Self-Hosting
Configuration reference
All environment variables for backend/.env. Copy backend/.env.example as a starting point.
Backend
| Variable | Required | Description |
| --- | --- | --- |
| H4CKBOT_LICENSE_KEY | required | Licence key for the h4ckbot model. Obtained after access approval. |
| JWT_SECRET | required | Secret used to sign session tokens. Generate with python -c 'import secrets; print(secrets.token_hex(32))' |
| DATABASE_URL | required | PostgreSQL connection string. Use the internal Docker hostname: postgresql+asyncpg://postgres:password@postgres:5432/pentest_ai |
| REDIS_URL | required | Redis connection string. Internal: redis://redis:6379/0 |
| COOKIE_SECURE | required | Set to true in production. Ensures the session cookie is only sent over HTTPS. |
| APP_BASE_URL | required | Full URL of your instance, e.g. https://ai.example.com. Used in verification emails. |
| ENVIRONMENT | required | Set to production for production deploys. |
| RESEND_API_KEY | required | Resend API key for transactional email (verification, password reset). |
| EMAIL_FROM | required | From address for outbound email, e.g. noreply@example.com. |
| POSTGRES_USER | optional | Database user. Defaults to postgres. |
| POSTGRES_PASSWORD | optional | Database password. Defaults to postgres — change this in production. |
| POSTGRES_DB | optional | Database name. Defaults to pentest_ai. |
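A pre-deploy check for the backend variables above, as an added example that is not part of the project's own code. The function names, the 64-character threshold for JWT_SECRET, the https check on APP_BASE_URL and the sample file contents are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REQUIRED = ["H4CKBOT_LICENSE_KEY", "JWT_SECRET", "DATABASE_URL", "REDIS_URL", "COOKIE_SECURE",
            "APP_BASE_URL", "ENVIRONMENT", "RESEND_API_KEY", "EMAIL_FROM"]
WEAK_DB_PASSWORDS = {"", "postgres", "password"}  # empty, documented default, sample value

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments and stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def audit_env(text):
    """Return a list of findings for a production backend/.env (hypothetical helper)."""
    env = parse_env(text)
    findings = [f"{k}: required but missing or empty" for k in REQUIRED if not env.get(k)]
    # Assumption: shorter than secrets.token_hex(32) output (64 chars) counts as weak.
    if 0 < len(env.get("JWT_SECRET", "")) < 64:
        findings.append("JWT_SECRET: shorter than 64 characters")
    if env.get("ENVIRONMENT") == "production":
        if env.get("COOKIE_SECURE", "").lower() != "true":
            findings.append("COOKIE_SECURE: must be true in production")
        # Assumption: a Secure session cookie needs the instance served over https.
        if not env.get("APP_BASE_URL", "").startswith("https://"):
            findings.append("APP_BASE_URL: not an https:// URL")
    if env.get("POSTGRES_PASSWORD", "postgres") in WEAK_DB_PASSWORDS:
        findings.append("POSTGRES_PASSWORD: unset, default or sample value")
    if (u := env.get("DATABASE_URL")) and (urlsplit(u).password or "") in WEAK_DB_PASSWORDS:
        findings.append("DATABASE_URL: empty, default or sample password")
    return findings

# Constructed sample input, not a real deployment's file.
SAMPLE_ENV = """\
H4CKBOT_LICENSE_KEY=PLACEHOLDER-LICENCE-KEY
JWT_SECRET=changeme
DATABASE_URL=postgresql+asyncpg://postgres:password@postgres:5432/pentest_ai
REDIS_URL=redis://redis:6379/0
COOKIE_SECURE=false
APP_BASE_URL=http://ai.example.com
ENVIRONMENT=production
"""

if __name__ == "__main__":
    print("\n".join(audit_env(SAMPLE_ENV)))
```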
Frontend build args
These are baked in at build time. Set them in your shell or .env before running docker compose up --build.
| Variable | Required | Description |
| --- | --- | --- |
| NEXT_PUBLIC_PERSONA_NAME | optional | Display name shown in the navbar. Defaults to h4ckbot. |
| NEXT_PUBLIC_PLAUSIBLE_DOMAIN | optional | Domain for Plausible analytics. Leave blank to disable analytics. |
| BACKEND_INTERNAL_URL | optional | Internal URL the Next.js server uses to reach the backend. Defaults to http://backend:8000. |