- Alforse Cloud — the hosted product at *.alforse.com. Tenant access is created through assisted onboarding or a redemption code; see Quickstart.
- Enterprise self-hosted — a customer-operated runtime for organizations with a signed enterprise self-hosted license. This page covers the public deployment sequence for that licensed package.
The self-hosted runtime (EDITION=self_hosted) requires the self_hosted commercial plan and a signed license file. It is not the internal Alforse engineering runtime. See Plans & Editions before preparing infrastructure.
Prerequisites
- Enterprise self-hosted license file and public verification key from Alforse.
- A customer-controlled deployment host or container platform.
- Docker and Docker Compose, or equivalent orchestration for the API, PostgreSQL, Redis, and S3-compatible object storage.
- PostgreSQL 15+ for system metadata and PostgreSQL 15+ for tenant data. Keep these databases separate.
- Redis for sessions, rate limits, and request nonces.
- S3-compatible object storage for contract originals, invoice evidence, and payment proof.
- TLS-terminated public origins for the API and user-facing applications.
- SMTP or an approved transactional email provider for password reset, invitations, and MFA backup codes.
- A file scanning service if downloadable files must require a clean security scan.
1. Confirm the licensed package
Before deployment, confirm that your package includes:
- The API container image or source mirror authorized for your license.
- apps/api/docker-compose.self-hosted.yml or the equivalent orchestration manifest.
- A signed license file for the intended tenant, plan, and expiry window.
- The environment variable list reviewed for your infrastructure.
- The onboarding instructions for creating the first tenant administrator.
2. Configure environment variables
Self-hosted deployments use the same variable names documented in Configuration, but the values must point to customer-managed infrastructure. Do not reuse the hosted SaaS values. At minimum, prepare:
- EDITION=self_hosted
- NODE_ENV=production
- LICENSE_FILE
- LICENSE_PUBLIC_KEY
- PLATFORM_DATABASE_URL and PLATFORM_APP_DATABASE_URL
- TENANT_DATABASE_URL and TENANT_APP_DATABASE_URL
- REDIS_URL
- OSS_ENDPOINT, OSS_BUCKET, OSS_ACCESS_KEY, OSS_SECRET_KEY, OSS_REGION
- JWT_ACCESS_SECRET, JWT_REFRESH_SECRET, MFA_SECRET_KEY, API_HMAC_SECRET
- API_PUBLIC_URL, WEB_PUBLIC_URL, DEALS_PUBLIC_URL, CONSOLE_PUBLIC_URL
- Email, Turnstile, file scanning, OCR, and SSO values required by your operating model
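
One way to check these values before the first start, as an added example (not code from Alforse or the licensed package): it verifies that the variables listed above are set, that the platform and tenant URLs do not resolve to the same database, and that public origins use HTTPS and do not point at *.alforse.com. The 32-character secret minimum, the requirement that the four secrets differ, and the host/port/name database comparison are assumptions, not documented Alforse rules.

```javascript
// Added example, not Alforse code. Variable names are from this page.
// Assumptions: the 32-character minimum, distinct secrets, and the URL heuristics.
const REQUIRED = ["LICENSE_FILE", "LICENSE_PUBLIC_KEY", "REDIS_URL", "OSS_ENDPOINT",
  "OSS_BUCKET", "OSS_ACCESS_KEY", "OSS_SECRET_KEY", "OSS_REGION"];
const PLATFORM_DBS = ["PLATFORM_DATABASE_URL", "PLATFORM_APP_DATABASE_URL"];
const TENANT_DBS = ["TENANT_DATABASE_URL", "TENANT_APP_DATABASE_URL"];
const SECRETS = ["JWT_ACCESS_SECRET", "JWT_REFRESH_SECRET", "MFA_SECRET_KEY", "API_HMAC_SECRET"];
const PUBLIC_URLS = ["API_PUBLIC_URL", "WEB_PUBLIC_URL", "DEALS_PUBLIC_URL", "CONSOLE_PUBLIC_URL"];
const MIN_SECRET_LENGTH = 32; // assumption: the page states no minimum

function checkEnv(env) {
  const problems = [];
  if (env.EDITION !== "self_hosted") problems.push("EDITION must be self_hosted");
  if (env.NODE_ENV !== "production") problems.push("NODE_ENV must be production");
  for (const name of [...REQUIRED, ...PLATFORM_DBS, ...TENANT_DBS, ...SECRETS, ...PUBLIC_URLS])
    if (!env[name]) problems.push(`${name} is not set`);
  const url = (name) => {
    if (!env[name]) return null; // already reported as unset
    try { return new URL(env[name]); }
    catch { problems.push(`${name} is not a valid URL`); return null; }
  };
  // Identify a database by host, port and name, ignoring credentials and options.
  const dbId = (name) => {
    const u = url(name);
    return u && `${u.hostname}:${u.port || "5432"}${u.pathname}`;
  };
  const tenantIds = TENANT_DBS.map(dbId).filter(Boolean);
  if (PLATFORM_DBS.map(dbId).some((id) => id && tenantIds.includes(id)))
    problems.push("platform and tenant URLs point at the same database");
  const seen = new Map(); // secret value -> first variable that used it
  for (const name of SECRETS.filter((n) => env[n])) {
    if (env[name].length < MIN_SECRET_LENGTH)
      problems.push(`${name} is shorter than ${MIN_SECRET_LENGTH} characters`);
    if (seen.has(env[name])) problems.push(`${name} reuses the value of ${seen.get(env[name])}`);
    else seen.set(env[name], name);
  }
  for (const name of PUBLIC_URLS) {
    const u = url(name);
    if (!u) continue;
    if (u.protocol !== "https:") problems.push(`${name} must use https`);
    if (("." + u.hostname).endsWith(".alforse.com"))
      problems.push(`${name} points at the hosted product`);
  }
  return problems;
}

// Report problems in the current environment, one per line.
console.log(checkEnv(process.env).join("\n") || "environment OK");
```

Run it with the same environment the API container will receive; it prints messages only and never echoes secret values.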
3. Prepare infrastructure
If you use the provided Compose file, it starts the API with PostgreSQL, Redis, and S3-compatible object storage. For a managed platform, map the same services into your own orchestrator and keep the database split intact:
- System metadata database: tenants, plans, subscriptions, licenses, and integration metadata.
- Tenant data database: contracts, payments, files, dynamic fields, audit events, and workflow state.
- Object storage bucket: original documents, invoice files, and evidence files.
- Redis: sessions, refresh-token revocation, request signatures, and rate limiting.
Running without Docker
Point these variables at your managed services, then continue with the database setup:
- PLATFORM_DATABASE_URL, PLATFORM_APP_DATABASE_URL
- TENANT_DATABASE_URL, TENANT_APP_DATABASE_URL
- REDIS_URL
- OSS_ENDPOINT, OSS_BUCKET, OSS_ACCESS_KEY, OSS_SECRET_KEY, OSS_REGION
FILE_SCAN_MODE=external with FILE_SCAN_ENDPOINT and FILE_SCAN_API_KEY.
4. Set up the databases
Alforse uses two Prisma schemas — prisma/platform and prisma/tenant — that must both be generated and migrated:
db:seed creates system plans, default roles, the permission matrix, and workflow controls
that the app expects to exist.
5. Start the licensed runtime
PORT and mounts every route under /api/v1. Put it behind your approved
TLS proxy or ingress before inviting tenant users.
6. Create the first tenant administrator
Coordinate first-tenant creation with your Alforse implementation contact or the licensed onboarding flow included with your package. The first tenant administrator should be created after plan, license, MFA, password-reset, and recovery settings are confirmed.
7. Verify the deployment
status: "degraded" with platformDb or tenantDb set to "down" means the API can’t reach
one of the two databases. Recheck the database URLs, network access, TLS settings, and
credentials from step 2.
Operational checks
Before going live, verify:
- Tenant admins must enroll MFA when required.
- Password reset, invitation, and backup-code emails are delivered.
- File uploads cannot be downloaded until scan policy requirements pass.
- Object storage lifecycle and backup policies meet your retention requirements.
- API request signing is enabled for non-browser integrations.
- Monitoring polls GET /health and alerts on degraded.
- Database backups and restore procedures have been tested.