Frontend service

Rafiki’s frontend service provides an optional internal admin interface, called the Rafiki Admin application, for you to manage your Rafiki instance through a Remix web app. The Rafiki Admin application is the primary way for operators to manage tenants and their resources. This service communicates with the Backend Admin API to facilitate administrative tasks within Rafiki.

Requirements

The following are required when using the frontend service:

• A Rafiki backend service up and running to access the Backend Admin API.
• An identity provider for authentication and user management. Out of the box, the Rafiki Admin application uses Ory Kratos, a secure and fully open-source identity management solution.

Disabling authentication

Rafiki Admin provides access to sensitive data like peering relationships and wallet addresses. Authentication is enabled by default to restrict access to authorized users only.

In the Local Playground, authentication is disabled by default to simplify local development and testing. To disable it in other environments, set the environment variable AUTH_ENABLED to false. This should be done with extreme caution and only in specific scenarios:

• Secure, non-production environments like the Local Playground for local development and testing.
• Internal systems where Rafiki Admin is not exposed externally and other access controls (firewalls, local-only access) ensure that the system is secured.

You must also set the environment variables for the frontend service.

Rafiki Admin settings

While the frontend service is not required to run a Rafiki instance, it’s highly recommended. A number of administrative tasks could be performed programmatically via the Backend Admin API, but the frontend service makes these functions available through a user-friendly interface. The Rafiki Admin application allows operators to manage tenants and their resources, and to configure tenant-specific settings such as the wallet address prefix. The frontend service HMAC-signs requests (HMAC SHA-256) to the Backend Admin API and includes a tenant-id header. The tenant-id header identifies the tenant on whose behalf the request is made.

Environment variables

Required

Variable	Helm value name	Default	Description
GRAPHQL_URL	config.frontend.serviceUrls.GRAPHQL_URL	undefined	URL for Rafiki’s GraphQL Backend Admin API.
OPEN_PAYMENTS_URL	config.frontend.serviceUrls.OPEN_PAYMENTS_URL	undefined	Your Open Payments API endpoint.

Conditionally required

The following variables are required only when AUTH_ENABLED is set to true.

Variable	Helm value name	Default	Description
KRATOS_ADMIN_URL	undefined	undefined	The admin endpoint/container address for Kratos.
KRATOS_BROWSER_PUBLIC_URL	undefined	undefined	The URL to access the Kratos Docker container from a browser outside the Docker network. This is used for calls from a browser (what you see in the Rafiki Admin UI) to the Kratos server on the backend.
KRATOS_CONTAINER_PUBLIC_URL	undefined	undefined	The URL to access the Kratos Docker container from in the Docker network. This is used for backend calls to Kratos.

Optional

Variable	Helm value name	Default	Description
AUTH_ENABLED	config.frontend.kratos.enabled	true	When true, only authenticated users can be granted access to Rafiki Admin by an administrator.
ENABLE_INSECURE_MESSAGE_COOKIE	undefined	undefined	When set to true, t, or 1, cookie will be transmitted over insecure HTTP connection. Insecure message cookies are required for flash messages to work over HTTP.
LOG_LEVEL	config.frontend.logLevel	info	Pino log level.
NODE_ENV	config.frontend.nodeEnv	undefined	The type of node environment: development, test, or production.
PORT	config.frontend.port	3010	Port from which to host the Rafiki Remix app.
SIGNATURE_VERSION	undefined	undefined	The signature version number used when HMAC-signing requests to the Backend Admin API (HMAC SHA-256).