title: Deployment Guide description: Self-host phorvec server with Docker, configure for production, and manage licensing.

Deployment Guide

phorvec server is distributed as a Docker container. This guide covers everything needed to go from a first local run to a production-hardened deployment.

Getting Started

Docker Quick Start

The fastest way to run phorvec server is a single docker run command:

docker run -p 8000:8000 -v phorvec_data:/data phorvec-server:latest

This starts the REST API on port 8000 and stores all data in the phorvec_data Docker volume. No configuration is required. The server starts in development mode with Community Edition limits (3 agents maximum).

Verify the server is running:

curl http://localhost:8000/health

A healthy server returns:

{ "status": "ok", "version": "x.y.z", "edition": "community" }

Docker Compose

For a more complete local or production setup, use Docker Compose. The following example includes an optional Redis instance for distributed rate limiting:

version: "3.9"

services:
  phorvec:
    image: phorvec-server:latest
    ports:
      - "8000:8000"
    volumes:
      - phorvec_data:/data
    environment:
      PHORVEC_ENVIRONMENT: production
      JWT_SECRET_KEY: ${JWT_SECRET_KEY}
      PHORVEC_LICENSE_KEY: ${PHORVEC_LICENSE_KEY}
      CORS_ORIGINS: ${CORS_ORIGINS}
      REDIS_URL: redis://redis:6379
    depends_on:
      - redis
    restart: unless-stopped

  redis:
    image: redis:7-alpine
    volumes:
      - redis_data:/data
    restart: unless-stopped

volumes:
  phorvec_data:
  redis_data:

The dashboard is a separate static deployment (see Ports below). Deploy it independently on port 3000 and point it at the API on port 8000.

Environment Variables

Variable	Default	Description
`PHORVEC_LICENSE_KEY`	(empty)	License key. Empty value runs Community Edition (3 agents max).
`JWT_SECRET_KEY`	(none)	Secret used to sign internal JWT tokens. Required in production; must be 32 or more characters.
`PHORVEC_STORAGE_PATH`	`/data`	Directory inside the container where agent databases and audit logs are written. Mount a persistent volume here.
`PHORVEC_ENVIRONMENT`	`development`	Runtime environment. Accepted values: `production`, `staging`, `development`. Controls security strictness.
`CORS_ORIGINS`	`*` (dev only)	Comma-separated list of allowed CORS origins. Required in production; wildcard is rejected in production mode.
`FORCE_HTTPS`	`false`	When `true`, redirect all HTTP requests to HTTPS. Enable when deployed behind a TLS-terminating proxy.
`MAX_REQUEST_SIZE_MB`	`10`	Maximum request body size in megabytes. Requests exceeding this limit are rejected.
`REDIS_URL`	(empty)	Redis connection URL (e.g., `redis://localhost:6379`). When set, rate limiting state is stored in Redis for distributed deployments. Without Redis, rate limiting is in-memory and per-instance only.
`AUDIT_RETENTION_DAYS`	`365`	Number of days to retain audit log records. Enterprise only; Community Edition retains the last 100 entries regardless of this setting.

Ports

Port	Service	Notes
`8000`	REST API	Primary API port. All `/api/v1/` endpoints and `/health`.
`3000`	Dashboard	Memory CMS web UI. Deployed as a separate static application.
`6379`	Redis	Optional. Used for distributed rate limiting when `REDIS_URL` is set.

Minimum Requirements

Resource	Minimum	Recommended
CPU	2 cores	4+ cores
RAM	2 GB	4+ GB
Disk	10 GB	Sized to your expected memory volume
Persistent storage	Required	Mount a named volume or bind mount at `/data`

Disk usage grows with the number of agents and the total volume of stored vectors. Each 768-dimension float32 vector occupies approximately 3 KB of index space before quantization.

Production Security Checklist

Work through this checklist before exposing phorvec to any network traffic outside localhost.

Set PHORVEC_ENVIRONMENT=production — enforces strong secret requirements and strict CORS validation at startup.
Generate a strong JWT_SECRET_KEY — use a cryptographically random value of at least 32 characters:
```
openssl rand -hex 32
```
Configure CORS_ORIGINS — specify the exact origins your dashboard and any API clients will use. Do not use * in production.
Enable HTTPS via reverse proxy — deploy phorvec behind nginx, Traefik, or a cloud load balancer that terminates TLS. Set FORCE_HTTPS=true in phorvec so plain HTTP is redirected.
Set up Redis for distributed rate limiting — if running more than one phorvec instance, configure REDIS_URL so that per-key rate limits are enforced consistently across all instances.
Restrict the data volume — the directory mounted at PHORVEC_STORAGE_PATH should be owned by the container user and not accessible to other processes on the host.
Rotate API keys regularly — revoke unused or old keys via DELETE /api/v1/keys/{key_id}. There is no cost to creating new keys.
Review audit logs — query GET /api/v1/audit or use the dashboard to review recent activity. Enterprise deployments should schedule regular exports.

Licensing

Community Edition

Community Edition is the default when no PHORVEC_LICENSE_KEY is set.

Free, no registration required
Maximum 3 agents
Audit log limited to the last 100 entries
All core MCP tools available
REST API and dashboard available

Enterprise Edition

Enterprise Edition is activated by setting the PHORVEC_LICENSE_KEY environment variable.

Unlimited agents
Full audit log history with CSV/JSON export
Cryptographic hash chain for tamper-evident audit records
Configurable audit retention (AUDIT_RETENTION_DAYS)
Priority support

Contact the phorvec team for an Enterprise license.

License Format and Validation

phorvec licenses are JWT tokens signed with RS256 (asymmetric RSA). The public key is bundled with the server binary.

Offline validation — no network request is made at startup or during operation. Air-gapped deployments are fully supported.
No phone-home — phorvec never contacts an external service to verify license status.
Graceful fallback — an absent, invalid, or expired license key causes phorvec to fall back to Community Edition limits. The server continues running; only Enterprise-gated features become unavailable.

API Quick Reference

All endpoints require Authorization: Bearer <api_key> except /health.

Method	Path	Description
`POST`	`/api/v1/agents`	Create agent
`GET`	`/api/v1/agents`	List agents
`POST`	`/api/v1/agents/{id}/vectors`	Insert vector
`POST`	`/api/v1/agents/{id}/vectors/batch`	Batch insert vectors
`POST`	`/api/v1/agents/{id}/search`	Similarity search
`POST`	`/api/v1/agents/{id}/sync/push`	Push changes to remote instance
`POST`	`/api/v1/agents/{id}/sync/pull`	Pull changes from remote instance
`POST`	`/api/v1/agents/{id}/sync/resolve`	Submit conflict resolution
`GET`	`/api/v1/audit`	Query audit log
`GET`	`/api/v1/audit/export`	Export audit log as CSV or JSON (Enterprise)
`GET`	`/api/v1/audit/verify`	Verify audit hash chain (Enterprise)
`POST`	`/api/v1/keys`	Create API key
`GET`	`/api/v1/keys`	List API keys
`DELETE`	`/api/v1/keys/{key_id}`	Revoke API key
`GET`	`/api/v1/usage`	Usage metrics
`GET`	`/health`	Health check

For full request and response schemas, start the server and open http://localhost:8000/docs for the interactive OpenAPI documentation.