The GoRules BRMS is a complete business rules management system. It provides a visual editor for creating and managing decision models, version control, release management, and a REST API for rule evaluation.

When to use BRMS

Choose BRMS when:
  • Business users need to create and edit rules without code changes
  • You need version control and audit trails for rule changes
  • Multiple environments (dev, staging, prod) require release management
  • You want a web-based UI for rule authoring and testing
Consider alternatives when:
  • You only need to evaluate rules (use Agent or embedded SDK)
  • Rules are managed entirely in code

Architecture

Requirements

| Component | Requirement |
| --- | --- |
| Database | PostgreSQL 12+ |
| Runtime | Docker (Linux x86_64) |
| License | From portal.gorules.io |
| Network | Outbound HTTPS to portal.gorules.io for license validation |

Environment variables

Required

DB_HOST=your-database-host
DB_USER=gorules
DB_PASSWORD=your-password
DB_NAME=gorules
LICENSE_KEY=your-license-key           # From portal.gorules.io

Database

DB_HOST=db.example.com                  # Required
DB_PORT=5432                            # Default: 5432
DB_USER=gorules                         # Required
DB_PASSWORD=your-password               # Required
DB_NAME=gorules                         # Required
DB_CREDENTIALS_PROVIDER=default         # Options: default, aws-iam, azure-iam

Database SSL

DB_SSL_DISABLED=false                   # Default: false
DB_REJECT_UNAUTHORIZED=true             # Default: true
DB_SSL_CA=<base64-ca-certificate>       # CA certificate
DB_SSL_CERT=<base64-client-cert>        # Client certificate
DB_SSL_KEY=<base64-client-key>          # Client private key
DB_SSL_ADVANCED=<json-ssl-options>      # Advanced SSL config

Database options

DB_MIGRATE=true                         # Run migrations on startup (default: true)
DB_SYNCHRONIZE=false                    # Auto-sync schema - dev only! (default: false)
DB_LOGGING=false                        # Log SQL queries (default: false)
Never enable DB_SYNCHRONIZE in production. It can cause data loss.

Application

APP_NAME=GoRules                        # Display name in UI
APP_URL=https://rules.example.com       # Public URL of the application
API_BASE_URL=/api                       # API base path (default: /api)
HOME_URI=/                              # Default landing page (default: /)
LICENSE_KEY=your-license-key            # Required
LICENSE_MODE=online                     # Options: online, offline (default: online)
LOG_LEVEL=info                          # Options: debug, info, warn, error (default: info)

HTTP server

HTTP_HOST=0.0.0.0                       # Default: 0.0.0.0
HTTP_PORT=80                            # Default: 80
HTTP_SSL_KEY=<base64-ssl-key>           # SSL private key
HTTP_SSL_CERT=<base64-ssl-cert>         # SSL certificate

Security

COOKIE_SECRET=your-32-byte-secret       # Session cookie encryption
SESSION_DURATION_MINUTES=1440           # Session timeout (default: 1440 = 24h)
HASH_SECRET=your-hash-secret            # Internal hashing
RELEASE_ZIP_PASSWORD=your-password      # Password-protect release downloads
Generate a secure secret:
openssl rand -hex 32

CORS

CORS_ALLOW_ORIGIN=https://example.com   # Allowed origins (comma-separated, supports regex)
Example with multiple origins and regex:
CORS_ALLOW_ORIGIN=https://gorules.io,REGEX:\.gorules\.io$
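
To see which origins a value like the one above admits before deploying it, the following added example (not GoRules code) evaluates an allowlist against a set of constructed origins. It assumes REGEX: entries are applied with unanchored search semantics; the function names and the tighter PINNED pattern are illustrative.

```python
import re

def parse_allow_origin(value):
    """Split CORS_ALLOW_ORIGIN into exact origins and compiled REGEX: patterns."""
    exact, patterns = set(), []
    for entry in (e.strip() for e in value.split(",")):
        if entry.startswith("REGEX:"):
            patterns.append(re.compile(entry[len("REGEX:"):]))
        elif entry:
            exact.add(entry)
    return exact, patterns

def is_allowed(origin, value):
    # Assumption: regex entries use unanchored search semantics (like RegExp.test in JS).
    exact, patterns = parse_allow_origin(value)
    return origin in exact or any(p.search(origin) for p in patterns)

# The value shown on this page.
PAGE_EXAMPLE = r"https://gorules.io,REGEX:\.gorules\.io$"
# Tighter variant (constructed): pins the scheme and allows exactly one subdomain label.
PINNED = r"https://gorules.io,REGEX:^https://[a-z0-9-]+\.gorules\.io$"

# Constructed origins to probe the allowlist with.
ORIGINS = [
    "https://gorules.io",              # exact entry
    "https://app.gorules.io",          # subdomain over https
    "http://app.gorules.io",           # subdomain over plain http
    "https://gorules.io.example.net",  # does not end in .gorules.io
    "https://notgorules.io",           # no dot before gorules.io
]

def decisions(value):
    """Map each probe origin to True (allowed) or False (rejected)."""
    return {origin: is_allowed(origin, value) for origin in ORIGINS}

if __name__ == "__main__":
    for name, value in (("page example", PAGE_EXAMPLE), ("pinned", PINNED)):
        for origin, ok in decisions(value).items():
            print(f"{name:12} {origin:32} {'allow' if ok else 'deny'}")
```

Under that assumption the page's pattern also admits plain-http subdomains, because it constrains only the end of the origin; anchoring the scheme with ^https:// closes that gap.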

Email (SMTP)

EMAIL_ENABLED=true                      # Enable email sending (default: true)
EMAIL_HOST=smtp.example.com             # SMTP server hostname
EMAIL_PORT=587                          # SMTP server port
EMAIL_SECURE=false                      # Use TLS/SSL (default: false)
EMAIL_AUTH_USER=your-username           # SMTP username
EMAIL_AUTH_PASS=your-password           # SMTP password
EMAIL_FROM=[email protected]          # Sender address (default: [email protected])

Email TLS options

EMAIL_TLS_REJECT_UNAUTHORIZED=true      # Reject invalid certificates
EMAIL_TLS_SERVER_NAME=smtp.example.com  # TLS server name
EMAIL_TLS_SKIP_SERVER_IDENTITY=false    # Skip server identity verification
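
A pre-deployment check for the settings documented above (Database SSL, Database options, Security and Email TLS options), added here as an example and not part of GoRules. It flags values that switch off certificate verification or enable schema auto-sync, and secrets left at this page's placeholders; the function names, the 32-character minimum for COOKIE_SECRET and the sample file are assumptions made for illustration.

```python
import re

# Placeholder values shown on this page; they must never reach a real deployment.
PLACEHOLDERS = {"your-password", "your-32-byte-secret", "your-hash-secret"}
SECRET_KEYS = ("DB_PASSWORD", "COOKIE_SECRET", "HASH_SECRET",
               "RELEASE_ZIP_PASSWORD", "EMAIL_AUTH_PASS")
# key -> (risky value, consequence). Keys and defaults are the ones documented above.
RISKY = {
    "DB_SYNCHRONIZE": ("true", "schema auto-sync is dev only and can cause data loss"),
    "DB_SSL_DISABLED": ("true", "database connection is not encrypted"),
    "DB_REJECT_UNAUTHORIZED": ("false", "database certificate is not verified"),
    "EMAIL_TLS_REJECT_UNAUTHORIZED": ("false", "SMTP certificate is not verified"),
    "EMAIL_TLS_SKIP_SERVER_IDENTITY": ("true", "SMTP server identity is not checked"),
}

def parse_env(text):
    """Parse KEY=value lines; tolerates the trailing '  # comment' style used on this page."""
    env = {}
    for line in text.splitlines():
        line = re.sub(r"\s+#.*$", "", line).strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def lint(env):
    findings = []
    for key, (bad, why) in RISKY.items():
        if env.get(key, "").lower() == bad:
            findings.append(f"{key}={bad}: {why}")
    for key in SECRET_KEYS:
        value = env.get(key)
        if value in PLACEHOLDERS:
            findings.append(f"{key}: placeholder value from the documentation")
        elif key == "COOKIE_SECRET" and value is not None and len(value) < 32:
            findings.append(f"{key}: shorter than 32 characters")
    return findings

# Constructed sample env file, not taken from a real deployment.
SAMPLE = """\
DB_PASSWORD=your-password
DB_SYNCHRONIZE=true                     # left over from local testing
DB_REJECT_UNAUTHORIZED=false
COOKIE_SECRET=changeme
EMAIL_TLS_REJECT_UNAUTHORIZED=true
"""

if __name__ == "__main__":
    print("\n".join(lint(parse_env(SAMPLE))))
```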

OAuth providers

SSO (OIDC)

See SSO configuration for detailed setup.
SSO_OAUTH2_PROVIDER=oidc                # Options: azure, okta, oidc
SSO_OAUTH2_CLIENT_ID=your-client-id
SSO_OAUTH2_CLIENT_SECRET=your-secret    # Not required for PKCE
SSO_OAUTH2_ISSUER=https://your-idp.com
SSO_OAUTH2_JWKS_URI=https://your-idp.com/.well-known/jwks.json
SSO_OAUTH2_SCOPES=openid email profile  # Default: openid email profile
SSO_OAUTH2_REDIRECT_URI=/_callback      # Default: /_callback
SSO_OAUTH2_AUTH_URL=https://...         # Authorization endpoint (legacy providers)
SSO_OAUTH2_TOKEN_URL=https://...        # Token endpoint (legacy providers)
SSO_OAUTH2_AUTHORITY_URL=https://...    # Authority URL

SSO group mapping

SSO_OAUTH2_GROUPS_MAPPING=group1->admin,group2->member
SSO_OAUTH2_CUSTOM_CLAIM_NAME=groups     # JWT claim containing groups (default: groups)
SSO_OAUTH2_ROLES_MAPPING_ENABLED=false  # Enable fine-grained role mapping (default: false)
SSO_OAUTH2_IDENTITY_TOKEN_SOURCE=access_token  # Options: access_token, id_token

LLM integration

LLM_PROVIDER=chatgpt                    # Options: chatgpt, gemini, claude, ollama
LLM_MODEL=gpt-4                         # Model name
LLM_API_KEY=your-api-key
LLM_TEMPERATURE=0                       # Default: 0
LLM_MAX_TOKENS=10000                    # Default: 10000

Health probes

Path: /api/health
Port: 80

Recommended probe configuration:

| Setting | Value |
| --- | --- |
| Initial delay | 10 seconds |
| Period | 10 seconds |

API reference

See the API reference for endpoint documentation.