Skip to main content

Dependencies

Before setting up the Organization Manager, ensure you have the following dependencies in place:
  • PostgreSQL database for storing organization and tenant data
  • Kafka for event-driven communication with other FlowX.AI services
  • Redis for caching
  • Keycloak (or compatible OAuth2 provider) for authentication and authorization
  • SpiceDB for fine-grained authorization

Infrastructure prerequisites


Configuration

Authorization configuration


PostgreSQL configuration

The Organization Manager uses its own dedicated PostgreSQL database.
PostgreSQL and Redis credentials: plain env vars still work. Organization Manager is a standard Spring Boot service β€” it reads the SPRING_DATASOURCE_* and SPRING_DATA_REDIS_* environment variables shown here. The postgresql.servers/credentials and redis.servers/credentials blocks in the FlowX Helm chart’s values.yaml are the chart’s own secret-to-env-var mapping; they exist to template the same plain env vars from your secrets. You can keep injecting credentials through plain environment variables exactly as before.
Ensure the database is created before deploying the service. The Organization Manager will manage its own schema migrations via Liquibase.

Redis configuration

Organization Manager uses Redis for caching. Configure Redis connection using the standard Redis environment variables. Quick reference:
Both SPRING_DATA_REDIS_* and SPRING_REDIS_* variable prefixes are supported. The SPRING_DATA_REDIS_* prefix is the modern Spring Boot standard and is recommended for new deployments.
For advanced Redis deployment modes (Sentinel, Cluster) and SSL/TLS setup, see the Redis Configuration guide. Note that Sentinel and Cluster modes are only supported by the Events Gateway service.

Kafka configuration

Core Kafka settings

Topic naming configuration

Kafka topics

The Organization Manager publishes organization lifecycle events:
Do not use the default encryption key in production. Generate a unique key and keep it consistent across restarts β€” changing the key after providers are configured will make existing encrypted API keys unreadable.

CAS lib configuration (SpiceDB)


Organization ID configuration

The Organization ID is provided by FlowX during the organization registration process. Before starting a deployment or upgrade, this ID must be configured as an environment variable on all FlowX services that run Liquibase migrations.
On self-hosted upgrades (from 5.1 or later), services will not start correctly without the Organization ID. Migration scripts require it to populate the organization ID across all database records.This is not needed for clean installations where no existing data is present in the database.
Set the ORGANIZATION_ID Liquibase parameter on the 9 services that backfill organization_id columns: application-manager, authorization-system, cms-core, document-plugin, integration-designer, notification-plugin, organization-manager, process-engine, scheduler-core.
In self-hosted (non-SaaS) deployments, each of these 9 services fails to start if ORGANIZATION_ID is missing or not a valid UUID. Set it on all 9 before booting 5.9.x.
For the migrate-vs-fresh-install behavior across the three upgrade scenarios, see the 5.1 β†’ 5.9 organization & deployment configuration guide.

Self-hosted URL configuration

Set the Designer and Runtime home URIs to the public URLs clients use to reach each web app. The Organization Manager uses these values to compose Keycloak redirect URIs and email links sent from the platform.
In most deployments, setting FLOWX_DEFAULT_DESIGNER_HOMEURI (and FLOWX_DEFAULT_RUNTIME_HOMEURI when the generic container app is deployed) is enough β€” leave FLOWX_DEFAULT_SECURITY_REALM_ALLOWEDREDIRECTURIS empty and the Organization Manager will populate it for you.

Designer web app β€” organization code fallback

Self-hosted deployments must also set the organization code on the Designer web app pod. The Designer uses it as a fallback during Keycloak authentication when no organizationCode URL query parameter or subdomain is present.
Leaving DEFAULT_ORGANIZATION_NAME unset on the Designer pod prevents authentication when users access the app at the root URL (no organization in path or subdomain).

License service required. Self-hosted deployments must also configure the License service, which connects to FlowX SaaS for license validation and usage reporting. The Organization Manager publishes organization lifecycle events via Kafka that the License service consumes.

Self-hosted initialization

When a self-hosted deployment starts for the first time, the Organization Manager provides endpoints for environment setup and organization registration.

Environment status endpoint

GET /org/api/env (unauthenticated) Returns the current installation type and status:

Organization registration endpoint

POST /org/api/org/single (not available on SaaS) Creates the self-hosted organization using a token provided by FlowX. This endpoint is called from the Designer setup screen and:
  • Validates the token against the FlowX SaaS license server
  • Creates the organization with the org ID and org code from the token claims
  • Creates two Keycloak realms (one for users, one for service accounts)
  • Creates the initial org admin user with the credentials provided in the setup screen
For upgrades from 5.1, the org admin user already exists and the setup screen is not displayed. The Organization Manager will update the existing Keycloak realm with the new organization ID.

Logging configuration


Multipart upload configuration


Secrets management

The Organization Manager requires several secrets to be configured. These should be stored securely and referenced via Kubernetes secrets or a secrets management solution.

Deployment

Helm values example

Below is an example Helm values configuration for deploying the Organization Manager:

Network policies

The Organization Manager requires network access to the following services:

Monitoring

The Organization Manager exposes Prometheus metrics for monitoring. Turn on scraping by setting the pod label:

Health endpoints


Verify your setup

The Organization Manager pod is running and healthy: kubectl get pods -l app=organization-manager
The health endpoint returns HTTP 200: curl http://organization-manager:8080/actuator/health
Database migrations completed successfully β€” check pod logs for Liquibase: Update has been successful
SpiceDB connection is established β€” check pod logs for successful CAS client initialization
Kafka topic ai.flowx.organization.events.v1 exists and the service can publish to it

Ingress and CORS

The Organization Manager service is exposed on both the admin and public hosts. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. CORS handling lives in the service code; only the allowed-origins list is deployment-specific.

Service routes

Paths are set through services.organization-manager.ingress.admin.path / services.organization-manager.ingress.public.path (or the corresponding gateway.<key>.paths) in the chart values.

CORS configuration

Allowed methods, allowed headers (including Authorization, Content-Type, Fx-Workspace-Id), and credential handling are baked into the service’s application.yaml with safe defaults. Override these only if you have a non-standard requirement. For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.

Troubleshooting

Symptoms: Service fails to start with database connection errors.Solutions:
  1. Verify the organization_manager database exists in PostgreSQL
  2. Check that the database user has appropriate permissions
  3. Ensure network connectivity between the pod and PostgreSQL service
  4. Verify the JDBC URL format is correct
Symptoms: Authorization errors or service fails to initialize CAS client.Solutions:
  1. Verify SpiceDB is running and reachable at the configured host and port
  2. Check that the SpiceDB token is correct
  3. Ensure network policies allow gRPC traffic to SpiceDB on port 50051
  4. Review pod logs for specific CAS client error messages
Symptoms: Organization events not reaching downstream services.Solutions:
  1. Verify Kafka bootstrap servers are reachable
  2. Check that the ai.flowx.organization.events.v1 topic exists
  3. Ensure the service has producer permissions on the topic
  4. Review KAFKA_MESSAGE_MAX_BYTES if large messages fail
Symptoms: 401/403 errors when communicating with other FlowX services.Solutions:
  1. Verify the Keycloak service account is properly configured
  2. Check that client secrets match between configuration and Keycloak
  3. Ensure the service account has required roles assigned
  4. Verify SECURITY_TYPE is set to jwt-public-key

Redis Configuration

Complete Redis setup including Sentinel and Cluster modes

Access Management

Configure roles and access rights

SpiceDB Configuration

Fine-grained authorization setup

IAM Configuration

Identity and access management setup
Last modified on July 2, 2026