
Secrets

Never commit .env. If a real OpenAI key or admin token is exposed, rotate it immediately.
Tracked files should contain only placeholders:
OPENAI_API_KEY=sk-your-openai-api-key
ADMIN_TOKEN=change-me

Admin protection

Admin routes use a token loaded from .env:
import secrets
from fastapi import HTTPException

provided_token = request.headers.get("x-admin-token") or request.query_params.get("token", "")
# Constant-time comparison so the response time does not reveal how many leading characters matched.
if not secrets.compare_digest(provided_token, expected_token):
    raise HTTPException(status_code=401, detail="Unauthorized")
If ADMIN_TOKEN is missing or still a placeholder, the route returns 404 so the dashboard is not accidentally discoverable.
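The full decision path described above (404 when the token is unset or still a placeholder, 401 on mismatch, constant-time comparison, header preferred over query parameter), written as an added, framework-free example rather than the project's own handler. The placeholder set, the function names and the plain-dict request shape are assumptions for the example.

```python
import secrets
from typing import Mapping, Optional

# Assumed placeholder values: an unset or "change-me" ADMIN_TOKEN must never be accepted.
PLACEHOLDER_TOKENS = {"", "change-me"}


def admin_token_configured(expected_token: Optional[str]) -> bool:
    """True only when ADMIN_TOKEN holds a real value, not a placeholder."""
    if expected_token is None:
        return False
    return expected_token.strip() not in PLACEHOLDER_TOKENS


def check_admin_request(
    expected_token: Optional[str],
    headers: Mapping[str, str],
    query_params: Mapping[str, str],
) -> int:
    """Return the HTTP status an admin route should answer with.

    404: token not configured, so the route stays undiscoverable.
    401: token configured but the supplied token does not match.
    200: token matches.
    """
    if not admin_token_configured(expected_token):
        return 404

    # HTTP header names are case-insensitive; normalise for the plain-dict example input.
    lowered = {k.lower(): v for k, v in headers.items()}
    provided = lowered.get("x-admin-token") or query_params.get("token", "")

    # Compare as bytes: compare_digest on str raises for non-ASCII input,
    # and different-length byte strings simply compare unequal without leaking the length.
    if not secrets.compare_digest(provided.encode("utf-8"), expected_token.encode("utf-8")):
        return 401
    return 200
```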

Data minimization

The server does not store full chat sessions in a database. The client sends short recent context for better follow-up questions.
Analytics writes local JSONL events with scrubbed/truncated questions and no IP address or User-Agent.
The app avoids logging chat contents. Rate-limit warnings log the detected client IP for operational protection.

Production hardening

Current production notes:
  • Nginx terminates HTTPS.
  • Certbot manages Let’s Encrypt certificates.
  • UFW allows SSH, HTTP, and HTTPS.
  • Fail2Ban is active for SSH.
  • The app binds to 127.0.0.1:8000, not a public interface.

Safer admin access

For scripts, prefer:
curl -H "X-Admin-Token: <token>" \
  https://chat.die-coaching-akademie.de/admin/health
Use query tokens only for browser convenience.