Environment Variables Reference

Prisme.ai services can be configured through various environment variables. This reference provides a comprehensive list of available configuration options for your deployment.

Configuration Methods

Docker Setup

In a Docker deployment, configure these variables in the root docker-compose.yml file. See the Docker Compose documentation for more details.

Developer Setup

In a development environment, create a services/*/.env file containing key/value pairs:

WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=someBucketName
...

To run a service directly from its Docker image, add an env_file option to its services/*/docker-compose.yml file:

console:
  entrypoint: npm start --prefix services/console
  restart: on-failure
  image: registry.gitlab.com/prisme.ai/prisme.ai/prisme.ai-console:latest
  ports:
    - "3000:3000"
  env_file: ./.env

Note 1: Default values may differ depending on the selected start mode (Docker or Developer), especially URL-related variables. Note 2: Relative paths start from the executing service directory.

Domains & URLs

Configure the URLs and domains used by Prisme.ai services.

Name	Service	Description	Default Value
INTERNAL_API_URL	api-gateway, workspaces, events, runtime, console, pages	api-gateway internal URL for internal requests (i.e., contact fetching, public JWKS, runtime fetches)	http://localhost:3001/v2
API_URL	console, pages, api-gateway, runtime, workspaces	api-gateway public URL	http://studio.local.prisme.ai:3001/v2
CONSOLE_URL	api-gateway, console, pages, runtime	Studio URL, used for emails, auth redirections & runtime variable `{{global.studioUrl}}`	http://studio.local.prisme.ai:3000
PAGES_HOST	api-gateway, console, pages, runtime	Pages base domain starting with a ’.’, workspace slug will be prefixed as a subdomain. Used for pages builder, pages sign-in redirection from api gateway, & runtime variable `{{global.pagesUrl}}`	.pages.local.prisme.ai:3100

Databases & Storage

Redis Configuration

Name	Service	Description	Default Value
BROKER_HOST	All services	Redis broker URL (must be the same across services)	redis://localhost:6379/0
BROKER_PASSWORD	All services	Redis broker password
BROKER_TLS_CA_FILE	All services	Redis TLS CA filepath
BROKER_NAMESPACE	All services	Optional namespace to segment events when database instance is shared by multiple platforms
BROKER_TOPIC_MAXLEN	All services	Redis streams max length before getting truncated (Capped Streams)	10000
BROKER_EMIT_MAXLEN	All services	Maximum size (in bytes) of emitted events	100000
BROKER_EMIT_EXECUTED_AUTOMATION_MAXLEN	runtime	Maximum size (in bytes) of emitted runtime.automations.executed events	10000
SESSIONS_STORAGE_HOST	api-gateway	Redis URL for sessions storage	redis://localhost:6379/0
SESSIONS_STORAGE_PASSWORD	api-gateway	Redis password for sessions storage
SESSIONS_STORAGE_TLS_CA_FILE	api-gateway	Redis TLS CA filepath
CONTEXTS_CACHE_HOST	runtime	Redis URL for contexts persistence	redis://localhost:6379/0
CONTEXTS_CACHE_PASSWORD	runtime	Redis password for contexts persistence
CONTEXTS_CACHE_TLS_CA_FILE	runtime	Redis TLS CA filepath
EVENTS_TOPICS_CACHE_HOST	events	Redis URL for event userTopics persistence	BROKER_HOST variable
EVENTS_TOPICS_CACHE_PASSWORD	events	Redis password for event userTopics persistence
EVENTS_TOPICS_CACHE_TLS_CA_FILE	events	Redis TLS CA filepath

MongoDB Configuration

Name	Service	Description	Default Value
PERMISSIONS_STORAGE_HOST	All services	MongoDB URL for permissions storage (must be the same for both workspaces & events)	mongodb://localhost:27017/permissions
USERS_STORAGE_HOST	api-gateway	MongoDB URL for users storage	mongodb://localhost:27017/users

Elasticsearch Configuration

Name	Service	Description	Default Value
EVENTS_STORAGE_DRIVER	events	Events storage driver (support elasticseach or opensearch)	elasticsearch
EVENTS_STORAGE_ES_HOST	events	Elasticsearch URL for events persistence	http://localhost:9200
EVENTS_STORAGE_ES_USER	events	Elasticsearch user for events persistence
EVENTS_STORAGE_ES_PASSWORD	events	Elasticsearch password for events persistence
EVENTS_STORAGE_ES_BULK_REFRESH	events	Enable Elastic “refresh” option when bulk inserting events (might cause overhead)	no

Storage Configuration

Prisme.ai supports multiple storage backends for workspaces and uploads. Available storage types are:

FILESYSTEM: Local file system storage
S3_LIKE: Amazon S3 or compatible services (MinIO, etc.)
AZURE_BLOB: Azure Blob Storage
GCS : Google Cloud Storage

Workspaces Storage

Name	Service	Description	Default Value
WORKSPACES_STORAGE_TYPE	runtime & workspaces	Storage driver type (FILESYSTEM, S3_LIKE, AZURE_BLOB or GCS)	FILESYSTEM
WORKSPACES_STORAGE_FILESYSTEM_DIRPATH	runtime & workspaces	Directory path for filesystem storage	../../data/models/

S3-Compatible Storage for Workspaces

Name	Service	Description	Default Value
WORKSPACES_STORAGE_S3_LIKE_ACCESS_KEY	runtime & workspaces	S3 access key
WORKSPACES_STORAGE_S3_LIKE_SECRET_KEY	runtime & workspaces	S3 secret key
WORKSPACES_STORAGE_S3_LIKE_ENDPOINT	runtime & workspaces	S3 endpoint
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME	runtime & workspaces	S3 bucket name
WORKSPACES_STORAGE_S3_LIKE_REGION	runtime & workspaces	S3 region
STORAGE_S3_LIKE_MAX_RETRIES	runtime & workspaces	Maximum retries on rate-limited S3 requests	5

Azure Blob Storage for Workspaces

Name	Service	Description	Default Value
WORKSPACES_STORAGE_AZURE_BLOB_CONTAINER	runtime & workspaces	Azure Blob container name	models
WORKSPACES_STORAGE_AZURE_BLOB_CONNECTION_STRING	runtime & workspaces	Azure Blob connection string

GCS Storage for Workspaces

Name	Service	Description	Default Value
WORKSPACES_STORAGE_GCS_BUCKET	runtime & workspaces	GCS bucket name (required)
WORKSPACES_STORAGE_GCS_KEYFILEPATH	runtime & workspaces	Service account configuration filepath	`GOOGLE_APPLICATION_CREDENTIALS` environment variable
WORKSPACES_STORAGE_GCS_PROJECTID	runtime & workspaces	GCS project id, only required when using apiKey
WORKSPACES_STORAGE_GCS_APIKEY	runtime & workspaces	Api key
STORAGE_GCS_MAX_RETRIES	runtime & workspaces	Maximum retries on rate-limited GCS requests	5

If WORKSPACES_STORAGE_GCS_KEYFILEPATH or GOOGLE_APPLICATION_CREDENTIALS is provided, only WORKSPACES_STORAGE_GCS_BUCKET is required.

File Uploads Storage

Name	Service	Description	Default Value
UPLOADS_STORAGE_TYPE	workspaces	Storage driver type (FILESYSTEM, S3_LIKE, AZURE_BLOB or GCS)	FILESYSTEM
UPLOADS_STORAGE_FILESYSTEM_DIRPATH	workspaces	Directory path for filesystem storage	../../data/models/

S3-Compatible Storage for uploads

Name	Service	Description	Default Value
UPLOADS_STORAGE_S3_LIKE_ACCESS_KEY	workspaces	S3 access key
UPLOADS_STORAGE_S3_LIKE_SECRET_KEY	workspaces	S3 secret key
UPLOADS_STORAGE_S3_LIKE_ENDPOINT	workspaces	S3 endpoint
UPLOADS_STORAGE_S3_LIKE_BUCKET_NAME	workspaces	S3 bucket name
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BUCKET_NAME	workspaces	S3 bucket name for public assets (required if the private uploads bucket does not support object level ACL)
UPLOADS_STORAGE_S3_LIKE_REGION	workspaces	S3 region
STORAGE_S3_LIKE_MAX_RETRIES	workspaces	Maximum retries on rate-limited S3 requests	5
UPLOADS_STORAGE_S3_LIKE_BASE_URL	workspaces	Base download URL (if omitted, workspaces API will be used as proxy)

Azure Blob Storage for uploads

Name	Service	Description	Default Value
UPLOADS_STORAGE_AZURE_BLOB_CONTAINER	workspaces	Azure Blob container name	models
UPLOADS_STORAGE_AZURE_BLOB_CONNECTION_STRING	workspaces	Azure Blob connection string
UPLOADS_STORAGE_AZURE_BLOB_BASE_URL	workspaces	Base download URL (if omitted, workspaces API will be used as proxy)

GCS Storage for uploads

Name	Service	Description	Default Value
UPLOADS_STORAGE_GCS_BUCKET	workspaces	GCS bucket name (required)
UPLOADS_PUBLIC_STORAGE_GCS_BUCKET	workspaces	GCS bucket name for public assets (required if the private uploads bucket does not support object level ACL)
UPLOADS_STORAGE_GCS_KEYFILEPATH	workspaces	Service account configuration filepath	`GOOGLE_APPLICATION_CREDENTIALS` environment variable
UPLOADS_STORAGE_GCS_PROJECTID	workspaces	GCS project id, only required when using apiKey
UPLOADS_STORAGE_GCS_APIKEY	workspaces	Api key
STORAGE_GCS_MAX_RETRIES	workspaces	Maximum retries on rate-limited GCS requests	5
UPLOADS_STORAGE_GCS_BASE_URL	workspaces	Base download URL (if omitted, workspaces API will be used as proxy)

If UPLOADS_STORAGE_GCS_KEYFILEPATH or GOOGLE_APPLICATION_CREDENTIALS is provided, only UPLOADS_STORAGE_GCS_BUCKET is required. Notes on uploads bucket: By default, the driver stores all uploads inside the same bucket for both public and private files. This bucket must allow public access and enable object-level ACLs, letting the driver selectively set objects as public or private. If these options are restricted in your environment, you can configure two separate buckets for public/private objects:

Both buckets can maintain default settings (which prohibit public access and disable object-level ACLs)
The public bucket could be served through a CDN allowed to access all objects (or any more restrictive pattern you prefer)

In this setup, UPLOADS_STORAGE_S3_* variables configure the private bucket, while UPLOADS_PUBLIC_STORAGE_S3_* variables configure the “public” bucket (i.e dedicated to public assets, but not necessarily public itself). You can provide separate credentials for the public bucket or simply set these two variables to use the same credentials:

UPLOADS_PUBLIC_STORAGE_S3_LIKE_BUCKET_NAME="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_S3_LIKE_BASE_URL="your OPTIONAL CDN public base URL"

Equivalent variables exist for GCS :

UPLOADS_PUBLIC_STORAGE_GCS_BUCKET="your public uploads bucket name"
UPLOADS_PUBLIC_STORAGE_GCS_BASE_URL="your OPTIONAL CDN public base URL"

To avoid public buckets / CDN, you can force all file download requests to go through the Prisme.ai API by not providing the UPLOADS_STORAGE_*_BASE_URL environment variable.

Authentication & Security

OIDC Configuration

Name	Service	Description	Default Value
OIDC_PROVIDER_URL	api-gateway, pages, console, runtime	OIDC Authorization public server URL (rarely needs changing)	API_URL without base path
OIDC_INTERNAL_PROVIDER_URL	api-gateway	OIDC Authorization internal server URL (rarely needs changing)	By precedence: INTERNAL_API_URL, OIDC_PROVIDER_URL, or API_URL
OIDC_STUDIO_CLIENT_ID	api-gateway, console	Studio OIDC client ID	local-client-id
OIDC_STUDIO_CLIENT_SECRET	api-gateway	Studio OIDC client secret (known only by api-gateway)	local-client-id
OIDC_CLIENT_REGISTRATION_TOKEN	api-gateway	Access token required for OIDC clients registration API	local-client-id
OIDC_WELL_KNOWN_URL	api-gateway	OIDC provider configuration discovery URL (only for external providers)
JWKS_URL	api-gateway	Endpoint for retrieving JWKS as part of the JWKS strategy	OIDC_INTERNAL_PROVIDER_URL/oidc/jwks

Session & Token Configuration

Name	Service	Description	Default Value
SESSION_COOKIES_MAX_AGE	api-gateway	Auth server session cookies expiration (in seconds)	2592000 (1 month)
ACCESS_TOKENS_MAX_AGE	api-gateway	Session expiration for both anonymous & authenticated sessions (in seconds)	2592000 (1 month)
SESSION_COOKIES_SIGN_SECRET	api-gateway	Session cookies signing secret
SOCKETIO_COOKIE_MAX_AGE	events	Socket.io cookie maxAge	Default from ‘cookie’ NodeJS module

Security Settings

Name	Service	Description	Default Value
CORS_ADDITIONAL_ALLOWED_ORIGINS	api-gateway	Additional allowed CORS origins (beyond STUDIO_URL, PAGES_HOST, and workspace custom domains)
CSP_HEADER	console, pages	Content Security Policy header for frontend services (if undefined, no CSP header is returned)
PASSWORD_VALIDATION_REGEXP	api-gateway	Password validation regular expression	`.{8,32}`
ACCOUNT_VALIDATION_METHOD	api-gateway	Account validation method on signup: “auto”, “email”, or “manual”	email

Service-Specific Configuration

API Gateway

Name	Service	Description	Default Value
PORT	api-gateway	Listening port number	3001
GATEWAY_CONFIG_PATH	api-gateway	Path to gateway.config.yml	../../gateway.config.yml
AUTH_PROVIDERS_CONFIG	api-gateway	Path to authProviders.config.yml	../../authProviders.config.yml
INTERNAL_API_KEY	api-gateway, workspaces	API key for internal services to access events /sys/cleanup API
WORKSPACES_API_URL	api-gateway	prismeai-workspaces internal URL	http://workspaces:3002
EVENTS_API_URL	api-gateway	prismeai-events internal URL	http://events:3004
RUNTIME_API_URL	api-gateway	prismeai-runtime internal URL	http://runtime:3003
X_FORWARDED_HEADERS	api-gateway	Add X-Forwarded-* headers on proxied requests	yes
SUPER_ADMIN_EMAILS	api-gateway	Comma-separated list of user emails with access to all workspaces (e.g., “admin@example.com,user@company.com”)	None
REQUEST_MAX_SIZE	api-gateway	Maximum request body size (format from bodyParser.json)	1mb

Console

Name	Service	Description	Default Value
PORT	console	Listening port number	3000
CUSTOMIZATION_ENDPOINT	console, page	url toward ops_manager for customization webhook, using the internal API URL
WEBSOCKETS_DEFAULT_TRANSPORTS	console, pages	Default Socket.io transport methods	polling,websocket

Events Service

Name	Service	Description	Default Value
PORT	events	Listening port number	3004
EVENTS_BUFFER_FLUSH_AT	events	Persist events in data lake after this many events	128
EVENTS_BUFFER_HIGH_WATERMARK	events	Stop listening for new events when this many are waiting to be persisted	256
EVENTS_BUFFER_FLUSH_EVERY	events	Persist events every N milliseconds, even if EVENTS_BUFFER_FLUSH_AT not reached	5000
EVENTS_RETENTION_DAYS	events	Days events are kept in data lake before removal	180
EVENTS_CLEANUP_WORKSPACE_INACTIVITY_DAYS	events	Delete workspace events if inactive for more than N days & with fewer than EVENTS_CLEANUP_WORKSPACE_MAX_EVENTS	15
EVENTS_CLEANUP_WORKSPACE_MAX_EVENTS	events	Delete workspace events if inactive for more than EVENTS_CLEANUP_WORKSPACE_INACTIVITY_DAYS & with fewer than N events	100
EVENTS_SCHEDULED_DELETION_DAYS	events	Days events are kept in data lake after workspace deletion (min_age parameter for the `policy-events-deletion-scheduled` ILM policy)	90
ELASTIC_SEARCH_TIMEOUT	events	Best effort timeout for search requests : https://www.elastic.co/docs/solutions/search/the-search-api#search-timeout	20000ms
EVENTS_CLEANUP_AUTOMATION_EXECUTED_EXPIRATION	events	Expiration period enforced by `/cleanup` API for payload & output fields of runtime.automations.executed events. Can also be tuned from Helm `prismeai-events.events.automationExecutedExpiration` value	14d

Runtime Service

Name	Service	Description	Default Value
PORT	runtime	Listening port number	3003
MAXIMUM_SUCCESSIVE_CALLS	runtime	Maximum automation executions for the same correlation ID	20
CONTEXT_RUN_EXPIRE_TIME	runtime	Run context expiration time in seconds	60
CONTEXT_UNAUTHENTICATED_SESSION_EXPIRE_TIME	runtime	Session context expiration time in seconds for unauthenticated sessions	3600 (1 hour)
ADDITIONALGLOBAL_VARS*	runtime	Additional variables available from global context (e.g., ADDITIONAL_GLOBAL_VARS_apiUrl becomes `{{global.apiUrl}}`)	None
WORKSPACECONFIG`{{workspaceSlug}}`_`{{variableName}}`	runtime	Variables available for specific workspaces	None
APPCONFIG`{{appSlug}}`_`{{variableName}}`	runtime	Variables available for specific apps	None
FETCH_FORBIDDEN_HOSTS	runtime	Comma-separated list of forbidden hostnames in fetch instruction
FETCH_MAX_RETRIES	runtime	Maximum fetch retries	3
FETCH_RETRY_CODES	runtime	Error codes that trigger fetch retries	ECONNRESET,UND_ERR_SOCKET,EPIPE,EHOSTUNREACH,ENETUNREACH
FETCH_RETRY_STATUS	runtime	Response status codes that trigger fetch retries	429,503,502
RUNNER_MAX_THREADS	runtime	Number of worker_threads per runtime instance	1
AUTOMATION_FETCH_DIRECT_CALL	runtime	Force cross workspaces HTTP calls to be direct internal calls instead of HTTP requests	true

Workspaces Service

Name	Service	Description	Default Value
PORT	workspaces	Listening port number	3002
UPLOADS_ALLOWED_MIMETYPES	workspaces	Comma-separated list of allowed upload MIME types	image/,text/,video/,audio/,application/*
UPLOADS_FORBIDDEN_MIMETYPES	workspaces	Comma-separated list of forbidden upload MIME types (no wildcards)
UPLOADS_DEFAULT_VISIBILITY	workspaces	Default upload visibility if not specified in API request	public
UPLOADS_MAX_SIZE	workspaces, api-gateway, runtime	Maximum upload size in bytes	10000000 (10MB)
IMPORT_BATCH_SIZE	workspaces	Maximum parallel save requests during imports	50

Performance & Limits

Rate Limiting

Name	Service	Description	Default Value
RATE_LIMIT_SIGNUP	api-gateway	Maximum signups per IP per minute	1
RATE_LIMIT_ANONYMOUS_LOGIN	api-gateway	Maximum anonymous logins per IP per minute	10
RATE_LIMIT_PRISMEAI_LOGIN	api-gateway	Maximum email/password login attempts per email per minute	5
RATE_LIMIT_PASSWORD_RESET	api-gateway	Maximum password reset requests per IP per minute	1

Integration & APIs

Name	Service	Description	Default Value
OPENAPI_FILEPATH	All services	Path to Swagger file for requests & events validation	../specifications/swagger.yml

Examples

S3 Storage Configuration

# Configure workspace storage with S3
WORKSPACES_STORAGE_TYPE=S3_LIKE
WORKSPACES_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
WORKSPACES_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
WORKSPACES_STORAGE_S3_LIKE_BUCKET_NAME=prisme-workspaces
WORKSPACES_STORAGE_S3_LIKE_REGION=us-west-1
WORKSPACES_STORAGE_S3_LIKE_BASE_URL=https://prisme-workspaces.s3.us-west-1.amazonaws.com

# Configure uploads with the same credentials but different bucket
UPLOADS_STORAGE_TYPE=S3_LIKE
UPLOADS_STORAGE_S3_LIKE_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
UPLOADS_STORAGE_S3_LIKE_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
UPLOADS_STORAGE_S3_LIKE_BUCKET_NAME=prisme-uploads
UPLOADS_STORAGE_S3_LIKE_REGION=us-west-1
UPLOADS_STORAGE_S3_LIKE_BASE_URL=https://prisme-uploads.s3.us-west-1.amazonaws.com

Authentication and Rate Limiting for Production

# Set a strong password policy
PASSWORD_VALIDATION_REGEXP= "YOUR_REGEX"

# Enable manual account validation
ACCOUNT_VALIDATION_METHOD=manual

# Configure super admins
SUPER_ADMIN_EMAILS=admin@company.com,security@company.com

# Set stricter rate limits
RATE_LIMIT_SIGNUP=1
RATE_LIMIT_ANONYMOUS_LOGIN=5
RATE_LIMIT_PRISMEAI_LOGIN=3
RATE_LIMIT_PASSWORD_RESET=1

Custom Domain Configuration

# Configure custom domain for platform access
CONSOLE_URL=https://studio.company.com
API_URL=https://api.company.com/v2
PAGES_HOST=.apps.company.com

Overview

Cloud Providers

Docker & Kubernetes Deployment

Entreprise Services

AI Products

Operations

​Configuration Methods

​Docker Setup

​Developer Setup

​Variable Categories

​Domains & URLs

​Databases & Storage

​Redis Configuration

​MongoDB Configuration

​Elasticsearch Configuration

​Storage Configuration

​Workspaces Storage

​S3-Compatible Storage for Workspaces

​Azure Blob Storage for Workspaces

​GCS Storage for Workspaces

​File Uploads Storage

​S3-Compatible Storage for uploads

​Azure Blob Storage for uploads

​GCS Storage for uploads

​Authentication & Security

​OIDC Configuration

​Session & Token Configuration

​Security Settings

​Service-Specific Configuration

​API Gateway

​Console

​Events Service

​Runtime Service

​Workspaces Service

​Performance & Limits

​Rate Limiting

​Integration & APIs

​Examples

​S3 Storage Configuration

​Authentication and Rate Limiting for Production

​Custom Domain Configuration