Installation Guide

Get Contexa AI Native Zero Trust Platform running in your Spring project. Choose between automatic CLI setup or manual configuration.

Quick Install (Recommended)

Install the Contexa CLI and set up everything automatically with a single command.

Step 1 - Install CLI

Shell (Linux / macOS) 
curl -fsSL https://install.ctxa.ai | sh

Windows — The install script is a POSIX shell script. On Windows, run it from Git Bash or WSL:

curl -fsSL https://install.ctxa.ai | sh

Alternatively, download the CLI release directly from contexa-security/contexa-cli and place the contexa binary on your PATH.

Step 2 - Initialize your project

Shell 
cd your-spring-project
contexa init

The CLI will guide you through an interactive setup:

  • Project type - New project (FULL) or legacy system (SANDBOX)
  • AI security mode - Monitor only or block threats immediately
  • AI / LLM Model - Ollama (local), OpenAI, or Anthropic
  • Infrastructure - Standard (PostgreSQL + Ollama) or Distributed (+ Redis + Kafka)

The CLI automatically:

  • Adds spring-boot-starter-contexa dependency to your build file
  • Configures application.yml with the correct settings
  • Generates docker-compose.yml for infrastructure
  • Starts Docker containers and pulls AI models

Step 3 - Add annotations

Java 
@EnableAISecurity
@SpringBootApplication
public class MyApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}

// Protect any endpoint with AI Zero Trust
@Protectable
@GetMapping("/api/customers")
public List<Customer> getCustomers() { ... }

Step 4 - Start your application

Shell 
./gradlew bootRun

That's it. Contexa is now active in your application. Request-time enforcement and asynchronous analysis work together around @Protectable endpoints.

Legacy System Integration (SANDBOX Mode)

If your project already has its own authentication system, use SANDBOX mode. Contexa adds AI security on top of your existing login — without modifying it.

Java 
@EnableAISecurity(
    mode = SecurityMode.SANDBOX,
    authObjectLocation = AuthObjectLocation.SESSION,
    authObjectAttribute = "loginUser"  // your legacy session attribute name
)
@SpringBootApplication
public class LegacyApplication { }

Zero side effects —SANDBOX mode does not interfere with your existing security. Your login pages, session management, and access control remain untouched. Contexa only activates on @Protectable endpoints.

Prerequisites

Required for both CLI and manual installation:

Requirement Version Purpose
Java 21+ Runtime (configured via Gradle toolchain)
Spring Boot 3.x Application framework
Docker Latest Infrastructure services (PostgreSQL, Ollama)

Distributed mode only —If you plan to use Distributed mode, you will also need Redis (for session store and distributed locks) and Kafka (for event streaming).

Manual Installation

If you prefer not to use the CLI, follow these steps manually.

1. Add Dependency

Gradle (Groovy) 
dependencies {
    implementation 'ai.ctxa:spring-boot-starter-contexa:0.1.0'
}
Maven 
<dependency>
    <groupId>ai.ctxa</groupId>
    <artifactId>spring-boot-starter-contexa</artifactId>
    <version>0.1.0</version>
</dependency>

2. Start Infrastructure

Shell 
# Standard mode (PostgreSQL + Ollama)
docker compose up -d

# Distributed mode (+ Redis + Kafka)
docker compose --profile distributed up -d

# Pull AI models
docker exec contexa-ollama ollama pull qwen3.5:9b
docker exec contexa-ollama ollama pull mxbai-embed-large

3. Infrastructure Services

Service Image Port Mode
PostgreSQL pgvector/pgvector:pg16 5432 Standard
Ollama ollama/ollama:latest 11434 Standard
Redis redis:7.2-alpine 6379 Distributed
Kafka cp-kafka:7.4.0 9092 Distributed

Troubleshooting

Problem Solution
PostgreSQL connection refused Check Docker is running: docker ps. Verify port 5432 is not in use.
Ollama connection refused Check container: docker logs contexa-ollama. Verify port 11434.
AI model not found Pull models: docker exec contexa-ollama ollama pull qwen3.5:9b
Port conflicts Default ports: PostgreSQL 5432, Ollama 11434, Redis 6379, Kafka 9092
contexa init —arrow keys not working Windows: use winpty contexa init in Git Bash, or run in Windows Terminal

Need more help? —Check the Configuration Reference or visit GitHub Discussions.