# Environment variables

> All environment variables for the Cognisafe stack.

All Cognisafe services are configured exclusively via environment variables. No config files need to be edited.

## api (FastAPI backend)

| Variable                | Required | Description                                                                                                                                                   |
| ----------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `POSTGRES_URL`          | Yes      | asyncpg connection string. Format: `postgresql+asyncpg://user:password@host:5432/dbname`                                                                      |
| `REDIS_URL`             | Yes      | Redis connection string. Format: `redis://host:6379`                                                                                                          |
| `STRIPE_SECRET_KEY`     | Yes      | Stripe secret API key (`sk_live_...` or `sk_test_...`)                                                                                                        |
| `STRIPE_WEBHOOK_SECRET` | Yes      | Stripe webhook signing secret (`whsec_...`). Required for billing webhooks to be accepted.                                                                    |
| `STRIPE_PRICE_PRO`      | Yes      | Stripe Price ID for the Pro tier (\$49/mo). Format: `price_...`                                                                                               |
| `STRIPE_PRICE_TEAM`     | Yes      | Stripe Price ID for the Team tier (\$199/mo). Format: `price_...`                                                                                             |
| `INTERNAL_API_SECRET`   | Yes      | A long random secret shared between the `api` and `web` services. Used to authenticate internal server-to-server calls. Generate with `openssl rand -hex 32`. |

## proxy (Go reverse proxy)

| Variable          | Required | Description                                                                                                                                  |
| ----------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| `UPSTREAM_URL`    | Yes      | The LLM provider to forward requests to. Default: `https://api.openai.com`. Change for Mistral (`https://api.mistral.ai`), Azure, or Ollama. |
| `API_BACKEND_URL` | Yes      | URL of the `api` service. The proxy POSTs logs here. Example: `http://api:8000` (Docker) or `https://api.cognisafe.uk` (Railway).            |
| `PROXY_API_KEY`   | Yes      | The API key that clients must send to authenticate with the proxy. Must match a valid Cognisafe project API key.                             |

## web (Next.js dashboard)

| Variable                            | Required | Description                                                                                                                                                          |
| ----------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` | Yes      | Clerk publishable key for client-side auth (`pk_live_...`). Embedded in the browser bundle.                                                                          |
| `CLERK_SECRET_KEY`                  | Yes      | Clerk secret key for server-side auth (`sk_live_...`). Never exposed to the browser.                                                                                 |
| `INTERNAL_API_SECRET`               | Yes      | Same value as the `api` service. Used by Next.js server-side routes to authenticate calls to the FastAPI backend.                                                    |
| `API_URL`                           | Yes      | Server-side URL of the `api` service. Used by Next.js server components and API routes. Example: `http://api:8000` (Docker) or `https://api.cognisafe.uk` (Railway). |
| `NEXT_PUBLIC_API_URL`               | Yes      | Client-side URL of the `api` service. Embedded in the browser bundle — must be publicly accessible. Example: `https://api.cognisafe.uk`.                             |

## safety\_worker (PyRIT scoring worker)

| Variable         | Required | Description                                                                                                             |
| ---------------- | -------- | ----------------------------------------------------------------------------------------------------------------------- |
| `POSTGRES_URL`   | Yes      | Same connection string as the `api` service. The worker writes scored results directly to PostgreSQL.                   |
| `REDIS_URL`      | Yes      | Same connection string as the `api` service. The worker reads jobs from the `safety_score_jobs` queue.                  |
| `OPENAI_API_KEY` | No       | OpenAI API key used by PyRIT to run LLM-based scorers. If not set, all requests fall back to `score_label: "unscored"`. |
| `SCORER_MODEL`   | No       | The OpenAI model used by PyRIT for scoring. Default: `gpt-4o-mini`. Override to use a different model, e.g., `gpt-4o`.  |

## Docker Compose shared variables

When using `infra/docker-compose.yml`, these variables are set in `.env` at the repo root and shared across services via `env_file`:

| Variable       | Default                                                          | Description                      |
| -------------- | ---------------------------------------------------------------- | -------------------------------- |
| `POSTGRES_URL` | `postgresql+asyncpg://postgres:postgres@postgres:5432/cognisafe` | Overridden per service if needed |
| `REDIS_URL`    | `redis://redis:6379`                                             | —                                |

<Note>
  In Docker Compose, service hostnames resolve to container names (e.g., `postgres`, `redis`, `api`). In Railway or Kubernetes, use the actual service URLs provided by your infrastructure.
</Note>

## Generating secrets

```bash
# Generate INTERNAL_API_SECRET
openssl rand -hex 32

# Generate a PROXY_API_KEY (if not using the dashboard)
python -c "import secrets; print('csk_' + secrets.token_hex(24))"
```
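
A pre-deploy check for the `api`, `proxy` and `web` variables in the tables above, added here as an example and not part of Cognisafe's own code. The names `RULES` and `check` are hypothetical, and the exact lengths expected for `INTERNAL_API_SECRET` and `PROXY_API_KEY` are assumptions inferred from the generation commands on this page.

```python
import re
# Formats come from the tables above; entries marked "assumption" are inferred.
SECRET_HEX = r"[0-9a-f]{64,}"  # assumption: output of `openssl rand -hex 32`
RULES = {
    "api": {
        "POSTGRES_URL": r"postgresql\+asyncpg://.+",
        "REDIS_URL": r"rediss?://.+",
        "STRIPE_SECRET_KEY": r"sk_(live|test)_.+",
        "STRIPE_WEBHOOK_SECRET": r"whsec_.+",
        "STRIPE_PRICE_PRO": r"price_.+",
        "STRIPE_PRICE_TEAM": r"price_.+",
        "INTERNAL_API_SECRET": SECRET_HEX,
    },
    "proxy": {
        "UPSTREAM_URL": r"https?://.+",
        "API_BACKEND_URL": r"https?://.+",
        "PROXY_API_KEY": r"csk_[0-9a-f]{48}",  # assumption: 'csk_' + token_hex(24)
    },
    "web": {
        "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY": r"pk_(live|test)_.+",
        "CLERK_SECRET_KEY": r"sk_(live|test)_.+",
        "INTERNAL_API_SECRET": SECRET_HEX,
        "API_URL": r"https?://.+",
        "NEXT_PUBLIC_API_URL": r"https?://.+",
    },
}
SECRET_LIKE = re.compile(r"^(sk_|whsec_|csk_)")

def check(envs):
    """envs maps service name -> {VAR: value}; findings never echo a value."""
    findings = []
    for svc, rules in RULES.items():
        env = envs.get(svc, {})
        for var, pattern in rules.items():
            value = env.get(var, "")
            if not value:
                findings.append(f"{svc}: {var} is required but unset")
            elif not re.fullmatch(pattern, value):
                findings.append(f"{svc}: {var} does not match the documented format")
        for var, value in env.items():
            # NEXT_PUBLIC_* values are embedded in the browser bundle.
            if var.startswith("NEXT_PUBLIC_") and SECRET_LIKE.match(value):
                findings.append(f"{svc}: {var} holds a secret-looking value")
    api, web = envs.get("api", {}), envs.get("web", {})
    if api.get("INTERNAL_API_SECRET") != web.get("INTERNAL_API_SECRET"):
        findings.append("api/web: INTERNAL_API_SECRET values differ")
    if "postgres:postgres@" in api.get("POSTGRES_URL", ""):
        findings.append("api: POSTGRES_URL uses the Compose default credentials")
    return findings
```

Call `check({"api": {...}, "proxy": {...}, "web": {...}})` with each service's variables, for example in CI before a deploy; an empty list means every check passed.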
