Prisme.ai services can be configured through various environment variables. This reference provides a comprehensive list of available configuration options for your deployment.
Configuration Methods
Docker Setup
In a Docker deployment, configure these variables in the root docker-compose.yml file. See the Docker Compose documentation for more details.
Developer Setup
In a development environment, create a services/*/.env file containing key/value pairs:
WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=someBucketName
...
env_file option to its services/*/docker-compose.yml file:
console:
entrypoint: npm start --prefix services/console
restart: on-failure
image: registry.gitlab.com/prisme.ai/prisme.ai/prisme.ai-console:latest
ports:
- "3000:3000"
env_file: ./.env
Variable Categories
Domains & URLs
Configure the URLs and domains used by Prisme.ai services.
| Name | Service | Description | Default Value |
|---|
| INTERNAL_API_URL | All services | api-gateway internal URL for internal requests ending with /v2 version suffix (i.e., contact fetching, public JWKS, runtime fetches) | http://localhost:3001/v2 |
| API_URL | All services | api-gateway public URL ending with /v2 version suffix | http://studio.local.prisme.ai:3001/v2 |
| CONSOLE_URL | api-gateway, console, pages, runtime | Studio URL, used for emails, auth redirections & runtime variable {{global.studioUrl}} | http://studio.local.prisme.ai:3000 |
| PAGES_HOST | api-gateway, console, pages, runtime | Pages base domain starting with a ’.’, workspace slug will be prefixed as a subdomain. Used for pages builder, pages sign-in redirection from api gateway, & runtime variable {{global.pagesUrl}} | .pages.local.prisme.ai:3100 |
Databases & Storage
Redis Configuration
| Name | Service | Description | Default Value |
|---|
| BROKER_HOST | api-gateway, workspaces, events, runtime | Redis broker URL (must be the same across services) | redis://localhost:6379/0 |
| BROKER_PASSWORD | api-gateway, workspaces, events, runtime | Redis broker password | |
| BROKER_TLS_CA_FILE | api-gateway, workspaces, events, runtime | Redis TLS CA filepath | |
| BROKER_NAMESPACE | api-gateway, workspaces, events, runtime | Optional namespace to segment events when database instance is shared by multiple platforms | |
| BROKER_TOPIC_MAXLEN | api-gateway, workspaces, events, runtime | Redis streams max length before getting truncated (Capped Streams) | 10000 |
| BROKER_EMIT_MAXLEN | api-gateway, workspaces, events, runtime | Maximum size (in bytes) of emitted events | 100000 |
| BROKER_EMIT_EXECUTED_AUTOMATION_MAXLEN | runtime | Maximum size (in bytes) of emitted runtime.automations.executed events | 10000 |
| SESSIONS_STORAGE_HOST | api-gateway | Redis URL for sessions storage | redis://localhost:6379/0 |
| SESSIONS_STORAGE_PASSWORD | api-gateway | Redis password for sessions storage | |
| SESSIONS_STORAGE_TLS_CA_FILE | api-gateway | Redis TLS CA filepath | |
| CONTEXTS_CACHE_HOST | runtime | Redis URL for contexts persistence | redis://localhost:6379/0 |
| CONTEXTS_CACHE_PASSWORD | runtime | Redis password for contexts persistence | |
| CONTEXTS_CACHE_TLS_CA_FILE | runtime | Redis TLS CA filepath | |
| EVENTS_TOPICS_CACHE_HOST | events | Redis URL for event userTopics persistence | BROKER_HOST variable |
| EVENTS_TOPICS_CACHE_PASSWORD | events | Redis password for event userTopics persistence | |
| EVENTS_TOPICS_CACHE_TLS_CA_FILE | events | Redis TLS CA filepath | |
MongoDB/PostgreSQL Configuration
| Name | Service | Description | Default Value |
|---|
| PERMISSIONS_STORAGE_DRIVER | api-gateway, workspaces, events, runtime | Database driver for permissions storage (must be the same for both workspaces & events): mongodb, postgresql | mongodb |
| PERMISSIONS_STORAGE_HOST | api-gateway, workspaces, events, runtime | Database URL for permissions storage (must be the same for both workspaces & events) | mongodb://localhost:27017/permissions |
| PERMISSIONS_STORAGE_TLS_CA_FILE | api-gateway, workspaces, events, runtime | Database TLS CA filepath | |
| PERMISSIONS_STORAGE_TLS_SELF_SIGNED | api-gateway, workspaces, events, runtime | Set to true in order to disable server certificate validation | false |
| PERMISSIONS_STORAGE_DEBUG | workspaces, events, runtime | Enable database query logs | false |
| USERS_STORAGE_DRIVER | api-gateway | Database type for users storage: mongodb, postgresql | mongodb |
| USERS_STORAGE_HOST | api-gateway | Database URL for users storage | mongodb://localhost:27017/users |
| USERS_STORAGE_TLS_CA_FILE | api-gateway | Database TLS CA filepath | |
| USERS_STORAGE_TLS_SELF_SIGNED | api-gateway | Set to true in order to disable server certificate validation | false |
| USERS_STORAGE_DEBUG | api-gateway | Enable database query logs | false |
| COLLECTIONS_STORAGE_DRIVER | runtime | Database type for collections storage: mongodb, postgresql | mongodb |
| COLLECTIONS_STORAGE_HOST | runtime | Database URL for collections storage | mongodb://localhost:27017/users |
| COLLECTIONS_STORAGE_TLS_CA_FILE | runtime | Database TLS CA filepath | |
| COLLECTIONS_STORAGE_TLS_SELF_SIGNED | runtime | Set to true in order to disable server certificate validation | false |
| COLLECTIONS_STORAGE_DEBUG | runtime | Enable database query logs | false |
Elasticsearch Configuration
| Name | Service | Description | Default Value |
|---|
| EVENTS_STORAGE_DRIVER | events | Events storage driver (support elasticseach or opensearch) | elasticsearch |
| EVENTS_STORAGE_ES_HOST | events | Elasticsearch URL for events persistence | http://localhost:9200 |
| EVENTS_STORAGE_ES_USER | events | Elasticsearch user for events persistence | |
| EVENTS_STORAGE_ES_PASSWORD | events | Elasticsearch password for events persistence | |
| EVENTS_STORAGE_ES_BULK_REFRESH | events | Enable Elastic “refresh” option when bulk inserting events (might cause overhead) | no |
Storage Configuration
Prisme.ai supports multiple storage backends for workspaces and uploads. Available storage types are:
- FILESYSTEM: Local file system storage
- S3_LIKE: Amazon S3 or compatible services (MinIO, etc.)
- AZURE_BLOB: Azure Blob Storage
- GCS : Google Cloud Storage
Workspaces Storage
| Name | Service | Description | Default Value |
|---|
| WORKSPACES_STORAGE_TYPE | runtime & workspaces | Storage driver type (FILESYSTEM, S3_LIKE, AZURE_BLOB or GCS) | FILESYSTEM |
| WORKSPACES_STORAGE_FILESYSTEM_DIRPATH | runtime & workspaces | Directory path for filesystem storage | ../../data/models/ |
S3-Compatible Storage for Workspaces
| Name | Service | Description | Default Value |
|---|
| WORKSPACES_STORAGE_S3_LIKE_ACCESS_KEY | runtime & workspaces | S3 access key | |
| WORKSPACES_STORAGE_S3_LIKE_SECRET_KEY | runtime & workspaces | S3 secret key | |
| WORKSPACES_STORAGE_S3_LIKE_ENDPOINT | runtime & workspaces | S3 endpoint | |
| WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME | runtime & workspaces | S3 bucket name | |
| WORKSPACES_STORAGE_S3_LIKE_REGION | runtime & workspaces | S3 region | |
| STORAGE_S3_LIKE_MAX_RETRIES | runtime & workspaces | Maximum retries on rate-limited S3 requests | 5 |
Azure Blob Storage for Workspaces
| Name | Service | Description | Default Value |
|---|
| WORKSPACES_STORAGE_AZURE_BLOB_CONTAINER | runtime & workspaces | Azure Blob container name | models |
| WORKSPACES_STORAGE_AZURE_BLOB_CONNECTION_STRING | runtime & workspaces | Azure Blob connection string | |
GCS Storage for Workspaces
| Name | Service | Description | Default Value | | |
|---|
| WORKSPACES_STORAGE_GCS_BUCKET | runtime & workspaces | GCS bucket name (required) | | | |
| WORKSPACES_STORAGE_GCS_KEYFILEPATH | runtime & workspaces | Service account configuration filepath | GOOGLE_APPLICATION_CREDENTIALS environment variable | | |
| WORKSPACES_STORAGE_GCS_PROJECTID | runtime & workspaces | GCS project id, only required when using apiKey | | | |
| WORKSPACES_STORAGE_GCS_APIKEY | runtime & workspaces | Api key | | | |
| STORAGE_GCS_MAX_RETRIES | runtime & workspaces | Maximum retries on rate-limited GCS requests | 5 | | |
File Uploads Storage
| Name | Service | Description | Default Value |
|---|
| UPLOADS_STORAGE_TYPE | workspaces | Storage driver type (FILESYSTEM, S3_LIKE, AZURE_BLOB or GCS) | FILESYSTEM |
| UPLOADS_STORAGE_FILESYSTEM_DIRPATH | workspaces | Directory path for filesystem storage | ../../data/models/ |
S3-Compatible Storage for uploads
| Name | Service | Description | Default Value |
|---|
| UPLOADS_STORAGE_S3_LIKE_ACCESS_KEY | workspaces | S3 access key | |
| UPLOADS_STORAGE_S3_LIKE_SECRET_KEY | workspaces | S3 secret key | |
| UPLOADS_STORAGE_S3_LIKE_ENDPOINT | workspaces | S3 endpoint | |
| UPLOADS_STORAGE_S3_LIKE_BUCKET_NAME | workspaces | S3 bucket name | |
| UPLOADS_PUBLIC_STORAGE_S3_LIKE_BUCKET_NAME | workspaces | S3 bucket name for public assets (required if the private uploads bucket does not support object level ACL) | |
| UPLOADS_STORAGE_S3_LIKE_REGION | workspaces | S3 region | |
| STORAGE_S3_LIKE_MAX_RETRIES | workspaces | Maximum retries on rate-limited S3 requests | 5 |
| UPLOADS_STORAGE_S3_LIKE_BASE_URL | workspaces | Base download URL (if omitted, workspaces API will be used as proxy) | |
Azure Blob Storage for uploads
| Name | Service | Description | Default Value |
|---|
| UPLOADS_STORAGE_AZURE_BLOB_CONTAINER | workspaces | Azure Blob container name | models |
| UPLOADS_STORAGE_AZURE_BLOB_CONNECTION_STRING | workspaces | Azure Blob connection string | |
| UPLOADS_STORAGE_AZURE_BLOB_BASE_URL | workspaces | Base download URL (if omitted, workspaces API will be used as proxy) | |
GCS Storage for uploads
| Name | Service | Description | Default Value | | |
|---|
| UPLOADS_STORAGE_GCS_BUCKET | workspaces | GCS bucket name (required) | | | |
| UPLOADS_PUBLIC_STORAGE_GCS_BUCKET | workspaces | GCS bucket name for public assets (required if the private uploads bucket does not support object level ACL) | | | |
| UPLOADS_STORAGE_GCS_KEYFILEPATH | workspaces | Service account configuration filepath | GOOGLE_APPLICATION_CREDENTIALS environment variable | | |
| UPLOADS_STORAGE_GCS_PROJECTID | workspaces | GCS project id, only required when using apiKey | | | |
| UPLOADS_STORAGE_GCS_APIKEY | workspaces | Api key | | | |
| STORAGE_GCS_MAX_RETRIES | workspaces | Maximum retries on rate-limited GCS requests | 5 | | |
| UPLOADS_STORAGE_GCS_BASE_URL | workspaces | Base download URL (if omitted, workspaces API will be used as proxy) | | | |
- Both buckets can maintain default settings (which prohibit public access and disable object-level ACLs)
- The public bucket could be served through a CDN allowed to access all objects (or any more restrictive pattern you prefer)
In this setup, UPLOADS_STORAGE_S3_* variables configure the private bucket, while UPLOADS_PUBLIC_STORAGE_S3_* variables configure the “public” bucket (i.e dedicated to public assets, but not necessarily public itself).
You can provide separate credentials for the public bucket or simply set these two variables to use the same credentials:
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BUCKET_NAME="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BASE_URL="your OPTIONAL CDN public base URL"
UPLOADS_PUBLIC_STORAGE_GCS_BUCKET="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_GCS_BASE_URL="your OPTIONAL CDN public base URL"
UPLOADS_STORAGE_*_BASE_URL environment variable.
Authentication & Security
OIDC Configuration
| Name | Service | Description | Default Value |
|---|
| OIDC_PROVIDER_URL | api-gateway, pages, console, runtime | OIDC Authorization public server URL (rarely needs changing) | API_URL without base path |
| OIDC_INTERNAL_PROVIDER_URL | api-gateway | OIDC Authorization internal server URL (rarely needs changing) | By precedence: INTERNAL_API_URL, OIDC_PROVIDER_URL, or API_URL |
| OIDC_STUDIO_CLIENT_ID | api-gateway, console | Studio OIDC client ID | local-client-id |
| OIDC_STUDIO_CLIENT_SECRET | api-gateway | Studio OIDC client secret (known only by api-gateway) | local-client-id |
| OIDC_CLIENT_REGISTRATION_TOKEN | api-gateway | Access token required for OIDC clients registration API | local-client-id |
| OIDC_WELL_KNOWN_URL | api-gateway | OIDC provider configuration discovery URL (only for external providers) | |
| JWKS_URL | api-gateway | Endpoint for retrieving JWKS as part of the JWKS strategy | OIDC_INTERNAL_PROVIDER_URL/oidc/jwks |
Session & Token Configuration
| Name | Service | Description | Default Value |
|---|
| SESSION_COOKIES_MAX_AGE | api-gateway | Auth server session cookies expiration (in seconds) | 2592000 (1 month) |
| ACCESS_TOKENS_MAX_AGE | api-gateway | Session expiration for both anonymous & authenticated sessions (in seconds) | 2592000 (1 month) |
| SESSION_COOKIES_SIGN_SECRET | api-gateway | Session cookies signing secret | |
| SOCKETIO_COOKIE_MAX_AGE | events | Socket.io cookie maxAge | Default from ‘cookie’ NodeJS module |
Security Settings
| Name | Service | Description | Default Value |
|---|
| CORS_ADDITIONAL_ALLOWED_ORIGINS | api-gateway | Additional allowed CORS origins (beyond STUDIO_URL, PAGES_HOST, and workspace custom domains) | |
| CSP_HEADER | console, pages | Content Security Policy header for frontend services (if undefined, no CSP header is returned) | |
| PASSWORD_VALIDATION_REGEXP | api-gateway | Password validation regular expression | .{8,32} |
| ACCOUNT_VALIDATION_METHOD | api-gateway | Account validation method on signup: “auto”, “email”, or “manual” | email |
Service-Specific Configuration
API Gateway
| Name | Service | Description | Default Value |
|---|
| PORT | api-gateway | Listening port number | 3001 |
| GATEWAY_CONFIG_PATH | api-gateway | Path to gateway.config.yml | ../../gateway.config.yml |
| AUTH_PROVIDERS_CONFIG | api-gateway | Path to authProviders.config.yml | ../../authProviders.config.yml |
| INTERNAL_API_KEY | api-gateway, workspaces | API key for internal services to access events /sys/cleanup API | |
| WORKSPACES_API_URL | api-gateway | prismeai-workspaces internal URL | http://workspaces:3002 |
| EVENTS_API_URL | api-gateway | prismeai-events internal URL | http://events:3004 |
| RUNTIME_API_URL | api-gateway | prismeai-runtime internal URL | http://runtime:3003 |
| X_FORWARDED_HEADERS | api-gateway | Add X-Forwarded-* headers on proxied requests | yes |
| SUPER_ADMIN_EMAILS | api-gateway | Comma-separated list of user emails with access to all workspaces (e.g., “admin@example.com,user@company.com”) | None |
| REQUEST_MAX_SIZE | api-gateway | Maximum request body size (format from bodyParser.json) | 1mb |
| EMAIL_DRIVER | api-gateway | Email driver to use. (“smtp”, “mailgun”) | mailgun |
| EMAIL_FROM | api-gateway | Email address to use as “from” when sending emails | "Prisme.ai" <no-reply@prisme.ai> |
| SMTP_HOST | api-gateway | Hostname or IP address of your SMTP server. (example: smtp.gmail.com) | |
| SMTP_PORT | api-gateway | Port to connect to | 587 |
| SMTP_USER | api-gateway | User authentication | |
| SMTP_PASS | api-gateway | User’s password | |
| SMTP_SECURE | api-gateway | If true, the connection will use TLS immediately (recommended for port 465). | false |
Console
| Name | Service | Description | Default Value |
|---|
| PORT | console | Listening port number | 3000 |
| WORKSPACE_OPS_MANAGER | console, page | Public base url towards AI Governance workspace webhooks for automatically deducing below endpoints (customization, suggestions, products, …). Example: https://<API_URL>/v2/workspaces/{AIG_WORKSPACE_ID}/webhooks/ | |
| CUSTOMIZATION_ENDPOINT | console, page | Public url for /customization webhook (retrieves platform theme settings) | $WORKSPACE_OPS_MANAGER/customization |
| TRACKING_WEBHOOK | console, page | url towards /tracking webhook (tracks builder activity) | $WORKSPACE_OPS_MANAGER/tracking |
| SUGGESTIONS_ENDPOINT | console, page | url towards /suggestions webhook (retrieves suggestions on builder left menu) | $WORKSPACE_OPS_MANAGER/suggestions |
| PRODUCTS_ENDPOINT | console, page | url towards /products webhook (retrieves products on left menu) | $WORKSPACE_OPS_MANAGER/products |
| TRANSLATIONS_OVERRIDE | console, page | url towards /translations webhook (retrieves platform custom translations) | $WORKSPACE_OPS_MANAGER/translations |
| WEBSOCKETS_DEFAULT_TRANSPORTS | console, pages | Default Socket.io transport methods | polling,websocket |
*_ENDPOINT, *_WEBHOOK or *_OVERRIDE should be configured if the generic WORKSPACE_OPS_MANAGER environment variable is set (recommended). In helm, it can be tuned from prismeai-console.workspace_ops_manager and prismeai-pages.workspace_ops_manager environment variables.
Events Service
| Name | Service | Description | Default Value |
|---|
| PORT | events | Listening port number | 3004 |
| EVENTS_BUFFER_FLUSH_AT | events | Persist events in data lake after this many events | 128 |
| EVENTS_BUFFER_HIGH_WATERMARK | events | Stop listening for new events when this many are waiting to be persisted | 256 |
| EVENTS_BUFFER_FLUSH_EVERY | events | Persist events every N milliseconds, even if EVENTS_BUFFER_FLUSH_AT not reached | 5000 |
| EVENTS_RETENTION_DAYS | events | Days events are kept in data lake before removal | 180 |
| EVENTS_CLEANUP_WORKSPACE_INACTIVITY_DAYS | events | Delete workspace events if inactive for more than N days & with fewer than EVENTS_CLEANUP_WORKSPACE_MAX_EVENTS | 15 |
| EVENTS_CLEANUP_WORKSPACE_MAX_EVENTS | events | Delete workspace events if inactive for more than EVENTS_CLEANUP_WORKSPACE_INACTIVITY_DAYS & with fewer than N events | 100 |
| EVENTS_SCHEDULED_DELETION_DAYS | events | Days events are kept in data lake after workspace deletion (min_age parameter for the policy-events-deletion-scheduled ILM policy) | 90 |
| ELASTIC_SEARCH_TIMEOUT | events | Best effort timeout for search requests : https://www.elastic.co/docs/solutions/search/the-search-api#search-timeout | 20000ms |
| EVENTS_CLEANUP_AUTOMATION_EXECUTED_EXPIRATION | events | Expiration period enforced by /cleanup API for payload & output fields of runtime.automations.executed events. Can also be tuned from Helm prismeai-events.events.automationExecutedExpiration value | 14d |
Runtime Service
| Name | Service | Description | Default Value |
|---|
| PORT | runtime | Listening port number | 3003 |
| MAXIMUM_SUCCESSIVE_CALLS | runtime | Maximum automation executions for the same correlation ID | 20 |
| CONTEXT_RUN_EXPIRE_TIME | runtime | Run context expiration time in seconds | 60 |
| CONTEXT_UNAUTHENTICATED_SESSION_EXPIRE_TIME | runtime | Session context expiration time in seconds for unauthenticated sessions | 3600 (1 hour) |
| ADDITIONALGLOBAL_VARS* | runtime | Additional variables available from global context (e.g., ADDITIONAL_GLOBAL_VARS_apiUrl becomes {{global.apiUrl}}) | None |
WORKSPACECONFIG{{workspaceSlug}}_{{variableName}} | runtime | Variables available for specific workspaces | None |
APPCONFIG{{appSlug}}_{{variableName}} | runtime | Variables available for specific apps | None |
| FETCH_FORBIDDEN_HOSTS | runtime | Comma-separated list of forbidden hostnames in fetch instruction | |
| FETCH_MAX_RETRIES | runtime | Maximum fetch retries | 3 |
| FETCH_RETRY_CODES | runtime | Error codes that trigger fetch retries | ECONNRESET,UND_ERR_SOCKET,EPIPE,EHOSTUNREACH,ENETUNREACH |
| FETCH_RETRY_STATUS | runtime | Response status codes that trigger fetch retries | 429,503,502 |
| RUNNER_MAX_THREADS | runtime | Number of worker_threads per runtime instance | 1 |
| CONTEXT_SOCKET_MAX_SIZE | runtime | Maximum size in bytes of socket context (this limit only emits error but does not throw, for now | 100000 |
| CONTEXT_GLOBAL_MAX_SIZE | runtime | Maximum size in bytes of global context (this limit only emits error but does not throw, for now | 500000 |
| CONTEXT_RUN_MAX_SIZE | runtime | Maximum size in bytes of run context (this limit only emits error but does not throw, for now | 500000 |
| CONTEXT_USER_MAX_SIZE | runtime | Maximum size in bytes of user context (this limit only emits error but does not throw, for now | 100000 |
| CONTEXT_SESSION_MAX_SIZE | runtime | Maximum size in bytes of session context (this limit only emits error but does not throw, for now | 1000000 |
| CONTEXT_LOCAL_MAX_SIZE | runtime | Maximum size in bytes of local context (this limit only emits error but does not throw, for now | 50000000 |
| CONTEXT_CONFIG_MAX_SIZE | runtime | Maximum size in bytes of config context (this limit only emits error but does not throw, for now | 100000 |
Workspaces Service
| Name | Service | Description | Default Value |
|---|
| PORT | workspaces | Listening port number | 3002 |
| UPLOADS_ALLOWED_MIMETYPES | workspaces | Comma-separated list of allowed upload MIME types | image/,text/,video/,audio/,application/* |
| UPLOADS_FORBIDDEN_MIMETYPES | workspaces | Comma-separated list of forbidden upload MIME types (no wildcards) | |
| UPLOADS_DEFAULT_VISIBILITY | workspaces | Default upload visibility if not specified in API request | public |
| UPLOADS_MAX_SIZE | workspaces, api-gateway, runtime | Maximum upload size in bytes | 10000000 (10MB) |
| IMPORT_BATCH_SIZE | workspaces | Maximum parallel save requests during imports | 50 |
WORKSPACES_STORAGE_GIT_PLATFORM_{repoId}_{FIELD}
{repoId} is a unique identifier for the repository (e.g., prismeai, backup) and {FIELD} is one of the supported fields listed below.
| Field suffix | Description | Default Value |
|---|
TYPE | Repository type: git (remote Git repository) or filesystem (local directory) | git |
URL | Git repository URL (required for git type — the repository is only enabled if this is set) | |
NAME | Display name shown in the UI | {repoId} |
BRANCH | Git branch to use (only for git type) | main |
MODE | Access mode: read-write or read-only | read-write |
DIRPATH | For git type: base directory path inside the repository. Each workspace’s files are stored under {dirpath}/{workspaceSlug}. If omitted, workspace files are stored directly under {workspaceSlug} at the repository root. For filesystem type: required absolute path to the local directory containing workspace subdirectories. | |
AUTH_USER | Username for HTTPS authentication (only for git type) | |
AUTH_PASSWORD | Password or personal access token (PAT) for HTTPS authentication (only for git type) | |
AUTH_SSHKEY | SSH private key content for SSH authentication (only for git type) | |
The filesystem type is reserved for platform repositories and cannot be used in workspace-level repository configurations.
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_URL=https://github.com/myorg/workspaces.git
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_NAME=Platform Repository
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_BRANCH=main
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_USER=your-user
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_PASSWORD=github_pat_xxxxxxx
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE=filesystem
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME=Built-in Workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH=/www/platform-workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_MODE=read-only
/www/platform-workspaces/ (e.g., /www/platform-workspaces/ai-knowledge/, etc.).
Example — with a custom directory path (Git):
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_URL=https://github.com/myorg/monorepo.git
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_NAME=Platform Repository
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_DIRPATH=workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_USER=your-user
WORKSPACES_STORAGE_GIT_PLATFORM_prismeai_AUTH_PASSWORD=github_pat_xxxxxxx
myapp would be stored under workspaces/myapp/ in the repository.
Example — multiple platform repositories:
# Primary read-write Git repository
WORKSPACES_STORAGE_GIT_PLATFORM_primary_URL=https://github.com/myorg/workspaces.git
WORKSPACES_STORAGE_GIT_PLATFORM_primary_NAME=Main Repository
WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_USER=x-access-token
WORKSPACES_STORAGE_GIT_PLATFORM_primary_AUTH_PASSWORD=ghp_xxxxxxxxxxxx
# Read-only backup Git repository
WORKSPACES_STORAGE_GIT_PLATFORM_backup_URL=git@github.com:myorg/workspaces-backup.git
WORKSPACES_STORAGE_GIT_PLATFORM_backup_NAME=Backup (read-only)
WORKSPACES_STORAGE_GIT_PLATFORM_backup_MODE=read-only
WORKSPACES_STORAGE_GIT_PLATFORM_backup_AUTH_SSHKEY="-----BEGIN OPENSSH PRIVATE KEY-----\n..."
# Built-in filesystem repository (Docker image)
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_TYPE=filesystem
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_NAME=Built-in Workspaces
WORKSPACES_STORAGE_GIT_PLATFORM_builtin_DIRPATH=/www/platform-workspaces
- Platform repositories are returned in the
platformRepositories field of the workspace API response — they do not include auth details, and are never persisted into the workspace configuration.
- Authentication credentials are never exposed in API responses.
- For GitHub HTTPS authentication, use your username as
AUTH_USER and a personal access token (PAT) with read-write permissions on Contents as AUTH_PASSWORD.
Workspace Groups
Workspace groups define logical sets of workspaces that can be imported together via bulk import. Groups are configured through environment variables:
WORKSPACES_GROUP_{groupName}_LABELS="label1,label2,..."
.import.yml file.
| Name | Service | Description | Default Value |
|---|
WORKSPACES_GROUP_{groupName}_LABELS | workspaces | Comma-separated list of labels for the group. A workspace with any matching label is included in this group. | |
# Core dependencies
WORKSPACES_GROUP_base1_LABELS=production:app:base1
WORKSPACES_GROUP_base2_LABELS=production:app:base2
# Core products
WORKSPACES_GROUP_extended_LABELS=production:app,production:product
- The bulk import API (
groups body parameter): POST /v2/workspaces/platform/versions/latest/pull
- The bulk push API (
groups body parameter): POST /v2/workspaces/platform/versions
STARTUP_IMPORT_GROUPS to select which workspaces to import automatically on startup
Automatic Import at Startup
The workspaces service can automatically trigger a bulk import when it starts. This is useful for initial deployments and platform upgrades, ensuring that reference workspaces from a platform repository are always up to date.
| Name | Service | Description | Default Value |
|---|
STARTUP_IMPORT_GROUPS | workspaces | Comma-separated list of group names to import at startup. Each group is imported sequentially. If any group encounters errors, remaining groups are skipped. If empty, no auto-import is performed. | |
STARTUP_IMPORT_REPOSITORY | workspaces | Repository ID (matching a configured platform repository) to import from at startup. | |
# Import core workspaces from the built-in filesystem repository at startup
STARTUP_IMPORT_GROUPS=base1,base2,extended
STARTUP_IMPORT_REPOSITORY=builtin
- Ensures the
platform workspace exists (creates it if needed)
- Waits for the platform to be ready (checks the
/v2/readiness endpoint, with a 5-minute timeout)
- Imports each group sequentially using the bulk import mechanism, with a 30s pause between each group
- Skips workspaces already at the correct version (based on
.import.yml version matching)
When multiple replicas start simultaneously (e.g., during a rollout), only one replica acquires the write lock on the Platform workspace and performs the import. Other replicas skip the import entirely.
Rate Limiting
| Name | Service | Description | Default Value |
|---|
| DISABLE_RATE_LIMIT | api-gateway | Set it to true in order to disable all rate limits | |
| RATE_LIMIT_SIGNUP | api-gateway | Maximum signups per IP per minute | 1 |
| RATE_LIMIT_ANONYMOUS_LOGIN | api-gateway | Maximum anonymous logins per IP per minute | 10 |
| RATE_LIMIT_PRISMEAI_LOGIN | api-gateway | Maximum email/password login attempts per email per minute | 5 |
| RATE_LIMIT_PASSWORD_RESET | api-gateway | Maximum password reset requests per IP per minute | 1 |
Integration & APIs
| Name | Service | Description | Default Value |
|---|
| OPENAPI_FILEPATH | All services | Path to Swagger file for requests & events validation | ../specifications/swagger.yml |
Examples
S3 Storage Configuration
# Configure workspace storage with S3
WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
WORKSPACES_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=prisme-workspaces
WORKSPACES_STORAGE_S3_LIKE_REGION=us-west-1
WORKSPACES_STORAGE_S3_LIKE_BASE_URL=https://prisme-workspaces.s3.us-west-1.amazonaws.com
# Configure uploads with the same credentials but different bucket
UPLOADS_STORAGE_TYPE=S3_LIKE
UPLOADS_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
UPLOADS_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
UPLOADS_STORAGE_S3_LIKE_BUCKET_NAME=prisme-uploads
UPLOADS_STORAGE_S3_LIKE_REGION=us-west-1
UPLOADS_STORAGE_S3_LIKE_BASE_URL=https://prisme-uploads.s3.us-west-1.amazonaws.com
Authentication and Rate Limiting for Production
# Set a strong password policy
PASSWORD_VALIDATION_REGEXP= "YOUR_REGEX"
# Enable manual account validation
ACCOUNT_VALIDATION_METHOD=manual
# Configure super admins
SUPER_ADMIN_EMAILS=admin@company.com,security@company.com
# Set stricter rate limits
RATE_LIMIT_SIGNUP=1
RATE_LIMIT_ANONYMOUS_LOGIN=5
RATE_LIMIT_PRISMEAI_LOGIN=3
RATE_LIMIT_PASSWORD_RESET=1
