Configuration
All environment variables, feature flags, and auth modes
All configuration is via environment variables, prefixed with EPISTOM_. Create .env.local from the template:
LLM Provider
| Variable | Default | Description |
|---|---|---|
| EPISTOM_LLM_PROVIDER | anthropic | Provider: anthropic, openai, bedrock, ollama |
| EPISTOM_LLM_MODEL_ID | claude-sonnet-4-5 | Model identifier |
| EPISTOM_ANTHROPIC_API_KEY | — | Anthropic API key |
| EPISTOM_OPENAI_API_KEY | — | OpenAI API key |
| EPISTOM_AWS_REGION | us-east-1 | AWS region for Bedrock |
| EPISTOM_AWS_PROFILE | — | AWS profile for Bedrock |
| EPISTOM_OLLAMA_BASE_URL | http://localhost:11434 | Ollama server URL |
Database
| Variable | Default | Description |
|---|---|---|
| EPISTOM_DATABASE_URL | — | PostgreSQL connection string |
| EPISTOM_POSTGRES_HOST | localhost | Database host (alternative to URL) |
| EPISTOM_POSTGRES_PORT | 5432 | Database port |
| EPISTOM_POSTGRES_USER | epistom | Database user |
| EPISTOM_POSTGRES_PASSWORD | epistom | Database password |
| EPISTOM_POSTGRES_DB | epistom | Database name |
Triplestore
| Variable | Default | Description |
|---|---|---|
| EPISTOM_OXIGRAPH_ENDPOINT | http://localhost:7878 | Oxigraph SPARQL endpoint |
| EPISTOM_NEPTUNE_SPARQL_ENDPOINT | — | AWS Neptune endpoint (production alternative) |
Authentication
| Variable | Default | Description |
|---|---|---|
| EPISTOM_AUTH_DISABLED | false | Disable all auth (local dev only) |
| EPISTOM_AUTH_MODE | production | Auth mode: production, demo |
| EPISTOM_JWT_SECRET | — | JWT signing secret (256-bit hex) |
| EPISTOM_DEMO_JWT_SECRET | — | Demo mode JWT secret |
| EPISTOM_COOKIE_DOMAIN | — | Cookie domain for JWT |
| EPISTOM_BASE_URL | — | Base URL for auth redirects |
| EPISTOM_AZURE_AD_TENANT_ID | — | Azure AD tenant for SSO |
| EPISTOM_AZURE_AD_CLIENT_ID | — | Azure AD client ID |
Security
| Variable | Default | Description |
|---|---|---|
| EPISTOM_ENCRYPTION_KEY | — | Fernet key for credential encryption |
| EPISTOM_AEGIS_SIGNING_KEY | — | Ed25519 private key for attestation signing |
| EPISTOM_AUDIT_HMAC_SECRET | — | HMAC secret for audit log tamper detection |
| EPISTOM_CORS_ALLOWED_ORIGINS | — | Comma-separated CORS origins |
Query Safety
| Variable | Default | Description |
|---|---|---|
| EPISTOM_MAX_QUERY_ROWS | 1000 | Maximum rows returned per query |
| EPISTOM_QUERY_TIMEOUT_SECONDS | 300 | Query execution timeout |
| EPISTOM_SQL_READONLY | true | Prevent LLM-generated SQL from writing |
Rate Limiting
| Variable | Default | Description |
|---|---|---|
| EPISTOM_RATE_LIMIT | 100 | Requests per minute (0 = disabled) |
| EPISTOM_RATE_LIMIT_REDIS_URL | — | Redis URL for shared counters across pods |
Observability
| Variable | Default | Description |
|---|---|---|
| EPISTOM_OTLP_ENDPOINT | — | OpenTelemetry gRPC endpoint for tracing |
Feature Flags
| Variable | Default | Description |
|---|---|---|
| EPISTOM_REGISTRATION_OPEN | true | Allow new user registration |
| EPISTOM_TRINO_ENABLED | false | Enable Trino cross-source federation |
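
The values in the Database, Authentication, Security, Query Safety and Rate Limiting tables can be checked before a deployment. The following is an added example, not part of Epistom's own code: `audit_config`, the accepted boolean spellings and the rules themselves (for instance that EPISTOM_JWT_SECRET is required in production auth mode, and that EPISTOM_DATABASE_URL takes precedence over the EPISTOM_POSTGRES_* variables) are assumptions, and the sample environments are constructed.

```python
import base64
import re
import secrets
from urllib.parse import urlsplit

TRUTHY = {"1", "true", "yes", "on"}  # assumed boolean spellings

def _on(env, name, default):
    return env.get(name, default).strip().lower() in TRUTHY

def _is_fernet_key(value):
    # A Fernet key is 32 bytes, URL-safe base64 encoded: 43 characters plus "=".
    return bool(re.fullmatch(r"[A-Za-z0-9_-]{43}=", value)) and \
        len(base64.urlsafe_b64decode(value)) == 32

def audit_config(env):
    """Return findings for a mapping of EPISTOM_* values (hypothetical helper)."""
    findings = []
    if _on(env, "EPISTOM_AUTH_DISABLED", "false"):
        findings.append("EPISTOM_AUTH_DISABLED: all auth is off (local dev only)")
    elif env.get("EPISTOM_AUTH_MODE", "production") == "production":
        # Documented format: 256-bit hex, i.e. exactly 64 hex digits.
        if not re.fullmatch(r"[0-9a-fA-F]{64}", env.get("EPISTOM_JWT_SECRET", "")):
            findings.append("EPISTOM_JWT_SECRET: missing or not 256-bit hex")
    key = env.get("EPISTOM_ENCRYPTION_KEY")
    if key is not None and not _is_fernet_key(key):
        findings.append("EPISTOM_ENCRYPTION_KEY: not a valid Fernet key")
    # The documented default password also counts when embedded in the URL.
    url = env.get("EPISTOM_DATABASE_URL")
    password = urlsplit(url).password if url else env.get("EPISTOM_POSTGRES_PASSWORD", "epistom")
    if password == "epistom":
        findings.append("EPISTOM_POSTGRES_PASSWORD: documented default in use")
    if not _on(env, "EPISTOM_SQL_READONLY", "true"):
        findings.append("EPISTOM_SQL_READONLY: LLM-generated SQL may write")
    if env.get("EPISTOM_RATE_LIMIT", "100").strip() == "0":
        findings.append("EPISTOM_RATE_LIMIT: rate limiting is disabled")
    return findings

# Constructed sample environments, not taken from a real deployment.
LOCAL_DEV = {"EPISTOM_AUTH_DISABLED": "true", "EPISTOM_RATE_LIMIT": "0"}
HARDENED = {
    "EPISTOM_JWT_SECRET": secrets.token_hex(32),
    "EPISTOM_ENCRYPTION_KEY": base64.urlsafe_b64encode(secrets.token_bytes(32)).decode(),
    "EPISTOM_DATABASE_URL": f"postgresql://epistom:{secrets.token_urlsafe(24)}@db.example.internal/epistom",
}

if __name__ == "__main__":
    for label, env in (("local dev", LOCAL_DEV), ("hardened", HARDENED)):
        print(label, audit_config(env) or "no findings")
```

Running a check like this in CI or a container entrypoint against the rendered environment catches local-dev settings before they reach a shared deployment.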