Documentation Index
Fetch the complete documentation index at: https://docs.experio.cloud/llms.txt
Use this file to discover all available pages before exploring further.
Overview
System settings provide access to low-level configuration values organized by category. These settings control database connections, authentication, job processing, infrastructure, and AI model behavior.
Navigate to Admin > Settings > System Settings.
Categories
Settings are organized into tabs by category:
| Category | Icon | Description |
|---|
| LLM | CPU | AI model and API configuration |
| DB | Database | Database connection settings |
| AUTH | Shield | Authentication and security settings |
| CORE | Settings | Core application settings |
| JOBS | Briefcase | Job processing and queue configuration |
| INFRA | Server | Infrastructure and deployment settings |
Viewing Settings
Settings are displayed as key-value pairs with:
- Setting name
- Current value (encrypted values are masked)
- Read-only indicator (for settings that cannot be changed from the UI)
Editing Settings
Settings marked as editable can be modified directly from the admin panel. Read-only settings must be changed through environment variables or the Django admin interface.
Only settings marked “Show in Dashboard” in the Django admin are visible here. If you need to access additional settings, use the Django admin interface or configure them via environment variables.
Changing system settings can affect the behavior of the entire platform. Ensure you understand the impact of a change before saving. Some changes may require a server restart to take effect.
Settings Reference
Legend: Settings prefixed with 🔒 store encrypted values. Settings marked (Dashboard) are visible in the admin dashboard UI. Settings marked (Client) are accessible to the frontend client application.
LLM Settings
| Setting | Description | Default | Related Docs |
|---|
USE_AZURE_OPENAI | Use Azure OpenAI for LLM | True | — |
USE_AZURE_OPENAI_EMBEDDINGS | Use Azure OpenAI for embeddings | True | — |
USE_GOOGLE_GENAI | Use Google Gemini | False | — |
🔒 AZURE_API_KEY | Azure OpenAI API key | — | — |
🔒 GOOGLE_API_KEY | Google Gemini API key | — | — |
GOOGLE_GENAI_MODEL | Google GenAI model name | gemini-2.0-flash | — |
AZURE_CHAT_API_CONTEXT_WINDOW | Azure OpenAI context window size (tokens) | 128000 | — |
AZURE_CHAT_API_DEPLOYMENT | Azure OpenAI chat deployment name | gpt-4o | — |
AZURE_CHAT_API_VERSION | Azure OpenAI API version for chat | 2024-04-01-preview | — |
AZURE_CHAT_API_ENDPOINT | Full Azure OpenAI endpoint URL for chat | (provider-specific) | — |
AZURE_CHAT_API_TEMPERATURE | Temperature for Azure OpenAI chat | 0.0 | — |
AZURE_CHAT_API_FREQUENCY_PENALTY | Frequency penalty for Azure OpenAI | 0.1 | — |
AZURE_CHAT_API_PRESENCE_PENALTY | Presence penalty for Azure OpenAI | -0.5 | — |
AZURE_EMBEDDINGS_API_DEPLOYMENT | Azure OpenAI embeddings model name | text-embedding-3-large | — |
AZURE_EMBEDDINGS_API_VERSION | Azure OpenAI API version for embeddings | 2023-05-15 | — |
AZURE_EMBEDDINGS_API_ENDPOINT | Full Azure OpenAI endpoint URL for embeddings | (provider-specific) | — |
AZURE_EMBEDDINGS_API_DIMENSIONS | Dimensions for Azure OpenAI embeddings | 1536 | — |
🔒 AZURE_EMBEDDINGS_API_KEY | Azure OpenAI API key for embeddings (optional fallback) | — | — |
GOOGLE_GENAI_CONTEXT_WINDOW | Google Gemini context window size (tokens) | 2000000 | — |
GOOGLE_GENAI_TEMPERATURE | Temperature for Google Gemini | 0.05 | — |
CONTEXT_SAFETY_MARGIN | Safety margin for context window (fraction of max) | 0.9 | — |
USE_AWS_BEDROCK | Use AWS Bedrock | False | — |
🔒 AWS_BEDROCK_ACCESS_KEY_ID | AWS Bedrock Access Key ID | — | — |
🔒 AWS_BEDROCK_SECRET_ACCESS_KEY | AWS Bedrock Secret Access Key | — | — |
REASONING_MODEL_CONFIG (Dashboard) | Default reasoning model configuration | azure-gpt4o-reasoning-default | Model Configurations |
EMBEDDING_MODEL_CONFIG (Dashboard) | Default embedding model configuration | azure-embedding-default | Model Configurations |
CLASSIFICATION_MODEL_CONFIG (Dashboard) | Default classification model config name or UUID | — | Model Configurations |
INGESTION_LARGE_MODEL_CONFIG (Dashboard) | Default model config used for large-document ingestion paths | — | Model Configurations |
INGESTION_SMALL_MODEL_CONFIG (Dashboard) | Default model config used for small-document ingestion paths | — | Model Configurations |
LARGE_DOCUMENT_TOKEN_THRESHOLD | Token threshold for large document handling | 5000 | — |
LEAD_PARAGRAPH_TOKEN_THRESHOLD | Token threshold for lead paragraph extraction | 20 | — |
MAX_LIST_CONTEXT_CHARS | Maximum characters for list context | 1000 | — |
DB Settings
| Setting | Description | Default | Related Docs |
|---|
USE_FALKOR | Enable FalkorDB support | False | — |
USE_PINECONE | Enable Pinecone vector search | False | — |
🔒 PINECONE_API_KEY | Pinecone API key | — | — |
USE_NEO4J | Enable Neo4j graph database | True | — |
🔒 NEO4J_URI (Dashboard) | Neo4j connection URI | — | — |
NEO4J_DATABASE (Dashboard) | Neo4j database name | neo4j | — |
DEFAULT_NEO4J_DATABASE (Dashboard) | Default Neo4j database | neo4j | — |
NEO4J_USER (Dashboard) | Neo4j username | neo4j | — |
🔒 NEO4J_PASSWORD (Dashboard) | Neo4j password | — | — |
FALKOR_DB_USER | FalkorDB username | — | — |
🔒 FALKOR_DB_PASSWORD | FalkorDB password | — | — |
AUTH Settings
| Setting | Description | Default | Related Docs |
|---|
VITE_USE_AUTH0 (Client) | Enable Auth0 integration | False | — |
VITE_CLIENT_ID (Client) | Auth0 client ID | — | — |
VITE_DOMAIN (Client) | Auth0 domain | — | — |
AUTH0_ISSUER | Auth0 issuer URL | — | — |
AUTH0_JWKS_URL | Auth0 JWKS URL | /.well-known/jwks.json | — |
USE_PROPELAUTH (Dashboard, Client) | Enable PropelAuth SSO authentication | False | SSO Configuration |
ALLOW_HYBRID_LOGIN (Dashboard, Client) | Allow both password and SSO login | False | SSO Configuration |
PROPELAUTH_AUTH_URL (Dashboard) | PropelAuth BYO sidecar URL | http://propelauth:2884 | SSO Configuration |
🔒 PROPELAUTH_API_KEY (Dashboard) | PropelAuth integration API key | — | SSO Configuration |
PROPELAUTH_SSO_USERS_ACTIVE_BY_DEFAULT (Dashboard) | Auto-activate SSO users on first login | True | SSO Configuration |
OAUTH2_REDIRECT_DOMAIN (Client) | OAuth2 redirect domain for callback URLs | http://localhost:8080 | — |
🔒 GOOGLE_MCP_CLIENT_ID (Dashboard, Client) | Google OAuth Client ID for MCP integration | — | Integrations |
🔒 GOOGLE_MCP_CLIENT_SECRET (Dashboard, Client) | Google OAuth Client Secret for MCP integration | — | Integrations |
ALLOW_PASSWORD_LOGIN (Dashboard) | Allow users to log in with email + password. Disable to force magic-link or SSO. | True | — |
ALLOW_MAGIC_LINK_LOGIN (Dashboard) | Allow users to request a one-time magic-link login email. | False | — |
ALLOW_SELF_REGISTRATION (Dashboard) | Allow anonymous users to request an account via the public register form. Disable for SSO-only tenants. | True | — |
MAGIC_LINK_TOKEN_TTL_MINUTES (Dashboard) | How long a magic-link token is valid for, in minutes. | 15 | — |
EMAIL_PROVIDER | Transactional email provider. Single supported value: azure_ecs. | azure_ecs | — |
🔒 AZURE_COMMUNICATION_CONNECTION_STRING (Dashboard) | Azure Email Communication Services connection string. Required when EMAIL_PROVIDER=azure_ecs. | — | — |
AZURE_ECS_SENDER_ADDRESS (Dashboard) | Sender address (MailFrom) used by Azure Email Communication Services. Must be a verified address on the linked domain. | login@experiolabs.ai | — |
AUTH_FROM_DISPLAY_NAME (Dashboard) | Display name rendered on the From: line of transactional emails (welcome, magic link, password reset, SSO pending approval). | Experio | — |
AUTH_REPLY_TO_ADDRESS (Dashboard) | Reply-To address added to every transactional email. Should point at a monitored mailbox so user replies are not silently dropped. | support@experiolabs.ai | — |
Login Methods
ALLOW_PASSWORD_LOGIN, ALLOW_MAGIC_LINK_LOGIN, and ALLOW_SELF_REGISTRATION control which authentication paths the public login/register pages expose. They compose with USE_PROPELAUTH and ALLOW_HYBRID_LOGIN:
- For SSO-only tenants, set
ALLOW_PASSWORD_LOGIN=False, ALLOW_MAGIC_LINK_LOGIN=False, ALLOW_SELF_REGISTRATION=False, USE_PROPELAUTH=True, and ALLOW_HYBRID_LOGIN=False.
- Magic-link login requires a working email provider (see Transactional Email below). The link is valid for
MAGIC_LINK_TOKEN_TTL_MINUTES minutes.
Transactional Email Deliverability
The AZURE_ECS_SENDER_ADDRESS, AUTH_FROM_DISPLAY_NAME, and AUTH_REPLY_TO_ADDRESS settings together control how outbound auth emails appear to recipients and to mailbox spam filters:
- The From: line is rendered as
"<AUTH_FROM_DISPLAY_NAME>" <AZURE_ECS_SENDER_ADDRESS> (e.g. "Experio" <login@experiolabs.ai>).
- A
Reply-To header points at AUTH_REPLY_TO_ADDRESS so replies land in a monitored inbox instead of bouncing off the no-reply sender.
- Every send also sets
Message-ID (with the sender’s host), Date, and Auto-Submitted: auto-generated, and ships a real plain-text alternative alongside the HTML body — these reduce the chance of the message landing in junk.
AZURE_ECS_SENDER_ADDRESS must be a verified MailFrom on the Azure ECS linked domain. Update it (and the corresponding domain verification) if you re-brand the sender.
SSO / PropelAuth
The five PropelAuth settings (USE_PROPELAUTH, PROPELAUTH_API_KEY, PROPELAUTH_AUTH_URL, PROPELAUTH_SSO_USERS_ACTIVE_BY_DEFAULT, and ALLOW_HYBRID_LOGIN) work together to enable enterprise Single Sign-On. See the SSO Configuration page for complete setup instructions, identity provider guides, and troubleshooting.
Google Workspace Integration
The GOOGLE_MCP_CLIENT_ID and GOOGLE_MCP_CLIENT_SECRET settings enable per-user Google Workspace MCP integration. See the Integrations page for setup instructions.
CORE Settings
| Setting | Description | Default | Related Docs |
|---|
STAFF_EMAIL | Staff notification email address | Experio <no-reply@experio.com> | — |
DEFAULT_FROM_EMAIL | Default sender email address | Experio <no-reply@experio.com> | — |
CLIENT_NAME (Client) | Client branding name | Experio | Client Configuration |
| (Icon/wide logos) | Stored as ClientLogo uploads in Admin — not writable as CLIENT_LOGO_* keys | — | Client Configuration |
DJANGO_SERVER_URL | Django server base URL | http://server:8000 | — |
VITE_DEV_BACKEND_URL (Client) | Development backend URL | — | — |
BOX_REDIRECT_URI | Box API redirect URI | http://localhost:8080 | — |
GOOGLE_DRIVE_REDIRECT_URI | Google Drive redirect URI | http://localhost:8080 | — |
SHOW_CHANNEL_ID_UI (Client) | Show channel ID in the UI | False | — |
CLIENT_TRACING_ENABLED (Client) | Enable client-side telemetry | False | — |
CLIENT_TRACING_SCOPE (Client) | Client tracing scope (disabled, errors, errors_api, full) | errors | — |
CLIENT_SIGNOZ_ENDPOINT (Client) | SigNoz OTLP endpoint for client telemetry | (provider-specific) | — |
CLIENT_SIGNOZ_INGESTION_KEY (Client) | SigNoz ingestion key for client telemetry | — | — |
USE_KREUZBERG_PARSER | Use Kreuzberg text extraction parser | True | — |
MCP_ENABLED | Enable Model Context Protocol | True | MCP Servers |
MCP_CONNECTION_TIMEOUT | MCP connection timeout (seconds) | 30 | MCP Servers |
SCOPE_MAX_COUNT_THRESHOLD (Dashboard) | Max count threshold for scope phase | 300 | — |
SKIP_CYPHER_VALIDATION (Dashboard) | Skip LLM-based Cypher validation | True | — |
JOBS Settings
| Setting | Description | Default | Related Docs |
|---|
DOCLING_SERVE_ENDPOINT | Docling service API endpoint | http://docling:5001 | — |
INGESTION_THREADS (Dashboard) | Number of ingestion worker threads | 6 | Jobs & Monitoring |
INGESTION_PARSER_CONNECTION_RETRIES | Max retries for Docling connection | 20 | — |
INGESTION_PARSER_RETRY_SLEEP_SECONDS | Sleep between Docling retries (seconds) | 30 | — |
INGESTION_USE_MULTI_THREADING | Enable multi-threaded ingestion | True | — |
MINIO_RETENTION_DAYS (Dashboard) | MinIO file retention (days) | 7 | — |
KREUZBERG_ENDPOINT | Kreuzberg text extractor endpoint | http://kreuzberg-text-extractor:8000 | — |
KREUZBERG_REQUEST_TIMEOUT_SECONDS | Kreuzberg request timeout (seconds) | 600 | — |
SERVICE_SECRET_KEY | Internal service authentication key | (auto-generated) | — |
STRUCTURED_DATA_THREADS | Structured data processing threads | 4 | — |
ENRICHMENT_THREADS | Enrichment job worker threads | 4 | Enrichment Rules |
ENRICHMENT_NODE_CONCURRENCY | Concurrent nodes per enrichment job | 4 | Enrichment Rules |
ENRICHMENT_RESULT_RETENTION_DAYS | Days to retain EnrichmentResult rows before purge (0 = keep forever) | 90 | Enrichment Rules |
SCALE_TO_ZERO_ENABLED (Dashboard) | Enable scale-to-zero for job services | False | — |
SCALE_TO_ZERO_DRY_RUN (Dashboard) | Scale-to-zero dry run mode | False | — |
SCALE_TO_ZERO_POLL_INTERVAL (Dashboard) | Scale-to-zero polling interval (seconds) | 60 | — |
OMNISTRATE_SIDECAR_URL | Omnistrate sidecar URL | http://127.0.0.1:49750 | — |
ENABLE_FULL_SCAN_DOCUMENT_CHECK | Check for existing documents during full scans | True | — |
MAX_PARSED_SIZE_MB | Max parsed file size (MB) | 10 | — |
MAX_INGESTION_CHUNKS | Max chunks per document | 120 | — |
INGESTION_TIMEOUT_SECONDS | Document ingestion timeout (seconds) | 900 | — |
PHOENIX_TRACING_MODE (Dashboard) | Phoenix tracing mode (disabled, central, cluster) | disabled | — |
PHOENIX_ENDPOINT (Dashboard) | Phoenix endpoint URL | (provider-specific) | — |
PHOENIX_TRACING_SCOPE (Dashboard) | Phoenix tracing scope (jobs, retrieval, all) | all | — |
INFRA Settings
| Setting | Description | Default | Related Docs |
|---|
RABBITMQ_HOST | RabbitMQ server hostname | rabbitmq-0 | — |
RABBITMQ_USER | RabbitMQ username | admin | — |
🔒 RABBITMQ_PASS | RabbitMQ password | — | — |
RABBITMQ_PORT | RabbitMQ server port | 5672 | — |
RABBITMQ_PUBLISHER_HEARTBEAT | Publisher heartbeat interval (seconds) | 20 | — |
RABBITMQ_PUBLISHER_BLOCKED_TIMEOUT | Publisher blocked connection timeout (seconds) | 60 | — |
RABBITMQ_CONSUMER_HEARTBEAT | Consumer heartbeat interval (seconds) | 20 | — |
RABBITMQ_CONSUMER_BLOCKED_TIMEOUT | Consumer blocked connection timeout (seconds) | 60 | — |
MINIO_ENDPOINT | MinIO server endpoint | minio-0:9000 | — |
MINIO_ACCESS_KEY | MinIO access key | admin | — |
🔒 MINIO_SECRET_KEY | MinIO secret key | — | — |
MINIO_SECURE | Enable MinIO TLS | False | — |
SIGNOZ_QUERY_ENDPOINT (Dashboard) | SigNoz Query API base URL | — | — |
🔒 SIGNOZ_QUERY_API_KEY (Dashboard) | SigNoz Query API access token | — | — |
