Deployment topologies
Choose the topology that matches your setup. The key difference between them is how you point the frontend at the backend API.- Local (default ports)
- Split-domain
- Same-domain reverse proxy
The simplest option. Frontend and backend run on the same machine with their default ports. Use this for local testing, single-machine setups, or internal network deployments.Default addresses after
docker compose up -d --build:Environment variables
These are the variables you configure in your.env file. The compose.yaml passes them into the containers automatically.
Required
Frontend
API key (optional)
Auth__BootstrapSuperAdmin__* only runs once — when the database has no SuperAdmin user. Subsequent restarts do not re-create or overwrite the account. Additional users are managed from the admin console /users page.JWT tuning (optional)
Verifying your deployment
After starting the containers, run these checks to confirm everything is working: Backend health:accessToken and a refreshToken.
Fixing the “host not allowed” error
If you access NekoHub via a custom domain and see an error like:Host header.
Fix it by setting FRONTEND_VITE_ALLOWED_HOSTS in your .env:
Production checklist
Before going live, verify each of these.
- Replace all placeholder values in
.envwith strong, randomly generated secrets - Use a persistent PostgreSQL instance (not an ephemeral container for production data)
- Enable HTTPS for the frontend, API, and
/contentURLs - If using split-domain, update both
FRONTEND_VITE_API_BASE_URLandStorage__PublicBaseUrlto your HTTPS URLs - Set
FRONTEND_VITE_ALLOWED_HOSTSto your actual domain - If you need MCP or script access, configure
Auth__ApiKey__EnabledandAuth__ApiKey__Keys__0 - If you want uploads to trigger workflows automatically, configure
/workflowsfirst; workflows that includeai-captionalso require an active AI provider