Overview

PentAGI provides comprehensive security features including SSL/TLS encryption, authentication, OAuth integration, and secrets management. This page covers all security-related configuration options.
Production Security: Change all default passwords, salts, and keys before deploying PentAGI in production environments.

SSL/TLS Configuration

PentAGI uses HTTPS by default with self-signed certificates. Configure custom certificates for production.

Server SSL Settings

SERVER_USE_SSL
boolean
default:"true"
Enable HTTPS for the PentAGI web server
SERVER_USE_SSL=true
SERVER_SSL_CRT
string
Path to custom SSL certificate file inside the container
SERVER_SSL_CRT=/opt/pentagi/ssl/cert.pem
SERVER_SSL_KEY
string
Path to custom SSL private key file inside the container
SERVER_SSL_KEY=/opt/pentagi/ssl/key.pem
PENTAGI_SSL_DIR
string
default:"pentagi-ssl"
Directory path or volume name for SSL certificates on host
PENTAGI_SSL_DIR=./ssl-certs

External SSL Configuration

EXTERNAL_SSL_CA_PATH
string
Path to custom CA certificate for external HTTPS connections
Useful when connecting to internal LLM providers or search engines with self-signed certificates.
EXTERNAL_SSL_CA_PATH=/opt/pentagi/ssl/ca-bundle.crt
EXTERNAL_SSL_INSECURE
boolean
Skip SSL verification for external HTTPS connections
Only use in development. Never enable in production.
EXTERNAL_SSL_INSECURE=false

Custom Certificate Setup

  1. Generate or obtain SSL certificates:
# Option 1: Self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout ssl-certs/key.pem \
  -out ssl-certs/cert.pem \
  -subj "/CN=pentagi.example.com"

# Option 2: Use Let's Encrypt
certbot certonly --standalone -d pentagi.example.com
cp /etc/letsencrypt/live/pentagi.example.com/fullchain.pem ssl-certs/cert.pem
cp /etc/letsencrypt/live/pentagi.example.com/privkey.pem ssl-certs/key.pem
  2. Configure paths in docker-compose.yml:
docker-compose.yml
services:
  pentagi:
    volumes:
      - ./ssl-certs:/opt/pentagi/ssl
    environment:
      - SERVER_SSL_CRT=/opt/pentagi/ssl/cert.pem
      - SERVER_SSL_KEY=/opt/pentagi/ssl/key.pem
  3. Set proper permissions:
chmod 644 ssl-certs/cert.pem
chmod 600 ssl-certs/key.pem

Authentication Configuration

COOKIE_SIGNING_SALT
string
Salt for cookie signing and session security
Change this to a random value in production
COOKIE_SIGNING_SALT=$(openssl rand -hex 32)

Public URL Configuration

PUBLIC_URL
string
default:"https://localhost:8443"
Public URL where PentAGI is accessible
Used for OAuth callbacks and external integrations.
PUBLIC_URL=https://pentagi.example.com
CORS_ORIGINS
string
Allowed CORS origins (comma-separated)
CORS_ORIGINS=https://pentagi.example.com,https://admin.example.com

OAuth Integration

PentAGI supports OAuth authentication with Google and GitHub.

Google OAuth

OAUTH_GOOGLE_CLIENT_ID
string
Google OAuth client ID from Google Cloud Console
OAUTH_GOOGLE_CLIENT_ID=123456789-abc.apps.googleusercontent.com
OAUTH_GOOGLE_CLIENT_SECRET
string
Google OAuth client secret
OAUTH_GOOGLE_CLIENT_SECRET=GOCSPX-abc123...

Google OAuth Setup

  1. Create OAuth 2.0 credentials in Google Cloud Console
  2. Set authorized redirect URI:
    https://pentagi.example.com/auth/google/callback
    
  3. Add client ID and secret to .env
  4. Restart PentAGI

GitHub OAuth

OAUTH_GITHUB_CLIENT_ID
string
GitHub OAuth client ID from GitHub Developer Settings
OAUTH_GITHUB_CLIENT_ID=Iv1.abc123...
OAUTH_GITHUB_CLIENT_SECRET
string
GitHub OAuth client secret
OAUTH_GITHUB_CLIENT_SECRET=abc123def456...

GitHub OAuth Setup

  1. Register a new OAuth app in GitHub Developer Settings
  2. Set authorization callback URL:
    https://pentagi.example.com/auth/github/callback
    
  3. Add client ID and secret to .env
  4. Restart PentAGI

Secrets Management

All sensitive credentials should be changed from defaults before production deployment.

Database Credentials

PentAGI PostgreSQL:
PENTAGI_POSTGRES_USER
string
default:"postgres"
PostgreSQL username for PentAGI database
PENTAGI_POSTGRES_PASSWORD
string
default:"postgres"
PostgreSQL password for PentAGI database
Change this default value
PENTAGI_POSTGRES_PASSWORD=$(openssl rand -base64 32)
PENTAGI_POSTGRES_DB
string
default:"pentagidb"
PostgreSQL database name
Neo4j (Graphiti):
NEO4J_USER
string
default:"neo4j"
Neo4j database username
NEO4J_PASSWORD
string
default:"devpassword"
Neo4j database password
Change this default value
NEO4J_PASSWORD=$(openssl rand -base64 32)

Scraper Service Credentials

LOCAL_SCRAPER_USERNAME
string
default:"someuser"
Username for scraper basic authentication
Change this default value
LOCAL_SCRAPER_PASSWORD
string
default:"somepass"
Password for scraper basic authentication
Change this default value
LOCAL_SCRAPER_PASSWORD=$(openssl rand -base64 24)
SCRAPER_PRIVATE_URL
string
default:"https://someuser:somepass@scraper/"
Private URL with embedded credentials for scraper access
Update to match username and password:
SCRAPER_PRIVATE_URL=https://newuser:newpass@scraper/

Langfuse Security

See Observability Configuration for Langfuse security settings including:
  • LANGFUSE_POSTGRES_PASSWORD
  • LANGFUSE_CLICKHOUSE_PASSWORD
  • LANGFUSE_REDIS_AUTH
  • LANGFUSE_S3_ACCESS_KEY_ID
  • LANGFUSE_S3_SECRET_ACCESS_KEY
  • LANGFUSE_SALT
  • LANGFUSE_ENCRYPTION_KEY
  • LANGFUSE_NEXTAUTH_SECRET
  • LANGFUSE_INIT_USER_PASSWORD

Security Best Practices

Generate Strong Secrets

Use cryptographically secure random values for all secrets:
# Generate random passwords
openssl rand -base64 32

# Generate hex keys
openssl rand -hex 32

# Generate alphanumeric strings
openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | head -c 32

Environment File Security

  1. Restrict permissions:
    chmod 600 .env
    
  2. Never commit .env to version control:
    .gitignore
    .env
    .env.local
    .env.*.local
    
  3. Use environment-specific files:
    .env.development
    .env.staging
    .env.production
    

Docker Security

DOCKER_HOST
string
default:"unix:///var/run/docker.sock"
Docker host connection
For remote Docker:
DOCKER_HOST=tcp://remote-host:2376
DOCKER_TLS_VERIFY
boolean
Enable TLS verification for remote Docker
DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH
string
Path to Docker TLS certificates inside container
DOCKER_CERT_PATH=/opt/pentagi/docker/ssl
PENTAGI_DOCKER_CERT_PATH
string
default:"./docker-ssl"
Path to Docker TLS certificates on host

Network Security

Isolated Networks: PentAGI uses separate Docker networks for isolation:
  • pentagi-network: Core PentAGI services
  • langfuse-network: Langfuse observability stack
  • observability-network: Grafana monitoring stack
Firewall Configuration: Restrict access to PentAGI ports:
# Allow only from specific IP
sudo ufw allow from 192.168.1.0/24 to any port 8443

# Or use SSH tunnel
ssh -L 8443:localhost:8443 user@pentagi-server

Production Security Checklist

  1. Change Default Passwords: update all default database passwords, scraper credentials, and admin passwords
  2. Generate Secure Keys: generate random values for:
    • COOKIE_SIGNING_SALT
    • LANGFUSE_SALT
    • LANGFUSE_ENCRYPTION_KEY
    • LANGFUSE_NEXTAUTH_SECRET
  3. Configure SSL Certificates: use valid SSL certificates from a trusted CA or Let’s Encrypt
  4. Set Public URLs: configure PUBLIC_URL and CORS_ORIGINS with production domains
  5. Enable OAuth: configure Google or GitHub OAuth for secure authentication
  6. Restrict File Permissions: set .env to 600 and SSL keys to 600
  7. Configure Firewall: restrict access to PentAGI ports using firewall rules
  8. Enable Docker TLS: if using remote Docker, enable TLS verification
  9. Regular Updates: keep PentAGI and all dependencies up to date
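An added audit script, not part of the PentAGI project, that checks an existing .env against the checklist above: file mode 600, none of the shipped default credentials this page documents, no unexpanded $(openssl ...) placeholders, EXTERNAL_SSL_INSECURE not enabled and an HTTPS PUBLIC_URL. It assumes bash and a GNU or BSD stat.

```shell
#!/usr/bin/env bash
# Added example, not PentAGI project code: audit an .env file against the
# production checklist. The default values it looks for are the ones this
# page documents; assumes bash and GNU or BSD stat.
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Returns 0 when every check passes, otherwise the number of findings.
check_env() {
  local file="$1" fails=0 mode line key val
  # Checklist item 6: the file must be readable by its owner only.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  [ "$mode" = "600" ] || fail "$file mode is $mode, want 600"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    key=${line%%=*}; val=${line#*=}
    case "$key=$val" in
      PENTAGI_POSTGRES_PASSWORD=postgres) fail "$key still has the shipped default" ;;
      NEO4J_PASSWORD=devpassword)         fail "$key still has the shipped default" ;;
      LOCAL_SCRAPER_USERNAME=someuser)    fail "$key still has the shipped default" ;;
      LOCAL_SCRAPER_PASSWORD=somepass)    fail "$key still has the shipped default" ;;
      SCRAPER_PRIVATE_URL=*someuser:somepass@*) fail "$key still embeds the default credentials" ;;
      EXTERNAL_SSL_INSECURE=true)         fail "$key disables TLS verification (development only)" ;;
      PUBLIC_URL=http://*)                fail "PUBLIC_URL is not HTTPS" ;;
      # Docker Compose reads .env literally, so a $(...) here was never generated.
      *='$('*)                            fail "$key holds an unexpanded \$(...) instead of a value" ;;
      COOKIE_SIGNING_SALT=|*_PASSWORD=|*_SECRET=) fail "$key is empty" ;;
    esac
  done < "$file"
  return "$fails"
}
```

Run it as `check_env .env`; the exit status is the number of findings, so it can gate a deployment script.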

Complete Security Configuration Example

.env
# NOTE: Docker Compose reads .env literally and does not run commands, so every
# $(openssl ...) below stands for a value you generate in a shell first and paste in.
# SSL/TLS Configuration
SERVER_USE_SSL=true
SERVER_SSL_CRT=/opt/pentagi/ssl/cert.pem
SERVER_SSL_KEY=/opt/pentagi/ssl/key.pem
PENTAGI_SSL_DIR=./ssl-certs

# Authentication
COOKIE_SIGNING_SALT=$(openssl rand -hex 32)
PUBLIC_URL=https://pentagi.example.com
CORS_ORIGINS=https://pentagi.example.com

# OAuth
OAUTH_GOOGLE_CLIENT_ID=123456789-abc.apps.googleusercontent.com
OAUTH_GOOGLE_CLIENT_SECRET=GOCSPX-abc123...
OAUTH_GITHUB_CLIENT_ID=Iv1.abc123...
OAUTH_GITHUB_CLIENT_SECRET=abc123def456...

# Database Security
PENTAGI_POSTGRES_PASSWORD=$(openssl rand -base64 32)
NEO4J_PASSWORD=$(openssl rand -base64 32)

# Scraper Security
LOCAL_SCRAPER_USERNAME=secure_user
LOCAL_SCRAPER_PASSWORD=$(openssl rand -base64 24)
# Must embed the same password as LOCAL_SCRAPER_PASSWORD (percent-encode it if it contains / + = or @)
SCRAPER_PRIVATE_URL=https://secure_user:<same-password-as-LOCAL_SCRAPER_PASSWORD>@scraper/

# Docker TLS (if using remote Docker)
DOCKER_HOST=tcp://docker.example.com:2376
DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH=/opt/pentagi/docker/ssl
PENTAGI_DOCKER_CERT_PATH=./docker-ssl

# Langfuse Security
LANGFUSE_POSTGRES_PASSWORD=$(openssl rand -base64 32)
LANGFUSE_CLICKHOUSE_PASSWORD=$(openssl rand -base64 32)
LANGFUSE_REDIS_AUTH=$(openssl rand -base64 32)
LANGFUSE_S3_ACCESS_KEY_ID=$(openssl rand -base64 24)
LANGFUSE_S3_SECRET_ACCESS_KEY=$(openssl rand -base64 32)
LANGFUSE_SALT=$(openssl rand -hex 16)
LANGFUSE_ENCRYPTION_KEY=$(openssl rand -hex 32)
LANGFUSE_NEXTAUTH_SECRET=$(openssl rand -hex 32)
LANGFUSE_INIT_USER_PASSWORD=$(openssl rand -base64 24)
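An added generator script, not part of the PentAGI project, that ties the "Generate Strong Secrets" commands to the .env example above: each secret is generated once by the shell (Docker Compose reads .env literally and does not expand $(...)), the file is created with mode 600, and SCRAPER_PRIVATE_URL embeds the same password as LOCAL_SCRAPER_PASSWORD after percent-encoding it. It assumes bash and openssl; the username `scraper` and the subset of variables written are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not PentAGI project code: generate the secrets from the
# "Generate Strong Secrets" section once, then write an .env whose
# SCRAPER_PRIVATE_URL embeds the same password as LOCAL_SCRAPER_PASSWORD.
# Assumes bash and openssl.
set -euo pipefail

# Percent-encode everything outside the URL "unreserved" set, so a base64
# password containing / + = or @ is safe inside the userinfo part of a URL.
urlencode() {
  local s="$1" out="" c i
  for ((i = 0; i < ${#s}; i++)); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9._~-]) out+="$c" ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# SCRAPER_PRIVATE_URL built from the scraper username and password.
scraper_url() {
  printf 'https://%s:%s@scraper/' "$(urlencode "$1")" "$(urlencode "$2")"
}

# Write the secrets to $1 (created 0600 via umask). $2/$3 override the
# scraper username/password; by default the password is generated here.
write_env() {
  local out="$1" user="${2:-scraper}" pass="${3:-$(openssl rand -base64 24)}"
  umask 077
  {
    printf 'COOKIE_SIGNING_SALT=%s\n'       "$(openssl rand -hex 32)"
    printf 'PENTAGI_POSTGRES_PASSWORD=%s\n' "$(openssl rand -base64 32)"
    printf 'NEO4J_PASSWORD=%s\n'            "$(openssl rand -base64 32)"
    printf 'LOCAL_SCRAPER_USERNAME=%s\n'    "$user"
    printf 'LOCAL_SCRAPER_PASSWORD=%s\n'    "$pass"
    printf 'SCRAPER_PRIVATE_URL=%s\n'       "$(scraper_url "$user" "$pass")"
  } > "$out"
}
```

Call `write_env .env` and merge the result into the full configuration; the remaining Langfuse and OAuth values follow the same pattern.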

Next Steps

  • Configuration Overview: return to the configuration overview
  • LLM Providers: configure AI providers
  • Observability: set up monitoring
  • Deployment Guide: deploy PentAGI securely
