Configuration (environment variables)
Vex Raptor is configured via environment variables (a .env file in
development, real environment in production). Copy .env.example to .env and
fill in values. Never commit .env.
Core / security
| Variable | Required | Description |
|---|---|---|
| SECRET_KEY | Yes | Signs JWT session tokens. Generate: python -c "import secrets; print(secrets.token_hex(64))" |
| ENVIRONMENT | Prod | dev / staging / prod. Enables fail-closed JWT revocation in prod/staging |
| VEX_LICENSE_KEY | Prod | RS256 license JWT issued by Vex (scripts/issue_license.py). Startup fails without it in prod |
| ALLOWED_ORIGINS | Prod | Comma-separated CORS allow-list. A wildcard * is rejected at startup in prod |
| VIEWER_PASSWORD | Optional | Password for the read-only viewer account |
Startup safety gate
In ENVIRONMENT=prod, insecure flags (wildcard CORS, disabled WS auth,
skipped OIDC signature verification, REQUIRE_TARGET_AUTHORIZATION=false,
missing/invalid VEX_LICENSE_KEY) block startup by design.
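A pre-deployment check that mirrors the gate above for the settings this page names, as an added example (not Vex Raptor's own startup code). The function names, the accepted boolean spellings and the sample values are assumptions; the license check only inspects the JWT header, and ALLOW_INTERNAL_SCANNING is included because the page marks it dev-only.

```python
import base64
import json
TRUTHY = {"true", "1", "yes", "on"}   # assumption: boolean spellings used in .env
FALSY = {"false", "0", "no", "off"}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, unquoting values."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def jwt_alg(token):
    """Return the alg from a JWT header, or None if the token is malformed."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return None
    try:
        header = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
    except ValueError:
        return None
    return header.get("alg") if isinstance(header, dict) else None

def prod_gate_findings(env):
    """Name the settings the page treats as unsafe when ENVIRONMENT=prod."""
    if env.get("ENVIRONMENT", "").lower() != "prod":
        return []
    origins = [o.strip() for o in env.get("ALLOWED_ORIGINS", "").split(",") if o.strip()]
    checks = [
        ("ALLOWED_ORIGINS", not origins or "*" in origins),
        ("REQUIRE_TARGET_AUTHORIZATION", env.get("REQUIRE_TARGET_AUTHORIZATION", "").lower() in FALSY),
        ("ALLOW_INTERNAL_SCANNING", env.get("ALLOW_INTERNAL_SCANNING", "").lower() in TRUTHY),
        # Shape check only: verifying the signature needs the issuer's public key.
        ("VEX_LICENSE_KEY", jwt_alg(env.get("VEX_LICENSE_KEY", "")) != "RS256"),
    ]
    return [name for name, bad in checks if bad]

# Constructed sample .env (not real values); the license carries an HS256 header.
SAMPLE = """
ENVIRONMENT=prod
ALLOWED_ORIGINS=https://app.example.com, *
REQUIRE_TARGET_AUTHORIZATION=false
VEX_LICENSE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln
"""

if __name__ == "__main__":
    print(prod_gate_findings(parse_env(SAMPLE)))
```

Run it in CI against the environment that will be deployed, and fail the pipeline when the returned list is not empty.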
LLM / AI (for AI depth)
| Variable | Description |
|---|---|
| VEX_LLM_PROVIDER | gemini (default) / vertex / bedrock / mistral / ollama |
| GEMINI_API_KEY + GEMINI_MODEL | Google Generative Language API |
| VERTEX_PROJECT_ID / VERTEX_LOCATION | Google Vertex AI |
| AWS_* + BEDROCK_MODEL | Amazon Bedrock |
| MISTRAL_API_KEY + MISTRAL_MODEL | Mistral AI (EU) |
| OLLAMA_MODEL + OLLAMA_BASE_URL | Local model — zero egress (air-gap) |
See Sovereignty for choosing a provider.
Database & queue
| Variable | Description |
|---|---|
| DATABASE_URL | PostgreSQL DSN (postgresql+asyncpg://…). Empty → SQLite (sqlite+aiosqlite:///data/vex_raptor.db) |
| POSTGRES_DB / POSTGRES_USER / POSTGRES_PASSWORD / POSTGRES_PORT | Used by Docker Compose |
| REDIS_URL | Redis connection URL |
| REDIS_ENABLED | true routes rate-limit, quota, and shared scan-state through Redis; false → in-memory fallback |
| ARQ_MAX_JOBS / ARQ_JOB_TIMEOUT_S | Background worker concurrency and per-job timeout |
Scanning behavior
| Variable | Description |
|---|---|
| REQUIRE_TARGET_AUTHORIZATION | In dev/test: set true to require domain ownership proof. Ignored in prod (always on for external targets) |
| VEX_LICENSE_REQUIRED | Set true in non-prod to require VEX_LICENSE_KEY (mirrors prod licensing in staging labs) |
| RAPTOR_SANDBOX_MODE | Sandbox constraints for the agent |
| OOB_ENABLED | Enable out-of-band confirmation for blind classes (default off) |
| OOB_MODE | local / interactsh / disabled |
| ALLOW_INTERNAL_SCANNING | Dev only — allow scanning private ranges (never in prod) |
Optional enrichment (activate by setting the key)
SHODAN_API_KEY, VIRUSTOTAL_API_KEY, HIBP_API_KEY, OTX_API_KEY,
NVD_API_KEY. Each phase degrades gracefully and reports not configured when
its key is absent.
Alerts & website (optional)
ALERT_WEBHOOK_URL (Slack/Teams), and the demo-form / transactional email
settings (RESEND_API_KEY / SMTP_* / DEMO_EMAIL_TO) used by the marketing
site.
Note
This page lists the commonly used variables. The authoritative list is
.env.example in the repository — keep them in sync.