Skip to content


The production environment consists of

  • backend
  • auth
  • (optional but recommended) frontend

and the databases

  • TigerBeetle or Postgres (accounting)
  • Postgres (Open Payments resources, auth resources)
  • Redis (STREAM details)

To integrate Rafiki with your own services, view the integration documentation.

Running the production environment


Rafiki cannot be run by itself but needs at least a Postgres and a Redis instance running with it. If you prefer to use Tigerbeetle instead of Postgres for accounting, a Tigerbeetle instance is required as well.

An example Chart including Rafiki, Postgres, and Redis can be found here.

To install this chart, run

Terminal window
helm install rafiki PATH_TO_RAFIKI_REPO/infrastructure/helm/rafiki

In this alpha version, by default, no ports are exposed. You can port-forward the frontend (Admin UI) port by running

Terminal window
// get list of pod names
kubectl get pods
// port forward
kubectl port-forward rafiki-rafiki-frontend-YOUR-SEQUENCE 3010:3010

Now, the Admin UI can be found on localhost:3010.

❗ Update at least the values.yaml file before running the example Chart in production.

Environment Variables


VariableHelm Value NameDefaultDescription
ADMIN_PORTbackend.port.admin3001Admin API GraphQL Server port
AUTH_SERVER_GRANT_URLhttp:// on the Open Payments Auth Server to request a grant
AUTH_SERVER_INTROSPECTION_URLhttp:// on the Open Payments Auth Server to introspect an access token
AUTO_PEERING_SERVER_PORT3005If auto-peering is enabled, its server will use this port
CONNECTOR_PORTbackend.port.connector3002port of the ILP connector for for sending packets over ILP over HTTP, backend.postgresql.port, backend.postgresql.username, backend.postgresql.database, backend.postgresql.passwordpostgresql://postgres:password@localhost:5432/developmentPostgres database URL of database storing the resource data; For Helm, these components are provided individually.
ENABLE_AUTO_PEERINGfalseFlag to enable auto peering. View documentation.
EXCHANGE_RATES_LIFETIMEbackend.lifetime.exchangeRate15_000time in milliseconds the exchange rates provided by the ASE via the EXCHANGE_RATES_URL are valid for
EXCHANGE_RATES_URLbackend.serviceUrls.EXCHANGE_RATES_URLundefinedendpoint on the Account Servicing Entity to request exchange rates
GRAPHQL_IDEMPOTENCY_KEY_TTL_MSbackend.idempotencyTTL86400000TTL in milliseconds for idempotencyKey on GraphQL mutations (Admin API). Default: 24hrs
GRAPHQL_IDEMPOTENCY_KEY_LOCK_MS2000TTL in milliseconds for idempotencyKey concurrency lock on GraphQL mutations (Admin API)
ILP_ADDRESSbackend.ilp.addresstest.rafikiILP address of this Rafiki instance
ILP_CONNECTOR_ADDRESShttp:// ILP connector address where ILP packets are received. Communicated during auto-peering
INCOMING_PAYMENT_EXPIRY_MAX_MS2592000000Maximum milliseconds into the future incoming payments expiry can be set to on creation. Default: 30 days
INCOMING_PAYMENT_WORKERSbackend.workers.incomingPayment1number of workers processing incoming payment requests
INCOMING_PAYMENT_WORKER_IDLEbackend.workerIdle200time in milliseconds that INCOMING_PAYMENT_WORKERS will wait until they check an empty incoming payment request queue again
INSTANCE_NAMERafikithis Rafiki instance’s name used to communicate for auto-peering
KEY_IDbackend.key.idrafikithis Rafiki instance’s client key id
LOG_LEVELbackend.logLevelinfoPino Log Level
NODE_ENVbackend.nodeEnvdevelopmentnode environment, development, test, or production
OPEN_PAYMENTS_PORTbackend.port.openPayments3003port of the Open Payments resource server port
OPEN_PAYMENTS_URLbackend.serviceUrls.OPEN_PAYMENTS_URLhttp:// endpoint of this Open Payments Resource Server
OUTGOING_PAYMENT_WORKERSbackend.workers.outgoingPayment4number of workers processing outgoing payment requests
OUTGOING_PAYMENT_WORKER_IDLEbackend.workerIdle200time in milliseconds that OUTGOING_PAYMENT_WORKERS will wait until they check an empty outgoing payment request queue again
PRIVATE_KEY_FILEbackend.key.fileundefinedthe path to this Rafiki instance’s client private key
QUOTE_LIFESPANbackend.lifetime.quote5 * 60_000time in milliseconds an Open Payments quote is valid for
REDIS_TLS_CA_FILE_PATHbackend.redis.tlsCaFile''Redis TLS config
REDIS_TLS_CERT_FILE_PATHbackend.redis.tlsCertFile''Redis TLS config
REDIS_TLS_KEY_FILE_PATHbackend.redis.tlsKeyFile''Redis TLS config, backend.redis.portredis:// URL of database handling ILP packet data URL; For Helm, these components are provided individually.
SIGNATURE_SECRETbackend.quoteSignatureSecretundefinedsecret to generate request header signatures for webhook event requests
SIGNATURE_VERSION1version number to generate request header signatures for webhook event requests
SLIPPAGEbackend.ilp.slippage0.01accepted ILP rate fluctuation, default 1%
STREAM_SECRETbackend.ilp.streamSecret32 random bytesseed secret to generate shared STREAM secrets
TIGERBEETLE_CLUSTER_ID0Tigerbeetle cluster ID picked by the system that starts the TigerBeetle cluster to create a Tigerbeetle client
TIGERBEETLE_REPLICA_ADDRESSES3004Tigerbeetle replica addresses for all replicas in the cluster, which are comma separated IP addresses/ports, to create a Tigerbeetle client
TRUST_PROXYfalseflag to use X-Forwarded-Proto header to determine if connections is secure
USE_TIGERBEETLEfalseflag - use TigerBeetle or Postgres for accounting
WALLET_ADDRESS_DEACTIVATION_PAYMENT_GRACE_PERIOD_MS86400000time in milliseconds into the future to set expiration of open incoming payments when deactivating wallet address. Default: 1 days
WALLET_ADDRESS_LOOKUP_TIMEOUT_MS1500time in milliseconds the ASE has to create a missing wallet address until timeout
WALLET_ADDRESS_POLLING_FREQUENCY_MS100frequency of polling while waiting for ASE to create a missing wallet address
WALLET_ADDRESS_URLbackend.serviceUrls.WALLET_ADDRESS_URLhttp:// Rafiki instance’s internal wallet address
WALLET_ADDRESS_WORKERSbackend.workers.walletAddress1number of workers processing wallet address requests
WALLET_ADDRESS_WORKER_IDLEbackend.workerIdle200time in milliseconds that WALLET_ADDRESS_WORKERS will wait until they check an empty wallet address request queue again
WEBHOOK_URLbackend.serviceUrls.WEBHOOK_URLhttp:// on the Account Servicing Entity that consumes webhook events
WEBHOOK_WORKERSbackend.workers.webhook1number of workers processing webhook events
WEBHOOK_WORKER_IDLEbackend.workerIdle200time in milliseconds that WEBHOOK_WORKERS will wait until they check an empty webhook event queue again
WITHDRAWAL_THROTTLE_DELAYbackend.withdrawalThrottleDelayundefineddelay in liquidity withdrawal processing


VariableHelm Value NameDefaultDescription
ACCESS_TOKEN_DELETION_DAYSauth.accessToken.deletionDays30days until expired or revoked access tokens are deleted
ACCESS_TOKEN_EXPIRY_SECONDSauth.accessToken.expirySeconds10 * 60expiry time in seconds for access tokens (default: 10 minutes)
ADMIN_PORTauth.port.admin3003Admin API GraphQL Server port, auth.postgresql.port, auth.postgresql.username, auth.postgresql.database, auth.postgresql.passwordpostgresql://postgres:password@localhost:5432/auth_developmentPostgres database URL of database storing the grant data; For Helm, these components are provided individually.
AUTH_PORTauth.port.auth3006port of this Open Payments Auth Server
AUTH_SERVER_DOMAINhttp://localhost:3006public endpoint of this Open Payments Auth Server
COOKIE_KEYauth.cookieKey32 random byteskoa KeyGrip key that is used to sign cookies for an interaction session
DATABASE_CLEANUP_WORKERSauth.workers.cleanup1number of workers processing expired or revoked access tokens
IDENTITY_SERVER_DOMAINauth.identityServer.domainhttp://localhost:3030/mock-idp/endpoint of the identity server controlled by the Account Servicing Entity
IDENTITY_SERVER_SECRETauth.identityServer.secretreplace-meAPI key to fetch the identity server endpoint
INCOMING_PAYMENT_INTERACTIONauth.interaction.incomingPaymentfalseflag - incoming payments grant requests are interactive or not
INTERACTION_EXPIRY_SECONDSauth.interactionExpirySeconds600time in seconds for which a user can interact with a grant request
INTROSPECTION_PORTauth.port.introspection3007port of this Open Payments Auth - Token Introspection Server
LIST_ALL_ACCESS_INTERACTIONtrueSpecify whether grant requests including a list-all action should require interaction. In these requests, the client asks to list resources that they themselves did not create.
LOG_LEVELauth.logLevelinfoPino Log Level
NODE_ENVauth.nodeEnvdevelopmentnode environment, development, test, or production
QUOTE_INTERACTIONauth.interaction.quotefalseflag - quote grants are interactive or not
TRUST_PROXYfalseflag to use X-Forwarded-Proto header to determine if connections is secure
WAIT_SECONDSauth.grant.waitSeconds5wait time included in grant request response (grant.continue)


VariableHelm Value NameDefaultDescription
GRAPHQL_URLfrontend.serviceUrls.GRAPHQL_URLhttp://localhost:3001/graphqlURL for the GraphQL Admin API
OPEN_PAYMENTS_URLfrontend.serviceUrls.OPEN_PAYMENTS_URLhttp://localhost:3003/Open Payments API Endpoint
PORTfrontend.port3005Port from which to host the Remix app
ENABLE_INSECURE_MESSAGE_COOKIEundefinedValues of true, t, 1 will not use a secure message cookie which is required for flash messages to work over http. When not set, the secure flag is set according to NODE_ENV.