Architecture

Orithos is built on a modern stack: Next.js on Vercel, FastAPI on Railway, ARQ workers with Redis, and PostgreSQL for storage.

System components

Frontend

Next.js 15 (Vercel). Server Components, Tailwind v4, shadcn/ui. Dashboard and marketing site.

API

FastAPI (Railway). Async endpoints, Pydantic validation, RFC 7807 errors, structlog.

Worker

ARQ worker (Redis). Executes probes, runs LLM-as-Judge evaluation, and persists findings.

Database

PostgreSQL 16. asyncpg driver. Migrations via Alembic. Row-Level Security enabled.

Data flow

The user creates a scan via the dashboard or API. The API enqueues a job in Redis. The ARQ worker picks up the job, executes probes against the agent endpoint, sends responses to the LLM evaluator, persists findings to PostgreSQL, and updates the scan status. The frontend polls the API for real-time progress.

Internal API key

Proxy-to-backend requests are authenticated using an internal API key shared between the Next.js frontend and FastAPI backend. This key is set via the INTERNAL_API_KEY environment variable and validated on every proxied request. User API keys are never exposed to the frontend.

curl -X POST https://api.orithos.dev/v1/scans \
  -H "X-Internal-Key: {internal_api_key}" \
  -H "Content-Type: application/json" \
  -d '{
  "agent_id": "agent_abc123",
  "probe_set": "prompt-injection"
}'
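
One way the backend-side check described under "Internal API key" could look, as an added example that is not Orithos code: it fails closed when INTERNAL_API_KEY is unset, rejects missing or duplicated X-Internal-Key headers, compares in constant time, and returns an RFC 7807 problem document on failure. The function names, the minimum key length and the sample key are assumptions made for this example.

```python
import hmac
import os

HEADER = "x-internal-key"   # header name taken from the curl example on this page
MIN_KEY_LEN = 32            # assumed policy, not an Orithos setting


def load_internal_key(env=os.environ):
    """Read INTERNAL_API_KEY once at startup; fail closed if unset or short."""
    key = env.get("INTERNAL_API_KEY", "")
    if len(key) < MIN_KEY_LEN:
        raise RuntimeError("INTERNAL_API_KEY is unset or too short")
    return key


def problem(status, title):
    """Minimal RFC 7807 problem document (served as application/problem+json)."""
    return {"type": "about:blank", "title": title, "status": status}


def check_internal_key(headers, expected):
    """Return None when the request is authenticated, else a problem document.

    headers is a list of (name, value) pairs so duplicate headers stay visible.
    """
    presented = [value for name, value in headers if name.lower() == HEADER]
    # Exactly one header must be present; every failure returns the same
    # generic error so the response does not reveal which check failed.
    if len(presented) != 1:
        return problem(401, "Unauthorized")
    # compare_digest takes time independent of where the two values differ.
    if not hmac.compare_digest(presented[0].encode(), expected.encode()):
        return problem(401, "Unauthorized")
    return None


if __name__ == "__main__":
    # Constructed sample key, for illustration only.
    key = load_internal_key({"INTERNAL_API_KEY": "constructed-sample-key-0123456789abcdef"})
    print(check_internal_key([("X-Internal-Key", key)], key))
    print(check_internal_key([("X-Internal-Key", "wrong")], key))
```

In a FastAPI service this check would typically run as a dependency or middleware applied to every proxied route, with the key loaded once at startup.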