Self-hosting
Run Open Connector in your own environment while preserving the same broker and API model.
Self-hosting is for teams that need to operate the credential broker, database, encryption keys, and OAuth applications in their own environment. It is not required for the SaaS quick start.
What you operate
| Component | Responsibility |
|---|---|
| API server | OAuth callbacks, project-key authentication, credential brokering, and API routes |
| Postgres | Application state and encrypted credential records |
| Encryption key | CONNECTOR_ENCRYPTION_KEY; losing it makes existing encrypted credentials unrecoverable |
| Public HTTPS origin | OAuth callback base and API endpoint for your agents |
| OAuth applications | Provider-specific client credentials when you do not use an available managed configuration |
The optional console is useful for operating organizations, projects, auth configs, connections, and API keys. Agents still call the project-key-protected API; they do not access the database directly.
Choose the right guide
Local development
Run the repository's Postgres, MinIO, and observability dependencies, then start the applications with pnpm.
AWS production deployment
The repository's current production topology: EC2 Docker Compose, Cloudflare, Secrets Manager, and Neon.
Environment variables
Use the validated runtime schema as the source of truth for required and optional configuration.
Database operations
Run migrations, understand local database setup, and plan backups.
Production shape
The supported production deployment uses Cloudflare for public ingress, an EC2 host for the containerized server, marketing, and docs services, S3 + CloudFront for the console SPA, and Neon for Postgres. Deployment reaches the host through AWS SSM; the application host does not expose inbound application ports.
For exact infrastructure, IAM boundaries, secret handling, and day-two operations, follow Deploy to AWS instead of adapting a generic platform tutorial.
Before production
- Generate and back up
BETTER_AUTH_SECRETandCONNECTOR_ENCRYPTION_KEYsecurely. - Set the server's public URL and CORS origin correctly.
- Register each provider OAuth callback against the broker's public origin.
- Run database migrations as part of the deployment process.
- Verify a project API key, a real connection, and one brokered tool call from the public endpoint.
A database backup alone cannot decrypt credentials. Protect and recover the encryption key using a real secrets-management process.