The on-prem suite runs as a set of self-hosted services. This is the operator reference for every service’s default port and HTTP interface. All ports are overridable (an environment variable, or a Docker -p host:container mapping), and no two defaults collide.

Port map

Port     Service                    Licence  Role
8094     substrate2 control plane   none     web control panel, policy bridge, issuer-trust hub
8200     Compliance Command Center  OEM      evidence console / hub
8000     Records Vault              OEM      write-once document vault
8077     Recovery Vault             OEM      Shamir key and secret recovery
8083     Doc Archive                OEM      write-once archive engine
8086     Compliance Gate            OEM      policy-bound decision engine
8087     Audit Log                  OEM      write-once hash-chained audit events
8088     Sanctions Monitor          OEM      sanctions and screening evidence
library  Travel Rule                OEM      embedded library, no standalone service

Ports 8092, 8093, and 8095 are reserved for the substrate-2 services the control plane can bridge (federation validator, ZK receipt, ATB credential verifier) when you run them.
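
A preflight for port overrides, as an added example (not part of the suite or its tooling): it re-checks the "no two defaults collide" property after overrides, flags use of the reserved ports, and builds per-service health probe URLs from the paths listed under HTTP interfaces. The function names, the override dictionary keyed by service name, the plain-http scheme, and the assumption that all services share one host are illustrative.

```python
from collections import defaultdict

# Default port and health path per service, copied from this page.
DEFAULTS = {
    "substrate2 control plane": (8094, "/health"),
    "Compliance Command Center": (8200, "/health"),
    "Records Vault": (8000, "/health"),
    "Recovery Vault": (8077, "/healthz"),
    "Doc Archive": (8083, "/health"),
    "Compliance Gate": (8086, "/health"),
    "Audit Log": (8087, "/health"),
    "Sanctions Monitor": (8088, "/healthz"),
}
# Reserved for the bridged substrate-2 services.
RESERVED = {8092, 8093, 8095}


def effective_ports(overrides=None):
    """Apply overrides (service name -> host port) on top of the defaults."""
    overrides = overrides or {}
    unknown = sorted(set(overrides) - set(DEFAULTS))
    if unknown:
        raise KeyError(f"unknown service(s): {unknown}")
    ports = {}
    for svc, (default, _path) in DEFAULTS.items():
        port = overrides.get(svc, default)
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"{svc}: invalid port {port!r}")
        ports[svc] = port
    return ports


def preflight(overrides=None):
    """Return a list of problems; empty means no collisions on this host."""
    by_port = defaultdict(list)
    for svc, port in effective_ports(overrides).items():
        by_port[port].append(svc)
    problems = []
    for port, svcs in sorted(by_port.items()):
        if len(svcs) > 1:
            problems.append(f"port {port} claimed by {', '.join(svcs)}")
        if port in RESERVED:
            problems.append(f"port {port} ({svcs[0]}) is reserved for a bridged service")
    return problems


def health_urls(host, overrides=None):
    """Build the probe URL for each service; note /health vs /healthz."""
    ports = effective_ports(overrides)
    return {svc: f"http://{host}:{ports[svc]}{path}" for svc, (_p, path) in DEFAULTS.items()}
```

Run preflight() with the same host ports you pass to Docker -p before deploying, and feed health_urls() to your monitoring so the two /healthz services are not probed on /health.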

HTTP interfaces

substrate2 control plane (8094)

Bind with S2CP_BIND; admin writes need Authorization: Bearer <S2CP_ADMIN_TOKEN>. Reads are open.
  • GET / (web control panel: live posture, issuer trust set, policy bridge, audit depth)
  • GET /health · GET /docs (OpenAPI)
  • GET /v1/posture (poll every bridged service and the policy bridge)
  • GET /v1/issuers · POST /v1/issuers · DELETE /v1/issuers/{did} (admin)
  • GET /v1/issuer-pks · GET /.well-known/atb-keys.json · GET /issuers/{did}/atb-keys.json
  • GET /v1/services · POST /v1/services (addon self-register)
  • Policy bridge: GET /v1/policy · POST /v1/policy (set the active policy, returns its content-addressed policy_ref) · POST /v1/policy/bind (subject_ref to policy_bound_ref)
  • GET /v1/audit (admin, HMAC-chained)

Compliance Command Center (8200)

Console login plus a service token for self-registration.
  • GET / (dashboard) · GET /health · GET /login · POST /login · GET /logout
  • GET /v1/services · POST /v1/services · DELETE /v1/services/{name}
  • GET /api/services · GET /api/posture · GET /export (consolidated auditor pack) · GET /validation/pack · GET /audit

Records Vault (8000) and Doc Archive (8083)

Records Vault serves the Doc Archive API over the vault’s archive. Bearer token (RV_ARCHIVE_TOKEN).
  • POST /v1/archive/notarize · POST /v1/archive/verify · GET /v1/archive/verify-chain
  • GET /v1/archive/retrieve/{doc_hash} · GET /v1/archive/entry/{seq}
  • GET /archive/verify (offline verify portal) · GET /.well-known/pqc-keys.json · GET /health

Sanctions Monitor (8088)

Port set with MONITOR_PORT; Bearer token (MONITOR_API_TOKEN).
  • POST /v1/watch · DELETE /v1/watch/{subject_ref} · POST /v1/sweep (re-screen, signed deltas)
  • GET /v1/watchlist · GET /v1/deltas · GET /v1/pubkey · GET /healthz

Compliance Gate (8086)

  • POST /v1/compliance/screen (screen, certify a no-PII verdict) · POST /v1/compliance/verify · GET /compliance/verify (portal)
  • GET /.well-known/pqc-keys.json · GET /health

Audit Log (8087)

  • POST /v1/audit-log/append · POST /v1/audit-log/verify · GET /v1/audit-log/verify-chain
  • GET /v1/audit-log/entry/{seq} · GET /audit-log/verify (portal) · GET /.well-known/pqc-keys.json · GET /health

Recovery Vault (8077)

  • Keys: POST /v1/keys · POST /v1/keys/{name}/split · POST /v1/keys/{name}/recover · GET /v1/keys/{name}/secret
  • Archives: POST /v1/archives · POST /v1/archives/{name}/split · POST /v1/archives/{name}/recover · POST /v1/archives/{name}/resplit · GET /v1/archives/{name}/envelope · GET /v1/archives/{name}/secret
  • POST /v1/access · GET /v1/status · GET /healthz

Travel Rule

Embedded library, no standalone service: TravelRule(...).certify(...) produces a signed, no-PII receipt; seal_ivms101 and open_ivms101 handle the post-quantum IVMS101 exchange; verify_travel_rule_receipt(...) verifies offline.

Live health into the Command Center

Point any app at the Command Center on 8200 so it self-registers and appears in the console and the control panel posture:
CCC_HUB_URL=http://command-center:8200
CCC_HUB_TOKEN=<service token>
CCC_HUB_NAME=<app name>
CCC_HUB_SELF_URL=http://<app host>:<app port>

Licence

One OEM bundle licence both decrypts the bundle and runs every app (each app also accepts a per-package OEM licence). Provide it via ALGOVOI_LICENSE_KEY or ALGOVOI_LICENSE_FILE. Without a licence the evidence apps fail closed; the control plane does not.