Configuration
Configure LLM providers, API keys and system settings.
Overview
OpenCognit stores all configuration in the SQLite database under the einstellungen table. Settings can be managed via Dashboard → Settings or directly through the API.
LLM Providers
Anthropic (Claude)
The default provider for complex tasks.
Navigate to Settings → API Keys and paste your Anthropic API key.
curl -X PUT http://localhost:3201/api/einstellungen/anthropic_api_key \
-H "Authorization: Bearer <your-jwt-token>" \
-H "Content-Type: application/json" \
-d '{"wert": "sk-ant-..."}'OpenAI
curl -X PUT http://localhost:3201/api/einstellungen/openai_api_key \
-H "Authorization: Bearer <your-jwt-token>" \
-H "Content-Type: application/json" \
-d '{"wert": "sk-..."}'OpenRouter
OpenRouter provides access to 100+ models (GPT-4, Gemini, Mistral, Llama, etc.) through a single API.
curl -X PUT http://localhost:3201/api/einstellungen/openrouter_api_key \
-H "Authorization: Bearer <your-jwt-token>" \
-H "Content-Type: application/json" \
-d '{"wert": "sk-or-..."}'Ollama (Local)
For local models without cloud dependency. Defaults to http://localhost:11434.
curl -X PUT http://localhost:3201/api/einstellungen/ollama_base_url \
-H "Authorization: Bearer <your-jwt-token>" \
-H "Content-Type: application/json" \
-d '{"wert": "http://localhost:11434"}'Ollama must be installed and running separately. Models can be downloaded with ollama pull llama3.
Settings Keys Reference
| Key | Description | Example |
|---|---|---|
anthropic_api_key | Claude API key | sk-ant-api03-... |
openai_api_key | OpenAI API key | sk-proj-... |
openrouter_api_key | OpenRouter API key | sk-or-v1-... |
ollama_base_url | Ollama server URL | http://localhost:11434 |
Server Configuration
Environment variables — must be set before startup. The install.sh installer generates a secure .env automatically.
| Variable | Default | Description |
|---|---|---|
JWT_SECRET | (dev fallback — insecure) | JWT signing secret. Always set in production. |
ENCRYPTION_KEY | Auto-generated | 32-byte hex key for encrypting API keys at rest. Auto-created in data/.encryption_key if not set. |
PORT | 3201 | Backend server port |
APP_URL | http://localhost:3200 | Public frontend URL. Required for OAuth callbacks (GitHub, Google). |
The default JWT secret is publicly known. In production, always set a custom JWT_SECRET. The install.sh installer generates one automatically.
Example .env file:
JWT_SECRET=my-secure-random-key-abc123xyz
ENCRYPTION_KEY=a1b2c3d4e5f6... # 32-byte hex
PORT=3201
APP_URL=https://my-opencognit.example.comAgent Configuration
Each expert (agent) has its own connection configuration, set when creating the agent.
Connection Types
verbindungsTyp | Description | Config fields |
|---|---|---|
claude | Claude API directly | model, maxTokens |
claude-code | Claude Code CLI (session persistence) | workDir, sessionPrefix |
openrouter | OpenRouter multi-model | model, maxTokens |
ollama | Local Ollama model | model, baseUrl |
openai | OpenAI API | model, maxTokens |
bash | Execute shell commands | shell, timeout |
http | HTTP requests to external APIs | baseUrl, headers |
Agent Workspaces
Every agent task runs in an isolated workspace directory — agents cannot write files into the OpenCognit installation itself.
How it works
When a task is executed, OpenCognit automatically assigns a dedicated folder:
data/workspaces/{taskId}/ ← isolated per task
.meta.json ← task metadata
<agent output files> ← everything the agent producesIf no workspace is configured, agents always fall back to data/workspaces/agent-default/ — never to the OpenCognit project root.
Forbidden zones
The Workspace Guard blocks agents from operating inside the OpenCognit installation directory. Only these paths inside the install folder are allowed:
| Path | Allowed |
|---|---|
data/workspaces/** | ✅ Yes |
data/sessions/** | ✅ Yes |
src/, server/, node_modules/ | ⛔ Blocked |
| OpenCognit root itself | ⛔ Blocked |
Any path outside the OpenCognit installation is allowed — this is how you point agents at your own projects.
Pointing agents at your own project
Set a Company Work Directory in Settings → Company → Work Directory:
/home/you/my-project/Agents will then operate inside your project folder. The work directory must be an absolute path outside the OpenCognit installation.
If the configured work directory is accidentally set to a path inside the OpenCognit root, the system logs a warning and automatically falls back to an isolated data/workspaces/ directory.
Heartbeat Settings
Per-agent autonomous cycle behavior:
| Field | Default | Description |
|---|---|---|
zyklusAktiv | false | Enable/disable autonomous cycles |
zyklusIntervallSek | 300 | Interval between heartbeats (seconds) |
budgetMonatCent | 0 | Monthly cost budget in cents (0 = no limit) |
The global scheduler runs every 30 seconds and checks which agents need their next heartbeat.
Bash Adapter Security
The Bash adapter executes shell commands with two layers of protection:
1. Blocked commands:
rm -rf, mkfs, dd, fdisk, format, deltree, rmdir /s2. Workspace Guard (always active):
The Bash adapter always runs inside the assigned workspace — never in the OpenCognit project directory. Agent erlaubtePfade (allowed paths) permissions are also enforced (fail-closed — missing permission = task blocked, not silently allowed).
The Bash adapter should only be enabled for trusted agents. Runtime timeout: 5 minutes.