YAML Reference

This page is a reference for the configuration values in the Rulebricks Helm chart, organized by component. Conceptual guides live elsewhere; each section links to the relevant one. For the exhaustive list of every value (including subchart internals), see the chart's values.yaml (opens in a new tab) and values.schema.json (opens in a new tab).

Core Configuration

Parameter	Type	Default	Required	Description
`global.domain`	string	`""`	Yes	The domain name for your Rulebricks instance. Must be a domain you control.
`global.email`	string	`"support@rulebricks.com"`	Yes	Email address for Let's Encrypt certificate registration.
`global.licenseKey`	string	`"evaluation"`	Yes	Your Rulebricks Enterprise license key.
`global.version`	string	`""`	Yes	Rulebricks product version. One semver selects the app, HPS, HPS worker, and migration images together.
`global.tlsEnabled`	boolean	`false`	No	Enable HTTPS. Set to `true` after DNS is configured or when using external-dns.
`global.externalDnsEnabled`	boolean	`false`	No	Enable external-dns annotations on ingresses for automatic DNS management.

Version Pinning

Production deployments should pin two versions: a Helm chart version (via helm install --version) and a Rulebricks product version (via global.version). The chart version controls Kubernetes packaging and infrastructure templates; global.version selects the application images. See Installing Updates.

global:
  version: '1.8.17'

Domain Configuration

Your domain should follow the pattern: rulebricks.yourdomain.com

When self-hosting Supabase, an additional subdomain is created: supabase.rulebricks.yourdomain.com

global:
  domain: 'rulebricks.acme.com'
  email: 'devops@acme.com'

⚠️

Important: The domain must resolve to your cluster's load balancer before enabling TLS. See DNS Configuration for automatic setup.

SMTP Configuration

SMTP is required for user authentication flows (invitations, password resets, email verification).

Parameter	Type	Default	Description
`global.smtp.host`	string	`"smtp.mailtrap.io"`	SMTP server hostname
`global.smtp.port`	integer	`2525`	SMTP server port (typically 25, 465, 587, or 2525)
`global.smtp.user`	string	`"demo-user"`	SMTP authentication username
`global.smtp.pass`	string	`"demo-password"`	SMTP authentication password
`global.smtp.from`	string	`"no-reply@rulebricks.com"`	Sender email address
`global.smtp.fromName`	string	`"Rulebricks"`	Sender display name

Production SMTP Providers

Provider	Host	Port	Notes
AWS SES	`email-smtp.<region>.amazonaws.com`	587	Requires verified domain
SendGrid	`smtp.sendgrid.net`	587	API key as password
Mailgun	`smtp.mailgun.org`	587	Domain verification required
Postmark	`smtp.postmarkapp.com`	587	Server token as password

global:
  smtp:
    host: 'email-smtp.us-east-1.amazonaws.com'
    port: 587
    user: 'AKIAIOSFODNN7EXAMPLE'
    pass: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    from: 'no-reply@yourdomain.com'
    fromName: 'Your Company - Rulebricks'

Supabase Keys

These JWT keys are used for authentication between components.

Parameter	Type	Description
`global.supabase.anonKey`	string	Public/anonymous key for client-side auth
`global.supabase.serviceKey`	string	Service role key for server-side operations
`global.supabase.jwtSecret`	string	JWT signing secret (self-hosted only)

Security: For production, generate new keys using Supabase's key generator or a secure random string generator. The default keys are for demo purposes only.

Managed Supabase (Cloud)

When using Supabase Cloud instead of self-hosting:

Parameter	Type	Description
`global.supabase.url`	string	Project URL (e.g., `https://abcd1234.supabase.co`)
`global.supabase.projectRef`	string	Project reference ID (derived from URL if empty)
`global.supabase.accessToken`	string	Personal access token for Supabase CLI

global:
  supabase:
    url: 'https://abcd1234.supabase.co'
    anonKey: '<from-supabase-dashboard>'
    serviceKey: '<from-supabase-dashboard>'
    accessToken: '<personal-access-token>'
 
supabase:
  enabled: false # Disable self-hosted Supabase

Email Templates

Customize authentication email subjects and templates:

global:
  supabase:
    emails:
      subjects:
        invite: 'Join your team on Rulebricks'
        confirmation: 'Confirm Your Email'
        recovery: 'Reset Your Password'
        emailChange: 'Confirm Email Change'
      templates:
        invite: 'https://your-cdn.com/templates/invite.html'
        confirmation: 'https://your-cdn.com/templates/verify.html'
        recovery: 'https://your-cdn.com/templates/password_change.html'
        emailChange: 'https://your-cdn.com/templates/email_change.html'

AI Features

Enable AI-powered rule generation (optional):

Parameter	Type	Default	Description
`global.ai.enabled`	boolean	`false`	Enable AI features
`global.ai.openaiApiKey`	string	`""`	OpenAI API key

global:
  ai:
    enabled: true
    openaiApiKey: 'sk-...'

SSO Configuration

Enable Single Sign-On (SSO) via OpenID Connect (OIDC). For how user provisioning, claim mapping, and token passthrough work, see Authentication & SSO.

Parameter	Type	Default	Description
`global.sso.enabled`	boolean	`false`	Enable SSO
`global.sso.provider`	string	`""`	Provider name (azure, google, okta, keycloak, ory, other)
`global.sso.url`	string	`""`	Provider URL (required for all except Google)
`global.sso.clientId`	string	`""`	OAuth client ID
`global.sso.clientSecret`	string	`""`	OAuth client secret

Provider Types

You will need to go to your Supabase dashboard, and configure your provider in the Authentication tab. If you don't see your provider, use Keycloak; our proxy uses it as a bridge.

Native Providers (azure, google, okta, keycloak): Supabase handles authentication directly.
Custom Providers (ory, other): The app uses a built-in OIDC proxy we manage to translate paths for your IdP.

Identity Provider Setup

You must configure your Identity Provider (IdP) with the following settings:

Scopes: openid, email, profile
Response Type: code
Grant Types: authorization_code, refresh_token
Auth Method: http body
Redirect URIs:
1. https://<your-domain>/api/sso-proxy/callback
2. <your-supabase-url>/auth/v1/callback

External Secrets

For enterprise deployments using external secret management:

Parameter	Type	Description
`global.secrets.secretRef`	string	Name of existing Kubernetes secret
`global.secrets.secretRefKeys.*`	object	Key name mappings

global:
  secrets:
    secretRef: 'rulebricks-external-secrets'
    secretRefKeys:
      licenseKey: 'RULEBRICKS_LICENSE'
      smtpUser: 'SMTP_USERNAME'
      smtpPass: 'SMTP_PASSWORD'
      supabaseAnonKey: 'SUPABASE_ANON'
      supabaseServiceKey: 'SUPABASE_SERVICE'
      supabaseAccessToken: 'SUPABASE_TOKEN'
      openaiApiKey: 'OPENAI_KEY'
      ssoClientId: 'SSO_CLIENT_ID'
      ssoClientSecret: 'SSO_CLIENT_SECRET'

External Authentication (Token Passthrough)

For deployments behind an identity-aware proxy that has already authenticated the user, global.externalAuth.* (enabled, header, claims.id/email/name, publicPaths) delegates authentication to the upstream proxy. This carries real security implications; read Token Passthrough before enabling.

Scheduling, Labels, and Annotations

Parameter	Type	Default	Description
`global.scheduling.nodeSelector`	object	`{}`	Node selector for workloads that inherit global scheduling
`global.scheduling.tolerations`	list	`[]`	Tolerations (e.g. for ARM64-tainted node pools)
`global.scheduling.affinity`	object	`{}`	Affinity rules; prefer soft rules so installs aren't blocked
`global.labels` / `global.annotations`	object	`{}`	Applied to all resource metadata (compliance, cost allocation)
`global.podLabels` / `global.podAnnotations`	object	`{}`	Applied to pod templates only (e.g. mesh injection)

Rulebricks workloads and migration jobs honor global.scheduling; dependency subcharts (Kafka, Supabase, cert-manager, Traefik, KEDA, Vector) may require their own scheduling values. Most components also accept per-component podLabels and podDisruptionBudget blocks for clusters with admission policies.

Object Storage & Backups

Value prefix	Purpose
`global.storage.*`	Shared bucket, region, per-provider identity, and key prefixes
`backup.*`	Scheduled database backups for self-hosted Supabase (Barman, CronJob)

Full tables, identity options per provider, and the backup/restore workflow live in Storage & Backups.

Rulebricks Application

The core application and high-performance solver (HPS).

Application Image

Parameter	Type	Default	Description
`rulebricks.app.image.repository`	string	`"index.docker.io/rulebricks/app"`	Docker image repository
`rulebricks.app.image.pullPolicy`	string	`"IfNotPresent"`	Image pull policy

Image tags are selected by global.version, the single product semver shared by the app, HPS, and HPS worker images. There is no per-component tag to set.

Logging Configuration

Parameter	Type	Default	Description
`rulebricks.app.logging.enabled`	boolean	`true`	Enable decision logging
`rulebricks.app.logging.kafkaBrokers`	string	`""`	Kafka brokers (auto-discovered if empty)
`rulebricks.app.logging.kafkaTopic`	string	`"logs"`	Kafka topic for logs
`rulebricks.app.logging.kafkaTopicPrefix`	string	`"com.rulebricks."`	Prefix applied to all Kafka topic names; set `""` to disable prefixing
`rulebricks.app.logging.kafkaSsl`	boolean	`false`	Enable TLS for external Kafka brokers
`rulebricks.app.logging.kafkaSasl.*`	object	`{}`	SASL auth for external Kafka: `aws-iam`, `scram-sha-256`, `scram-sha-512`, or `plain`

For how decision logs flow through the system, see Decision Logs. For external Kafka authentication (including AWS MSK IAM and Azure Event Hubs examples), see External Kafka & Redis.

Ingress

Parameter	Type	Default	Description
`rulebricks.ingress.enabled`	boolean	`true`	Enable chart-managed routing
`rulebricks.ingress.app.enabled`	boolean	`true`	Set `false` when an external auth proxy owns the app catch-all route
`rulebricks.ingress.type`	string	`"ingress"`	`ingress` (standard) or `gateway-api` (renders `HTTPRoute`)
`rulebricks.ingress.className`	string	`"traefik"`	Ingress class name
`rulebricks.ingress.hostname`	string	`""`	Override when the app hostname differs from `global.domain`
`rulebricks.ingress.gatewayApi.*`	object	`{}`	`gatewayName` / `gatewayNamespace` for Gateway API mode
`rulebricks.ingress.paths`	list	`[{...}]`	List of paths to route

Gateway API mode requires an implementation (Envoy Gateway, Cilium, Istio) in your cluster.

Redis

Redis is used for caching and session management.

Parameter	Type	Default	Recommendation
`rulebricks.redis.resources.requests.cpu`	string	`"200m"`	Increase for high traffic
`rulebricks.redis.resources.requests.memory`	string	`"256Mi"`
`rulebricks.redis.resources.limits.cpu`	string	`"500m"`
`rulebricks.redis.resources.limits.memory`	string	`"4Gi"`	Increase for large rule sets
`rulebricks.redis.persistence.enabled`	boolean	`true`	Keep enabled for production
`rulebricks.redis.persistence.size`	string	`"4Gi"`
`rulebricks.redis.persistence.storageClass`	string	`"gp3"`	Match your storage class

To use a managed Redis instance (ElastiCache, Memorystore, Upstash, and so on) instead of the bundled deployment, set rulebricks.redis.enabled: false and configure the external block:

Parameter	Type	Default	Description
`rulebricks.redis.external.host`	string	`""`	Redis hostname (required when `redis.enabled` is `false`)
`rulebricks.redis.external.port`	integer	`6379`	Redis port
`rulebricks.redis.external.password`	string	`""`	Inline password (injected at runtime, never in ConfigMaps)
`rulebricks.redis.external.existingSecret`	string	`""`	Existing secret name (preferred for production)
`rulebricks.redis.external.existingSecretKey`	string	`""`	Key within the secret
`rulebricks.redis.external.tls.enabled`	boolean	`false`	Use `rediss://`
`rulebricks.redis.external.httpApi.*`	object	`{}`	Upstash-style HTTP API (url/token or existing secret)

See External Kafka & Redis for how each component connects.

High Performance Server (HPS)

HPS handles rule execution with horizontal scaling. For the sizing model behind these values (partition ceilings, worker resources, KEDA thresholds), see Performance & Scaling.

Parameter	Type	Default	Description
`rulebricks.hps.enabled`	boolean	`true`	Enable HPS
`rulebricks.hps.replicas`	integer	`3`	Number of HPS gateway replicas
`rulebricks.hps.workers.enabled`	boolean	`true`	Enable worker pods
`rulebricks.hps.workers.replicas`	integer	`4`	Base worker replica count
`rulebricks.hps.workers.solutionPartitions`	integer	`64`	Partition count of the `solution` topic; the worker fleet's concurrency ceiling
`rulebricks.hps.workers.resources.*`	object	1 CPU / 1Gi	Per-worker resources; keep CPU request equal to limit
`rulebricks.hps.workers.keda.*`	object	see Performance & Scaling	KEDA autoscaling configuration

HPS Image

Parameter	Type	Default	Description
`rulebricks.hps.image.repository`	string	`"index.docker.io/rulebricks/hps"`	Docker image repository
`rulebricks.hps.image.pullPolicy`	string	`"Always"`	Image pull policy

HPS and worker image tags are derived from global.version (<version> and worker-<version> respectively).

HPS Resources

Parameter	Type	Default
`rulebricks.hps.resources.requests.cpu`	string	`"1000m"`
`rulebricks.hps.resources.requests.memory`	string	`"1Gi"`
`rulebricks.hps.resources.limits.cpu`	string	`"2000m"`
`rulebricks.hps.resources.limits.memory`	string	`"2Gi"`

Database (Supabase)

Self-Hosted vs. Managed

Mode	`supabase.enabled`	Use Case
Self-hosted	`true`	Full control, air-gapped environments
Managed (Cloud)	`false`	Simplified operations, managed backups

Self-Hosted Configuration

Parameter	Type	Default	Description
`supabase.enabled`	boolean	`true`	Deploy self-hosted Supabase
`supabase.secret.db.username`	string	`"postgres"`	Database username
`supabase.secret.db.password`	string	`"postgres-password-change-me"`	Change this!
`supabase.secret.db.database`	string	`"postgres"`	Database name
`supabase.secret.dashboard.username`	string	`"supabase"`	Studio dashboard username
`supabase.secret.dashboard.password`	string	`"dashboard-password-change-me"`	Change this!

Database Resources

Parameter	Type	Default	Production Recommendation
`supabase.db.resources.requests.cpu`	string	`"500m"`	`"1000m"` or higher
`supabase.db.resources.requests.memory`	string	`"1Gi"`	`"2Gi"` or higher
`supabase.db.persistence.enabled`	boolean	`true`	Always `true` for production
`supabase.db.persistence.size`	string	`"10Gi"`	Based on data volume
`supabase.db.persistence.storageClassName`	string	`"gp3"`	Use fast storage

External PostgreSQL

The Supabase services can run in-cluster while pointing at an external PostgreSQL server (e.g. a managed instance). Set supabase.db.enabled: false and configure the connection once:

Parameter	Type	Default	Description
`supabase.externalDatabase.enabled`	boolean	`false`	Use an external PostgreSQL server
`supabase.externalDatabase.host`	string	`""`	PostgreSQL host shared across Supabase services
`supabase.externalDatabase.port`	integer	`5432`	PostgreSQL port
`supabase.externalDatabase.secretRef`	string	`""`	Existing secret with credentials (else `secret.db`)
`supabase.externalDatabase.secretRefKey.*`	object	`username`/`password`/`database`	Key mappings within the secret

Migration jobs reach the same server through migrations.externalDb.*.

Kong Ingress

Parameter	Type	Default	Description
`supabase.kong.ingress.enabled`	boolean	`true`	Enable Supabase API ingress
`supabase.kong.ingress.className`	string	`"traefik"`	Must match Traefik class

Studio and Auth URLs

Supabase Studio can be exposed on its own hostname via supabase.studio.ingress.* (enabled, type, className, hostname, defaulting to studio.<global.domain>); dashboard credentials come from supabase.secret.dashboard.*. When your application hostname differs from the base domain, override the computed auth URLs with supabase.auth.siteUrl, supabase.auth.externalUrl, and supabase.auth.additionalRedirectUrls.

Migrations

Parameter	Type	Default	Description
`migrations.strategy`	string	`"hook"`	`hook` (post-install/upgrade), `deployment` (regular resource, supports post-rendering), or `manual` (render without hooks)
`migrations.ttlSecondsAfterFinished`	integer	`2592000`	Seconds to retain completed migration Jobs and pod logs
`migrations.backoffLimit`	integer	`3`	Retries before marking the Job failed
`migrations.externalDb.*`	object	`{}`	Host/port/secret for migrations against an external PostgreSQL

Migration pods inherit global.scheduling and accept their own nodeSelector, tolerations, and annotations.

Message Queue (Kafka)

Kafka handles async rule execution and logging.

Basic Settings

Parameter	Type	Default	Description
`kafka.enabled`	boolean	`true`	Deploy Kafka
`kafka.kraft.enabled`	boolean	`true`	Use KRaft mode (no Zookeeper)
`kafka.zookeeper.enabled`	boolean	`false`	Disable Zookeeper

Controller/Broker Configuration

Parameter	Type	Default	Description
`kafka.controller.replicaCount`	integer	`1`	Number of Kafka nodes
`kafka.controller.resources.requests.cpu`	string	`"500m"`	CPU request
`kafka.controller.resources.requests.memory`	string	`"2Gi"`	Memory request
`kafka.controller.resources.limits.cpu`	string	`"2000m"`	CPU limit
`kafka.controller.resources.limits.memory`	string	`"3Gi"`	Memory limit
`kafka.controller.persistence.size`	string	`"20Gi"`	Storage size
`kafka.controller.heapOpts`	string	`"-Xmx1g -Xms1g..."`	JVM heap settings

The chart also ships pre-tuned broker settings (JVM options, network threads, socket buffers, message size limits) as kafka.controller.extraEnvVars and kafka.overrideConfiguration. These defaults are correct for the topics the chart provisions; override them only with a specific reason, using the chart's values.yaml (opens in a new tab) as the reference.

Kafka Topic Provisioning

The chart manages application topics explicitly rather than relying on broker auto-creation. The kafka.provisioning block is consumed by two post-install/post-upgrade Jobs: the Kafka subchart's provisioning Job creates topics if they don't exist, and the parent chart's kafka-topic-align Job idempotently converges pre-existing topics (partition increases, retention and size configs) so upgrades of existing installs don't require manual steps.

Parameter	Type	Default	Description
`kafka.provisioning.enabled`	boolean	`true`	Enable explicit topic management
`kafka.provisioning.topics`	list	three topics	Per-topic name, partitions, replication, and config

The defaults provision solution, solution-response, and logs topics with per-topic retention and size limits. Each entry looks like:

kafka:
  provisioning:
    enabled: true
    topics:
      - name: com.rulebricks.solution
        partitions: 64
        replicationFactor: 1
        config:
          retention.ms: '300000'
      # ... see the chart's values.yaml for the full default topic list

⚠️

Topic names must carry the configured kafkaTopicPrefix. If you change the prefix, change these names to match. The CLI does this automatically. The solution topic's partition count must also equal rulebricks.hps.workers.solutionPartitions; see Performance & Scaling.

When using external Kafka (kafka.enabled: false), provisioning is disabled and topics are customer-managed. See External Kafka & Redis.

Kafka Bridge (Token-Auth External Kafka)

When external Kafka uses a token-based SASL mechanism (AWS MSK IAM, GCP OAUTHBEARER), Vector consumes through a kafka-proxy bridge sidecar that authenticates upstream via workload identity:

Parameter	Type	Default	Description
`kafkaBridge.enabled`	boolean	`false`	Enable the bridge sidecar path
`kafkaBridge.provider`	string	`""`	`aws` or `gcp`
`kafkaBridge.region`	string	`""`	Region (required for AWS MSK IAM signing)
`kafkaBridge.brokers`	string	`""`	Upstream managed-Kafka broker list
`kafkaBridge.localPort`	integer	`19092`	Local plaintext port Vector consumes from
`kafkaBridge.awsRoleArn`	string	`""`	IRSA role ARN (AWS)
`kafkaBridge.gcpServiceAccountEmail`	string	`""`	Workload Identity service account email (GCP)

The CLI sets all of this automatically when you externalize Kafka. See External Kafka & Redis.

High Availability

kafka:
  controller:
    replicaCount: 3
  overrideConfiguration:
    default.replication.factor: '3'
    min.insync.replicas: '2'

Ingress (Traefik)

Traefik handles all incoming traffic and TLS termination.

Parameter	Type	Default	Description
`traefik.enabled`	boolean	`true`	Deploy Traefik
`traefik.ingressClass.name`	string	`"traefik"`	Ingress class name
`traefik.autoscaling.enabled`	boolean	`true`	Enable HPA
`traefik.autoscaling.minReplicas`	integer	`1`	Minimum replicas
`traefik.autoscaling.maxReplicas`	integer	`2`	Maximum replicas

Traefik resources, ports, and persistence follow the upstream subchart's values under traefik.*; the chart's defaults expose 80/443 and need no changes for typical deployments.

Autoscaling (KEDA)

KEDA provides event-driven autoscaling for HPS workers. Scaling behavior is configured per-worker under rulebricks.hps.workers.keda.*; see Performance & Scaling.

Parameter	Type	Default	Description
`keda.enabled`	boolean	`true`	Deploy KEDA
`keda.crds.install`	boolean	`false`	CRDs managed by parent chart

Certificates (cert-manager)

cert-manager provisions TLS certificates from Let's Encrypt.

Parameter	Type	Default	Description
`cert-manager.enabled`	boolean	`true`	Deploy cert-manager
`cert-manager.installCRDs`	boolean	`false`	CRDs managed by parent chart

The chart creates a ClusterIssuer for Let's Encrypt production and Certificate resources for your domain(s).

Decision Logging (Vector & ClickHouse)

Value prefix	Purpose
`vector.*`	Log aggregator consuming the Kafka `logs` topic; sinks and replicas
`clickhouse.*`	Stateless query engine over the decision log archive

Vector's Kafka connection (brokers, TLS, SASL, and the prefixed log topic) is templated automatically into a vector-kafka-env ConfigMap from rulebricks.app.logging.*; you don't set it by hand. How the pipeline fits together, the values tables, and custom sink examples live in Decision Logs.

DNS (external-dns)

external-dns automatically creates DNS records for your ingresses.

Parameter	Type	Default	Description
`external-dns.enabled`	boolean	`false`	Deploy external-dns
`external-dns.provider`	string	`"route53"`	DNS provider
`external-dns.sources`	list	`["ingress"]`	Resource types to watch
`external-dns.domainFilters`	list	`[]`	Restrict to specific domains
`external-dns.policy`	string	`"upsert-only"`	Record management policy

Provider Configuration

AWS Route53

external-dns:
  enabled: true
  provider: route53
  # Uses IRSA - ensure service account has Route53 permissions

Cloudflare

external-dns:
  enabled: true
  provider: cloudflare
  extraEnvVars:
    - name: CF_API_TOKEN
      valueFrom:
        secretKeyRef:
          name: cloudflare-api-token
          key: api-token

Google Cloud DNS

external-dns:
  enabled: true
  provider: google
  google:
    project: 'your-gcp-project'

Azure DNS

external-dns:
  enabled: true
  provider: azure
  azure:
    resourceGroup: 'your-resource-group'
    subscriptionId: 'your-subscription-id'

Monitoring (Prometheus)

Parameter	Type	Default	Description
`monitoring.enabled`	boolean	`true`	Enable monitoring
`rulebricks.metrics.enabled`	boolean	`true`	Rulebricks ServiceMonitors
`kube-prometheus-stack.*`	object	see values	Upstream Prometheus stack configuration

What's scraped, the metric label policy, remote write, and retention examples live in Monitoring.

Storage

StorageClass

The chart can create a gp3 StorageClass for AWS EBS:

Parameter	Type	Default	Description
`storageClass.create`	boolean	`true`	Create StorageClass
`storageClass.name`	string	`"gp3"`	StorageClass name
`storageClass.provisioner`	string	`"ebs.csi.aws.com"`	CSI provisioner
`storageClass.type`	string	`"gp3"`	EBS volume type
`storageClass.fsType`	string	`"ext4"`	File system type
`storageClass.reclaimPolicy`	string	`"Delete"`	Reclaim policy
`storageClass.volumeBindingMode`	string	`"WaitForFirstConsumer"`	Binding mode
`storageClass.allowVolumeExpansion`	boolean	`true`	Allow expansion

For non-AWS clusters, set storageClass.create: false and ensure a compatible StorageClass exists. Provider-specific examples are in Quick Start.

Token Passthrough Architecture