Configuration (environment variables)

Vex Raptor is configured via environment variables (a .env file in development, real environment in production). Copy .env.example to .env and fill in values. Never commit .env.

Core / security

| Variable | Required | Description |
| --- | --- | --- |
| SECRET_KEY | Yes | Signs JWT session tokens. Generate: python -c "import secrets; print(secrets.token_hex(64))" |
| ENVIRONMENT | Prod | dev / staging / prod. Enables fail-closed JWT revocation in prod/staging |
| VEX_LICENSE_KEY | Prod | RS256 license JWT issued by Vex (scripts/issue_license.py). Startup fails without it in prod |
| ALLOWED_ORIGINS | Prod | Comma-separated CORS allow-list. A wildcard * is rejected at startup in prod |
| VIEWER_PASSWORD | Optional | Password for the read-only viewer account |

Startup safety gate

In ENVIRONMENT=prod, insecure flags (wildcard CORS, disabled WS auth, skipped OIDC signature verification, REQUIRE_TARGET_AUTHORIZATION=false, missing/invalid VEX_LICENSE_KEY) block startup by design.
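A pre-deploy check for the prod blockers this page documents, written as an added example (it is not Vex Raptor's own startup code). It covers only the settings the page names a variable for, so WS auth and OIDC verification are left out, and it inspects the license key's JWT header without verifying the signature. The names `jwt_alg`, `preflight` and `SAMPLE_ENV`, and the parsing of booleans as `true`/`false` strings, are assumptions.

```python
import base64
import json


def jwt_alg(token):
    """Return the 'alg' field of a JWT header, or None if the token is malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padding = "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(parts[0] + padding))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return header.get("alg") if isinstance(header, dict) else None


def preflight(env):
    """List documented prod blockers in an env mapping (booleans assumed true/false)."""
    problems = []
    if not env.get("SECRET_KEY"):
        problems.append("SECRET_KEY is required")
    if env.get("ENVIRONMENT", "").strip().lower() != "prod":
        return problems  # the remaining rules are documented for prod only
    origins = [o.strip() for o in env.get("ALLOWED_ORIGINS", "").split(",")]
    if not any(origins):
        problems.append("ALLOWED_ORIGINS is empty")
    elif "*" in origins:
        problems.append("ALLOWED_ORIGINS contains wildcard *")
    if env.get("REQUIRE_TARGET_AUTHORIZATION", "").strip().lower() == "false":
        problems.append("REQUIRE_TARGET_AUTHORIZATION=false")
    if env.get("ALLOW_INTERNAL_SCANNING", "").strip().lower() == "true":
        problems.append("ALLOW_INTERNAL_SCANNING is dev only")
    license_key = env.get("VEX_LICENSE_KEY", "").strip()
    if not license_key:
        problems.append("VEX_LICENSE_KEY is missing")
    elif jwt_alg(license_key) != "RS256":  # structure only, signature not verified
        problems.append("VEX_LICENSE_KEY is not an RS256 JWT")
    return problems


# Constructed sample: a prod environment carrying three of the documented blockers.
SAMPLE_ENV = {"ENVIRONMENT": "prod", "SECRET_KEY": "constructed-placeholder",
              "ALLOWED_ORIGINS": "https://app.example.com, *",
              "REQUIRE_TARGET_AUTHORIZATION": "false"}

if __name__ == "__main__":
    for item in preflight(SAMPLE_ENV):
        print("BLOCKER:", item)
```

In a CI step, pass `os.environ` or a parsed .env mapping to `preflight` and fail the job when the returned list is not empty.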

LLM / AI (for AI depth)

| Variable | Description |
| --- | --- |
| VEX_LLM_PROVIDER | gemini (default) / vertex / bedrock / mistral / ollama |
| GEMINI_API_KEY + GEMINI_MODEL | Google Generative Language API |
| VERTEX_PROJECT_ID / VERTEX_LOCATION | Google Vertex AI |
| AWS_* + BEDROCK_MODEL | Amazon Bedrock |
| MISTRAL_API_KEY + MISTRAL_MODEL | Mistral AI (EU) |
| OLLAMA_MODEL + OLLAMA_BASE_URL | Local model — zero egress (air-gap) |

See Sovereignty for choosing a provider.

Database & queue

| Variable | Description |
| --- | --- |
| DATABASE_URL | PostgreSQL DSN (postgresql+asyncpg://…). Empty → SQLite (sqlite+aiosqlite:///data/vex_raptor.db) |
| POSTGRES_DB / POSTGRES_USER / POSTGRES_PASSWORD / POSTGRES_PORT | Used by Docker Compose |
| REDIS_URL | Redis connection URL |
| REDIS_ENABLED | true routes rate-limit, quota, and shared scan-state through Redis; false → in-memory fallback |
| ARQ_MAX_JOBS / ARQ_JOB_TIMEOUT_S | Background worker concurrency and per-job timeout |

Scanning behavior

| Variable | Description |
| --- | --- |
| REQUIRE_TARGET_AUTHORIZATION | In dev/test: set true to require domain ownership proof. Ignored in prod (always on for external targets) |
| VEX_LICENSE_REQUIRED | Set true in non-prod to require VEX_LICENSE_KEY (mirrors prod licensing in staging labs) |
| RAPTOR_SANDBOX_MODE | Sandbox constraints for the agent |
| OOB_ENABLED | Enable out-of-band confirmation for blind classes (default off) |
| OOB_MODE | local / interactsh / disabled |
| ALLOW_INTERNAL_SCANNING | Dev only — allow scanning private ranges (never in prod) |

Optional enrichment (activate by setting the key)

SHODAN_API_KEY, VIRUSTOTAL_API_KEY, HIBP_API_KEY, OTX_API_KEY, NVD_API_KEY. Each phase degrades gracefully and reports not configured when its key is absent.

Alerts & website (optional)

ALERT_WEBHOOK_URL (Slack/Teams), and the demo-form / transactional email settings (RESEND_API_KEY / SMTP_* / DEMO_EMAIL_TO) used by the marketing site.

Note

This page lists the commonly used variables. The authoritative list is .env.example in the repository — keep them in sync.