AuthenSeeDocs
Guides

Self-Hosting

Deploy your own AuthenSee auth server or use the Rebellion-managed instance.

Hosting Options

AuthenSee offers two deployment paths for the authentication server:

Option 1: Rebellion-Managed (default)

Use the hosted instance at api.authensee.com — the same authnc-auth-server codebase, deployed and managed by Rebellion Systems.

await sdk.init({
  sessionToken: "sess_...",
  serverUrl: "https://api.authensee.com", // Rebellion-managed
});

What you get:

  • Zero infrastructure management
  • Automatic updates and security patches
  • SLA-backed uptime
  • Managed PostgreSQL (Neon) with automatic backups
  • Global CDN for circuit artifacts
  • Monitoring and alerting

Best for: Most providers who want to focus on their product, not infrastructure.

Option 2: Self-Hosted

Deploy your own instance of authnc-auth-server. Same codebase, same API, same SDK compatibility.

await sdk.init({
  sessionToken: "sess_...",
  serverUrl: "https://auth.yourcompany.com", // Your deployment
});

What you need:

  • PostgreSQL 15+ database
  • Node.js 22+ runtime
  • Circuit verification keys (from authnc-circuits)
  • Docker (recommended) or direct Node.js deployment

Best for: Organizations with strict data residency requirements, compliance needs, or custom infrastructure.

Self-Hosting Quick Start

# Clone the auth server
git clone https://github.com/rebellion-systems/authnc-auth-server.git
cd authnc-auth-server
 
# Configure
cp .env.example .env
# Edit .env: set DATABASE_URL, JWT_SECRET, CIRCUITS_DIR
 
# Run with Docker Compose
docker compose up -d postgres auth-server
 
# Or run directly
pnpm install
pnpm build
pnpm start

Required Environment Variables

VariableDescription
DATABASE_URLPostgreSQL connection string
JWT_SECRETSecret for signing JWTs (min 32 chars)
CIRCUITS_DIRPath to compiled circuit VK artifacts
VK_HASH_MEMORY_AUTHSHA-256 hash of memory_auth verification key
VK_HASH_MEMORY_AUTH_PASSKEYSHA-256 hash of memory_auth_passkey verification key
ALLOWED_ORIGINSCORS allowed origins (your app domains)
PORTServer port (default: 3000)

Circuit Artifacts

The auth server requires compiled circuit verification keys. Get them from the authnc-circuits repository:

git clone https://github.com/rebellion-systems/authnc-circuits.git
cd authnc-circuits
nargo compile --program-dir circuits/noir/memory_auth
nargo compile --program-dir circuits/noir/memory_auth_passkey

Point CIRCUITS_DIR to the compiled output directory.

SDK Compatibility

Both deployment options use the same API. The SDK doesn't know (or care) whether it's talking to the Rebellion-managed instance or your self-hosted one. The only difference is the serverUrl in the configuration.

Provider secret keys (sk_) and session tokens (sess_) work identically on both.

Migrating Between Options

Migrating from hosted to self-hosted (or vice versa):

  1. Export your provider configuration (API keys, policies)
  2. Point serverUrl to the new deployment
  3. Users do NOT need to re-enroll — their Merkle roots are portable

Important: Enrolled Merkle roots must be migrated to the new database. Contact Rebellion support for hosted → self-hosted migration assistance.

Previous

Hosted Pages

Next

React Native

On this page