Skip to Content
EnterpriseConfigurationDeployment Context

Deployment Context

The deployment-config.json file is a cryptographically signed static configuration file deployed alongside the portal frontend. It tells the React SPA:

  • What deployment mode the installation is in (SaaS, EnterpriseHybrid, etc.)
  • Whether the initial setup wizard has been completed
  • The base URL of the Customer Portal API

This file is the authoritative source of truth when the API is unreachable. If the API is offline (e.g. during an infrastructure outage), the portal relies on the signed file to determine whether to show the setup wizard. If the file is absent or its signature is invalid, the portal fails closed (shows an error rather than a setup wizard).

Never ship deployment-config.json with isSetupComplete: false to a production environment that has already been configured. This would allow anyone who can reach the portal to initiate re-setup and create a rogue admin account.

File Structure

{
  "deploymentMode": "EnterpriseHybrid",
  "isSetupComplete": true,
  "portalApiBaseUrl": "https://api.portal.acme.com",
  "version": "2.1.0",
  "generatedAt": "2025-06-15T10:00:00Z",
  "signature": "sha256=a3f5c9..."
}

Generating the File

Use the veriproof-enterprise CLI tool from the enterprise package:

veriproof-enterprise config generate \
  --mode EnterpriseHybrid \
  --setup-complete false \
  --portal-api-url https://api.portal.acme.com \
  --version 2.1.0 \
  --signing-key $DEPLOYMENT_CONFIG_SIGNING_KEY \
  --output ./dist/deployment-config.json

The signing key is a 256-bit secret you generate and store in your Key Vault:

DEPLOYMENT_CONFIG_SIGNING_KEY=$(openssl rand -hex 32)
az keyvault secret set \
  --vault-name your-kv-name \
  --name "veriproof-deployment-config-signing-key" \
  --value "$DEPLOYMENT_CONFIG_SIGNING_KEY"

The same signing key must be provided to the Customer Portal API as the DEPLOYMENT_CONFIG_SIGNING_KEY application setting so the API can verify the file at startup.

Initial Setup Flow

Generate with isSetupComplete: false

Before the first deployment, generate the file with setup disabled.

Deploy and complete setup

Deploy the frontend with this file. Navigate to the portal — the setup wizard appears because isSetupComplete is false.

Complete the wizard

Create the initial CustomerAdmin account, validate the API key, and confirm setup.

Regenerate with isSetupComplete: true

veriproof-enterprise config generate \
  --mode EnterpriseHybrid \
  --setup-complete true \
  --portal-api-url https://api.portal.acme.com \
  --version 2.1.0 \
  --signing-key $DEPLOYMENT_CONFIG_SIGNING_KEY \
  --output ./dist/deployment-config.json

Redeploy the frontend

Redeploy the static assets with the updated file. The wizard will no longer appear.

Verifying the Signature

The Customer Portal API verifies the file signature at startup and on each call to GET /v1/deployment/context. If the signature is invalid (file tampered with), the API returns 403 Forbidden for the context endpoint, and the portal shows a security error banner.

The HMAC-SHA256 signature covers the JSON body (without the signature field), using the signing key as the HMAC secret.

Last updated on
Environment VariablesSecurity Overview