Requirements
-
A provisioned Redis or Valkey instance that your LangSmith instance will have network access to. We recommend using a managed service like:
- Amazon ElastiCache (Redis or Valkey)
- Google Cloud Memorystore (Redis or Valkey)
- Azure Cache for Redis
- Supported versions: Redis >= 5, or Valkey 8. Valkey is treated as a drop-in replacement for Redis throughout this guide.
- We support both Standalone and Redis Cluster (including Valkey Cluster). See the appropriate sections for deployment instructions.
- We support no authentication, password, and IAM/Workload Identity authentication.
- By default, we recommend an instance with at least 2 vCPUs and 8GB of memory. However, the actual requirements will depend on your tracing workload. We recommend monitoring your Redis instance and scaling up as needed.
Standalone Redis
Connection string
You will need to assemble the connection string for your Redis instance. This connection string should include the following information:- Host
- Database
- Port
- URL params
- Use
rediss://when TLS is enabled on your Redis server. - Provide the password in the connection string.
Configuration
With your connection string in hand, you can configure your LangSmith instance to use an external Redis instance. You can do this by modifying thevalues file for your LangSmith Helm Chart installation.
Helm
Redis cluster
As of LangSmith helm version 0.12.25, we officially support Redis Cluster.Host names
When using Redis Cluster, provide a list of node hostnames and ports. Each node URI must be in the form:rediss here. For Redis Cluster:
- Provide the password separately via
redis.external.cluster.passwordor through a Secret usingpasswordSecretKey. - TLS is enabled by default for Redis Cluster (
redis.external.cluster.tlsEnabled: true). SettlsEnabled: falseif your cluster does not use TLS.
Configuration
When connecting to an external Redis Cluster, configure the Helm values underredis.external.cluster. You can either:
- Provide node URIs and (optionally) a password directly in
values.yaml. - Or reference an existing Kubernetes
Secretcontaining node URIs and password.
Azure managed Redis
Azure Managed Redis supports two clustering policies that affect how LangSmith connects to it. Choose the configuration below based on the clustering policy of your instance.OSS Cluster
LangSmith connects to OSS clustering policy instances using Redis Cluster mode. As of LangSmith helm chart version 0.13.33,ssl_check_hostname=false is supported as a node URI parameter. In our testing, the OSS clustering policy requires disabling SSL hostname verification. Azure’s proxy resolves connections to internal node IPs that are not present in the certificate’s SAN, causing hostname verification to fail.
EnterpriseCluster
As of LangSmith helm chart version 0.13.33, LangSmith supports Azure Managed Redis with the EnterpriseCluster policy. This policy exposes a single endpoint that handles sharding internally. LangSmith must connect to it as a standalone (single-instance) client, but it does not support cluster unsafe operations such as MULTI/EXEC. Setredis.external.clusterSafeMode: true to disable unsafe cluster operations.
clusterSafeMode: true in your Helm values.
TLS with Redis
Use this section to configure TLS for Redis connections. For mounting internal/public CAs so LangSmith trusts your Redis server certificate, see Configure custom TLS certificates.Server TLS (one-way)
To validate the Redis server certificate:- Provide a CA bundle using
config.customCa.secretNameandconfig.customCa.secretKey. - For Standalone Redis, use
rediss://in the connection URL. - For Redis Cluster,
redis.external.cluster.tlsEnableddefaults totrue. Ensure it is not set tofalse.
Mutual TLS with client auth (mTLS)
As of LangSmith helm chart version 0.12.29, we support mTLS for Redis clients. For server-side authentication in mTLS, use the Server TLS steps (custom CA) in addition to the following client certificate configuration. If your Redis server requires client certificate authentication:- Provide a Secret with your client certificate and key.
- Reference it via
redis.external.clientCert.secretNameand specify the keys withcertSecretKeyandkeySecretKey. - For Standalone Redis, keep using
rediss://in the connection URL. - For Redis Cluster,
redis.external.cluster.tlsEnableddefaults totrue. Ensure it is not set tofalse.
Pod security context for certificate volumes
The certificate volumes mounted for mTLS are protected by file access restrictions. To ensure all LangSmith pods can read the certificate files, you must setfsGroup: 1000 in the pod security context.
You can configure this in one of two ways:
Option 1: Use commonPodSecurityContext
Set the fsGroup at the top level to apply it to all pods:
fsGroup to each pod’s security context individually. See the mtls configuration example for a complete reference.
IAM authentication
As of LangSmith helm chart version 0.12.34, we support IAM authentication for Redis. This allows you to use cloud provider workload identity instead of static passwords.IAM authentication is supported for both standalone Redis and Redis Cluster configurations. However, not all cloud providers support IAM authentication for all Redis offerings. Check your cloud provider’s documentation to verify IAM support for your specific Redis setup (e.g., GCP only supports IAM for Memorystore Cluster, not standalone Memorystore).
- AWS
- GCP
- Azure
ElastiCache for Redis IAM authentication
ElastiCache for Redis supports IAM authentication, which allows you to authenticate using AWS IAM credentials instead of Redis AUTH passwords.Prerequisites
- Configure workload identity in your Kubernetes cluster using AWS IRSA or EKS Pod Identity
- Enable IAM authentication on your ElastiCache instance and grant access to your workload identity
Configuration
Standalone Redis:Required annotations
You must apply the ServiceAccount annotations required by AWS IRSA to all LangSmith components that connect to Redis:Deployments:backend, queue, platformBackend, hostBackend, ingestQueueExample configuration:Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

