Authentication

A cornerstone of the Enterprise edition is its ability to integrate with centralized secret managers, eliminating the need for static credentials stored in local or .env files. The server dynamically fetches database credentials and API keys at startup, ensuring a secure and compliant operational posture.

Key Features

Multi-layered Authentication: JWT-based authentication (HS256/RS256) with bcrypt password hashing
Adaptive Architecture: Intelligent tool registration based on service availability
Role-Based Access Control (RBAC): Fine-grained permission management
Multiple Deployment Modes: Standalone, 1Password, Local Vault, and HCP Vault
Database-Enforced User Validation: Shared database ensures only registered users can access services

Authentication Flow

1. User Registration

3. Authenticated Request

Deployment Modes

1. Standalone

Purpose: Simple deployment with direct environment variables

Configuration: Direct environment variables

Key Settings:

# Direct values in config file
DB_HOST=localhost
DB_PASSWORD=your_password
SECRET_KEY=your_secret_key
JWT_SECRET_KEY=your_jwt_secret
GEMINI_API_KEY=your_api_key

When to Use: Development, testing, small deployments, No external secret management available

Startup:

# RAG API
rag-api.exe --config=config.env.secure.local

# MCP Server
$env:MCP_CONFIG="config.env.secure.local"
mcp-server.exe

2. 1Password

Purpose: Secure secret management using 1Password CLI

Configuration: op:// secret references

Key Settings:

# 1Password references
DB_USER=op://Employee/RAG-Database/username
DB_PASSWORD=op://Employee/RAG-Database/password
SECRET_KEY=op://Employee/RAG-Security/secret-key
JWT_SECRET_KEY=op://Employee/RAG-Security/jwt-secret
GEMINI_API_KEY=op://Employee/RAG-API-Keys/gemini

Prerequisites:

Install 1Password CLI
Authenticate: op signin
Create vault and items with required secrets

Startup:

# RAG API
op run --env-file=config.env.1password.employee -- rag-api.exe

# MCP Server
op run --env-file=config.env.1password.employee -- mcp-server.exe

When to Use: Team environments, shared secrets, Production

3. Local Vault

Purpose: Development with local HashiCorp Vault

Configuration: Local Vault server

Key Settings:

# Vault Configuration
VAULT_ADDR=http://127.0.0.1:8200
VAULT_TOKEN=rag-root-token
VAULT_SKIP_VERIFY=true
VAULT_SECRET_PATH=rag-in-a-box
VAULT_MOUNT_POINT=secret

Setup:

# Start Vault in dev mode
vault server -dev -dev-root-token-id="rag-root-token"

# Store secrets
vault kv put secret/rag-in-a-box/database \
    DB_USER=root \
    DB_PASSWORD=Password123! \
    DB_NAME=kb_chunks

vault kv put secret/rag-in-a-box/security \
    SECRET_KEY=your_secret_key \
    JWT_SECRET_KEY=your_jwt_secret

vault kv put secret/rag-in-a-box/api-keys \
    GEMINI_API_KEY=your_api_key

Startup:

# RAG API
rag-api.exe --config=config.env.vault.local

# MCP Server
$env:MCP_CONFIG="config.env.vault.local"
mcp-server.exe

When to Use: Development, Production with proper vault setup

4. HCP Vault

Purpose: Production deployment with HashiCorp Cloud Platform Vault

Configuration: HCP Vault cluster

Key Settings:

# HCP Vault Configuration
VAULT_ADDR=https://your-vault-cluster.hashicorp.cloud:8200
VAULT_NAMESPACE=admin
VAULT_SKIP_VERIFY=false
VAULT_SECRET_PATH=rag-in-a-box
VAULT_MOUNT_POINT=secret

# AppRole Authentication
VAULT_ROLE_ID=your-vault-role-id
VAULT_SECRET_ID=your-vault-secret-id

Setup:

Create HCP Vault cluster
Configure AppRole authentication
Create policies for application access
Store secrets in Vault
Generate role_id and secret_id

Startup:

# RAG API
rag-api.exe --config=config.env.hcp.live

# MCP Server
$env:MCP_CONFIG="config.env.hcp.live"
mcp-server.exe

When to Use: Production, enterprise deployments

PreviousFeatures NextToken Management

Last updated 1 month ago

Was this helpful?

Good night

Key Features

Authentication Flow

1. User Registration

2. User Login

3. Authenticated Request

Deployment Modes

1. Standalone

2. 1Password

3. Local Vault

4. HCP Vault