
Enterprise TapPass Setup

Production deployment of TapPass with persistent storage, HTTPS, and full security hardening.

```sh
tappass up           # 1. Start server (wizard on first run, instant after)
tappass init         # 2. CISO configures governance
tappass agents add   # 3. Developers register agents
```

```sh
# On your server
mkdir tappass && cd tappass
# Run the setup wizard
pip install tappass
tappass up
```

The wizard asks:

  1. License key (from tappass license issue)
  2. Storage: postgres or supabase for production
  3. Secrets: auto-generated JWT secret, vault key, admin API key
  4. Runtime: choose docker to generate docker-compose.yml

Then:

```sh
docker compose up -d
```
```sh
tappass up
# Choose "kubernetes" as runtime
# Generates tappass-values.yaml
helm install tappass oci://ghcr.io/cogniqor/charts/tappass \
  -f tappass-values.yaml
```
```sh
tappass up
# Choose "here" as runtime
# Or run directly:
TAPPASS_LICENSE=<key> python -m uvicorn tappass.api.main:app \
  --host 0.0.0.0 --port 9621
```
```sh
# tappass up wizard handles this, or manually:
export DATABASE_URL="postgresql://tappass:secure_password@db.internal:5432/tappass"
```

TapPass runs migrations automatically on startup.

```sh
export SUPABASE_URL="https://your-project.supabase.co"
export SUPABASE_KEY="your-service-role-key"
```

Run migrations/*.sql in the Supabase SQL Editor (001 through 009 in order).

The local JSON backend needs no configuration: data persists across restarts in .tappass/state.json, but this backend is not suitable for production.

/etc/caddy/Caddyfile

```
tappass.yourcompany.eu {
    reverse_proxy localhost:9621
}
```

nginx:

```nginx
server {
    listen 443 ssl;
    server_name tappass.yourcompany.eu;
    ssl_certificate /etc/letsencrypt/live/tappass.yourcompany.eu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tappass.yourcompany.eu/privkey.pem;
    location / {
        proxy_pass http://localhost:9621;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Required variables:

| Variable | Description |
|---|---|
| TAPPASS_LICENSE | License key from tappass license issue |
| TAPPASS_PRODUCTION | Set to 1 to enable production hardening |
| AGENT_AUTH_ADMIN_API_KEY | Admin API key (starts with tp_) |
| AGENT_AUTH_JWT_SECRET | JWT signing secret (48+ chars) |
| TAPPASS_VAULT_KEY | AES-256 key for credential encryption |
| DATABASE_URL or SUPABASE_URL+SUPABASE_KEY | Storage backend |

Optional variables:

| Variable | Default | Description |
|---|---|---|
| TAPPASS_LICENSE_SERVER | https://license.tappass.eu | License activation server URL |
| AGENT_AUTH_CORS_ORIGINS | (none) | Comma-separated allowed CORS origins |
| AGENT_AUTH_EU_DATA_RESIDENCY | false | Restrict to EU model providers |
| OPENAI_API_KEY | (none) | For LLM judge and model gateway |

Production Hardening (TAPPASS_PRODUCTION=1)

When enabled, the server:

  • Refuses to start without AGENT_AUTH_JWT_SECRET
  • Refuses to start without AGENT_AUTH_ADMIN_API_KEY
  • Hides OpenAPI docs (/docs and /openapi.json)
  • Strips the Server header
  • Enforces HTTPS security headers (HSTS, CSP, etc.)
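The following is an added illustrative model of what the hardening list above amounts to in an ASGI service; it is not TapPass's own code, and the function names, the 404 for hidden routes and the exact header values are assumptions. It shows the two kinds of control involved: a startup check that refuses to run when a required secret is missing or malformed (the 48-character JWT secret and the tp_ admin-key prefix come from the variable table), and a response wrapper that strips the Server header, adds HSTS/CSP-style headers and hides /docs and /openapi.json.

```python
"""Illustrative model of TAPPASS_PRODUCTION=1 startup checks and response hardening.

Added example, not TapPass's own code. Thresholds come from the variable table on
this page; header values and the 404 for hidden paths are assumptions.
"""
import asyncio
import os

MIN_JWT_SECRET_LEN = 48      # AGENT_AUTH_JWT_SECRET: 48+ chars
ADMIN_KEY_PREFIX = "tp_"     # AGENT_AUTH_ADMIN_API_KEY starts with tp_


def validate_production_env(env: dict) -> list[str]:
    """Return startup-blocking problems; an empty list means the server may start."""
    problems = []
    if env.get("TAPPASS_PRODUCTION") != "1":
        return problems  # hardening off: nothing is enforced
    jwt = env.get("AGENT_AUTH_JWT_SECRET", "")
    if not jwt:
        problems.append("AGENT_AUTH_JWT_SECRET is not set")
    elif len(jwt) < MIN_JWT_SECRET_LEN:
        problems.append(f"AGENT_AUTH_JWT_SECRET is shorter than {MIN_JWT_SECRET_LEN} chars")
    admin = env.get("AGENT_AUTH_ADMIN_API_KEY", "")
    if not admin:
        problems.append("AGENT_AUTH_ADMIN_API_KEY is not set")
    elif not admin.startswith(ADMIN_KEY_PREFIX):
        problems.append(f"AGENT_AUTH_ADMIN_API_KEY does not start with {ADMIN_KEY_PREFIX}")
    return problems


# Assumed header values; tune the CSP to what the /app UI actually loads.
SECURITY_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "referrer-policy": "no-referrer",
}
HIDDEN_PATHS = {"/docs", "/openapi.json"}


def harden_response_headers(headers: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """Drop the Server header and add missing security headers (ASGI header list)."""
    kept = [(k, v) for k, v in headers if k.lower() != b"server"]
    present = {k.lower() for k, _ in kept}
    for name, value in SECURITY_HEADERS.items():
        if name.encode() not in present:
            kept.append((name.encode(), value.encode()))
    return kept


def production_middleware(app):
    """Wrap an ASGI app: hidden paths answer 404, every response gets hardened headers."""
    async def wrapped(scope, receive, send):
        if scope["type"] == "http" and scope["path"] in HIDDEN_PATHS:
            await send({"type": "http.response.start", "status": 404,
                        "headers": harden_response_headers([])})
            await send({"type": "http.response.body", "body": b""})
            return

        async def send_hardened(message):
            if message["type"] == "http.response.start":
                message = dict(message, headers=harden_response_headers(message.get("headers", [])))
            await send(message)

        await app(scope, receive, send_hardened)
    return wrapped


async def _demo_app(scope, receive, send):
    """Constructed stand-in for the real app: always 200 and leaks a Server header."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"server", b"uvicorn"), (b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"ok"})


def run_request(path: str) -> tuple[int, dict]:
    """Drive the wrapped demo app for one GET; return (status, decoded response headers)."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request"}

    asyncio.run(production_middleware(_demo_app)({"type": "http", "method": "GET", "path": path}, receive, send))
    start = sent[0]
    return start["status"], {k.decode(): v.decode() for k, v in start["headers"]}


if __name__ == "__main__":
    problems = validate_production_env(dict(os.environ))
    if problems:
        raise SystemExit("refusing to start:\n  " + "\n  ".join(problems))
    print(run_request("/docs"))
    print(run_request("/health/live"))
```

When TapPass sits behind the Caddy or nginx front end above, decide once where HSTS is set (proxy or app) so the two do not emit conflicting values.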
```sh
tappass init --server https://tappass.yourcompany.eu
```

Interactive wizard:

  1. Connect to server
  2. Sign in (Google SSO or email/password)
  3. Approve which providers agents may access
  4. Set security preset (startup / enterprise / regulated)
  5. Provider credentials guidance
| Preset | Reads | Writes | Audit | Judge |
|---|---|---|---|---|
| startup | Auto-approve | Notify | Basic | Rules only |
| enterprise | Auto-approve | Require consent | Full | Rules only |
| regulated | Require consent | Require consent | Full + hash chain | LLM + rules |

After tappass init, open in your browser:

| URL | Purpose | Users |
|---|---|---|
| /app | Manage agents, policies, audit trail, connect accounts | All users (RBAC) |
| /signup | Sign in / create account | New users |

TapPass exposes three health endpoints following the Kubernetes probe contract:

| Endpoint | Probe Type | Checks | Failure Action |
|---|---|---|---|
| /health/live | Liveness | Process alive | Pod restart |
| /health/ready | Readiness | DB + OPA + Redis | Remove from Service endpoints |
| /health/startup | Startup | DB + OPA + Presidio models loaded | Wait (up to 150s for model load) |

```sh
# Quick health check
curl https://tappass.yourcompany.eu/health/ready
# {"status": "ready", "checks": {"database": "ok", "opa": "ok", "redis": "ok"}}
```
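An added deploy-gate script, not part of TapPass, that applies the probe table above from the outside: it polls /health/startup within the table's 150-second model-load budget, then confirms /health/ready once and reports which checks are failing. The endpoint paths and the `{"status": ..., "checks": {...}}` body shape come from this page; treating any 200 whose checks are all "ok" as healthy is an assumption. The fetch, clock and sleep functions are injectable so the logic can be exercised offline against scripted responses.

```python
"""Deploy gate: wait for TapPass startup, then confirm readiness.

Added example, not part of TapPass. Paths and JSON shape are from the health
table on this page; the 150 s budget is the table's model-load allowance.
"""
import json
import sys
import time
import urllib.error
import urllib.request

STARTUP_BUDGET_S = 150   # startup probe may wait up to 150s for model load
POLL_INTERVAL_S = 5


def http_fetch(url: str) -> tuple[int, str]:
    """Return (status_code, body); errors are returned as status 0, never raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def parse_health(status_code: int, body: str) -> tuple[bool, list[str]]:
    """Interpret one health response as (healthy, sorted names of failing checks)."""
    if status_code != 200:
        return False, ["http_%d" % status_code]
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False, ["unparseable_body"]
    checks = doc.get("checks", {})
    failing = sorted(name for name, state in checks.items() if state != "ok")
    return not failing, failing


def wait_until_ready(base_url: str, fetch=http_fetch, clock=time.monotonic,
                     sleep=time.sleep, budget_s: float = STARTUP_BUDGET_S) -> tuple[bool, list[str]]:
    """Poll /health/startup until healthy or the budget is spent, then check /health/ready."""
    deadline = clock() + budget_s
    failing: list[str] = []
    while True:
        healthy, failing = parse_health(*fetch(base_url + "/health/startup"))
        if healthy:
            break
        if clock() >= deadline:
            return False, failing          # startup never completed within budget
        sleep(POLL_INTERVAL_S)
    return parse_health(*fetch(base_url + "/health/ready"))


def simulate(startup_responses, ready_response, budget_s: float = STARTUP_BUDGET_S):
    """Run wait_until_ready offline against constructed responses and a fake clock.

    startup_responses is consumed in order; the last one repeats forever.
    """
    now = [0.0]
    script = list(startup_responses)

    def fetch(url):
        if url.endswith("/health/startup"):
            return script.pop(0) if len(script) > 1 else script[0]
        return ready_response

    def sleep(seconds):
        now[0] += seconds

    return wait_until_ready("http://tappass.example", fetch=fetch,
                            clock=lambda: now[0], sleep=sleep, budget_s=budget_s)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://tappass.yourcompany.eu"
    ok, failing = wait_until_ready(base)
    print("ready" if ok else "NOT ready, failing checks: %s" % failing)
    sys.exit(0 if ok else 1)
```

Run it as `python deploy_gate.py https://tappass.yourcompany.eu` after a rollout; a non-zero exit with the failing check names is what a CI job should stop on.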

Every pipeline execution creates OTel spans with child spans per step. Set OTEL_EXPORTER_OTLP_ENDPOINT to enable:

```sh
OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317
```

Incoming traceparent headers from agents are propagated, giving end-to-end traces:

```
[Agent] → [TapPass: pipeline 14ms] → [OpenAI: 823ms] → [TapPass: output scan 3ms]
```

```sh
curl -H "Authorization: Bearer $ADMIN_KEY" \
  https://tappass.yourcompany.eu/metrics
```

Key metrics: tappass_requests_total, tappass_request_duration_seconds, tappass_tokens_issued_total, tappass_policy_denials_total.

Configure agents with fail-open or fail-closed behavior when TapPass is unreachable:

```sh
# Environment variable (no code change needed)
export TAPPASS_FAIL_MODE=fail_open_cached
```

```python
from tappass import Agent
from tappass.resilience import ResiliencePolicy, FailMode

agent = Agent("http://tappass:9620", resilience=ResiliencePolicy(
    mode=FailMode.FAIL_OPEN_CACHED,
    cache_ttl_seconds=300,
    max_offline_requests=100,
))
```

See the SDK Resilience Guide for details.
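To make the trade-off between the fail modes concrete, here is an added reference model of the decision an agent takes when TapPass is unreachable. It is not the TapPass SDK: only `fail_open_cached` and the `cache_ttl_seconds` / `max_offline_requests` parameters appear on this page; the `fail_closed` and `fail_open` names, the `GatewayUnreachable` error and the exact semantics (replay only a cached decision for the same agent and action, younger than the TTL, up to a bounded number of offline requests, and deny everything else) are assumptions that follow the usual meaning of fail-open and fail-closed.

```python
"""Reference model of fail-mode behaviour when the policy gateway is unreachable.

Added example, not the TapPass SDK. Mode names other than fail_open_cached and
the replay rules are assumptions.
"""
import time
from dataclasses import dataclass, field

FAIL_CLOSED = "fail_closed"             # unreachable -> deny everything
FAIL_OPEN = "fail_open"                 # unreachable -> allow everything (weakest)
FAIL_OPEN_CACHED = "fail_open_cached"   # unreachable -> replay recent decisions, bounded


class GatewayUnreachable(Exception):
    """Raised by the transport when TapPass cannot be reached."""


@dataclass
class ResiliencePolicy:
    mode: str = FAIL_OPEN_CACHED
    cache_ttl_seconds: int = 300
    max_offline_requests: int = 100


@dataclass
class DecisionGate:
    policy: ResiliencePolicy
    clock: callable = time.monotonic
    _cache: dict = field(default_factory=dict)   # (agent, action) -> (allowed, stamped_at)
    _offline_served: int = 0
    log: list = field(default_factory=list)      # (outcome, reason, key) for the audit trail

    def decide(self, agent_id: str, action: str, ask_tappass) -> bool:
        """Ask TapPass live; fall back to the configured mode only when unreachable."""
        key = (agent_id, action)
        try:
            allowed = ask_tappass(agent_id, action)
        except GatewayUnreachable:
            return self._offline_decision(key)
        self._cache[key] = (allowed, self.clock())
        self._offline_served = 0     # back online: the offline budget resets
        return allowed

    def _offline_decision(self, key) -> bool:
        mode = self.policy.mode
        if mode == FAIL_CLOSED:
            self.log.append(("deny", "fail_closed", key))
            return False
        if mode == FAIL_OPEN:
            self.log.append(("allow", "fail_open", key))
            return True
        # fail_open_cached: replay only a fresh cached decision, within the offline budget
        entry = self._cache.get(key)
        if entry is None:
            self.log.append(("deny", "no_cached_decision", key))
            return False
        allowed, stamped = entry
        if self.clock() - stamped > self.policy.cache_ttl_seconds:
            self.log.append(("deny", "cache_expired", key))
            return False
        if self._offline_served >= self.policy.max_offline_requests:
            self.log.append(("deny", "offline_budget_exhausted", key))
            return False
        self._offline_served += 1
        self.log.append(("allow" if allowed else "deny", "cached", key))
        return allowed


def demo() -> tuple[list[bool], list[str]]:
    """Constructed scenario: outage, budget exhaustion, recovery, then cache expiry."""
    now = [0.0]
    up = [True]

    def ask(agent, action):
        if not up[0]:
            raise GatewayUnreachable()
        return action == "read"     # constructed policy: reads allowed, writes denied

    gate = DecisionGate(ResiliencePolicy(FAIL_OPEN_CACHED, 300, 2), clock=lambda: now[0])
    decisions = [gate.decide("a1", "read", ask),     # online -> allow, cached
                 gate.decide("a1", "write", ask)]    # online -> deny, cached
    up[0] = False
    decisions += [gate.decide("a1", "read", ask),    # cached allow, offline 1/2
                  gate.decide("a1", "delete", ask),  # never decided -> deny
                  gate.decide("a1", "read", ask),    # cached allow, offline 2/2
                  gate.decide("a1", "read", ask)]    # budget exhausted -> deny
    now[0] += 301
    up[0] = True
    decisions.append(gate.decide("a1", "read", ask))  # back online -> allow, budget reset
    up[0] = False
    now[0] += 301
    decisions.append(gate.decide("a1", "read", ask))  # cache older than TTL -> deny
    return decisions, [reason for _, reason, _ in gate.log]


if __name__ == "__main__":
    for d, r in zip(*demo()):
        print(d, r)
```

The log of reasons is the part worth keeping in production: every offline allow or deny should be visible in the audit trail so an outage can be reconciled afterwards.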

```sh
tappass status   # Quick health check
tappass doctor   # Full diagnostic
tappass logs     # View audit trail
```

See the Network Architecture Guide for:

  • Firewall rule templates (Palo Alto, Fortinet CSV import)
  • Proxy configuration (corporate egress, TLS inspection)
  • Air-gapped deployment
  • Kubernetes NetworkPolicy examples

The Trust Center provides procurement-ready documents:

| Document | Purpose |
|---|---|
| DPA | GDPR Art. 28 Data Processing Agreement |
| Sub-processor List | All third parties processing data |
| DPIA Template | Pre-filled Data Protection Impact Assessment |

```sh
pg_dump $DATABASE_URL > tappass-backup-$(date +%Y%m%d).sql
```

Back up .tappass/state.json and policies/.

Use the Supabase dashboard or pg_dump via the connection string.