Configuration Reference
Complete reference for company.yaml schema and environment variables in QUESTPIE Autopilot.
Autopilot configuration lives in two places: company.yaml for company-level settings and environment variables for runtime/secrets.
Precedence
Environment variables override company.yaml defaults. For secrets (API keys, master key), always use environment variables.
company.yaml Schema
# Identity
name: "My Company" # Display name
slug: "my-company" # URL-safe identifier (auto-generated from name)
description: "What this company does" # Optional description
timezone: "UTC" # IANA timezone for scheduling
language: "en" # Primary language code
languages: ["en"] # Supported languages
# Owner
owner:
name: "Founder"
email: "founder@example.com"
notification_channels: [] # ["telegram", "email"]
# Runtime settings
settings:
# Agent execution
auto_assign: true # Auto-assign tasks to agents based on workflow rules
require_approval: # Actions requiring human approval
- merge
- deploy
- spend
- publish
max_concurrent_agents: 4 # Max simultaneous agent sessions
agent_provider: "tanstack-ai" # Agent provider backend
agent_model: "claude-sonnet-4-6" # Default model for agents
# Budget
budget:
daily_token_limit: 2000000 # Max tokens per day across all agents
alert_at: 80 # Percentage threshold for budget alerts
# Authentication (see /docs/security/authentication for details)
auth:
enabled: false # Enable auth (required for exposed instances)
cors_origin: "*" # CORS allowed origin (set to your domain in production)
ip_allowlist: [] # CIDR ranges, e.g. ["10.0.0.0/8", "192.168.1.0/24"]
# Git integration
git:
auto_commit: true # Auto-commit changes made by agents
commit_batch_interval: 5000 # Milliseconds to batch file changes before committing
auto_push: false # Auto-push commits to remote
remote: "" # Git remote name (e.g., "origin")
branch: "main" # Target branch
# External integrations
integrations: {}settings.auth
| Field | Type | Default | Description |
|---|---|---|---|
enabled | boolean | false | Enable authentication. Must be true for any exposed instance. |
cors_origin | string | "*" | Allowed CORS origin. Set to your dashboard domain in production. |
ip_allowlist | string[] | [] | CIDR ranges for IP-based access control. Empty = allow all. |
trusted_proxies | string[] | ["127.0.0.1", "::1", "::ffff:127.0.0.1"] | IPs trusted to set X-Forwarded-For. Add your reverse proxy IP when not on localhost. |
For complete auth setup (creating users, managing roles, 2FA), see Authentication.
settings.budget
| Field | Type | Default | Description |
|---|---|---|---|
daily_token_limit | number | 2000000 | Maximum tokens consumed per day across all agents |
alert_at | number | 80 | Percentage of daily limit that triggers a budget alert |
settings.git
| Field | Type | Default | Description |
|---|---|---|---|
auto_commit | boolean | true | Automatically commit agent changes |
commit_batch_interval | number | 5000 | Milliseconds to wait before batching file changes into a commit |
auto_push | boolean | false | Push commits to remote after each batch |
remote | string | "" | Git remote name |
branch | string | "main" | Target branch for auto-push |
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
OPENROUTER_API_KEY | No | — | Claude API key (alternative to autopilot provider set openrouter --api-key sk-or-...) |
COMPANY_ROOT | Docker only | cwd | Path to company data directory |
AUTOPILOT_MASTER_KEY | Recommended | Auto-generated file | 256-bit base64 key for secrets encryption |
NODE_ENV | Recommended | development | Set production for secure cookies |
PORT | No | 7778 | API server port |
WEBHOOK_PORT | No | 7777 | Webhook server port |
MAX_CONCURRENT_AGENTS | No | 5 | Max simultaneous agent sessions |
CORS_ORIGIN | No | — | Allowed CORS origin for the API. Set to your domain URL when behind a reverse proxy (e.g., https://autopilot.yourdomain.com). Falls back to company.yaml auth.cors_origin, then http://localhost:3000. |
OPENROUTER_API_KEY
Alternative to subscription login. If you prefer API keys over autopilot provider set openrouter --api-key sk-or-..., set this variable. Get one at openrouter.ai/keys.
# Option A: Subscription login (recommended)
autopilot provider set openrouter --api-key sk-or-...
# Works on headless VPS — prints a URL to open on any device.
# Option B: API key
export OPENROUTER_API_KEY=sk-or-...AUTOPILOT_MASTER_KEY
Encrypts all credentials stored in secrets/. Uses AES-256-GCM with 12-byte random IV.
# Generate a key
openssl rand -base64 32
# Set it
export AUTOPILOT_MASTER_KEY="K7x9mR2pQ4wV8nB1cF6hJ3tY0uA5sD7g..."If not set, a key is auto-generated at secrets/.master-key (file permissions 0o600). For production, always use the env var — never rely on the auto-generated file.
NODE_ENV
When set to production, enables:
secure: trueon cookies (HTTPS-only)sameSite: strict(CSRF protection)httpOnly: true(XSS protection)
Embedding Providers
Autopilot uses embeddings for semantic search across knowledge, tasks, and company data. The embedding provider is configured through the agent provider setting.
settings:
agent_provider: "tanstack-ai" # Uses Anthropic's embedding modelEmbeddings are stored in the SQLite database (.data/autopilot.db) and rebuilt automatically on startup.
Agent Provider Configuration
settings:
agent_provider: "tanstack-ai" # Primary: TanStack AI
agent_model: "claude-sonnet-4-6" # Model for agent sessionsSupported providers:
tanstack-ai— TanStack AI + OpenRouter (primary, recommended). One key, 300+ models.
Rate Limiting
Rate limits are enforced at three levels:
| Level | Window | Max Requests | Scope |
|---|---|---|---|
| IP | 60s | 20 | All unauthenticated requests |
| Actor | 60s | 300 | Per authenticated human/agent |
| Auth endpoints | 300s | 5-10 | Sign-in and sign-up specifically |
Rate limit state is stored in SQLite. For details, see Rate Limiting.
IP Allowlist
Restrict access to specific IP ranges using CIDR notation:
settings:
auth:
ip_allowlist:
- "10.0.0.0/8" # Private network
- "192.168.1.0/24" # Office LAN
- "203.0.113.50/32" # Specific IPWhen the allowlist is non-empty, requests from IPs outside these ranges are rejected before authentication. For details, see IP Allowlist.