# Deployment

## Environment Checklist

Every environment variable required for each deployment target.
### Local Development

```bash
# Required
POSTGRES_PASSWORD=dev-only-password
ORGINABOX_API_KEY=dev-api-key

# LLM (at least one)
ANTHROPIC_API_KEY=sk-ant-...
# or OPENAI_API_KEY=sk-...

# Optional - auto-generated on first `bun orginabox up` / `bun compose:up`
OPENCODE_SERVER_PASSWORD=
OTEL_EXPORTER_OTLP_ENDPOINT=
```
### Docker Compose (Self-hosted)

All of the above, plus:

```bash
# Sandbox - required if you bypass the CLI wrapper and call docker compose directly
OPENCODE_SERVER_PASSWORD=strong-random-secret

# ACS invite delivery for platform tenant provisioning
ACS_EMAIL_CONNECTION_STRING=
ACS_EMAIL_SENDER_ADDRESS=

# Gateways (only needed for enabled profiles)
SLACK_BOT_TOKEN=
SLACK_APP_TOKEN=
IMAP_HOST=
IMAP_USER=
IMAP_PASSWORD=
SMTP_HOST=
SMTP_USER=
SMTP_PASSWORD=
```
### Azure Production — Sandbox Pool (worker only)

Required when dispatch-execute jobs run in `remote` or `team_multi_vm` mode:

```bash
# ACA provisioner
ACA_SUBSCRIPTION_ID= # Azure subscription ID
ACA_RESOURCE_GROUP=oiab-dev-rg
ACA_ENVIRONMENT= # Full resource ID of the ACA managed environment
ACA_SANDBOX_IMAGE=oiabdevacr.azurecr.io/orginabox-sandbox:latest
ACA_LOCATION=westus
ACA_CPU=1.0
ACA_MEMORY=2Gi

# Pool sizing
POOL_MIN=2
POOL_MAX=8
POOL_AUTOSCALE_ENABLED=true
```

The worker's managed identity also needs the Contributor role on the resource group to create and delete sandbox containers.
### Azure Production — Core services

All Docker Compose variables, plus:

```bash
# Customer-side Entra app registration (multi-tenant in SaaS prod; end users + tenant admins sign in here)
AZURE_CLIENT_ID= # Customer app registration client ID
AZURE_CLIENT_SECRET= # Customer app registration secret (fetch from Key Vault in prod)
AZURE_TENANT_ID= # "organizations" for work accounts; "common" for any
AZURE_REDIRECT_URI=https://api.yourcompany.com/v1/auth/callback

# Platform-side Entra app registration (single-tenant, assigned to platform-admins group only)
# Each variable independently falls back to its AZURE_* counterpart when unset — self-hosted /
# single-app pilots can omit these entirely and the platform flow reuses the customer app reg.
AZURE_PLATFORM_CLIENT_ID= # Platform app registration client ID
AZURE_PLATFORM_CLIENT_SECRET= # Platform app registration secret (fetch from Key Vault in prod)
AZURE_PLATFORM_TENANT_ID= # Specific platform tenant ID — MUST NOT be "common"
AZURE_PLATFORM_REDIRECT_URI=https://api.yourcompany.com/v1/platform/auth/callback

AZURE_MSI_CLIENT_ID= # User-assigned identity client ID used for Key Vault access
AZURE_POSTGRES_ADMIN_PASSWORD=

# ACS invite delivery
ACS_EMAIL_CONNECTION_STRING=
ACS_EMAIL_SENDER_ADDRESS=

# Key Vault (replaces file keyring)
AZURE_KEYVAULT_URL=https://oiab-prod-kv.vault.azure.net
AZURE_KEYVAULT_SECRET_NAME=orginabox-keyring

# Embeddings (for semantic memory)
AZURE_OPENAI_API_KEY= # or OPENAI_API_KEY
AZURE_OPENAI_ENDPOINT=https://your-instance.openai.azure.com

# Observability
OTEL_EXPORTER_OTLP_ENDPOINT=https://dc.applicationinsights.azure.com/v2/track
APPLICATIONINSIGHTS_CONNECTION_STRING=InstrumentationKey=...

# Runtime wiring
ORGINABOX_RUNTIME_ROOT=/runtime
OPENCODE_URL=http://oiab-prod-sandbox

# Runtime-injected public URLs for the promoted web image
ORGINABOX_PUBLIC_API_URL=https://api.yourcompany.com
ORGINABOX_PUBLIC_DOCS_URL=https://docs.yourcompany.com
ORGINABOX_PUBLIC_TENANT_WEB_URL=https://app.yourcompany.com
ORGINABOX_TENANT_WEB_URL=https://tenant-admin.yourcompany.com
```

The checked-in Azure Bicep sets the sandbox URL and runtime root for you. The promoted web image now reads its public URLs at runtime, so the same immutable image can move from Azure staging to production without a rebuild.
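The per-variable `AZURE_PLATFORM_*` fallback above has one sharp edge: if the platform tenant is left unset in a SaaS deployment, it inherits `AZURE_TENANT_ID`, which may be `"common"`. The following resolver is an added example written for this page, not the project's own code; it applies that fallback and fails closed when the platform tenant would resolve to `"common"`. The function names, the `fallbacks` field and all sample values are assumptions.

```javascript
// Added example (not OrgInABox project code): resolve the platform-side Entra
// settings with the per-variable AZURE_* fallback the checklist describes.
// `env` is an explicit object so the resolver runs offline against constructed
// input instead of process.env.

const PLATFORM_KEYS = ["CLIENT_ID", "CLIENT_SECRET", "TENANT_ID", "REDIRECT_URI"];

function pick(env, platformKey, customerKey) {
  const v = env[platformKey];
  // An empty string counts as unset: `.env` templates ship keys with no value.
  if (typeof v === "string" && v.trim() !== "") return { value: v, source: platformKey };
  return { value: env[customerKey] ?? "", source: customerKey };
}

function resolvePlatformEntra(env) {
  const resolved = {};
  for (const key of PLATFORM_KEYS) {
    resolved[key] = pick(env, `AZURE_PLATFORM_${key}`, `AZURE_${key}`);
  }
  const tenant = resolved.TENANT_ID;
  if (tenant.value === "") {
    throw new Error("platform tenant ID unresolved: set AZURE_PLATFORM_TENANT_ID or AZURE_TENANT_ID");
  }
  if (tenant.value === "common") {
    // Inheriting "common" would turn the platform-admin sign-in into a
    // multi-tenant flow; refuse to start rather than run with it.
    throw new Error(`${tenant.source} resolves to "common"; the platform app registration must be single-tenant`);
  }
  return {
    clientId: resolved.CLIENT_ID.value,
    clientSecret: resolved.CLIENT_SECRET.value,
    tenantId: tenant.value,
    redirectUri: resolved.REDIRECT_URI.value,
    // Which settings were inherited from the customer app registration.
    fallbacks: PLATFORM_KEYS.filter((k) => resolved[k].source === `AZURE_${k}`),
  };
}

// Constructed sample: a self-hosted pilot that sets only the customer app reg
// plus the platform callback URL. IDs and secrets are placeholders.
const PILOT_ENV = {
  AZURE_CLIENT_ID: "11111111-aaaa-4bbb-8ccc-222222222222",
  AZURE_CLIENT_SECRET: "placeholder-secret",
  AZURE_TENANT_ID: "33333333-dddd-4eee-8fff-444444444444",
  AZURE_REDIRECT_URI: "https://api.example.test/v1/auth/callback",
  AZURE_PLATFORM_REDIRECT_URI: "https://api.example.test/v1/platform/auth/callback",
};

// Constructed sample: SaaS prod with the customer reg on "common" and the
// platform tenant omitted, so the fallback would inherit "common".
const SAAS_MISSING_PLATFORM_TENANT_ENV = { ...PILOT_ENV, AZURE_TENANT_ID: "common" };
```

Run the resolver at startup against `process.env` and log the `fallbacks` list so an unintended inheritance is visible in the boot output.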
## Security Reminders

- Never commit `.env` files — use `.env.example` as a template
- Rotate `ORGINABOX_API_KEY` and `OPENCODE_SERVER_PASSWORD` before going to production
- Store all production secrets in Azure Key Vault or your secret manager of choice
- The keyring secret in Key Vault is the master encryption key — back it up before rotating
- Azure preview now uses a shared `/runtime` volume across `api`, `worker`, and `sandbox`; treat its contents as sensitive runtime state and restrict who can mount or inspect that storage account.
