Deployment Guide
This guide describes the alpha and preview deployment paths for the open-source T3X repository. It does not describe the managed SaaS deployment.
Alpha And Preview Paths
| Path | Command | Intended use |
|---|---|---|
| Source development | pnpm dev:api and pnpm dev:webui | Contributor and implementation work; no restricted npm access required |
| Local alpha package | npx -p @t3x-dev/local t3x-local start | Packaged local evaluation; restricted alpha npm access required |
| Docker Compose preview | docker compose up -d --build | Preview self-hosted WebUI + API + Postgres evaluation |
Docker Self-Hosting Preview
Docker Compose is a preview evaluation path. It is not the primary promised entry point for users.
Docker Compose starts:
- Postgres on port
5432 - API on port
8000 - WebUI on port
3000
Basic flow:
cp .env.example .env
docker compose up -d --build
Optional services:
docker compose --profile runner up -d --build
docker compose --profile n8n up -d --build
docker compose --profile agent-demo up -d --build
Auth is on by default for Docker and self-hosted runs. The first WebUI visit
uses the built-in username/password login at /login.
Auth Defaults
Docker and self-hosted runs keep auth enabled by default. Source development
opens directly into the app in local developer mode unless AUTH_DISABLED=false
is set before starting both dev processes.
Do not expose AUTH_DISABLED=true to an untrusted network. Treat that setting
as a local development shortcut only.
Source Development
Use source development when changing the repository itself:
pnpm install
pnpm dev:api
pnpm dev:webui
Source development defaults to opening directly into the app in local developer
mode. To exercise the login flow locally, set AUTH_DISABLED=false before
starting both dev processes.
Environment
At least one provider key is required for structured extraction or chat:
ANTHROPIC_API_KEYOPENAI_API_KEYGOOGLE_AI_STUDIO_KEY
Common deployment variables:
DATABASE_URLfor Postgres-backed API and WebUI storage.NEXT_PUBLIC_API_URLfor the browser-facing API URL.AUTH_DISABLED=falseto keep auth enabled explicitly.WEBUI_PORTandPOSTGRES_PORTto override Docker Compose host ports.
Do not commit provider keys, database passwords, or generated local config.
Self-Hosting Checklist
Before exposing T3X beyond your local machine, review:
- Keep auth enabled for both API and WebUI.
- Use strong database credentials and store them outside source control.
- Define a Postgres backup and restore procedure before real data enters the system.
- Put TLS and a reverse proxy in front of browser-accessible deployments.
- Restrict host firewall rules to the ports you intentionally expose.
- Store provider keys in environment or secret management, not in committed files.
- Rotate provider keys if they may have appeared in logs, screenshots, support reports, or shared terminals.
- Review logs and screenshot artifacts for sensitive source text, generated output, API keys, database URLs, and user content.
- Document an upgrade and rollback procedure for the running deployment.
Production Caveats
This alpha does not claim managed production readiness. Before exposing T3X to an untrusted network, review:
- Auth settings for API and WebUI.
- Database credentials, backups, restore tests, and retention.
- TLS, reverse proxy, and host firewall configuration.
- Provider key storage and rotation.
- Logs and screenshots for possible sensitive content.
- Upgrade and rollback procedure.
The open-source repository supports self-hosted evaluation. Managed cloud deployment, OAuth provider wiring, billing, teams, and tenant operations are cloud-specific and live outside the open-source repository.