Full-stack chatbot builder platform for Tuel University with multi-provider AI support (OpenAI, Gemini, OpenRouter), RAG implementation, and OAuth SSO.
Educational institutions face significant barriers in deploying custom AI assistants for their unique needs. Instructors lack engineering expertise to build chatbots, while commercial solutions are expensive, inflexible, and vendor-locked. Integrating document-specific knowledge (syllabi, research papers, handbooks) requires complex RAG (Retrieval Augmented Generation) implementation, which is beyond most institutions' technical capabilities.
Security and compliance requirements for educational data demand enterprise-grade authentication, workspace isolation, and audit logging. Cost transparency is critical for budget-constrained institutions. The challenge was to create a production-ready platform that democratizes AI chatbot creation while maintaining security, scalability, and cost efficiency through comprehensive Azure cloud architecture.
The Solution
I developed Tuel AI Chatbot Builder, a full-stack platform enabling instructors to create custom AI assistants without coding. Built with FastAPI 0.115 + Next.js 15 in a monorepo architecture, the platform supports multi-provider AI (OpenAI, Google Gemini, OpenRouter) with Bring-Your-Own-Key (BYOK) encryption for vendor independence.
The platform implements RAG via Azure AI Search for vector storage, enabling semantic search across uploaded files (PDF, TXT, DOCX) and scraped URLs (via Firecrawl). Real-time streaming responses use Server-Sent Events (SSE), while OAuth authentication (NextAuth.js v5 + Azure AD) provides enterprise SSO compatibility. A comprehensive Azure PaaS architecture (851 lines of documentation, 282 lines of Bicep IaC) showcases production-grade planning with cost transparency ($222-497/month) and zero-server management approach.
Data Flow: User authenticates via Azure AD → Frontend sends API requests → Container Apps backend validates via NextAuth → Applies workspace isolation → Queries PostgreSQL/Redis/AI Search → Streams response via SSE
Security: All secrets in Key Vault, managed identities eliminate hardcoded credentials, BYOK encryption for user API keys, workspace isolation prevents data leakage
Cost: $222-497/month (scales with usage), 100% PaaS services, zero server management, consumption-based pricing for Container Apps
Key Features
Multi-Provider AI Support
Integrated with OpenAI (GPT-4o, GPT-3.5-turbo), Google Gemini, and OpenRouter for vendor independence. Dynamic provider switching based on cost, performance, and availability. BYOK (Bring-Your-Own-Key) encryption via Fernet protects user API keys stored in Azure Key Vault. Real-time streaming responses using Server-Sent Events (SSE).
RAG (Retrieval Augmented Generation)
File uploads (PDF, TXT, DOCX) with 10MB limit per file. URL scraping via Firecrawl integration for web content ingestion. Vector embeddings using text-embedding-ada-002 stored in Azure AI Search (Basic tier). Semantic search across documents for context-aware responses.
OAuth Authentication & Security
NextAuth.js v5 integration with Azure AD OAuth for enterprise SSO compatibility. Role-based access control (Admin/Instructor/Student). Session management with thread IDs for conversation persistence. Workspace isolation via owner_uid scoping ensures multi-tenant security.
Share Token System
Public chatbot access via unique share tokens. Analytics tracking for usage metrics and popular queries. Rate limiting per token prevents abuse. Customizable expiration for time-limited access. Ideal for course-specific assistants shared with students.
Real-Time Streaming Responses
Server-Sent Events (SSE) for token-by-token response rendering. Progress indicators during AI generation. Conversation threading with thread IDs. Multi-turn dialogue support with context preservation. Responsive UI across mobile, tablet, and desktop.
BYOK Encryption & Key Vault
Fernet encryption for user API keys stored at rest. Azure Key Vault integration for secrets management (SECRET_KEY, ENCRYPTION_KEY, database credentials). Managed identities eliminate hardcoded secrets. Immutable audit logging for compliance (planned feature).
Technical Implementation
Backend Architecture
FastAPI 0.115 with async/await patterns for high-performance API endpoints. SQLAlchemy ORM + Alembic migrations (8 major migrations tracking schema evolution). PostgreSQL 15 Flexible Server (production) / SQLite (local dev). Redis distributed cache (C0 tier, 250MB) for rate limiting and session management. OpenTelemetry instrumentation for Application Insights observability.
Frontend Stack
Next.js 15 App Router with React 19 Server Components for optimal performance. NextAuth.js v5 authentication with Azure AD OAuth integration. TypeScript with strict mode for type safety. Real-time streaming UI using Server-Sent Events (SSE). Responsive design system with mobile-first approach.
Azure Infrastructure (100% PaaS)
Container Apps with auto-scaling (0→10 replicas, consumption-based pricing). Static Web Apps (Standard tier) for Next.js with global CDN. PostgreSQL Flexible Server (B1ms burstable, 20GB storage). Redis Cache (C0 tier) for distributed caching. Azure AI Search (Basic tier, 15GB) for vector storage. Blob Storage (Hot tier) for file uploads. Key Vault for secrets management. Application Insights for monitoring and telemetry.
Security Model
Managed identities (Azure Entra ID) for passwordless access to Azure resources. BYOK encryption (Fernet) for user API keys stored in database. Workspace isolation via owner_uid scoping prevents multi-tenant data leakage. Rate limiting (10MB uploads, request throttling via Redis). OAuth 2.0 authentication with Azure AD for enterprise SSO. CORS configuration restricts cross-origin access.
Azure Infrastructure Cost Breakdown
Cost-transparent architecture with 100% Azure PaaS services. No server management, auto-scaling, and consumption-based pricing. Estimated monthly cost: $222-497 (scales with usage).
Service
Tier
Purpose
Monthly Cost
Static Web Apps
Standard
Next.js hosting + CDN
$9
Container Apps
Consumption
FastAPI auto-scale (0→10)
$50-150
PostgreSQL Flexible Server
B1ms
Primary database
$12-25
Azure OpenAI Service
Pay-per-use
GPT-4o, embeddings
$50-200
Azure AI Search
Basic
Vector store (RAG)
$75
Redis Cache
C0 (250MB)
Rate limiting, sessions
$16
Blob Storage
Hot
File uploads
$5-10
Key Vault
Standard
Secrets management
$0.03
Application Insights
Free tier
Telemetry, monitoring
$0-5
Container Registry
Basic
Docker images
$5
Total Estimated Monthly Cost:
$222-497
Infrastructure as Code: 851 lines of Azure architecture documentation + 282 lines of Bicep IaC with 9 modular deployments
Mission
Democratize AI chatbot creation for educational institutions through a secure, scalable, multi-provider platform that requires zero coding expertise while maintaining enterprise-grade quality.
Vision
Become the industry standard for educational AI assistants with comprehensive RAG, BYOK support, Azure-native architecture, and transparent cost modeling that scales from individual instructors to entire university systems.
Production Readiness Assessment
Current Status: Staging-Ready MVP
The platform is feature-complete and infrastructure-deployed for staging environments. Comprehensive Azure architecture planning demonstrates production-grade expertise.
Enforce strong SECRET_KEY validation (no defaults)
Remove default admin password "changeme"
Add ENCRYPTION_KEY production validation
Implement request body size limits (10MB)
Add SSRF protection for URL ingestion (block internal IPs)
Restrict CORS to specific origins (currently too permissive)
Enforce PostgreSQL in production (no SQLite)
Add per-user file upload quotas
Strengthen AUTH secret generation
Performance & Scale (7 Priority 2 items)
Migrate to distributed Redis cache (from in-memory)
Add message history pagination
Implement circuit breaker for AI providers
Set up background job queue (Celery recommended)
Enhance health check to verify dependencies
Move share tokens to headers (not URL params)
Add connection pooling optimization
Testing & Quality (Coverage Gap)
Current test coverage: ~20% (Target: 70%+)
Need comprehensive unit tests for services layer
Integration tests for AI provider interactions
E2E tests for critical user flows
Estimated Production Timeline: 8-12 weeks of focused work to address all 31 identified issues. This timeline demonstrates professional planning rigor and security-first mindset rather than rushing to production prematurely.
Real-World Use Cases
University Course Assistants
Professors upload syllabi and lecture notes. Students ask questions 24/7 with RAG-powered context-aware answers. Share tokens enable collaborative access for study groups.
Research Lab Support
Lab teams ingest research papers via file upload or URL scraping. Members query methodology and findings. Vector search provides semantic understanding across documents.
Department FAQ Automation
Admissions offices upload student handbooks and policy documents. Automated responses to common questions reduce staff workload. Analytics track popular topics for content improvement.
Student Onboarding
New student orientation materials ingested into chatbot. Campus policy Q&A available 24/7. Multi-provider AI ensures response quality and availability.
Library Reference Desk
Library resources and catalogs ingested for semantic search. Citation assistance and research guidance automation. Reduce reference desk volume during peak periods.
IT Help Desk Triage
Common technical issues database powers self-service troubleshooting. Reduce ticket volume through AI-powered first-line support. Share tokens for department-specific knowledge bases.
Technical Highlights
FastAPI 0.115 + Next.js 15 App Router in monorepo architecture
Multi-provider AI: OpenAI (GPT-4o, GPT-3.5-turbo), Google Gemini, OpenRouter with BYOK encryption
RAG implementation with Azure AI Search (Basic tier) for vector storage and semantic search
Real-time streaming responses via Server-Sent Events (SSE) with token-by-token rendering
OAuth authentication (NextAuth.js v5 + Azure AD) with role-based access control (Admin/Instructor/Student)
Share token system for public chatbot access with analytics and rate limiting
BYOK encryption (Fernet) for user API keys stored in Azure Key Vault
PostgreSQL 15 Flexible Server with SQLAlchemy ORM + Alembic migrations (8 major migrations)
Azure Container Apps with auto-scaling (0→10 replicas) and managed identities
File uploads (10MB limit) + URL scraping via Firecrawl integration
Redis distributed cache (C0 tier) for rate limiting and session management
Application Insights with OpenTelemetry instrumentation for observability
100% Azure PaaS services: Static Web Apps, Container Apps, PostgreSQL, Redis, AI Search, Blob Storage, Key Vault
Docker Compose for local development + GitHub Actions CI/CD pipelines
Pre-commit hooks (ruff + black for Python, lint-staged for TypeScript)
Why This Project Matters
Educational AI Democratization
Lowers barriers for instructors to create custom AI assistants without engineering expertise. Multi-provider support ensures flexibility and vendor independence. RAG enables context-aware responses from course materials.
Enterprise-Grade Security
Managed identities eliminate hardcoded secrets. BYOK encryption protects user API keys. Workspace isolation ensures multi-tenant security. OAuth authentication with Azure AD integration provides enterprise SSO compatibility.
Azure Cloud Architecture Expertise
Comprehensive 851-line architecture document showcasing Azure PaaS mastery. Cost-transparent infrastructure ($222-497/month). 282 lines of Bicep IaC with 9 modular deployments. Production-ready security model with Key Vault and managed identities.
Full-Stack Excellence
Modern Next.js 15 App Router with React 19 Server Components. FastAPI backend with async/await patterns. PostgreSQL with Alembic migrations. Real-time streaming with SSE. TypeScript strict mode across frontend.
Production Readiness Transparency
Honest assessment: staging-ready MVP with 8-12 week production timeline. Detailed TODO.md tracking 31 issues (9 critical). Test coverage roadmap from 20% to 70% target. Demonstrates professional planning rigor and security awareness.
