Configuration

All configuration is managed through environment variables in the .env file. Copy .env.example to get started:

cp .env.example .env

Required Variables

| Variable | Description | Example |
| --- | --- | --- |
| SECRET_KEY | JWT signing key. Must be set for production — without it, sessions are lost on restart. | python3 -c "import secrets; print(secrets.token_hex(32))" |
| SALIENT_DOMAIN | Your domain name for Caddy auto-TLS. | salient.example.com |

Authentication

GitHub OAuth

| Variable | Description |
| --- | --- |
| GITHUB_CLIENT_ID | OAuth App Client ID |
| GITHUB_CLIENT_SECRET | OAuth App Client Secret |

GitHub OAuth App Setup:

  1. Go to GitHub Settings > Developer settings > OAuth Apps > New OAuth App
  2. Set Homepage URL to https://your-domain.com
  3. Set Authorization callback URL to https://your-domain.com/auth/github/callback
  4. Copy the Client ID and Client Secret to .env

Google OAuth

| Variable | Description |
| --- | --- |
| GOOGLE_CLIENT_ID | OAuth Client ID |
| GOOGLE_CLIENT_SECRET | OAuth Client Secret |

Google OAuth Setup:

  1. Go to Google Cloud Console > APIs & Services > Credentials
  2. Create an OAuth 2.0 Client ID (Web application)
  3. Add https://your-domain.com/auth/google/callback as an authorized redirect URI
  4. Copy the Client ID and Client Secret to .env

Access Control

| Variable | Description | Default |
| --- | --- | --- |
| ALLOWED_EMAILS | Comma-separated email allowlist. Only these emails can create accounts. | Empty (all allowed) |
| FRONTEND_URL | Frontend URL for OAuth redirects. | http://localhost:3000 |

AI Provider

| Variable | Description | Default |
| --- | --- | --- |
| AI_PROVIDER | AI backend: anthropic, openai, google, ollama | None (AI features disabled) |
| ANTHROPIC_API_KEY | Anthropic API key (if using Claude) | None |
| OPENAI_API_KEY | OpenAI API key (if using GPT) | None |
| GOOGLE_AI_API_KEY | Google AI API key (if using Gemini) | None |
| OLLAMA_BASE_URL | Ollama server URL (if using local models) | http://localhost:11434 |

AI is optional

The platform runs fully without an AI key. Scoring uses keyword matching, and playbooks use templates. Add an AI provider when you want contextual scoring and fact mining.

Network & Security

| Variable | Description | Default |
| --- | --- | --- |
| ALLOWED_IPS | Comma-separated IPs allowed through Caddy. | None (all allowed) |
| UPDATE_IP_TOKEN | Token for self-service IP update endpoint. | None |
| CORS_ORIGINS | Allowed CORS origins. | http://localhost:3000 |

Connector Credentials

Okta

| Variable | Description |
| --- | --- |
| OKTA_DOMAIN | Okta tenant domain (e.g., your-org.okta.com) |
| OKTA_API_TOKEN | Okta API token with read permissions |

Entra ID

| Variable | Description |
| --- | --- |
| ENTRA_TENANT_ID | Azure AD tenant ID |
| ENTRA_CLIENT_ID | App registration client ID |
| ENTRA_CLIENT_SECRET | App registration client secret |

Connector credentials via UI

Connector credentials can also be configured through the browser UI setup wizard, which stores them in the database. Environment variables take precedence.

Database

| Variable | Description | Default |
| --- | --- | --- |
| DATABASE_URL | SQLite database path. | sqlite:///data/session_data.db |

The database file is persisted in the data/ directory, which is mounted as a Docker volume in production.

Example Production .env

# Domain & TLS
SALIENT_DOMAIN=salient.example.com
FRONTEND_URL=https://salient.example.com
CORS_ORIGINS=https://salient.example.com

# Security
SECRET_KEY=your-64-char-hex-key
ALLOWED_IPS=203.0.113.50
UPDATE_IP_TOKEN=your-update-token

# Auth
GITHUB_CLIENT_ID=Ov23li...
GITHUB_CLIENT_SECRET=abc123...

# AI (optional)
AI_PROVIDER=anthropic
ANTHROPIC_API_KEY=sk-ant-...
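
A pre-deployment check for the variables documented above, as an added example that is not part of the project's own code: it parses a .env file and flags values that are still at their open or development defaults. The function names, the constructed SAMPLE input and the 64-hex-character SECRET_KEY test (matching the token_hex(32) generator shown under Required Variables) are assumptions of this example.

```python
import re
# Key each AI_PROVIDER value needs; ollama uses OLLAMA_BASE_URL, which has a default.
AI_KEYS = {"anthropic": "ANTHROPIC_API_KEY", "openai": "OPENAI_API_KEY",
           "google": "GOOGLE_AI_API_KEY", "ollama": None}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def audit(env):
    """Return findings for a production deployment (empty list = clean)."""
    findings = []
    # Assumption: the key was generated with secrets.token_hex(32), as the page suggests.
    if not re.fullmatch(r"[0-9a-f]{64}", env.get("SECRET_KEY", "")):
        findings.append("SECRET_KEY is unset or is not a 64-char hex key")
    if not env.get("SALIENT_DOMAIN"):
        findings.append("SALIENT_DOMAIN unset: Caddy auto-TLS needs a domain")
    for var in ("FRONTEND_URL", "CORS_ORIGINS"):
        # Both default to http://localhost:3000 when unset.
        if "http://" in env.get(var, "http://localhost:3000"):
            findings.append(f"{var} is unset or uses plain http")
    if not env.get("ALLOWED_EMAILS"):
        findings.append("ALLOWED_EMAILS empty: any email can create an account")
    if not env.get("ALLOWED_IPS"):
        findings.append("ALLOWED_IPS empty: all IPs are allowed through Caddy")
    provider = env.get("AI_PROVIDER", "")
    if provider and provider not in AI_KEYS:
        findings.append(f"AI_PROVIDER {provider!r} is not a documented backend")
    elif provider and AI_KEYS[provider] and not env.get(AI_KEYS[provider]):
        findings.append(f"AI_PROVIDER={provider} but {AI_KEYS[provider]} is unset")
    return findings

# Constructed sample: a production .env with the placeholder key left in.
SAMPLE = """\
SALIENT_DOMAIN=salient.example.com
FRONTEND_URL=https://salient.example.com
SECRET_KEY=your-64-char-hex-key
ALLOWED_IPS=203.0.113.50
AI_PROVIDER=openai
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_env(SAMPLE))))
```

Point parse_env at the contents of the real .env before bringing the stack up; the check reads only the file, so values supplied through the UI setup wizard are not seen.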
