
Environment Variables

AEGIS uses a single .env file at the repository root. All services load it at startup using python-dotenv. Copy .env.example to get started:

cp .env.example .env

Complete Variable Reference

Database

| Variable | Required | Default | Description |
|---|---|---|---|
| DATABASE_URL | Yes | postgresql://aegis:aegis_local@localhost:5432/aegis | PostgreSQL connection string. Used by all Python services that need database access (orchestration engine, memory service, knowledge graph service, approval service, compliance monitor, flaring monitor). |

Redis

| Variable | Required | Default | Description |
|---|---|---|---|
| REDIS_URL | Yes | redis://localhost:6379 | Redis connection URL. Used by the memory service for working memory (Redis Hash) and the injection ledger (Redis Hash at skill:ledger:{conversation_id}). |

Kafka

| Variable | Required | Default | Description |
|---|---|---|---|
| KAFKA_BOOTSTRAP_SERVERS | Yes | localhost:9092 | Kafka broker address. Used by the ingestion service for publishing entity extraction events. |

LLM Providers

| Variable | Required | Default | Description |
|---|---|---|---|
| OPENAI_API_KEY | Yes | None | OpenAI API key for LLM calls (gpt-4o, gpt-4o-mini) and embeddings (text-embedding-3-small). Required for agent execution and episodic memory. |
| ANTHROPIC_API_KEY | No | None | Anthropic API key. Optional: only needed if routing LLM calls to Claude models via LiteLLM. |
| LITELLM_LOG_LEVEL | No | DEBUG | Log verbosity for the LiteLLM library. Set to INFO or WARNING to reduce noise. |

OPENAI_API_KEY is the only variable you must set manually. Without it, agent execution and episodic memory storage will fail. All other variables have working defaults for local development.

Service Ports

These variables configure which port each service listens on. The defaults match the standard AEGIS port assignments.

| Variable | Required | Default | Description |
|---|---|---|---|
| API_GATEWAY_PORT | No | 8000 | Go API gateway listen port |
| ORCHESTRATION_PORT | No | 8001 | Orchestration engine listen port |
| MEMORY_PORT | No | 8002 | Memory service listen port |
| KNOWLEDGE_GRAPH_PORT | No | 8003 | Knowledge graph service listen port |
| APPROVAL_PORT | No | 8004 | Approval service listen port |
| INGESTION_PORT | No | 8005 | Ingestion service listen port |
| COMPLIANCE_PORT | No | 8006 | Compliance monitor listen port |
| FLARING_PORT | No | 8007 | Flaring monitor listen port |

The auth service always runs on port 8009. Its port is not configurable via environment variable in the current implementation.

Authentication

| Variable | Required | Default | Description |
|---|---|---|---|
| JWT_SECRET | Yes | aegis-local-dev-secret-change-in-production | Secret key for signing and verifying JWT tokens (HS256 algorithm). The auth service uses this to generate tokens, and the gateway uses it to validate them. Must be changed for production. |
| BOOTSTRAP_ADMIN_EMAIL | Yes | admin@aegis.local | Email of the initial admin user seeded by the auth service on startup (if no user with that email exists). |
| BOOTSTRAP_ADMIN_PASSWORD | Yes | aegis-dev-admin | Password for the seeded bootstrap admin. Must be changed for production. |
| HMAC_SIGNING_KEY | Yes | aegis-local-hmac-key-change-in-production | HMAC key used to sign entries in the append-only audit trail. Each audit log row includes an HMAC signature for tamper detection. Must be changed for production. In production, this is managed by HashiCorp Vault. |

Observability

| Variable | Required | Default | Description |
|---|---|---|---|
| LANGFUSE_PUBLIC_KEY | No | None | Langfuse public key for LLM observability tracing. |
| LANGFUSE_SECRET_KEY | No | None | Langfuse secret key. |
| LANGFUSE_HOST | No | https://cloud.langfuse.com | Langfuse server URL. |

Internal Service URLs

These are used by the orchestration engine to call other services. You typically do not need to change these unless running services on non-default ports.

| Variable | Default | Used By |
|---|---|---|
| MEMORY_SERVICE_URL | http://localhost:8002 | Orchestration engine |
| KNOWLEDGE_GRAPH_SERVICE_URL | http://localhost:8003 | Orchestration engine, ingestion service |
| APPROVAL_SERVICE_URL | http://localhost:8004 | Orchestration engine |

Orchestration Engine Tuning

| Variable | Default | Description |
|---|---|---|
| DEFAULT_LLM_MODEL | gpt-4o | Default model for LLM calls when not specified in the request |
| DEFAULT_MAX_TOKENS_PER_EXECUTION | 100000 | Token budget per agent execution |
| DEFAULT_MAX_COST_PER_EXECUTION | 5.0 | Dollar cost budget per agent execution |
| MAX_GRAPH_ITERATIONS | 20 | Maximum number of tool-call loop iterations before forcing output |
| EPISODIC_TOP_K | 3 | Number of episodic memories to retrieve per query |
| R35_INTEGRITY_FAIL_LOUD | true | R35 startup integrity check mode. When true (default since R35 P2), an unresolved agent_definitions.root_skill_key / persona_key fails loudly at deploy rather than at a tester’s first message. The default was false in R35 P1 (warn-not-fail) while the rrc_rule37 / rrc_rule32 skills did not yet exist; R35 P2 seeds those skills and flips the default to true. Override to false only for an environment that has not yet run the P2 seeders. |

Example .env File

    # Database
    DATABASE_URL=postgresql://aegis:aegis_local@localhost:5432/aegis

    # Redis
    REDIS_URL=redis://localhost:6379

    # Kafka
    KAFKA_BOOTSTRAP_SERVERS=localhost:9092

    # LLM Providers (add your keys)
    OPENAI_API_KEY=sk-...
    ANTHROPIC_API_KEY=sk-ant-...
    LITELLM_LOG_LEVEL=DEBUG

    # Service Ports
    API_GATEWAY_PORT=8000
    ORCHESTRATION_PORT=8001
    MEMORY_PORT=8002
    KNOWLEDGE_GRAPH_PORT=8003
    APPROVAL_PORT=8004
    INGESTION_PORT=8005
    COMPLIANCE_PORT=8006
    FLARING_PORT=8007

    # Auth (local dev)
    JWT_SECRET=aegis-local-dev-secret-change-in-production
    BOOTSTRAP_ADMIN_EMAIL=admin@aegis.local
    BOOTSTRAP_ADMIN_PASSWORD=aegis-dev-admin
    HMAC_SIGNING_KEY=aegis-local-hmac-key-change-in-production

    # Observability
    LANGFUSE_PUBLIC_KEY=
    LANGFUSE_SECRET_KEY=
    LANGFUSE_HOST=https://cloud.langfuse.com

Security Notes

Never commit your .env file. The repository .gitignore excludes it. For production deployments, secrets are managed by HashiCorp Vault — never store production keys in environment files.

The following variables contain sensitive values that must be rotated for production:

  • JWT_SECRET — compromised value allows forging authentication tokens
  • BOOTSTRAP_ADMIN_PASSWORD — the default seeds an admin account; set a strong value before deploying
  • HMAC_SIGNING_KEY — compromised value allows forging audit trail signatures
  • OPENAI_API_KEY — compromised value allows unauthorized LLM usage at your cost
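
A pre-deployment check for the four variables above, as an added example (not AEGIS code): it flags values that still match the dev defaults published on this page, obvious placeholders, and signing keys that are too short. The names parse_env and audit_env and the 32-byte floor are assumptions of this example.

```python
# Dev defaults published on this page; any of them in a deployed config is a finding.
PUBLISHED_DEFAULTS = {
    "JWT_SECRET": "aegis-local-dev-secret-change-in-production",
    "BOOTSTRAP_ADMIN_PASSWORD": "aegis-dev-admin",
    "HMAC_SIGNING_KEY": "aegis-local-hmac-key-change-in-production",
}
SECRETS = (*PUBLISHED_DEFAULTS, "OPENAI_API_KEY")
# Assumed floor: RFC 7518 requires HS256 keys of at least 256 bits; applying the
# same floor to HMAC_SIGNING_KEY is this example's choice, not a documented rule.
MIN_KEY_BYTES = 32

def parse_env(text):
    """Minimal KEY=VALUE parser (no inline comments or multi-line values)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop matching surrounding quotes
        env[key.strip().removeprefix("export ").strip()] = value
    return env

def audit_env(env):
    """Return (variable, finding) pairs for the sensitive variables, in SECRETS order."""
    findings = []
    for name in SECRETS:
        value = env.get(name, "")
        if not value:
            findings.append((name, "missing or empty"))
        elif value == PUBLISHED_DEFAULTS.get(name):
            findings.append((name, "published dev default"))
        elif "..." in value or "change-in-production" in value:
            findings.append((name, "placeholder value"))
        elif name in ("JWT_SECRET", "HMAC_SIGNING_KEY") and len(value.encode()) < MIN_KEY_BYTES:
            findings.append((name, f"shorter than {MIN_KEY_BYTES} bytes"))
    return findings

# Constructed sample: the auth and LLM lines of the page's example .env, unchanged.
DEV_ENV = """\
JWT_SECRET=aegis-local-dev-secret-change-in-production
BOOTSTRAP_ADMIN_PASSWORD=aegis-dev-admin
HMAC_SIGNING_KEY=aegis-local-hmac-key-change-in-production
OPENAI_API_KEY=sk-...
"""

if __name__ == "__main__":
    for name, finding in audit_env(parse_env(DEV_ENV)):
        print(f"FAIL {name}: {finding}")
```

Run it in a deploy pipeline against the rendered environment and fail the deploy when the returned list is non-empty.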