Instance Settings

Instance settings are accessible to all superadmins of your Orvanta instance. This is where you manage settings and features across all workspaces. One instance can have several workspaces.

It is from the Instance settings that you can see which Orvanta version your instance is running.

Admins workspace

The Admins workspace is for superadmins only and contains scripts whose purpose is to manage your Orvanta instance, such as keeping resource types up to date or the New User Setup App.

The resource types created from the Admins workspace are shared across all workspaces.

You can access it from the list of workspaces or from Instance settings.

Global users

Global Users are users of the Orvanta instance. They are not associated with any workspace and can be assigned to any workspace (from the workspace settings).

From there you can manually add a user to the instance, giving an email and a password. Users can be set to User, Devops or Superadmin roles.

When a user’s role is set by an instance group, a “Set by instance group” indicator appears next to the role toggle. You can still upgrade a user to a higher role manually (e.g. from group-assigned devops to superadmin), but demoting to “User” requires removing the user from the instance group.

You can also enable automatic username creation from emails. Usernames will be shared across workspaces. We recommend setting it to avoid duplicated usernames.

A more common way to add users is to use SSO/OAuth.

For each user, you can see Email, Auth (manually-set password or Auth methods), Name, Kind (Developer or Operator, where an operator at the instance level is an operator in all workspaces they are members of), and Role (User or Superadmin).

You can also toggle on ‘Recently active only’ to only show users who have performed at least one action in the last 30 days. Only those users are counted in our pricing. When enabled, the table also displays each user’s Kind (Developer or Operator), reflecting their highest permission level across all workspaces they belong to.

Core

Base url

The base URL is the public base URL of the instance.

If the base URL is not set correctly, some server-side generated URLs like resume URLs will be incorrect. Additionally, OAuth and SSO functionalities will not work properly.

WebSocket base url

Optional override for the base URL used by the frontend to open WebSocket connections to the LSP, debugger, and multiplayer services. When empty, WebSocket connections fall back to the current window.location (same host as the page).

Set this when the browser cannot reach WebSocket services on the same host as the main app — for example, when WebSocket services are exposed under a dedicated subdomain (e.g. wss://ws.example.com). The value is used as a prefix for all frontend WebSocket connections (LSP, debugger, multiplayer).

A “Test connectivity” button runs HTTP health and WebSocket ping checks for the three services in parallel and reports per-service results inline.

Email domain

Domain to display in webhooks for email triggers (should match the MX record).

Request size limit in MB

Maximum size of HTTP requests in MB. Cloud only.

Default timeout

Default timeout for individual jobs, in seconds.

You will find a helper to convert days, hours, minutes, and seconds to seconds.

Note that you can set a custom timeout for flow steps.

Max timeout for sync endpoints

Maximum amount of time (measured in seconds) that a sync endpoint is allowed to run before it is forcibly stopped or timed out.

You will find a helper to convert days, hours, minutes, and seconds to seconds.

Keep job directories for debug

Toggle to keep job directories after execution at /tmp/orvanta/<worker>/<job_id>.

License key

The license key is used to enable Enterprise Edition. You can get one by starting a free trial or by contacting Orvanta support.

To see how to upgrade your instance to Enterprise Edition, see the Upgrade to Enterprise Edition docs. The same key can also be used for non-prod instances. Just make sure to set Non-prod instance to true so that the computation usage is not counted in the billing.

From there you also have two buttons:

• Renew key: to renew the license key (as long as you have a valid subscription). The key is automatically renewed every day as long as your subscription is valid.
• Open customer portal: the recommended way to access the Customer portal where you can manage your subscription.

If your subscription is active, the key is automatically renewed every day. A key is typically valid for 35 days.

Non-prod instance

Whether the reported usage of this instance should be considered non-prod.

Non-prod instances work the same as prod instances in terms of features, but their computation usage is not counted in the billing. Seat counts, however, are across all instances. If all instances using the same key are ‘Non-prod’, the one using the most Compute Units will be counted as Prod.

Alternatively, you can copy a development license key using the dedicated button from the Customer portal. This provides an alternative to manually turning instances to Non-prod mode.

This setting is only available on Enterprise Edition.

Retention period in secs

How long to keep the jobs data (especially the audit logs) in the database (max 30 days on Community Edition).

You will find a helper to convert days, hours, minutes, and seconds to seconds.

This setting is only available on Enterprise Edition.

Audit log retention (days)

How long to keep audit log entries in the database. Default: 365 days (EE), 14 days (CE). Audit logs are internally partitioned by day for performance — expired partitions are dropped automatically rather than deleted row by row.

If you enable Store audit logs in object storage, the bucket holds the durable long-term history, so you can safely lower this value to only what you need for the in-app audit log view. Orvanta never deletes the exported audit logs from object storage.

Instance object storage

Connect your instance to an S3 bucket to store large logs and global cache for Python and Go.

This feature has no overlap with the Workspace object storage.

You can choose to use S3, Azure Blob Storage, AWS OIDC or Google Cloud Storage. For each you will find a button to test settings from a server or from a worker.

S3

Field	Description
Bucket	The name of your S3 bucket
Region	If left empty, will be derived automatically from $AWS_REGION
Access key ID	If left empty, will be derived automatically from $AWS_ACCESS_KEY_ID, pod or ec2 profile
Secret key	If left empty, will be derived automatically from $AWS_SECRET_KEY, pod or ec2 profile
Endpoint	Only needed for non-AWS S3 providers like R2 or MinIO
Allow http	Disable if using https only policy

Azure Blob

Field	Description
Account name	The name of your Azure storage account
Container name	The name of your Azure blob container
Access key	Your Azure storage account access key
Tenant ID	(Optional) Your Azure tenant ID
Client ID	(Optional) Your Azure client ID
Endpoint	(Optional) Only needed for non-Azure Blob providers like Azurite

AWS OIDC

Field	Description
Bucket	The name of your S3 bucket
Region	The AWS region where your bucket is located
Role ARN	The ARN of the IAM role to assume (e.g., arn:aws:iam::123456789012:role/test)

This setting is only available on Enterprise Edition.

Google Cloud Storage

Field	Description
Bucket	The name of your Google Cloud Storage bucket
Service Account Key	The service account key for your Google Cloud Storage bucket in JSON format

Store audit logs in object storage

When enabled and instance object storage is configured, audit logs are also exported as newline-delimited JSON (NDJSON) to a dedicated logs/audit/ folder in the bucket, partitioned by day (logs/audit/dt=YYYY-MM-DD/). The export is incremental and runs in the background off the audit log hot path.

Only audit logs created after the setting is enabled are exported (no historical backfill), and Orvanta never deletes the exported files from object storage. This is the recommended setup to forward audit logs to a SIEM for long-term security analysis.

This setting is only available on Enterprise Edition.

Private Hub base url

Base URL of your Private Hub instance, without trailing slash.

The URL above will be used both when accessing the hub from the instance and from the user browser. If end users cannot access the Private Hub with the URL above, you can enable the toggle just below the field to set a different URL for the Private Hub which is accessible to the users (Private Hub accessible URL).

This setting is only available on Enterprise Edition.

Private hub api secret

Private Hub API secret. Only required if access to your Private Hub is restricted.

This setting is only available on Enterprise Edition.

Disable hub

When enabled, Orvanta stops making any request to the Orvanta Hub (or your Private Hub) and hides the hub pickers in the flow, app, and script editors. This is intended for closed/air-gapped deployments where outbound access to the hub is unavailable.

When the hub is reachable but returns errors, the hub pickers display a persistent warning alert with a direct link back to this setting (instead of a transient error toast), guiding superadmins to toggle “Disable hub” and remove the warning.

Auth/OAuth

Orvanta supports SSO/OAuth for user authentication. You can enable it from the Instance settings.

Single Sign On (SSO)

When at least one of the SSO options is set, users will be able to log in to Orvanta via their third-party account.

To test SSO, the recommended workflow is to save the settings and try to log in in an incognito window.

You can add a custom SSO client by providing a client id.

Also, from the instance settings you can enable the toggle ‘Require users to have been added manually to Orvanta to sign in through OAuth’.

Without Enterprise Edition, the number of SSO users is limited to 10.

OAuth

When one of the OAuth options is set, you will be able to create a specific resource containing a ‘token’ automatically generated by the third-party provider. To test it after setting an OAuth client, go to the Resources menu and create a new one of the type of your OAuth client (i.e. a ‘github’ resource if you set GitHub OAuth).

SCIM/SAML

Orvanta supports SCIM and SAML for user provisioning and authentication.

You can test settings with the button ‘Test content/url’.

These settings are only available on Enterprise Edition.

SCIM token

Token used to authenticate requests from the IdP.

SAML metadata

XML metadata URL OR content for the SAML IdP.

Registries

Add private registries for UV, Bun, npm, Nuget, PowerShell, Maven/Java, and Cargo/Rust.

These settings are only available on Enterprise Edition.

UV index url

Add a private registry for Python.

UV extra index url

Add an extra private registry for Python.

Npm config registry

Add a private NPM registry.

Bunfig install scopes

Add private scoped registries for Bun. See: https://bun.sh/docs/install/registries.

.npmrc

Provide the full content of a standard .npmrc file. This works natively with Bun (since 1.1.18), Deno (2.x), and the Orvanta npm proxy (which parses the default registry and auth token from the .npmrc). When configured, the legacy Npm config registry and Bunfig install scopes fields are hidden for new setups.

Maven settings.xml

Provide the full content of a Maven settings.xml file. Orvanta writes it to {JAVA_HOME}/.m2/settings.xml so Coursier can use your configured servers, mirrors, and repository URLs when resolving Java dependencies. Clearing the setting removes the file.

Cargo registries

Provide the content of a Cargo config.toml file for configuring private Rust crate registries. Written to {job_dir}/.cargo/config.toml during job execution.

Nuget config

Write a nuget.config file to set custom/private package sources and credentials.

Workspace-specific registry overrides

Superadmins can configure per-workspace overrides for package registry settings. This allows different workspaces to use different private registries (e.g. workspace A uses registry-a.example.com while workspace B uses registry-b.example.com). All registry settings except the Python version and uv index strategy can be overridden per workspace. Configure these under the “Workspace Registries” section.

Docker registries

Credentials used by crane when pulling private container images for sandbox snapshot builds. Provide a JSON array of {registry, username, password} objects, for example:

[
  { "registry": "ghcr.io", "username": "my-user", "password": "ghp_xxx" },
  { "registry": "registry.example.com", "username": "ci", "password": "..." }
]

Orvanta writes the corresponding Docker config.json to /tmp/orvanta/docker and sets DOCKER_CONFIG when invoking crane export, so private base images can be resolved without exposing credentials in the snapshot build script. This setting is fully redacted in logs.

Alerts

Critical alert channels

Channels to send critical alerts to. SMTP must be configured for the email channel. A Slack workspace must be connected to the instance for the Slack channel. Microsoft Teams must be set up to configure critical alerts to be sent to a Microsoft Teams channel.

You can add multiple channels between Email, Slack, and Microsoft Teams.

Furthermore, you can choose to mute critical alerts in the UI using the “Mute critical alerts in UI” toggle.

This setting is only available on Enterprise Edition.

Mute critical alerts in UI

Enable to mute critical alerts in the UI.

Alert on token expiry

Enable to send critical alerts when API tokens are about to expire (within 7 days) or have expired. This setting is off by default.

Email notifications to token owners are always sent regardless of this setting, as long as SMTP is configured.

Slack

Connecting your instance to a Slack workspace enables critical alerts to be sent to a Slack channel.

Just click on the ‘Connect to Slack’ button and follow the instructions from Slack.

This setting is only available on Enterprise Edition.

SMTP

Setting SMTP unlocks sending emails upon adding new users to the workspace or the instance, and sending critical alerts.

You need to provide the following details:

Name	Type	Description
Host	String	SMTP server host
Port	Number	SMTP server port
Username	String	SMTP server user
Password	String	SMTP server password
From Address	String	Email address to send emails from
Implicit TLS	Boolean	Use implicit TLS (default: false)

You have another field to test the SMTP settings.

Set up SMTP from the .env file (deprecated)

The relevant environment variables are:

[email protected]
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
[email protected]
SMTP_PASSWORD=app_password

If you used the Setup Orvanta on localhost method, open the .env file in any text editor. You can use nano, vim, or any other editor you’re comfortable with.

nano .env

Append the following to the end of your .env file:

[email protected]
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
[email protected]
SMTP_PASSWORD=your_app_password

Make sure to replace your email address with your actual Gmail email address and your_app_password with the app password you’ve generated from Gmail.

Save and close the file:

• If using nano, press CTRL + O to save and then CTRL + X to exit.
• If using vim, press Esc, then type :wq and press Enter.

Restart your Orvanta application:

• Since you’ve made changes to the .env file, you’ll need to restart your Orvanta application for the changes to take effect.

docker compose down
docker compose up -d

Now, your Orvanta instance should use the SMTP settings you’ve provided to send invites and email to manually added users. Make sure the SMTP details you’ve provided are correct and that the Gmail account you’re using has allowed less secure apps or generated an App Password.

Set up auto-invites

When creating a workspace, you have the option to invite automatically everyone on the same domain. That’s how you make sure that anyone added to the instance is also added to the workspace.

Webhooks

Instance events webhook

URL to receive POST requests for instance events such as user added, OAuth signup, user invited to workspace, or user joined workspace.

Configure it from Instance settings > Monitoring > Webhooks.

For workspace-level events (script, flow, app, resource lifecycle) see the workspace webhook. For incoming webhooks that trigger scripts and flows, see webhooks.

AI

Configure Orvanta AI providers, models, and prompts once at the instance level so every workspace inherits them. Navigate to Instance settings > AI.

Resolution order used by AI chat, code generation, and code completion:

1. Workspace AI settings when the workspace has any provider configured.
2. Instance AI settings as the fallback when the workspace has no providers configured.

The fallback references resources from the admins workspace, so any resources used by instance AI settings must exist there. A workspace using the instance fallback shows a read-only summary of the active instance AI config and an Override for this workspace button; clearing the workspace override instantly reverts to instance defaults.

AI_HTTP_HEADERS

Set the AI_HTTP_HEADERS env var on the server and workers to attach custom headers to every outgoing AI request (OpenAI, Anthropic, Azure, Bedrock, Vertex, etc.). Headers are comma-separated:

AI_HTTP_HEADERS="X-Org: acme, X-Env: prod" ./orvanta

Use this when AI traffic must flow through a corporate proxy or gateway that expects fixed auth/routing headers. Per-resource headers on the customai resource type are applied after this env var and take precedence on conflicting keys.

Open Telemetry & Prometheus

OpenTelemetry (OTEL)

Enable to collect telemetry data and send it to an OpenTelemetry collector such as Jaeger or Tempo for tracing. OpenTelemetry data sent to the collector consists of traces, logs, and metrics. You can independently toggle each signal (Tracing, Logs, Metrics) in the instance settings.

The transport protocol can also be selected from a dropdown: grpc (default, port 4317) or http/protobuf (port 4318, sets OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf). Use http/protobuf when your collector or network environment does not support gRPC.

HTTP tracing

HTTP tracing captures HTTP/HTTPS requests made by job scripts as observability spans within the job details UI. Traces are stored and correlated with the job, displaying method, URL, status code, and timing information.

If the OpenTelemetry external collector is enabled, traces are also sent to that collector and seamlessly integrate with existing spans.

The feature works in two modes:

• Auto-instrumentation for Native TypeScript: uses built-in OpenTelemetry instrumentation to automatically capture fetch() requests.
• MITM proxy for other languages (Python, Bun, Deno, Go, Bash, Rust, C#, Nu, Ruby): outgoing HTTP traffic is routed through a tracing proxy that intercepts and records requests.

You can select which language runtimes should have tracing enabled. Toggling this setting restarts workers.

This setting is only available on Enterprise Edition.

Prometheus

Expose Prometheus metrics for workers and servers on port 8001 at /metrics.

Indexer

Max index time window

Maximum time window (in days) that the indexer looks back when indexing jobs and service logs. Defaults to 7 days. This caps both the initial population of the index and periodic cleanup — documents older than the window are not indexed and are evicted on the next refresh cycle. Orvanta internally uses min(max_index_time_window_secs, retention_period_secs) so the window never exceeds the configured retention period. Setting the value to 0 disables the time window and falls back to the retention period alone.

This setting can also be controlled via the TANTIVY_MAX_INDEX_TIME_WINDOW__S env var.

Index writer memory budget

The allocated memory arena for the indexer. A bigger value means less writing to disk and potentially higher indexing throughput.

Commit max batch size

The max amount of documents (here jobs) per commit. To optimize indexing throughput, it is best to keep this as high as possible. However, especially when reindexing the whole instance, it can be useful to have a limit on how many jobs can be written without being committed. A commit will make the jobs available for search, constitute a “checkpoint” state in the indexing, and will be logged.

Refresh index period

The index will query new jobs periodically and write them on the index. This setting sets that period in seconds.

Max indexed job log size

Job logs are included when indexing, but to avoid the index size growing artificially, the logs will be truncated after that size (in KB) has been reached.

Commit max batch size (service logs)

The max amount of documents per commit. In this case 1 document is one log file representing all logs during 1 minute for a specific host. To optimize indexing throughput, it is best to keep this as high as possible. However, especially when reindexing the whole instance, it can be useful to have a limit on how many logs can be written without being committed. A commit will make the logs available for search, appear as a log line, and be a “checkpoint” of the indexing progress.

Refresh index period (service logs)

The index will query new service logs periodically and write them on the index. This setting sets that period in seconds.

Telemetry

Anonymous usage data is collected to help improve Orvanta. Telemetry data is sent as an HTTPS request once a day.

The data collected differs between Community Edition and Enterprise Edition.

Community Edition

The following information is collected:

• version of your instance
• instance base URL
• job usage (language, total duration, count)
• login type usage (login type, count)
• worker usage (worker, worker instance, vCPUs, memory)
• user usage (author count, operator count)
• development instance status

Telemetry can be fully disabled from the instance settings using the “Disable telemetry” toggle.

Enterprise Edition

On Enterprise Edition, telemetry is required for license compliance and cannot be fully disabled. You can toggle “Minimal telemetry” to reduce the data sent to only what is needed for license compliance. If you have fully air-gapped requirements, contact Orvanta to arrange an alternative.

When minimal telemetry is enabled, the following is sent:

• version of your instance
• instance base URL
• login type usage (login type, count)
• worker usage (worker, worker instance, vCPUs, memory)
• user usage (author count, operator count)
• superadmin email addresses
• development instance status

When minimal telemetry is disabled, the following is also collected:

• job usage (language, total duration, count)

You can “Send usage” to manually send usage data to Orvanta and monitor it from the Customer portal. You can also “Download usage” to get a signed copy of the telemetry data as a JSON file named orvanta-telemetry-{date}-{signature}.json. This is useful for air-gapped instances that cannot send telemetry directly: the file can be inspected before being sent manually to Orvanta, and the signature lets Orvanta verify it has not been tampered with.

GitHub Enterprise App

Configure a self-managed GitHub App for GitHub.com or GitHub Enterprise Server to enable Git sync without relying on the Orvanta-managed GitHub App.

This setting is found under Advanced > GitHub Enterprise App in Instance Settings and is only available on Enterprise Edition.

Field	Description
Base URL	The base URL of your GitHub instance (e.g. https://github.com or your GHES URL)
App ID	The ID of your registered GitHub App
App Slug	The slug of your GitHub App
Client ID	The client ID of your GitHub App
Private Key (PEM)	The private key generated for your GitHub App

For setup instructions, see Self-managed GitHub App.

DB Health

The DB Health diagnostic dashboard provides on-demand insights into your Orvanta database. It is available under Monitoring > DB Health in Instance Settings and is accessible to superadmins only.

Click Run Diagnostics to execute a set of lightweight, read-only queries against your database. Results are displayed in collapsible sections with green/yellow/red status indicators.

Diagnostics

Section	What it shows
Database Size	Total database size and top 15 tables by size
Job Retention	Oldest completed job age vs configured retention_period_secs, total completed job count. Green if cleanup is keeping up, yellow/red if jobs are accumulating beyond the retention window
Large Job Results	Top 10 largest result payloads (by pg_column_size) among recently scanned jobs, plus average result size. Only results > 1 KB are listed
Connection Pool	SQLx pool size, idle connections, max connections, and active PostgreSQL connections from pg_stat_activity. Green below 80% utilization, yellow below 95%, red at 95%+
Table Maintenance	Top 15 tables by dead tuples with dead/live ratio, last autovacuum and autoanalyze timestamps. Red when dead tuple ratio exceeds 30%
Slow Queries	Top 10 queries by mean execution time from pg_stat_statements. If the extension is not installed, a message suggests enabling it
Datatables	Instance-stored datatables with per-table size and estimated row count from pg_class

Scan limit

Use the Scan last N jobs dropdown to control how many recent completed jobs are scanned for the large results analysis. The default is 10,000. Higher values give more complete results but take longer on large databases. The allowed range is 1,000 to 1,000,000.