Documentation Index
Fetch the complete documentation index at: https://cognisafeltd.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
All Cognisafe services are configured exclusively via environment variables. No config files need to be edited.
api (FastAPI backend)
| Variable | Required | Description |
|---|
POSTGRES_URL | Yes | asyncpg connection string. Format: postgresql+asyncpg://user:password@host:5432/dbname |
REDIS_URL | Yes | Redis connection string. Format: redis://host:6379 |
STRIPE_SECRET_KEY | Yes | Stripe secret API key (sk_live_... or sk_test_...) |
STRIPE_WEBHOOK_SECRET | Yes | Stripe webhook signing secret (whsec_...). Required for billing webhooks to be accepted. |
STRIPE_PRICE_PRO | Yes | Stripe Price ID for the Pro tier ($49/mo). Format: price_... |
STRIPE_PRICE_TEAM | Yes | Stripe Price ID for the Team tier ($199/mo). Format: price_... |
INTERNAL_API_SECRET | Yes | A long random secret shared between the api and web services. Used to authenticate internal server-to-server calls. Generate with openssl rand -hex 32. |
proxy (Go reverse proxy)
| Variable | Required | Description |
|---|
UPSTREAM_URL | Yes | The LLM provider to forward requests to. Default: https://api.openai.com. Change for Mistral (https://api.mistral.ai), Azure, or Ollama. |
API_BACKEND_URL | Yes | URL of the api service. The proxy POSTs logs here. Example: http://api:8000 (Docker) or https://api.cognisafe.uk (Railway). |
PROXY_API_KEY | Yes | The API key that clients must send to authenticate with the proxy. Must match a valid Cognisafe project API key. |
web (Next.js dashboard)
| Variable | Required | Description |
|---|
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY | Yes | Clerk publishable key for client-side auth (pk_live_...). Embedded in the browser bundle. |
CLERK_SECRET_KEY | Yes | Clerk secret key for server-side auth (sk_live_...). Never exposed to the browser. |
INTERNAL_API_SECRET | Yes | Same value as the api service. Used by Next.js server-side routes to authenticate calls to the FastAPI backend. |
API_URL | Yes | Server-side URL of the api service. Used by Next.js server components and API routes. Example: http://api:8000 (Docker) or https://api.cognisafe.uk (Railway). |
NEXT_PUBLIC_API_URL | Yes | Client-side URL of the api service. Embedded in the browser bundle — must be publicly accessible. Example: https://api.cognisafe.uk. |
safety_worker (PyRIT scoring worker)
| Variable | Required | Description |
|---|
POSTGRES_URL | Yes | Same connection string as the api service. The worker writes scored results directly to PostgreSQL. |
REDIS_URL | Yes | Same connection string as the api service. The worker reads jobs from the safety_score_jobs queue. |
OPENAI_API_KEY | No | OpenAI API key used by PyRIT to run LLM-based scorers. If not set, all requests fall back to score_label: "unscored". |
SCORER_MODEL | No | The OpenAI model used by PyRIT for scoring. Default: gpt-4o-mini. Override to use a different model, e.g., gpt-4o. |
Docker Compose shared variables
When using infra/docker-compose.yml, these variables are set in .env at the repo root and shared across services via env_file:
| Variable | Default | Description |
|---|
POSTGRES_URL | postgresql+asyncpg://postgres:postgres@postgres:5432/cognisafe | Overridden per service if needed |
REDIS_URL | redis://redis:6379 | — |
In Docker Compose, service hostnames resolve to container names (e.g., postgres, redis, api). In Railway or Kubernetes, use the actual service URLs provided by your infrastructure.
Generating secrets
# Generate INTERNAL_API_SECRET
openssl rand -hex 32
# Generate a PROXY_API_KEY (if not using the dashboard)
python -c "import secrets; print('csk_' + secrets.token_hex(24))"
