Operate overview
TL;DR — One Go binary, three deployment shapes. Standalone binary for a single Linux host. Docker Compose for single-host with Postgres and a reverse proxy. Kubernetes (Helm) for HA, multi-replica, production. Same binary in every mode; the only real choice is your infrastructure. This page is the picker.
The deployment matrix
Every mode uses the same authplane/authserver:latest container image (or the equivalent binary — the Docker image is a distroless wrapper around the Go binary). Config precedence is identical: defaults → YAML file → env vars.
The 30-second picker
- Just trying it out → `docker run authplane/authserver:latest serve` — SQLite + auto keys, zero config. Not this page's territory; go to Quickstart.
- One Linux server, no Kubernetes → Standalone binary with systemd + reverse proxy.
- One Linux server, prefer containers → Docker Compose — SQLite or Postgres, optional Caddy for TLS.
- Kubernetes cluster, need HA → Kubernetes (Helm) with the OCI-published chart.
- Any of the above but with HSM-grade signing → add HashiCorp Vault Transit — works across all three.
Common requirements across all modes
Regardless of shape, these apply:
- Session secret and admin API key — generate with `openssl rand -hex 32`. Boot fails when `server.issuer` is not localhost and these are missing.
- Public issuer URL over HTTPS — reverse proxy or ingress terminating TLS in front of `:9000`.
- Admin port `:9001` not exposed publicly — internal network only, or behind an IP allowlist.
- PostgreSQL for multi-instance — SQLite doesn't support concurrent writers across replicas.
- Vault Transit for multi-replica signing — keyfile requires a shared PVC (`ReadWriteMany`); Vault avoids the problem entirely by keeping keys server-side.
- Scheduled `authserver purge` — expired tokens, DPoP nonces, and assertion JTIs aren't cleaned by `serve`. Schedule externally (systemd timer, k8s CronJob, or docker sidecar). See Backup, upgrade, purge.
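As an added example (not code from the authserver project or this page), a POSIX shell pre-flight check that applies the first two requirements above before the server is started: a non-localhost `server.issuer` must be served over HTTPS and must have both a session secret and an admin API key present, each a 32-byte hex string as produced by `openssl rand -hex 32`. Function names and the argument order are assumptions; the binary's own validation at boot may differ in detail.

```shell
#!/bin/sh
# Added example, not code from the authserver project. Encodes the boot rule
# from this page as a pre-flight check: when server.issuer is not localhost,
# the session secret and admin API key must both be present, each a 32-byte
# hex string as produced by `openssl rand -hex 32`, and the issuer must be
# served over HTTPS. Function names and argument order are assumptions.

# Generate one secret the way the page prescribes.
gen_secret() {
    openssl rand -hex 32
}

# Succeed when the value is exactly 64 lowercase hex digits (32 random bytes).
is_hex32() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Extract the host part of an issuer URL: drop the scheme, then cut at ':' or '/'.
issuer_host() {
    printf '%s' "$1" | sed -E 's#^[a-zA-Z]+://##; s#[:/].*$##'
}

# Succeed only for a genuine localhost issuer (not e.g. localhost.example.com).
is_localhost_issuer() {
    case "$(issuer_host "$1")" in
        localhost|127.0.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight ISSUER SESSION_SECRET ADMIN_API_KEY
# Returns 0 when the deployment satisfies the rule above, 1 with a reason on stderr.
preflight() {
    issuer=$1; session=$2; admin=$3
    # Local development is the only case where the secrets may be absent.
    is_localhost_issuer "$issuer" && return 0
    case "$issuer" in
        https://*) ;;
        *) echo "preflight: non-localhost issuer must use https: $issuer" >&2; return 1 ;;
    esac
    is_hex32 "$session" || { echo "preflight: session secret missing or malformed" >&2; return 1; }
    is_hex32 "$admin"   || { echo "preflight: admin API key missing or malformed" >&2; return 1; }
    return 0
}
```

Run it from the systemd unit's `ExecStartPre=`, the Compose entrypoint, or a Helm pre-install hook so a misconfigured instance never reaches `serve`.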
Storage: SQLite vs Postgres
The 30-second SQLite propagation window matters mostly during initial bring-up (creating resources, rotating keys) — steady-state it’s invisible.
Signing keys: keyfile vs Vault Transit
Details in Security: Key management and Operate: Vault Transit.
What every mode ships
Regardless of how you deploy:
- Public OAuth endpoints on `:9000` — `/oauth/authorize`, `/oauth/token`, `/oauth/register`, `/oauth/revoke`, `/oauth/introspect`
- Discovery on `:9000` — `/.well-known/oauth-authorization-server`, `/.well-known/openid-configuration`, `/.well-known/jwks.json`
- Health on `:9000/health` and `:9000/ready`
- Admin API + Admin UI on `:9001` — clients, users, resources, providers, grants, issuances, signing keys, audit
- Structured logs (slog), Prometheus metrics on `:9001/metrics` (admin port), optional OpenTelemetry traces + metrics over OTLP
- Signing-key rotation via `SIGHUP` (`kill -HUP <pid>` / `docker kill -s HUP` / `POST /admin/keys/rotate`)
Choose your mode
- Standalone binary — systemd unit, dedicated user, PEM keyfile, reverse proxy notes
- Docker Compose — SQLite and Postgres compose files, Caddy TLS example, backup + upgrade
- Kubernetes (Helm) — chart install, values files, ingress split (public + admin), OIDC in values, Vault Transit, observability wiring, Kind for local testing
- HashiCorp Vault Transit — HSM-grade signing across any of the above
- Backup, upgrade, purge — data lifecycle across all modes
Related
- Configuration reference — every knob for every section
- Security: Threat model — trust boundaries and 16 named threats
- Guides: Monitoring — Prometheus + OTEL wiring end to end