Operate overview

TL;DR — One Go binary, three deployment shapes. Standalone binary for a single Linux host. Docker Compose for single-host with Postgres and a reverse proxy. Kubernetes (Helm) for HA, multi-replica, production. Same binary in every mode; the only real choice is your infrastructure. This page is the picker.

The deployment matrix

| Mode | Best for | Storage | Signing keys | HA-ready | Effort |
|---|---|---|---|---|---|
| Single binary (docker run) | Local dev, demos, evaluating AuthPlane | SQLite (on-disk) | Auto-generated keyfile | No | One command |
| Standalone binary + systemd | Small VPS, on-prem single host, air-gapped | SQLite or Postgres | Keyfile or Vault Transit | If Postgres | ~15 min |
| Docker Compose | Single host with Postgres, dev/staging, on-prem | SQLite or Postgres | Keyfile | If Postgres | ~10 min |
| Kubernetes (Helm) | Production, multi-replica HA, regulated environments | Postgres (subchart or external) | Vault Transit recommended | Yes | Chart + values |

Every mode uses the same authplane/authserver:latest container image (or the equivalent binary — the Docker image is a distroless wrapper around the Go binary). Config precedence is identical: defaults → YAML file → env vars.

The 30-second picker

  • Just trying it out → docker run authplane/authserver:latest serve. SQLite + auto-generated keys, zero config. Not this page's territory; go to Quickstart.
  • One Linux server, no Kubernetes → Standalone binary with systemd + reverse proxy.
  • One Linux server, prefer containers → Docker Compose; SQLite or Postgres, optional Caddy for TLS.
  • Kubernetes cluster, need HA → Kubernetes (Helm) with the OCI-published chart.
  • Any of the above but with HSM-grade signing → add HashiCorp Vault Transit; works across all three.

Common requirements across all modes

Regardless of shape, these apply:

  • Session secret and admin API key: generate each with openssl rand -hex 32 (32 random bytes, hex-encoded). Boot fails when server.issuer is not localhost and either value is missing.
  • Public issuer URL over HTTPS: a reverse proxy or ingress terminates TLS in front of :9000.
  • Admin port :9001 not exposed publicly: internal network only, or behind an IP allowlist.
  • PostgreSQL for multi-instance: SQLite does not support concurrent writers across replicas.
  • Vault Transit (or the Postgres key store) for multi-replica signing: a keyfile requires a shared PVC (ReadWriteMany); Vault avoids the problem entirely by keeping keys server-side.
  • Scheduled authserver purge: expired tokens, DPoP nonces, and assertion JTIs are not cleaned up by serve. Schedule it externally (systemd timer, Kubernetes CronJob, or Docker sidecar). See Backup, upgrade, purge.
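The secret and issuer requirements above are easy to get wrong on a first deploy, so here is a small preflight script. It is an added example, not part of the AuthPlane docs or code base. It assumes a secret is 32 random bytes, hex-encoded (what openssl rand -hex 32 emits), and encodes the documented rule that a non-localhost issuer must have both secrets and should be served over https. How the values are handed to authserver (flag or environment variable) is not shown on this page, so the script only validates and prints them; the file name preflight.sh used by the run-directly guard is an assumption.

```shell
#!/bin/sh
# Added example, not part of the AuthPlane docs or code base.
# Generates the two secrets the page requires and pre-checks the issuer rule
# before `authserver serve`. Assumptions: a secret is 32 random bytes,
# hex-encoded (what `openssl rand -hex 32` emits); the issuer rule mirrors
# "boot fails when server.issuer is not localhost and these are missing".
# How the values reach authserver (flag or env var) is not shown on this page,
# so the script validates and prints them only.

set -u

# gen_secret: 32 random bytes as 64 hex characters (openssl, else /dev/urandom).
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# is_hex_secret VALUE: 0 when VALUE is exactly 64 hex characters.
is_hex_secret() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ ${#1} -eq 64 ]
}

# issuer_host URL: host part of an issuer URL (scheme, port and path stripped).
issuer_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#[:/].*$##'
}

# preflight ISSUER SESSION_SECRET ADMIN_API_KEY
# 0 when the common requirements hold; otherwise prints each violation to
# stderr and returns 1. Loopback issuers may use plain http and need no secrets.
preflight() {
    issuer=$1; session=$2; admin=$3; rc=0
    scheme=${issuer%%://*}
    host=$(issuer_host "$issuer")
    loopback=0
    if [ "$host" = localhost ] || [ "$host" = 127.0.0.1 ]; then loopback=1; fi
    if [ "$scheme" != https ] && [ "$loopback" -eq 0 ]; then
        echo "preflight: public issuer must be https, got '$issuer'" >&2; rc=1
    fi
    if [ "$loopback" -eq 0 ]; then
        is_hex_secret "$session" || { echo "preflight: session secret missing or not 32 hex-encoded bytes" >&2; rc=1; }
        is_hex_secret "$admin"   || { echo "preflight: admin API key missing or not 32 hex-encoded bytes" >&2; rc=1; }
    fi
    return $rc
}

# When saved as preflight.sh and run directly: generate secrets, check them
# against $ISSUER (default: a placeholder public issuer), then print them.
if [ "${0##*/}" = preflight.sh ]; then
    SESSION_SECRET=$(gen_secret)
    ADMIN_API_KEY=$(gen_secret)
    preflight "${ISSUER:-https://auth.example.com}" "$SESSION_SECRET" "$ADMIN_API_KEY" && echo "preflight ok"
    printf 'session_secret=%s\nadmin_api_key=%s\n' "$SESSION_SECRET" "$ADMIN_API_KEY"
fi
```

Run it as ISSUER=https://auth.example.com sh preflight.sh and feed the printed values into your YAML or environment; a loopback issuer such as http://localhost:9000 passes with empty secrets, matching the boot rule, while anything else must be https and carry both values.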

Storage: SQLite vs Postgres

| | SQLite | PostgreSQL |
|---|---|---|
| Setup | Zero; auto-created on first boot | Requires an external DB and authserver migrate on first start |
| Concurrent readers | ✓ (WAL mode) | ✓ |
| Concurrent writers across instances | ✗ | ✓ |
| Cross-instance config propagation | 30 s polling (in-memory cache tick) | Milliseconds via LISTEN/NOTIFY |
| Backup | File copy while stopped, or .backup while running | pg_dump |
| Recommended for | Single instance, dev, evaluating | Production, HA, multi-instance |

The 30-second SQLite propagation window matters mostly during initial bring-up (creating resources, rotating keys) — steady-state it’s invisible.

Signing keys: keyfile, Postgres key store, or Vault Transit

| | Keyfile | Postgres key store | Vault Transit |
|---|---|---|---|
| Setup | Auto-generated on boot; PEM files in signing.key_path | Keys stored in the Postgres DB, encrypted at rest | External Vault + Transit engine + auth (token or AppRole) |
| Multi-instance safe | Requires shared PVC (ReadWriteMany) | ✓ (propagates via LISTEN/NOTIFY) | ✓ (Vault is the shared store) |
| Private keys on disk | ✓ (PEM under key_path) | Encrypted in DB (not plaintext on disk) | ✗ (signing happens inside Vault) |
| Rotation | authserver admin key rotate | Same | Same, via Vault |
| Compliance | Fine for most | Good for regulated storage | Best for HSM-grade / FIPS |

Details in Security: Key management and Operate: Vault Transit.

What every mode ships

Regardless of how you deploy:

  • Public OAuth endpoints on :9000/oauth/authorize, /oauth/token, /oauth/register, /oauth/revoke, /oauth/introspect
  • Discovery on :9000/.well-known/oauth-authorization-server, /.well-known/openid-configuration, /.well-known/jwks.json
  • Health on :9000/health and :9000/ready
  • Admin API + Admin UI on :9001 — clients, users, resources, providers, grants, issuances, signing keys, audit
  • Structured logs (slog), Prometheus metrics on :9001/metrics (admin port), optional OpenTelemetry traces and metrics over OTLP
  • Signing-key rotation via SIGHUP (kill -HUP <pid>, docker kill -s HUP <container>) or via the admin API (POST /admin/keys/rotate)

Choose your mode