Skip to main content
The Compose services are agentos-api (the app) and agentos-db (Postgres with pgvector). Production runs the same files plus the compose.prod.yaml override; the full flow is on the deploy page.

Manage

Production auth

Token-Based Authorization is on by default. Without a JWT_VERIFICATION_KEY or JWT_JWKS_FILE, the app refuses to serve traffic in production. The platform’s job is to keep your data private, so the safe default is refuse to start. Token-Based Auth gives you three things:
  1. No public access. The server rejects requests without a valid token.
  2. Per-request identity. Middleware parses the token and extracts the user_id, session_id, and custom claims. Each request is tied to a user and session, giving you auditability and traceability.
  3. Granular permissions. User tokens can run an agent and view their own sessions. Admin tokens read everyone’s sessions and test any agent.
To opt out (not recommended), set authorization=False in app/main.py and restart. Use this only inside a private network behind another auth layer. Without it, anyone who finds your public URL can access your platform.

Customize

Ask your coding agent to run /create-new-agent, or do it by hand. Create agents/my_agent.py:
Register it in app/main.py:
Local containers hot-reload on save. For production, rebuild with docker compose -f compose.yaml -f compose.prod.yaml up -d --build.
app/settings.py defines default_model(), used by every agent. Change it in one place:
Add anthropic to pyproject.toml, set the provider key in your env, and regenerate pins:
Rebuild locally with docker compose up -d --build. For production:
Agno ships 100+ toolkits. See Toolkits.
  1. Edit pyproject.toml.
  2. Regenerate pins: ./scripts/generate_requirements.sh (add upgrade to refresh every pin).
  3. Rebuild locally with docker compose up -d --build, or in production with docker compose -f compose.yaml -f compose.prod.yaml up -d --build.
Set both variables in .env:
Apply with docker compose up -d (in production, docker compose -f compose.yaml -f compose.prod.yaml up -d). The interface activates automatically and routes messages to Agent Builder; change the agent= argument in app/main.py to point at another agent. See Slack setup.
The deployment check runs daily by default (ENABLE_DEPLOY_CHECK=True); it is deterministic and free. Scheduled evals are off by default (ENABLE_SCHEDULED_EVALS=False) because they use model calls. Both workflows stay runnable on demand regardless.

Format, validate, and run evals

The format, validate, and eval scripts run on the host and need a venv. Set it up once:
./scripts/mcp_check.sh runs inside the container, so it needs no venv.

Environment variables

Troubleshooting

The first build takes a few minutes. Read docker compose logs agentos-api and fix what you find.
The production override uses Compose merge tags that need Docker Compose v2.24.4 or newer. Upgrade Docker Compose and rerun.
JWT auth is on whenever RUNTIME_ENV is not dev. Set JWT_VERIFICATION_KEY or JWT_JWKS_FILE in .env and recreate the container with docker compose -f compose.yaml -f compose.prod.yaml up -d. To opt out inside a private network behind another auth layer, set authorization=False in app/main.py.
Postgres reads the password only when the pgdata volume is first initialized. On a host that already ran the dev Compose, the database keeps the old password and the API blocks waiting for it. Change the password in place and set .env to match:
Or reinitialize with docker compose down -v, which deletes all platform data.
AGENTOS_URL is still the localhost default. Set it in .env to your public URL and recreate the container with docker compose -f compose.yaml -f compose.prod.yaml up -d. Hosted chat apps also need this URL for their /mcp connector.