Authentication
A cornerstone of the Enterprise edition is its ability to integrate with centralized secret managers, eliminating the need for static credentials stored in local or .env files. The server dynamically fetches database credentials and API keys at startup, ensuring a secure and compliant operational posture.
Key Features
Multi-layered Authentication: JWT-based authentication (HS256/RS256) with bcrypt password hashing
Adaptive Architecture: Intelligent tool registration based on service availability
Role-Based Access Control (RBAC): Fine-grained permission management
Multiple Deployment Modes: Standalone, 1Password, Local Vault, and HCP Vault
Database-Enforced User Validation: Shared database ensures only registered users can access services
Authentication Flow
1. User Registration
2. User Login
3. Authenticated Request
Deployment Modes
1. Standalone
Purpose: Simple deployment with direct environment variables
Configuration: Direct environment variables
Key Settings:
# Direct values in config file
DB_HOST=localhost
DB_PASSWORD=your_password
SECRET_KEY=your_secret_key
JWT_SECRET_KEY=your_jwt_secret
GEMINI_API_KEY=your_api_key
When to Use: Development, testing, small deployments, no external secret management available
Startup:
# RAG API
rag-api.exe --config=config.env.secure.local
# MCP Server
$env:MCP_CONFIG="config.env.secure.local"
mcp-server.exe
2. 1Password
Purpose: Secure secret management using 1Password CLI
Configuration: op:// secret references
Key Settings:
# 1Password references
DB_USER=op://Employee/RAG-Database/username
DB_PASSWORD=op://Employee/RAG-Database/password
SECRET_KEY=op://Employee/RAG-Security/secret-key
JWT_SECRET_KEY=op://Employee/RAG-Security/jwt-secret
GEMINI_API_KEY=op://Employee/RAG-API-Keys/gemini
Prerequisites:
Install 1Password CLI
Authenticate:
op signin
Create vault and items with required secrets
Startup:
# RAG API
op run --env-file=config.env.1password.employee -- rag-api.exe
# MCP Server
op run --env-file=config.env.1password.employee -- mcp-server.exe
When to Use: Team environments, shared secrets, Production
3. Local Vault
Purpose: Development with local HashiCorp Vault
Configuration: Local Vault server
Key Settings:
# Vault Configuration
VAULT_ADDR=http://127.0.0.1:8200
VAULT_TOKEN=rag-root-token
VAULT_SKIP_VERIFY=true
VAULT_SECRET_PATH=rag-in-a-box
VAULT_MOUNT_POINT=secret
Setup:
# Start Vault in dev mode
vault server -dev -dev-root-token-id="rag-root-token"
# Store secrets
vault kv put secret/rag-in-a-box/database \
  DB_USER=root \
  DB_PASSWORD=Password123! \
  DB_NAME=kb_chunks
vault kv put secret/rag-in-a-box/security \
  SECRET_KEY=your_secret_key \
  JWT_SECRET_KEY=your_jwt_secret
vault kv put secret/rag-in-a-box/api-keys \
  GEMINI_API_KEY=your_api_key
Startup:
# RAG API
rag-api.exe --config=config.env.vault.local
# MCP Server
$env:MCP_CONFIG="config.env.vault.local"
mcp-server.exe
When to Use: Development, Production with proper vault setup
4. HCP Vault
Purpose: Production deployment with HashiCorp Cloud Platform Vault
Configuration: HCP Vault cluster
Key Settings:
# HCP Vault Configuration
VAULT_ADDR=https://your-vault-cluster.hashicorp.cloud:8200
VAULT_NAMESPACE=admin
VAULT_SKIP_VERIFY=false
VAULT_SECRET_PATH=rag-in-a-box
VAULT_MOUNT_POINT=secret
# AppRole Authentication
VAULT_ROLE_ID=your-vault-role-id
VAULT_SECRET_ID=your-vault-secret-id
Setup:
Create HCP Vault cluster
Configure AppRole authentication
Create policies for application access
Store secrets in Vault
Generate role_id and secret_id
Startup:
# RAG API
rag-api.exe --config=config.env.hcp.live
# MCP Server
$env:MCP_CONFIG="config.env.hcp.live"
mcp-server.exe
When to Use: Production, enterprise deployments
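The four modes above differ mainly in where secret material lives and how the Vault connection is protected. The following Python check is an added example, not part of the product or of the original page: it reads a KEY=VALUE config file in the format shown above and reports settings that suit development only. The function names, the rule set and the two sample configs (constructed from the Local Vault and 1Password settings above) are assumptions made for illustration.

```python
# Added example: audit a KEY=VALUE config file of the kind shown on this page.
# Rule set and function names are illustrative assumptions, not product behaviour.
from urllib.parse import urlparse

SECRET_KEYS = {"DB_PASSWORD", "SECRET_KEY", "JWT_SECRET_KEY", "GEMINI_API_KEY",
               "VAULT_TOKEN", "VAULT_SECRET_ID"}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit_env(text):
    """Return sorted (key, finding) pairs for settings unsuited to production."""
    cfg, findings = parse_env(text), []
    for key in cfg.keys() & SECRET_KEYS:
        if not cfg[key].startswith("op://"):  # op:// is resolved by `op run`
            findings.append((key, "literal secret stored in the config file"))
    if cfg.get("VAULT_SKIP_VERIFY", "false").lower() == "true":
        findings.append(("VAULT_SKIP_VERIFY", "TLS certificate verification disabled"))
    addr = cfg.get("VAULT_ADDR")
    if addr and urlparse(addr).scheme != "https":
        findings.append(("VAULT_ADDR", "Vault traffic is not protected by TLS"))
    if "VAULT_TOKEN" in cfg and "VAULT_ROLE_ID" not in cfg:
        findings.append(("VAULT_TOKEN", "static token instead of AppRole login"))
    return sorted(findings)

# Constructed samples built from the settings listed above.
LOCAL_VAULT = """
VAULT_ADDR=http://127.0.0.1:8200
VAULT_TOKEN=rag-root-token
VAULT_SKIP_VERIFY=true
VAULT_SECRET_PATH=rag-in-a-box
"""
ONEPASSWORD = """
DB_PASSWORD=op://Employee/RAG-Database/password
JWT_SECRET_KEY=op://Employee/RAG-Security/jwt-secret
"""

if __name__ == "__main__":
    for key, finding in audit_env(LOCAL_VAULT):
        print(f"{key}: {finding}")
```

Run against the HCP Vault settings, the same check still reports VAULT_SECRET_ID, because the AppRole secret_id is a bootstrap credential that remains in the config file.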
This page is: Copyright © 2025 MariaDB. All rights reserved.

