Self-Hosting

Run your own LynxPrompt instance with full control over data, features, and branding. A single Docker Compose file gets you started in minutes.

Quick Start

The fastest way to get LynxPrompt running is with the provided docker-compose.selfhost.yml.

1. Create an environment file

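# .env
# This file is not run by a shell, so $(...) is never expanded here.
# Generate the value first with: openssl rand -base64 32
NEXTAUTH_SECRET=<paste the generated value>
ADMIN_EMAIL=you@example.com
APP_URL=https://lynxprompt.yourcompany.com

2. Start the services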

docker compose -f docker-compose.selfhost.yml up -d

3. Open the app

Navigate to http://localhost:3000 (or your configured APP_URL). The first user matching ADMIN_EMAIL is automatically promoted to superadmin.

Requirements: Docker Engine 24+ and Docker Compose v2. The default compose file uses a single PostgreSQL instance and exposes port 3000.

Environment Variables

All configuration is done through environment variables. Only NEXTAUTH_SECRET is strictly required.

Core

| Variable | Default | Description |
|---|---|---|
| NEXTAUTH_SECRET | | Session encryption key. Required. Generate with openssl rand -base64 32 |
| APP_URL | http://localhost:3000 | Public URL of the instance (used for callbacks, emails, and CLI) |
| NEXTAUTH_URL | same as APP_URL | NextAuth callback URL. Usually the same as APP_URL |
| SUPERADMIN_EMAIL | | Email auto-promoted to superadmin on first sign-in |
| NODE_ENV | production | Set to production for self-hosted deployments |

Database

| Variable | Default | Description |
|---|---|---|
| DATABASE_URL_APP | | Main application database (blueprints, marketplace) |
| DATABASE_URL_USERS | | User accounts, sessions, authentication |
| DATABASE_URL_BLOG | | Blog content (when ENABLE_BLOG is on) |
| DATABASE_URL_SUPPORT | | Support forum data (when ENABLE_SUPPORT_FORUM is on) |

Authentication

| Variable | Default | Description |
|---|---|---|
| ENABLE_EMAIL_AUTH | true | Magic link email sign-in (requires SMTP) |
| ENABLE_PASSKEYS | true | WebAuthn passkey sign-in |
| ENABLE_GITHUB_OAUTH | false | GitHub OAuth (requires GITHUB_ID + GITHUB_SECRET) |
| ENABLE_GOOGLE_OAUTH | false | Google OAuth (requires GOOGLE_CLIENT_ID + GOOGLE_CLIENT_SECRET) |
| ENABLE_SSO | false | Enterprise SSO (SAML, OIDC, LDAP) |
| ENABLE_USER_REGISTRATION | true | Allow new user registration. Set to false for invite-only |
| ENABLE_TURNSTILE | false | Cloudflare Turnstile CAPTCHA on sign-up |

AI Features

| Variable | Default | Description |
|---|---|---|
| ENABLE_AI | false | Enable AI editing & wizard assistant |
| ANTHROPIC_API_KEY | | Anthropic API key (required when ENABLE_AI is true) |
| AI_MODEL | claude-3-5-haiku-latest | Anthropic model to use for AI features |

Marketplace

| Variable | Default | Description |
|---|---|---|
| ENABLE_STRIPE | false | Enable paid blueprint purchases (requires Stripe keys) |

Federation

| Variable | Default | Description |
|---|---|---|
| ENABLE_FEDERATION | false | Join the federated network to share and discover blueprints across instances |
| FEDERATION_REGISTRY_URL | | URL of the federation registry to connect to (provided by the network operator) |

Branding & Content

| Variable | Default | Description |
|---|---|---|
| APP_NAME | LynxPrompt | Application name shown in UI, emails, and metadata |
| APP_LOGO_URL | | URL to a custom logo image |
| CONTACT_EMAIL | | Displayed as contact email in the UI |
| STATUS_PAGE_URL | | Link to your status page (e.g., Upptime, Kuma) |
| ENABLE_BLOG | false | Enable the built-in blog |
| ENABLE_SUPPORT_FORUM | false | Enable the support forum |
| UMAMI_SCRIPT_URL | | Umami analytics script URL (self-hosted analytics) |

Authentication Configuration

Out of the box, LynxPrompt supports passkeys and email magic links. Add OAuth providers or lock down registration as needed.

Passkeys (default: on)

WebAuthn passkeys work immediately with no extra configuration. Requires HTTPS in production for browser WebAuthn APIs.

Email Magic Links (default: on)

Requires an SMTP server. Set EMAIL_SERVER and EMAIL_FROM in your environment. Without SMTP, disable with ENABLE_EMAIL_AUTH=false.

GitHub OAuth

Set ENABLE_GITHUB_OAUTH=true, GITHUB_ID, and GITHUB_SECRET. Create an OAuth App at GitHub → Settings → Developer settings → OAuth Apps. Set the callback URL to {APP_URL}/api/auth/callback/github.

Google OAuth

Set ENABLE_GOOGLE_OAUTH=true, GOOGLE_CLIENT_ID, and GOOGLE_CLIENT_SECRET. Configure in Google Cloud Console with redirect URI {APP_URL}/api/auth/callback/google.

Invite-Only Mode

Set ENABLE_USER_REGISTRATION=false to prevent new sign-ups. Existing users can still sign in. Admins can invite users via the admin panel.
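
A preflight check for the dependencies stated in the variable tables and in this section, as an added example that is not part of LynxPrompt. The function name lynx_env_check, the simplified KEY=VALUE parsing, and the 32-character floor for NEXTAUTH_SECRET (openssl rand -base64 32 prints 44 characters) are assumptions made here.

```shell
# Added example (not LynxPrompt code): preflight a .env against this page's
# rules. Prints one finding per line; returns non-zero when anything is found.
lynx_env_check() (
  file=$1
  # val KEY: last assignment wins; drop a trailing " # comment" and quotes.
  val() {
    sed -n "s/^[[:space:]]*$1=//p" "$file" | tail -n 1 |
      sed -e 's/[[:space:]][[:space:]]*#.*$//' -e "s/^[\"']\(.*\)[\"']\$/\1/"
  }
  # requires FLAG DEFAULT VAR...: if FLAG is on, report every empty VAR.
  requires() {
    flag=$1 state=$(val "$1"); shift
    [ "${state:-$1}" = true ] || return 0
    shift
    for v in "$@"; do
      [ -n "$(val "$v")" ] || echo "$flag is on and requires $v"
    done
  }
  report() {
    secret=$(val NEXTAUTH_SECRET)
    case $secret in
      '')     echo 'NEXTAUTH_SECRET is missing' ;;
      # No shell runs a .env file, so $(...) would become the literal secret.
      *'$('*) echo 'NEXTAUTH_SECRET contains an unexpanded $(...)' ;;
      *)      [ "${#secret}" -ge 32 ] || echo 'NEXTAUTH_SECRET is shorter than 32 characters' ;;
    esac
    # Browsers expose WebAuthn only on https:// origins and on localhost.
    url=$(val APP_URL) passkeys=$(val ENABLE_PASSKEYS)
    if [ "${passkeys:-true}" = true ]; then
      case ${url:-http://localhost:3000} in
        https://*|http://localhost|http://localhost[:/]*) ;;
        *) echo 'ENABLE_PASSKEYS is on and requires an https:// APP_URL' ;;
      esac
    fi
    requires ENABLE_EMAIL_AUTH   true  EMAIL_SERVER EMAIL_FROM
    requires ENABLE_GITHUB_OAUTH false GITHUB_ID GITHUB_SECRET
    requires ENABLE_GOOGLE_OAUTH false GOOGLE_CLIENT_ID GOOGLE_CLIENT_SECRET
    requires ENABLE_AI           false ANTHROPIC_API_KEY
  }
  findings=$(report)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
)
# Constructed sample: secret pasted as a command substitution, AI on, no key.
demo=$(mktemp)
printf '%s\n' 'NEXTAUTH_SECRET=$(openssl rand -base64 32)' 'ENABLE_AI=true' >"$demo"
lynx_env_check "$demo" || echo 'fix the findings before docker compose up'
rm -f "$demo"
```

Email magic links are on by default, so the sample is also reported for the missing EMAIL_SERVER and EMAIL_FROM.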

AI Features Setup

AI-powered blueprint editing and wizard assistance are opt-in.

1. Get an Anthropic API Key

Sign up at console.anthropic.com and create an API key.

2. Set environment variables

ENABLE_AI=true
ANTHROPIC_API_KEY=sk-ant-...
AI_MODEL=claude-3-5-haiku-latest  # optional

3. Restart the container

AI buttons will appear automatically in the UI for all users.

Cost note: AI requests are billed by Anthropic to your API key. LynxPrompt does not add any surcharge. Monitor usage at the Anthropic dashboard.

Custom Branding

White-label LynxPrompt for your organization.

APP_NAME=MyCompany Prompts
APP_LOGO_URL=https://cdn.mycompany.com/logo.svg
CONTACT_EMAIL=support@mycompany.com
STATUS_PAGE_URL=https://status.mycompany.com

The app name is used throughout the UI, in page titles, email templates, and OpenGraph metadata. The logo replaces the default LynxPrompt logo in the header and email templates.

Database Architecture

LynxPrompt uses four Prisma clients, each with its own connection string. This allows flexible deployment topologies.

Single Database (recommended)

Point all four DATABASE_URL_* variables to the same PostgreSQL database. This is the default in docker-compose.selfhost.yml and is the simplest setup.

DATABASE_URL_APP=postgresql://...
DATABASE_URL_USERS=postgresql://...   # same
DATABASE_URL_BLOG=postgresql://...    # same
DATABASE_URL_SUPPORT=postgresql://... # same

Multi-Database

For larger deployments, split databases by concern. Each client connects to a separate database or server, allowing independent scaling and backup strategies.

DATABASE_URL_APP=postgresql://app-db/lynx
DATABASE_URL_USERS=postgresql://auth-db/users
DATABASE_URL_BLOG=postgresql://blog-db/blog
DATABASE_URL_SUPPORT=postgresql://sup-db/forum

CLI for Self-Hosted Instances

The LynxPrompt CLI works with self-hosted instances. After installing the CLI, point it to your instance:

lynxp config set-url https://lynxprompt.yourcompany.com
lynxp login

This stores the API URL locally. All subsequent CLI commands (push, pull, sync) will target your self-hosted instance instead of the public service.

Reverse Proxy & WAF

LynxPrompt works behind any reverse proxy (Nginx, Caddy, Traefik). However, if you use Cloudflare as a reverse proxy, there is an important caveat for the API.

Cloudflare WAF & Blueprint Content

Cloudflare's platform-level security layer inspects request bodies and blocks patterns that resemble OS command injection (e.g. ssh user@host, /etc/passwd). Since blueprints often contain infrastructure code, shell commands, and server configurations, these legitimate API calls can trigger HTTP 403 errors.

This protection is applied at Cloudflare's edge before configurable WAF rulesets run, and cannot be disabled via WAF exceptions or skip rules on any plan.

Recommended workaround:

Create a separate DNS record for API traffic that bypasses Cloudflare's proxy (DNS-only / grey cloud):

# Cloudflare DNS records:
#
# lynxprompt.yourcompany.com  →  A  your-ip  (Proxied, orange cloud)
# api.lynxprompt.yourcompany.com  →  A  your-ip  (DNS only, grey cloud)
#
# Then configure your reverse proxy to serve both domains,
# pointing to the same LynxPrompt backend.
#
# The CLI defaults to https://api.lynxprompt.com for the
# public instance. For self-hosted, point the CLI:
lynxp config set-url https://api.lynxprompt.yourcompany.com

The main domain keeps Cloudflare's CDN, DDoS protection, and caching for the web UI. The API subdomain resolves straight to your origin and gets none of that protection, so TLS and rate limiting for it are handled by your reverse proxy.

Not using Cloudflare? No action needed. Reverse proxies like Nginx, Caddy, and Traefik do not inspect request bodies by default and work out of the box.

Federation

Federation connects independent LynxPrompt instances into a shared network. Users on any federated instance can discover and download blueprints published on other instances.

1. Enable federation

ENABLE_FEDERATION=true
FEDERATION_REGISTRY_URL=https://registry.lynxprompt.com

2. Restart the container

Your instance will register with the federation registry and begin syncing the blueprint index.

3. Browse federated blueprints

Blueprints from other instances appear alongside local ones in the browse page, tagged with their origin instance.

Note: Federation is optional. Without it, your instance works as a fully standalone platform with its own local blueprint library.

Health Check

LynxPrompt exposes a health endpoint for monitoring and orchestration:

GET /api/health

# Healthy response (200):
{"status":"ok","db":"connected"}

# Unhealthy response (503):
{"status":"error","db":"disconnected"}

Use this endpoint in Docker health checks, Kubernetes liveness probes, or external monitoring tools like Uptime Kuma.

# Docker Compose healthcheck example
healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:3000/api/health"]
  interval: 30s
  timeout: 5s
  retries: 3
