Skip to main content
Change the default password before deploying publicly. The .env.example placeholder values for Auth__Jwt__Secret, Auth__BootstrapSuperAdmin__Password, and Auth__ApiKey__Keys__0 are not safe for production. Replace all of them with strong, randomly generated values.

Deployment topologies

Choose the topology that matches your setup. The key difference between them is how you point the frontend at the backend API.
The simplest option. Frontend and backend run on the same machine with their default ports. Use this for local testing, single-machine setups, or internal network deployments.
Default addresses after docker compose up -d --build:

Environment variables

These are the variables you configure in your .env file. The compose.yaml passes them into the containers automatically.

Required

Frontend

API key (optional)

Auth__BootstrapSuperAdmin__* only runs once — when the database has no SuperAdmin user. Subsequent restarts do not re-create or overwrite the account. Additional users are managed from the admin console /users page.

JWT tuning (optional)

Verifying your deployment

After starting the containers, run these checks to confirm everything is working: Backend health:
Public assets API:
Login endpoint:
A successful login response includes an accessToken and a refreshToken.

Fixing the “host not allowed” error

If you access NekoHub via a custom domain and see an error like:
This is not a backend authentication error. It is the frontend container’s Vite preview server rejecting the Host header. Fix it by setting FRONTEND_VITE_ALLOWED_HOSTS in your .env:
Then rebuild the frontend container:

Production checklist

Before going live, verify each of these.
  • Replace all placeholder values in .env with strong, randomly generated secrets
  • Use a persistent PostgreSQL instance (not an ephemeral container for production data)
  • Enable HTTPS for the frontend, API, and /content URLs
  • If using split-domain, update both FRONTEND_VITE_API_BASE_URL and Storage__PublicBaseUrl to your HTTPS URLs
  • Set FRONTEND_VITE_ALLOWED_HOSTS to your actual domain
  • If you need MCP or script access, configure Auth__ApiKey__Enabled and Auth__ApiKey__Keys__0
  • If you want uploads to trigger workflows automatically, configure /workflows first; workflows that include ai-caption also require an active AI provider