Self-Hosting

Deploy the full Avnology ID stack on your own infrastructure.

Self-Hosting Avnology ID

Avnology ID ships as a production-ready Docker Compose stack you can deploy against your own Postgres, Valkey, and MinIO. Every component -- gateway, Ory stack (Kratos, Hydra, Keto, Oathkeeper), Polis, audit / risk / webhook / SAML services, web dashboard, docs -- is built from this repo, and every release is tagged alongside its container images (api-gateway, hydra, kratos, etc.) on GitHub Container Registry.

Where to start

  1. Overview -- managed vs self-hosted decision guide and licensing.
  2. Docker Compose deploy -- run docker compose -f docker-compose.traefik.yml up -d against deploy/docker/* config.
  3. Environment variables -- every .env variable documented.
  4. DNS setup -- 8 records to point at your host.
  5. TLS via Traefik ACME -- Let's Encrypt or DNS-01 for wildcard.
  6. Backup & migrations -- pg_dump, make db-migrate, restore paths.
  7. Upgrading -- Ory rollover, zero-downtime patterns.
  8. Kubernetes -- Helm chart is post-v1.0; Compose is the sole supported platform today.

System requirements

Resource   Minimum       Recommended for 10k MAU
CPU        4 vCPU        8 vCPU
Memory     8 GiB         16 GiB
Disk       40 GiB SSD    200 GiB NVMe
Network    100 Mbit      1 Gbit

Postgres and MinIO dominate disk usage. Plan for ~10 GiB per 100k identities over 12 months of audit retention.

What gets deployed

19 services, all in one compose file:

postgres (17-alpine)
pgbouncer
valkey (8.1)
nats (jetstream)
minio
kratos + courier
hydra
keto
oathkeeper
gateway
audit
risk
webhook
saml (idp)
polis (scim)
web
docs