Configuration
Atlas is configured through environment variables (see .env.example) and per-tenant settings
managed in the Console's Studio. This page groups the environment surface by concern; the full
list is in Reference → Environment variables.
Static configuration (environment)
| Group | Representative variables |
|---|---|
| API | API_PORT, API_BIND_HOST, API_HOST, API_DEBUG |
| Frontend | UI_PORT |
| PostgreSQL | POSTGRES_HOST/PORT/DB/USER/PASSWORD |
| Redis | REDIS_HOST/PORT/PASSWORD |
| LLM | OPENROUTER_BASE_URL, OPENROUTER_MODEL_PRIMARY/FAST/REASONING, LLM_TEMPERATURE/TIMEOUT/MAX_RETRIES |
| Tools | MCP_BEARER_TOKEN, DIGITAL_FOOTPRINT_ENDPOINT |
| Auth | KEYCLOAK_URL/PUBLIC_URL/HOSTNAME/PORT/REALM/CLIENT_ID, KEYCLOAK_ADMIN_*, AUTH_ENABLED, AUTH_*_GROUPS, AUTH_ADMIN_PATH_PREFIXES, AUTH_EXEMPT_PATHS |
| Agents | AGENT_MAX_ITERATIONS, AGENT_RETRY_ON_FAIL, AGENT_MAX_RETRIES, AGENT_RETRY_WAIT_MS, MAX_CONCURRENT_INVESTIGATIONS, INVESTIGATION_TIMEOUT |
| Limits | RATE_LIMIT_REQUESTS_PER_MINUTE, RATE_LIMIT_DEFAULT/WRITE/EXPENSIVE/STATUS, CACHE_TTL_SECONDS |
| Storage | ATLAS_MINIO_ACCESS_KEY/SECRET_KEY/ENDPOINT/EXTERNAL_URL |
| Observability | LANGFUSE_*, SENTRY_DSN, LOG_LEVEL, LOG_FORMAT |
| Notifications | SLACK_WEBHOOK_URL, SMTP_*, NOTIFICATION_EMAIL |
| Retention | REPORT_RETENTION_DAYS |
| CORS | CORS_ALLOWED_ORIGINS |
Never commit a populated .env. In production these are injected as Kubernetes secrets / Helm
values. The credential-encryption key that protects per-tenant provider credentials is itself an
environment secret — rotate it through the documented key-rotation procedure.
Dynamic configuration (per tenant)
Some configuration is intentionally not static because it differs per tenant and changes at runtime through the Console:
| Setting | Where | Notes |
|---|---|---|
| Provider & LLM credentials | Studio → Data Providers / Settings | Stored AES-GCM encrypted, see Security |
| Active ontology schema | Studio → Ontology | One active version per tenant; drift-checked |
| Risk matrices & categories | Studio → Risk Matrices / Categories | See Risk scoring |
| Data segments | Settings → Segments | Compliance workstream segmentation |
| MCP servers, crew/LLM config, prompts | Settings | Per-tenant tool & model routing |
Authentication toggles
AUTH_ENABLED gates the whole auth layer, and the AUTH_*_GROUPS / AUTH_ADMIN_PATH_PREFIXES /
AUTH_EXEMPT_PATHS variables map Keycloak groups to roles and declare which paths are admin-only or
exempt. Keep AUTH_ENABLED=true in any shared or production environment. See
Authentication.
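A preflight check for these variables, added here as an example and not part of Atlas itself. It assumes the list variables are comma-separated and that both admin and exempt entries are matched as path prefixes; the page does not specify either, and the sample values and the AUTH_ADMIN_GROUPS name are constructed.

```python
import os
import sys


def _split(value):
    """Split a comma-separated variable into trimmed, non-empty items (assumed format)."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def _under(path, prefix):
    """True when path equals prefix or lies below it on a path-segment boundary."""
    path, prefix = path.rstrip("/") or "/", prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def check_auth_env(env):
    """Return a list of findings for the auth-related variables in env."""
    findings = []
    if env.get("AUTH_ENABLED", "").strip().lower() != "true":
        findings.append("AUTH_ENABLED is not 'true': the auth layer is off")
    admin = _split(env.get("AUTH_ADMIN_PATH_PREFIXES"))
    exempt = _split(env.get("AUTH_EXEMPT_PATHS"))
    for e in exempt:
        for a in admin:
            if _under(e, a):
                findings.append(f"exempt path {e} lies under admin prefix {a}")
            elif _under(a, e):
                findings.append(f"exempt path {e} covers admin prefix {a}")
    # Any AUTH_*_GROUPS variable that is set but empty maps its role to no group.
    for key in sorted(k for k in env if k.startswith("AUTH_") and k.endswith("_GROUPS")):
        if not _split(env[key]):
            findings.append(f"{key} is set but empty")
    return findings


# Constructed sample environment (not taken from .env.example).
SAMPLE_ENV = {
    "AUTH_ENABLED": "false",
    "AUTH_ADMIN_PATH_PREFIXES": "/api/admin, /api/studio",
    "AUTH_EXEMPT_PATHS": "/health,/api/admin/metrics",
    "AUTH_ADMIN_GROUPS": "",  # hypothetical name matching AUTH_*_GROUPS
}

if __name__ == "__main__":
    problems = check_auth_env(dict(os.environ))
    for line in problems:
        print("auth config:", line, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run it in the deployment pipeline with the target environment loaded; a non-zero exit means at least one finding was printed to stderr.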
Precedence
Per-tenant settings override environment defaults for tenant-scoped behaviour (credentials, schema, matrices); infrastructure settings (ports, hosts, secrets) come only from the environment.