Skip to content
VaultTerm
Browse docs

Get Started

Credential Vault

Terminal & SSH

Teams & Organizations

Browser Extension

Privacy-First AI

Self-Hosting

Administration

Configuration Reference

Security & Architecture

API & Integrations

Troubleshooting & FAQ

configuration-reference

AI & egress integrations

The AI provider (self-hosted Ollama by default, cloud only behind the redaction gate) and transactional mail — the variables for VaultTerm's outbound integrations.

Updated Jun 23, 2026

These variables configure VaultTerm’s outbound integrations: the AI assistant and transactional email. AI is privacy-first by design — it defaults to a self-hosted Ollama endpoint on your own network, and the cloud LLM is only ever reached behind the redaction gate with per-org opt-in. Mail is optional; with no SMTP configured the mailer is a no-op and invite links are shown inline instead of emailed. For the design and guarantees, see AI privacy model.

AI_PROVIDER=ollama
OLLAMA_URL=http://192.0.2.10:11434
AI_MODEL=llama3
SMTP_HOST=smtp.example.com
SMTP_PORT=465
SMTP_SECURE=true
[email protected]
SMTP_PASS=replace-with-smtp-password
SMTP_FROM="VaultTerm <[email protected]>"

AI

VariableTypeDefaultDescription
AI_PROVIDERstring(empty)LLM provider: empty (no AI) or ollama (self-hosted, LAN default).
OLLAMA_URLstring(empty)Self-hosted Ollama endpoint; required when AI_PROVIDER=ollama.
AI_MODELstringllama3Local model name at Ollama.
ANTHROPIC_API_KEYstring(empty)Cloud LLM key (Claude), used only behind the redaction gate + per-org opt-in; empty disables cloud.
CLOUD_AI_MODELstringclaude-haiku-4-5-20251001Cloud model id for the redaction-gated fallback.
AI_RATE_MAXnumber60Max AI requests per window.
AI_RATE_WINDOW_MSnumber60000AI rate-limit window.

Leave AI_PROVIDER empty to run with no AI at all. Set it to ollama and point OLLAMA_URL at your self-hosted endpoint to keep all inference on your own network — terminal output never leaves the LAN in this configuration. The cloud path is opt-in and gated: ANTHROPIC_API_KEY empty disables cloud entirely, and even when a key is present the cloud model is only invoked behind the redaction gate with per-organization consent. If your Ollama endpoint is on a private address, set EGRESS_ALLOW_PRIVATE=1 so the server-side call is allowed under production (see Core & database configuration). For setup, see Self-hosted AI setup.

Mail (transactional)

VariableTypeDefaultDescription
SMTP_HOSTstring(empty)SMTP server; empty makes the mailer a no-op (invite links shown inline).
SMTP_PORTnumber465SMTP port.
SMTP_SECUREbooleantrueUse TLS/SSL.
SMTP_USERstring(empty)SMTP username.
SMTP_PASSstring(empty)SMTP password.
SMTP_FROMstring(example sender)Envelope sender and display name.

Transactional email is used for invitations and verification. If SMTP_HOST is empty the mailer is a no-op and the relevant links (for example an invite link) are surfaced inline in the UI instead of being emailed — useful for an air-gapped install with no mail server. To send mail, set SMTP_HOST, credentials, and a SMTP_FROM address. Use SMTP_PORT=465 with SMTP_SECURE=true for implicit TLS, or adjust both for your provider’s STARTTLS port.

All docs · Ask a question