Configuration

All Admina settings are configured via admina.yaml (v2.0) or environment variables. Secrets are auto-generated on first launch and stored in an encrypted vault (.admina/secrets.json). The defaults are tuned so that a fresh install lands in the OISG adequate band out of the box; turning any capability off immediately lowers the score. There are three supported bootstrap paths:

# 1. CLI (recommended)
admina init my-project
admina dev

# 2. Docker Compose without the CLI
./scripts/bootstrap-secrets.sh   # writes random creds to .env
docker compose up --build

# 3. Manual
cp .env.example .env                # then fill in values

Authentication

Admina ships with dashboard authentication enabled by default. Two credentials drive the platform:

  • ADMINA_API_KEY: protects every governance endpoint. /health and /docs (OpenAPI) remain public.
  • ADMINA_DASHBOARD_PASSWORD: shared login for the React dashboard, Grafana, MinIO, and ClickHouse.

Both can be managed via the CLI:

admina password show      # display current credentials
admina password reset     # regenerate all credentials
admina password set       # set a custom password

Include the API key in every request to a protected endpoint:

# Via header
curl http://localhost:8080/api/stats \
  -H "X-API-Key: $ADMINA_API_KEY"

# Via Bearer token
curl http://localhost:8080/api/stats \
  -H "Authorization: Bearer $ADMINA_API_KEY"

For local development only, set ALLOW_UNAUTHENTICATED=true to disable auth. A warning is logged at startup. The docker-compose default is false.

All variables

Proxy & Upstream

| Variable | Default | Description |
| --- | --- | --- |
| UPSTREAM_MCP_URL | - | Default upstream MCP server URL |
| CORS_ORIGINS | http://localhost:3000 | Comma-separated allowed CORS origins |
| LOG_LEVEL | INFO | Logging verbosity: DEBUG, INFO, WARNING, ERROR |
| ROUTING_CONFIG_PATH | - | Path to multi-upstream routing config (OpenClaw mode) |

Authentication

| Variable | Default | Description |
| --- | --- | --- |
| ADMINA_API_KEY | - | API key for all endpoints. Auto-generated by the vault or bootstrap-secrets.sh |
| ADMINA_DASHBOARD_PASSWORD | - | Shared password for dashboard, Grafana, MinIO, and ClickHouse UIs |
| ALLOW_UNAUTHENTICATED | false | Set true only for local development; bypasses the API key check |

Storage: Redis

| Variable | Default | Description |
| --- | --- | --- |
| REDIS_URL | redis://localhost:6379/0 | Redis connection URL: session state, rate limiting, hash chain |

Storage: MinIO (Forensic Black Box)

| Variable | Default | Description |
| --- | --- | --- |
| MINIO_ENDPOINT | localhost:9000 | MinIO or S3-compatible endpoint |
| MINIO_ACCESS_KEY | admina | MinIO access key |
| MINIO_SECRET_KEY | admina-secret-key | MinIO secret key. Change in production. |
| MINIO_BUCKET | forensic-blackbox | S3 bucket name for forensic records |
| MINIO_SECURE | false | Enable TLS for MinIO. Set true in production |

Storage: ClickHouse

| Variable | Default | Description |
| --- | --- | --- |
| CLICKHOUSE_HOST | localhost | ClickHouse host for analytics |
| CLICKHOUSE_PORT | 8123 | ClickHouse HTTP port |
| CLICKHOUSE_DB | admina | ClickHouse database name |
| CLICKHOUSE_PASSWORD | - | ClickHouse password. Change in production. |

Telemetry: OpenTelemetry

| Variable | Default | Description |
| --- | --- | --- |
| OTEL_ENDPOINT | http://localhost:4317 | OTLP gRPC collector endpoint |

Governance Domains

| Variable | Default | Description |
| --- | --- | --- |
| ADMINA_DOMAINS | data_sovereignty,agent_security,compliance | Comma-separated active governance domains. Add ai_infra to enable AI Infrastructure |

Rate Limiting

| Variable | Default | Description |
| --- | --- | --- |
| RATE_LIMIT_MAX_REQUESTS | 100 | Max requests per session per window |
| RATE_LIMIT_WINDOW_SECONDS | 60 | Rate limit window in seconds |

Governance Thresholds: Loop Breaker

| Variable | Default | Description |
| --- | --- | --- |
| LOOP_WINDOW_SIZE | 10 | Number of past requests to compare for loop detection |
| LOOP_SIMILARITY_THRESHOLD | 0.85 | Cosine similarity threshold (0.0–1.0) to trigger loop detection |

Storage: Grafana

| Variable | Default | Description |
| --- | --- | --- |
| GRAFANA_ADMIN_PASSWORD | admin | Grafana admin password. Change in production. |

CLI

| Variable | Default | Description |
| --- | --- | --- |
| ADMINA_CONFIG_PATH | admina.yaml | Path to the admina.yaml configuration file |

Docker Compose environment

When using the included docker-compose.yml, run ./scripts/bootstrap-secrets.sh to generate all secrets at once. The script writes random values to .env and is idempotent; rerun with --force to regenerate.

./scripts/bootstrap-secrets.sh
docker compose up --build

# Credentials are printed in the proxy startup banner and stored in .env:
ADMINA_API_KEY=<random 32-byte hex>
ADMINA_DASHBOARD_PASSWORD=<random 20-char>
CLICKHOUSE_PASSWORD=<random>
MINIO_SECRET_KEY=<random>
GRAFANA_ADMIN_PASSWORD=<random>

Production checklist

  • Run bootstrap-secrets.sh (or let the CLI vault generate them); never commit .env
  • Leave ALLOW_UNAUTHENTICATED at its false default
  • Set MINIO_SECURE=true if using a remote MinIO/S3
  • Configure CORS_ORIGINS to your actual frontend domains (the proxy warns on wildcard)
  • Set LOG_LEVEL=WARNING to reduce log volume
  • Point OTEL_ENDPOINT to your observability platform
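
The checklist above can be enforced before deployment. The following is an added example, not part of Admina or its documentation: it audits a .env file against the checklist using the defaults from the variables table. Treating only a case-insensitive "true" as enabled and treating any MinIO host other than localhost/127.0.0.1 as remote are assumptions, and SAMPLE_ENV is constructed.

```python
# Added example: audit an Admina .env against this page's production checklist.
# Defaults are copied from the variables table; boolean parsing is an assumption.
DEFAULTS = {
    "ALLOW_UNAUTHENTICATED": "false", "MINIO_ENDPOINT": "localhost:9000",
    "MINIO_SECRET_KEY": "admina-secret-key", "MINIO_SECURE": "false",
    "GRAFANA_ADMIN_PASSWORD": "admin", "CORS_ORIGINS": "http://localhost:3000",
}
REQUIRED = ("ADMINA_API_KEY", "ADMINA_DASHBOARD_PASSWORD", "CLICKHOUSE_PASSWORD")
SHIPPED_SECRETS = ("MINIO_SECRET_KEY", "GRAFANA_ADMIN_PASSWORD")

# Constructed sample input, not output from a real deployment.
SAMPLE_ENV = """\
# staging overrides
ADMINA_API_KEY=0f3c-constructed-sample
ADMINA_DASHBOARD_PASSWORD="constructed-sample"
ALLOW_UNAUTHENTICATED=True
MINIO_ENDPOINT=minio.example.internal:9000
CORS_ORIGINS=https://app.example.com, *
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def audit(env):
    """Return (variable, problem) pairs; an empty list means the checks pass."""
    cfg = {**DEFAULTS, **env}
    out = []
    if cfg["ALLOW_UNAUTHENTICATED"].lower() == "true":
        out.append(("ALLOW_UNAUTHENTICATED", "API key check is bypassed"))
    out += [(k, "unset or empty") for k in REQUIRED if not cfg.get(k)]
    out += [(k, "still the documented default") for k in SHIPPED_SECRETS
            if cfg[k] == DEFAULTS[k]]
    host = cfg["MINIO_ENDPOINT"].rsplit(":", 1)[0]
    if host not in ("localhost", "127.0.0.1") and cfg["MINIO_SECURE"].lower() != "true":
        out.append(("MINIO_SECURE", "TLS is off for a remote endpoint"))
    if "*" in (o.strip() for o in cfg["CORS_ORIGINS"].split(",")):
        out.append(("CORS_ORIGINS", "wildcard origin"))
    return out

if __name__ == "__main__":
    for name, problem in audit(parse_env(SAMPLE_ENV)):
        print(f"FAIL {name}: {problem}")
```

Run it in CI against the generated .env and fail the deploy when audit() returns anything.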