One-click deploy

Deploy Avnology ID to Render, Railway, or Dokploy with a single click. Intended for trial / staging; see the full self-hosting guide for production.

Three platforms can spin up Avnology ID from a single button click, using the templates in deploy/one-click/. Each wraps the core services (gateway, docs, Postgres, Redis/Valkey, Kratos, Hydra, Keto) with sensible defaults.

Trial-grade, not production-grade

These templates are for kicking the tires. They skip the full observability stack, don't configure custom domains, assume platform-managed secrets, and reference placeholder container images. For production, follow the full self-hosting guide.

Deploy buttons

Deploy to Render

  • Reads deploy/one-click/render.yaml.
  • Provisions a managed Postgres + Redis.
  • Generates secrets (Hydra system secret, Kratos cookie + cipher secrets, Valkey password) via Render's generateValue.
  • Public URLs: *.onrender.com for the gateway and docs; Ory services stay private.
  • You supply: ADMIN_PASSWORD, SMTP_CONNECTION_URI, SMTP_FROM_ADDRESS, and the three public-hostname env vars if you bring your own domain.

Deploy to Railway

  • Reads deploy/one-click/railway.json.
  • Provisions the same service shape as Render, using Railway's secret(32) generator and prompt() for operator-supplied values.
  • Public URLs: *.up.railway.app.
  • Ory images run as private services on Railway's shared network.

Deploy to Dokploy

  • Reads deploy/one-click/dokploy.yaml, which wraps docker-compose.traefik.yml.
  • Unlike Render/Railway, Dokploy deploys the full stack (Polis SSO, SAML IdP, webhook + audit + risk workers) because Dokploy is compose-native and doesn't bill per service.
  • Requires DOMAIN_* A records to resolve to the Dokploy host before first deploy so Traefik can complete the ACME HTTPS challenge.

What these templates do NOT cover

  • Custom domains beyond defaults. Render gives you *.onrender.com, Railway *.up.railway.app. Bring-your-own-domain means adding a CNAME + updating DOMAIN_API / DOMAIN_WEB / DOMAIN_DOCS after the first deploy. Dokploy wants these upfront because it brokers the ACME challenge itself.
  • Email provider wiring. You must supply a working SMTP_CONNECTION_URI (SES, SendGrid, Resend, Mailgun, Postmark — all work). MailSlurper (the dev default) is not bundled. Kratos refuses to start without a reachable SMTP endpoint.
  • Secret rotation. HYDRA_SYSTEM_SECRET is generated once. Rotating it invalidates every issued access + refresh token. Follow the upgrade guide for the proper key-rotation procedure before you rotate anything in production.
  • Observability stack. No Prometheus / Grafana / Jaeger. Use the platform's native logs + metrics, or follow the full self-hosting guide to stand up the OTEL pipeline.
  • Managed backups. Use the platform's snapshot feature. The compose-level pg_dump schedule isn't wired.
  • Polis + SAML IdP + auxiliary workers. Included in the Dokploy template (compose-based), omitted in Render + Railway to keep per-service billing manageable. If you need SSO/SAML on Render or Railway, follow the full self-hosting path.
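
A preflight for the two prerequisites above that block a first deploy (the DOMAIN_* A records Dokploy needs for the ACME challenge, and a usable SMTP_CONNECTION_URI), written as an added example that is not part of the Avnology ID repository. The function names and the operator-supplied Dokploy IPv4 argument are assumptions; the smtp:// and smtps:// schemes are the ones Ory Kratos accepts.

```python
import os
import socket
import sys
from urllib.parse import urlsplit

DOMAIN_VARS = ("DOMAIN_API", "DOMAIN_WEB", "DOMAIN_DOCS")  # names from this page


def resolve_a(hostname):
    """Return the set of IPv4 addresses the system resolver gives for hostname."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except OSError:  # NXDOMAIN, timeout, or no network
        return set()


def preflight(env, dokploy_ip, resolver=resolve_a):
    """Return a list of problems; an empty list means the deploy can proceed."""
    problems = []
    for var in DOMAIN_VARS:
        host = env.get(var, "").strip()
        if not host:
            problems.append(f"{var} is not set")
            continue
        addrs = resolver(host)
        if not addrs:
            problems.append(f"{var}={host} has no A record yet")
        elif addrs != {dokploy_ip}:
            # A stale or extra record can send the ACME validation request elsewhere.
            problems.append(f"{var}={host} resolves to {sorted(addrs)}, expected {dokploy_ip}")
    # The URI usually embeds credentials, so it is validated but never echoed.
    try:
        uri = urlsplit(env.get("SMTP_CONNECTION_URI", ""))
        smtp_ok = uri.scheme in ("smtp", "smtps") and bool(uri.hostname)
    except ValueError:
        smtp_ok = False
    if not smtp_ok:
        problems.append("SMTP_CONNECTION_URI must be an smtp:// or smtps:// URI with a host")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py <dokploy-host-ipv4>")
    issues = preflight(os.environ, sys.argv[1])
    print("\n".join(issues) or "preflight ok")
    sys.exit(1 if issues else 0)
```

Run it with the same environment you will hand to the template; a non-zero exit lists what to fix before the first deploy.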

After you deploy

  1. Open https://<your-gateway-url>/healthz and confirm 200 OK.
  2. Open https://<your-gateway-url> and sign in with [email protected] + the ADMIN_PASSWORD you supplied.
  3. Change the admin password immediately.
  4. Create your first OAuth client + your first end user. See getting started.
  5. When you're ready to go to production, graduate to the full self-hosting guide for backups, observability, and custom domains.

Going to production

The full self-hosting guide walks through: