-gateway | OIDC provider configuration discovery URL (only for external providers) | |
| JWKS_URL | api-gateway | Endpoint for retrieving JWKS as part of the JWKS strategy | OIDC_INTERNAL_PROVIDER_URL/oidc/jwks |
Session & Token Configuration
| Name | Service | Description | Default Value |
|---|---|---|---|
| SESSION_COOKIES_MAX_AGE | api-gateway | Auth server session cookies expiration (in seconds) | 2592000 (1 month) |
| ACCESS_TOKENS_MAX_AGE | api-gateway | Session expiration for both anonymous & authenticated sessions (in seconds) | 2592000 (1 month) |
| SESSION_COOKIES_SIGN_SECRET | api-gateway | Session cookies signing secret | |
| SOCKETIO_COOKIE_MAX_AGE | events | Socket.io cookie maxAge | Default from ‘cookie’ NodeJS module |
Security Settings
| Name | Service | Description | Default Value |
|---|---|---|---|
| CORS_ADDITIONAL_ALLOWED_ORIGINS | api-gateway | Additional allowed CORS origins (beyond CONSOLE_URL and workspace custom domains) | |
| CSP_HEADER | console | Content Security Policy header for the frontend (if undefined, no CSP header is returned) | |
| PASSWORD_VALIDATION_REGEXP | api-gateway | Password validation regular expression | .{8,32} |
| ACCOUNT_VALIDATION_METHOD | api-gateway | Account validation method on signup: “auto”, “email”, or “manual” | email |
| DISABLE_LOCAL_SIGNIN | api-gateway | Disable local username/password sign-in API. Only SSO providers remain available. | false |
| DISABLE_LOCAL_SIGNUP | api-gateway | Disable local sign-up API. | false |
| MFA_FORCE_LOCAL | api-gateway | Require TOTP multi-factor authentication for all local (password) accounts. SSO and anonymous accounts are exempt. Set to false to disable. | true |
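The CORS allowlist is assembled from CONSOLE_URL (which may list several origins), CORS_ADDITIONAL_ALLOWED_ORIGINS and the workspaces' custom domains. The following is an added example, not api-gateway code, showing how such an allowlist should be built and checked: each entry is reduced to its origin (scheme, host, port) and a request's Origin header is accepted only on an exact match, never by prefix or suffix. The custom-domain list is passed in as a plain array of URLs because this page does not say where the gateway reads it from (assumption); the sample environment is constructed.

```javascript
// Added example (not Prisme.ai code): build the CORS origin allowlist from
// CONSOLE_URL and CORS_ADDITIONAL_ALLOWED_ORIGINS and check a request's Origin
// header against it by exact origin match. Workspace custom domains are passed
// as a plain array of URLs (assumption: the page does not say where they live).

// Constructed sample environment, mimicking a .env file.
const sampleEnv = {
  CONSOLE_URL: 'https://studio.example.com, https://studio.partner.example:3000',
  CORS_ADDITIONAL_ALLOWED_ORIGINS: 'https://embed.example.com',
};

// Reduce every comma-separated entry to its origin (scheme + host + port).
// Paths, query strings and trailing slashes are dropped, and entries that do
// not parse as URLs are skipped instead of being allowlisted as-is.
function parseOriginList(value) {
  if (!value) return [];
  const origins = [];
  for (const raw of value.split(',')) {
    const trimmed = raw.trim();
    if (!trimmed) continue;
    try {
      origins.push(new URL(trimmed).origin);
    } catch (e) {
      // Invalid entry: ignore it rather than risk allowing "null" or garbage.
    }
  }
  return origins;
}

// Build the allowlist: every CONSOLE_URL entry, every additional origin and
// every workspace custom domain (given as full URLs).
function buildCorsAllowlist(env, workspaceCustomDomains = []) {
  return new Set([
    ...parseOriginList(env.CONSOLE_URL),
    ...parseOriginList(env.CORS_ADDITIONAL_ALLOWED_ORIGINS),
    ...parseOriginList(workspaceCustomDomains.join(',')),
  ]);
}

// Decide whether a request Origin header may receive CORS headers.
// Exact match only: no prefix/suffix matching, no regexes, and the Origin
// value is never reflected back unchecked.
function isOriginAllowed(allowlist, originHeader) {
  if (typeof originHeader !== 'string') return false;
  let origin;
  try {
    origin = new URL(originHeader).origin;
  } catch (e) {
    return false; // not a URL (covers the literal "null" opaque origin too)
  }
  if (origin === 'null') return false;
  return allowlist.has(origin);
}
```

Because the comparison is on the parsed origin, `https://studio.example.com/` and `https://studio.example.com` are treated as the same entry, while a different scheme, port or a look-alike host such as `studio.example.com.other.example` is rejected.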
Service-Specific Configuration
API Gateway
| Name | Service | Description | Default Value |
|---|---|---|---|
| PORT | api-gateway | Listening port number | 3001 |
| GATEWAY_CONFIG_PATH | api-gateway | Path to gateway.config.yml | ../../gateway.config.yml |
| AUTH_PROVIDERS_CONFIG | api-gateway | Path to authProviders.config.yml | ../../authProviders.config.yml |
| INTERNAL_API_KEY | api-gateway, workspaces | API key for internal services to access events /sys/cleanup API | |
| WORKSPACES_API_URL | api-gateway | prismeai-workspaces internal URL | http://workspaces:3002 |
| EVENTS_API_URL | api-gateway | prismeai-events internal URL | http://events:3004 |
| RUNTIME_API_URL | api-gateway | prismeai-runtime internal URL | http://runtime:3003 |
| X_FORWARDED_HEADERS | api-gateway | Add X-Forwarded-* headers on proxied requests | yes |
| SUPER_ADMIN_EMAILS | api-gateway | Comma-separated list of user emails with access to all workspaces (e.g., “admin@example.com,user@company.com”) | None |
| REQUEST_MAX_SIZE | api-gateway | Maximum request body size (format from bodyParser.json) | 1mb |
| EMAIL_DRIVER | api-gateway | Email driver to use. (“smtp”, “mailgun”) | mailgun |
| EMAIL_FROM | api-gateway | Email address to use as “from” when sending emails | "Prisme.ai" <no-reply@prisme.ai> |
| SMTP_HOST | api-gateway | Hostname or IP address of your SMTP server. (example: smtp.gmail.com) | |
| SMTP_PORT | api-gateway | Port to connect to | 587 |
| SMTP_USER | api-gateway | User authentication | |
| SMTP_PASS | api-gateway | User’s password | |
| SMTP_SECURE | api-gateway | If true, the connection will use TLS immediately (recommended for port 465). | false |
Console
| Name | Service | Description | Default Value |
|---|---|---|---|
| PORT | console | Listening port number | 3000 |
| WEBSOCKETS_DEFAULT_TRANSPORTS | console | Default Socket.io transport methods | websocket,polling |
Events Service
| Name | Service | Description | Default Value |
|---|---|---|---|
| PORT | events | Listening port number | 3004 |
| EVENTS_BUFFER_FLUSH_AT | events | Persist events in data lake after this many events | 128 |
| EVENTS_BUFFER_HIGH_WATERMARK | events | Stop listening for new events when this many are waiting to be persisted | 256 |
| EVENTS_BUFFER_FLUSH_EVERY | events | Persist events every N milliseconds, even if EVENTS_BUFFER_FLUSH_AT not reached | 5000 |
| EVENTS_RETENTION_DAYS | events | Days events are kept in data lake before removal | 180 |
| EVENTS_CLEANUP_WORKSPACE_INACTIVITY_DAYS | events | Delete workspace events if inactive for more than N days & with fewer than EVENTS_CLEANUP_WORKSPACE_MAX_EVENTS | 15 |
| EVENTS_CLEANUP_WORKSPACE_MAX_EVENTS | events | Delete workspace events if inactive for more than EVENTS_CLEANUP_WORKSPACE_INACTIVITY_DAYS & with fewer than N events | 100 |
| EVENTS_SCHEDULED_DELETION_DAYS | events | Days events are kept in data lake after workspace deletion (min_age parameter for the policy-events-deletion-scheduled ILM policy) | 90 |
| ELASTIC_SEARCH_TIMEOUT | events | Best-effort timeout for search requests: https://www.elastic.co/docs/solutions/search/the-search-api#search-timeout | 20000ms |
| EVENTS_CLEANUP_AUTOMATION_EXECUTED_EXPIRATION | events | Expiration period enforced by /cleanup API for payload & output fields of runtime.automations.executed events. Can also be tuned from Helm prismeai-events.events.automationExecutedExpiration value | 14d |
Runtime Service
| Name | Service | Description | Default Value |
|---|---|---|---|
| PORT | runtime | Listening port number | 3003 |
| MAXIMUM_SUCCESSIVE_CALLS | runtime | Maximum automation executions for the same correlation ID | 20 |
| CONTEXT_RUN_EXPIRE_TIME | runtime | Run context expiration time in seconds | 60 |
| CONTEXT_UNAUTHENTICATED_SESSION_EXPIRE_TIME | runtime | Session context expiration time in seconds for unauthenticated sessions | 3600 (1 hour) |
| ADDITIONAL_GLOBAL_VARS_* | runtime | Additional variables available from global context (e.g., ADDITIONAL_GLOBAL_VARS_apiUrl becomes {{global.apiUrl}}) | None |
| WORKSPACE_CONFIG_{{workspaceSlug}}_{{variableName}} | runtime | Variables available for specific workspaces | None |
| APP_CONFIG_{{appSlug}}_{{variableName}} | runtime | Variables available for specific apps | None |
| FETCH_FORBIDDEN_HOSTS | runtime | Comma-separated list of forbidden hostnames in fetch instruction | |
| FETCH_MAX_RETRIES | runtime | Maximum fetch retries | 3 |
| FETCH_RETRY_CODES | runtime | Error codes that trigger fetch retries | ECONNRESET,UND_ERR_SOCKET,EPIPE,EHOSTUNREACH,ENETUNREACH |
| FETCH_RETRY_STATUS | runtime | Response status codes that trigger fetch retries | 429,503,502 |
| RUNNER_MAX_THREADS | runtime | Number of worker_threads per runtime instance | 1 |
| CONTEXT_SOCKET_MAX_SIZE | runtime | Maximum size in bytes of socket context (this limit only emits an error but does not throw, for now) | 100000 |
| CONTEXT_GLOBAL_MAX_SIZE | runtime | Maximum size in bytes of global context (this limit only emits an error but does not throw, for now) | 500000 |
| CONTEXT_RUN_MAX_SIZE | runtime | Maximum size in bytes of run context (this limit only emits an error but does not throw, for now) | 500000 |
| CONTEXT_USER_MAX_SIZE | runtime | Maximum size in bytes of user context (this limit only emits an error but does not throw, for now) | 100000 |
| CONTEXT_SESSION_MAX_SIZE | runtime | Maximum size in bytes of session context (this limit only emits an error but does not throw, for now) | 1000000 |
| CONTEXT_LOCAL_MAX_SIZE | runtime | Maximum size in bytes of local context (this limit only emits an error but does not throw, for now) | 50000000 |
| CONTEXT_CONFIG_MAX_SIZE | runtime | Maximum size in bytes of config context (this limit only emits an error but does not throw, for now) | 100000 |
Workspaces Service
| Name | Service | Description | Default Value |
|---|---|---|---|
| PORT | workspaces | Listening port number | 3002 |
| UPLOADS_ALLOWED_MIMETYPES | workspaces | Comma-separated list of allowed upload MIME types (wildcards such as image/* are allowed) | image/*,text/*,video/*,audio/*,application/* |
| UPLOADS_FORBIDDEN_MIMETYPES | workspaces | Comma-separated list of forbidden upload MIME types (no wildcards) | |
| UPLOADS_DEFAULT_VISIBILITY | workspaces | Default upload visibility if not specified in API request | public |
| UPLOADS_MAX_SIZE | workspaces, api-gateway, runtime | Maximum upload size in bytes | 10000000 (10MB) |
| IMPORT_BATCH_SIZE | workspaces | Maximum parallel save requests during imports | 50 |
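The three upload variables above define a policy: an allow list that may use wildcards, a deny list of exact types, and a byte limit. The block below is an added example, not prismeai-workspaces code, that applies that policy to a candidate upload. The deny list is checked first (so a forbidden type cannot be rescued by a matching wildcard), the media type is lower-cased and stripped of parameters before comparison, and the size check uses the byte count rather than anything derived from the filename. The sample environment is constructed: the allow list is this page's default, the deny list is a constructed set of types that browsers render or execute as HTML.

```javascript
// Added example (not Prisme.ai code): enforce UPLOADS_ALLOWED_MIMETYPES
// (wildcards allowed), UPLOADS_FORBIDDEN_MIMETYPES (exact types only) and
// UPLOADS_MAX_SIZE (bytes) on a candidate upload.

// Constructed sample environment. The allow list is the page's default; the
// deny list is a constructed example of types a browser would render as HTML.
const sampleUploadEnv = {
  UPLOADS_ALLOWED_MIMETYPES: 'image/*,text/*,video/*,audio/*,application/*',
  UPLOADS_FORBIDDEN_MIMETYPES: 'text/html,image/svg+xml,application/xhtml+xml',
  UPLOADS_MAX_SIZE: '10000000',
};

function splitList(value) {
  return (value || '')
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
}

// Lower-case the media type and drop parameters such as "; charset=utf-8",
// so that "TEXT/HTML; charset=utf-8" cannot slip past an exact deny entry.
function normalizeMimeType(mimetype) {
  return String(mimetype || '').split(';')[0].trim().toLowerCase();
}

// Wildcard pattern: "type/*" matches any subtype of that type, "*/*" matches
// everything, any other pattern must match exactly.
function matchesPattern(pattern, mimetype) {
  if (pattern === '*/*') return true;
  if (pattern.endsWith('/*')) {
    return mimetype.startsWith(pattern.slice(0, -1)); // keeps the trailing "/"
  }
  return pattern === mimetype;
}

// Returns { accepted, reason }. Deny list wins over allow list; the size is
// compared as a raw byte count.
function checkUpload(env, upload) {
  const mimetype = normalizeMimeType(upload.mimetype);
  const forbidden = splitList(env.UPLOADS_FORBIDDEN_MIMETYPES);
  const allowed = splitList(env.UPLOADS_ALLOWED_MIMETYPES);
  const maxSize = Number(env.UPLOADS_MAX_SIZE || 10000000);

  if (!mimetype || !mimetype.includes('/')) {
    return { accepted: false, reason: 'invalid mimetype' };
  }
  if (forbidden.includes(mimetype)) {
    return { accepted: false, reason: `forbidden type ${mimetype}` };
  }
  if (!allowed.some((pattern) => matchesPattern(pattern, mimetype))) {
    return { accepted: false, reason: `type ${mimetype} not allowed` };
  }
  if (!Number.isInteger(upload.size) || upload.size < 0) {
    return { accepted: false, reason: 'invalid size' };
  }
  if (upload.size > maxSize) {
    return { accepted: false, reason: `size ${upload.size} exceeds ${maxSize}` };
  }
  return { accepted: true, reason: 'ok' };
}
```

Note that with the default allow list a type such as `font/woff2` is rejected simply because no `font/*` entry exists; the allow list is the place to widen the policy, while the deny list remains the place to carve exceptions out of a wildcard.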
Platform Repositories
Platform repositories are shared repositories automatically available to all workspaces for versioning (push/pull). They are configured entirely through environment variables and require no per-workspace setup.
Each workspace’s files are stored in a subdirectory named after the workspace slug within the repository. This allows a single repository to serve as a centralized versioning backend for every workspace on the platform.
Multiple platform repositories can be configured by using the following naming convention:
WORKSPACES_STORAGE_GIT_PLATFORM_{repoId}_{FIELD}
Where {repoId} is a unique identifier for the repository (e.g., prismeai, backup) and {FIELD} is one of the supported fields listed below.
| Field suffix | Description | Default Value |
|---|---|---|
| TYPE | Repository type: git (remote Git repository) or filesystem (local directory) | git |
| URL | Git repository URL (required for git type — the repository is only enabled if this is set) | |
| NAME | Display name shown in the UI | {repoId} |
| BRANCH | Git branch to use (only for git type) | main |
| MODE | Access mode: read-write or read-only | read-write |
| DIRPATH | For git type: base directory path inside the repository. Each workspace’s files are stored under {dirpath}/{workspaceSlug}. If omitted, workspace files are stored directly under {workspaceSlug} at the repository root. For filesystem type: required absolute path to the local directory containing workspace subdirectories. | |
| AUTH_USER | Username for HTTPS authentication (only for git type) | |
| AUTH_PASSWORD | Password or personal access token (PAT) for HTTPS authentication (only for git type) | |
| AUTH_SSHKEY | SSH private key content for SSH authentication (only for git type) | |
The filesystem type is reserved for platform repositories and cannot be used in workspace-level repository configurations.
Example — single platform Git repository:
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_URL=https://github.com/myorg/workspaces.git
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_NAME=Platform Repository
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_BRANCH=main
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_USER=your-user
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_PASSWORD=github_pat_xxxxxxx
Example — filesystem platform repository (like the one embedded in prismeai-workspaces Docker image):
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE=filesystem
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME=Built-in Workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH=/www/platform-workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_MODE=read-only
With this configuration, the platform expects workspace directories directly inside /www/platform-workspaces/ (e.g., /www/platform-workspaces/ai-knowledge/, etc.).
Example — with a custom directory path (Git):
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_URL=https://github.com/myorg/monorepo.git
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_NAME=Platform Repository
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_DIRPATH=workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_USER=your-user
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_PASSWORD=github_pat_xxxxxxx
With this configuration, a workspace with slug myapp would be stored under workspaces/myapp/ in the repository.
Example — multiple platform repositories:
# Primary read-write Git repository
WORKSPACES_STORAGE_GIT_PLATFORM_primary_URL=https://github.com/myorg/workspaces.git
WORKSPACES_STORAGE_GIT_PLATFORM_primary_NAME=Main Repository
WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_USER=x-access-token
WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_PASSWORD=ghp_xxxxxxxxxxxx
# Read-only backup Git repository
WORKSPACES_STORAGE_GIT_PLATFORM_backup_URL=git@github.com:myorg/workspaces-backup.git
WORKSPACES_STORAGE_GIT_PLATFORM_backup_NAME=Backup (read-only)
WORKSPACES_STORAGE_GIT_PLATFORM_backup_MODE=read-only
WORKSPACES_STORAGE_GIT_PLATFORM_backup_AUTH_SSHKEY="-----BEGIN OPENSSH PRIVATE KEY-----\n..."
# Built-in filesystem repository (Docker image)
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE=filesystem
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME=Built-in Workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH=/www/platform-workspaces
Notes:
- Platform repositories are returned in the platformRepositories field of the workspace API response — they do not include auth details, and are never persisted into the workspace configuration.
- Authentication credentials are never exposed in API responses.
- For GitHub HTTPS authentication, use your username as AUTH_USER and a personal access token (PAT) with read-write permissions on Contents as AUTH_PASSWORD.
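To make the naming convention and its rules concrete, here is an added example (not prismeai-workspaces code) that parses WORKSPACES_STORAGE_GIT_PLATFORM_{repoId}_{FIELD} variables from an environment object, applies the defaults from the field table (TYPE git, NAME {repoId}, BRANCH main, MODE read-write), enables a git repository only once its URL is set, requires an absolute DIRPATH for the filesystem type, and produces the credential-free view that may appear in the platformRepositories API field. Field and property names other than the variable names on this page (repoId, authUser, authPassword, authSshKey, the error strings) are this example's own; the sample environment is constructed and uses placeholder secrets. Absolute paths are taken to be POSIX paths starting with "/" (assumption).

```javascript
// Added example (not Prisme.ai code): parse the
// WORKSPACES_STORAGE_GIT_PLATFORM_{repoId}_{FIELD} naming convention, apply
// the documented defaults and validity rules, and strip credentials for output.
const PLATFORM_REPO_PREFIX = 'WORKSPACES_STORAGE_GIT_PLATFORM_';
// Longest suffixes first so that e.g. "_AUTH_USER" is matched before a repoId
// could be mistaken for one ending in "AUTH".
const PLATFORM_REPO_FIELDS = ['AUTH_PASSWORD', 'AUTH_SSHKEY', 'AUTH_USER', 'DIRPATH', 'BRANCH', 'MODE', 'NAME', 'TYPE', 'URL'];
const SECRET_PROPERTIES = ['authUser', 'authPassword', 'authSshKey']; // names chosen here

// Constructed sample environment (placeholder secrets, not real credentials).
const samplePlatformEnv = {
  WORKSPACES_STORAGE_GIT_PLATFORM_primary_URL: 'https://github.com/myorg/workspaces.git',
  WORKSPACES_STORAGE_GIT_PLATFORM_primary_NAME: 'Main Repository',
  WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_USER: 'x-access-token',
  WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_PASSWORD: 'PLACEHOLDER_TOKEN',
  WORKSPACES_STORAGE_GIT_PLATFORM_backup_URL: 'git@github.com:myorg/workspaces-backup.git',
  WORKSPACES_STORAGE_GIT_PLATFORM_backup_MODE: 'read-only',
  WORKSPACES_STORAGE_GIT_PLATFORM_backup_AUTH_SSHKEY: '-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER',
  WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE: 'filesystem',
  WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME: 'Built-in Workspaces',
  WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH: '/www/platform-workspaces',
  WORKSPACES_STORAGE_GIT_PLATFORM_builtin_MODE: 'read-only',
  // Misconfigured entries: a git repo without URL (stays disabled) and a
  // filesystem repo with a relative DIRPATH (rejected with an error).
  WORKSPACES_STORAGE_GIT_PLATFORM_draft_NAME: 'No URL yet',
  WORKSPACES_STORAGE_GIT_PLATFORM_local_TYPE: 'filesystem',
  WORKSPACES_STORAGE_GIT_PLATFORM_local_DIRPATH: 'relative/path',
  UNRELATED_VAR: 'ignored',
};

// Group raw field values by repoId. Keys without a known field suffix are ignored.
function collectPlatformRepoFields(env) {
  const byRepo = {};
  for (const [key, value] of Object.entries(env)) {
    if (!key.startsWith(PLATFORM_REPO_PREFIX)) continue;
    const rest = key.slice(PLATFORM_REPO_PREFIX.length);
    const field = PLATFORM_REPO_FIELDS.find((f) => rest.endsWith('_' + f));
    if (!field) continue;
    const repoId = rest.slice(0, rest.length - field.length - 1);
    if (!repoId) continue;
    (byRepo[repoId] = byRepo[repoId] || {})[field] = value;
  }
  return byRepo;
}

// Apply defaults and validity rules. Returns { repositories, errors }.
function loadPlatformRepositories(env) {
  const repositories = [];
  const errors = [];
  for (const [repoId, f] of Object.entries(collectPlatformRepoFields(env))) {
    const type = f.TYPE || 'git';
    const mode = f.MODE || 'read-write';
    if (!['read-write', 'read-only'].includes(mode)) {
      errors.push(`${repoId}: invalid MODE "${mode}"`);
      continue;
    }
    const repo = { id: repoId, type, name: f.NAME || repoId, mode, dirpath: f.DIRPATH || '' };
    if (type === 'git') {
      if (!f.URL) continue; // a git repository is only enabled once URL is set
      Object.assign(repo, {
        url: f.URL,
        branch: f.BRANCH || 'main',
        authUser: f.AUTH_USER || '',
        authPassword: f.AUTH_PASSWORD || '',
        authSshKey: f.AUTH_SSHKEY || '',
      });
    } else if (type === 'filesystem') {
      if (!f.DIRPATH || !f.DIRPATH.startsWith('/')) {
        errors.push(`${repoId}: filesystem repositories need an absolute DIRPATH`);
        continue;
      }
    } else {
      errors.push(`${repoId}: unknown TYPE "${type}"`);
      continue;
    }
    repositories.push(repo);
  }
  return { repositories, errors };
}

// Strip credentials before anything leaves the service: the view exposed in
// the platformRepositories API field must never carry them.
function toPublicView(repo) {
  const copy = { ...repo };
  for (const prop of SECRET_PROPERTIES) delete copy[prop];
  return copy;
}
```

The separation between `loadPlatformRepositories` (which holds credentials for the Git client) and `toPublicView` (what the API returns) is the point to check in any similar configuration loader: serialising the loaded object directly would leak AUTH_PASSWORD and AUTH_SSHKEY values into API responses and logs.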
Workspace Groups
Workspace groups define logical sets of workspaces that can be imported together via bulk import. Groups are configured through environment variables:
WORKSPACES_GROUP_{groupName}_LABELS="label1,label2,..."
A workspace belongs to a group if at least one of its labels matches one of the group’s labels. When a workspace is pushed to a platform repository, the groups it belongs to are recorded in its .import.yml file.
| Name | Service | Description | Default Value |
|---|---|---|---|
| WORKSPACES_GROUP_{groupName}_LABELS | workspaces | Comma-separated list of labels for the group. A workspace with any matching label is included in this group. | |
Example:
# Core dependencies
WORKSPACES_GROUP_base1_LABELS=production:app:base1
WORKSPACES_GROUP_base2_LABELS=production:app:base2
# Core products
WORKSPACES_GROUP_extended_LABELS=production:app,production:product
These group names are then used in:
- The bulk import API (groups body parameter): POST /v2/workspaces/platform/versions/latest/pull
- The bulk push API (groups body parameter): POST /v2/workspaces/platform/versions
- STARTUP_IMPORT_GROUPS, to select which workspaces to import automatically on startup
Automatic Import at Startup
The workspaces service can automatically trigger a bulk import when it starts. This is useful for initial deployments and platform upgrades, ensuring that reference workspaces from a platform repository are always up to date.
| Name | Service | Description | Default Value |
|---|---|---|---|
| STARTUP_IMPORT_GROUPS | workspaces | Comma-separated list of group names to import at startup. Each group is imported sequentially. If any group encounters errors, remaining groups are skipped. If empty, no auto-import is performed. | |
| STARTUP_IMPORT_REPOSITORY | workspaces | Repository ID (matching a configured platform repository) to import from at startup. | |
Example:
# Import core workspaces from the built-in filesystem repository at startup
STARTUP_IMPORT_GROUPS=base1,base2,extended
STARTUP_IMPORT_REPOSITORY=builtin
At startup, the service:
- Ensures the platform workspace exists (creates it if needed)
- Waits for the platform to be ready (checks the /v2/readiness endpoint, with a 5-minute timeout)
- Imports each group sequentially using the bulk import mechanism, with a 30s pause between each group
- Skips workspaces already at the correct version (based on .import.yml version matching)
When multiple replicas start simultaneously (e.g., during a rollout), only one replica acquires the write lock on the Platform workspace and performs the import. Other replicas skip the import entirely.
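The group membership rule (any matching label) and the startup import semantics (groups in order, version-based skipping, stop after the first group with errors) can be exercised together. The following is an added example, not prismeai-workspaces code, that parses WORKSPACES_GROUP_*_LABELS, resolves the workspaces of each group from a constructed repository listing, and simulates a STARTUP_IMPORT_GROUPS run. The repository contents, the installed-version table and the `importOne` callback are this example's own models of the bulk import (assumptions); the readiness wait, the 30s pause and the write lock are deliberately left out.

```javascript
// Added example (not Prisme.ai code): resolve WORKSPACES_GROUP_*_LABELS into
// group membership and simulate the STARTUP_IMPORT_GROUPS procedure: groups in
// order, skip workspaces already at the expected version, stop at the first
// failing group. Repository contents, installed versions and the importer are
// plain objects / callbacks (assumption).
const GROUP_PREFIX = 'WORKSPACES_GROUP_';
const GROUP_SUFFIX = '_LABELS';

// Constructed sample environment (same groups as the example above).
const sampleGroupEnv = {
  WORKSPACES_GROUP_base1_LABELS: 'production:app:base1',
  WORKSPACES_GROUP_base2_LABELS: 'production:app:base2',
  WORKSPACES_GROUP_extended_LABELS: 'production:app,production:product',
  STARTUP_IMPORT_GROUPS: 'base1,base2,extended',
  STARTUP_IMPORT_REPOSITORY: 'builtin',
};

// Constructed repository listing: slug, labels and the version recorded in
// each workspace's .import.yml.
const sampleRepoWorkspaces = [
  { slug: 'auth-core', labels: ['production:app:base1'], version: '1.2.0' },
  { slug: 'data-core', labels: ['production:app:base2'], version: '2.0.0' },
  { slug: 'ai-knowledge', labels: ['production:app', 'production:product'], version: '3.1.0' },
  { slug: 'sandbox', labels: ['dev'], version: '0.1.0' },
];
// Constructed state of the target platform: slug -> installed version.
const sampleInstalled = { 'auth-core': '1.2.0', 'ai-knowledge': '3.0.0' };

function parseGroups(env) {
  const groups = {};
  for (const [key, value] of Object.entries(env)) {
    if (!key.startsWith(GROUP_PREFIX) || !key.endsWith(GROUP_SUFFIX)) continue;
    const name = key.slice(GROUP_PREFIX.length, key.length - GROUP_SUFFIX.length);
    if (!name) continue;
    groups[name] = value.split(',').map((s) => s.trim()).filter(Boolean);
  }
  return groups;
}

// A workspace is in a group if any of its labels equals any of the group's
// labels (exact match: "production:app" does not cover "production:app:base1").
function workspacesInGroup(groups, groupName, workspaces) {
  const labels = new Set(groups[groupName] || []);
  return workspaces.filter((w) => w.labels.some((l) => labels.has(l)));
}

// Simulated startup import. importOne(workspace) is a hypothetical importer
// returning true on success; `installed` is updated so a re-run skips
// workspaces that are already at the right version.
function runStartupImport(env, repoWorkspaces, installed, importOne) {
  const groups = parseGroups(env);
  const wanted = (env.STARTUP_IMPORT_GROUPS || '').split(',').map((s) => s.trim()).filter(Boolean);
  const report = {
    repository: env.STARTUP_IMPORT_REPOSITORY || null,
    imported: [], skipped: [], failed: [], abortedGroups: [],
  };
  if (!wanted.length) return report; // empty list: no auto-import at all
  for (let i = 0; i < wanted.length; i++) {
    let groupFailed = false;
    for (const ws of workspacesInGroup(groups, wanted[i], repoWorkspaces)) {
      if (installed[ws.slug] === ws.version) { report.skipped.push(ws.slug); continue; }
      if (importOne(ws)) {
        installed[ws.slug] = ws.version;
        report.imported.push(ws.slug);
      } else {
        report.failed.push(ws.slug);
        groupFailed = true;
      }
    }
    if (groupFailed) { report.abortedGroups = wanted.slice(i + 1); break; }
  }
  return report;
}
```

Running it against the constructed data with an importer that always succeeds imports `data-core` and `ai-knowledge` (the latter because 3.0.0 differs from 3.1.0), skips `auth-core`, and never touches `sandbox`, whose `dev` label belongs to no group; an importer that fails on `data-core` stops before the `extended` group is reached.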
Rate Limiting
The variables below are the api-gateway-side rate limits: requests above the threshold are rejected with HTTP 429.
For automation rate limits (also RATE_LIMIT_* but on prismeai-runtime), see API Reference — Rate Limits. Unlike the gateway limits, those don’t break execution — they deliberately slow automations down instead of failing them.
| Name | Service | Description | Default Value |
|---|---|---|---|
| DISABLE_RATE_LIMIT | api-gateway | Set it to true in order to disable all rate limits | |
| RATE_LIMIT_SIGNUP | api-gateway | Maximum signups per IP per minute | 1 |
| RATE_LIMIT_ANONYMOUS_LOGIN | api-gateway | Maximum anonymous logins per IP per minute | 10 |
| RATE_LIMIT_PRISMEAI_LOGIN | api-gateway | Maximum email/password login attempts per email per minute | 5 |
| RATE_LIMIT_PASSWORD_RESET | api-gateway | Maximum password reset requests per IP per minute | 1 |
Integration & APIs
| Name | Service | Description | Default Value |
|---|---|---|---|
| OPENAPI_FILEPATH | All services | Path to Swagger file for requests & events validation | ../specifications/swagger.yml |
Examples
S3 Storage Configuration
# Configure workspace storage with S3
WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
WORKSPACES_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=prisme-workspaces
WORKSPACES_STORAGE_S3_LIKE_REGION=us-west-1
WORKSPACES_STORAGE_S3_LIKE_BASE_URL=https://prisme-workspaces.s3.us-west-1.amazonaws.com
# Configure uploads with the same credentials but different bucket
UPLOADS_STORAGE_TYPE=S3_LIKE
UPLOADS_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
UPLOADS_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
UPLOADS_STORAGE_S3_LIKE_BUCKET_NAME=prisme-uploads
UPLOADS_STORAGE_S3_LIKE_REGION=us-west-1
UPLOADS_STORAGE_S3_LIKE_BASE_URL=https://prisme-uploads.s3.us-west-1.amazonaws.com
Authentication and Rate Limiting for Production
# Set a strong password policy
PASSWORD_VALIDATION_REGEXP="YOUR_REGEX"
# Enable manual account validation
ACCOUNT_VALIDATION_METHOD=manual
# Configure super admins
SUPER_ADMIN_EMAILS=admin@company.com,security@company.com
# Set stricter rate limits
RATE_LIMIT_SIGNUP=1
RATE_LIMIT_ANONYMOUS_LOGIN=5
RATE_LIMIT_PRISMEAI_LOGIN=3
RATE_LIMIT_PASSWORD_RESET=1