Docs/Self-Hosted Setup

Self-Hosted Setup Guide

Run Tiker on your own infrastructure for maximum security and control. We actually recommend this for the tightest security.

Why self-host?

Self-hosting gives you:

Complete data control - Your data never leaves your network
No third-party trust - You verify the code, you run the infrastructure
Custom security policies - Integrate with your existing security stack
Air-gapped deployments - Run completely offline if needed

The tradeoff: you're responsible for uptime, updates, and security patches. If that sounds good to you, read on.

Prerequisites

Required

Node.js 20+ - We recommend using nvm for version management
PostgreSQL 14+ - For data persistence
OpenClaw - The agent runtime (npm install -g openclaw)

Why Tailscale?

Security recommendation

Never expose your OpenClaw gateway directly to the internet. Use Tailscale or a similar VPN to create a private network.

Tailscale creates a secure mesh network between your devices without opening ports to the public internet. This means:

No exposed ports - Your gateway isn't reachable from the internet
End-to-end encryption - Traffic is encrypted between nodes
Zero-config networking - Devices find each other automatically
Access control - Define who can reach what

Free tier is generous for personal use. Set it up at tailscale.com

Gateway tokens

Your OpenClaw gateway should always require authentication tokens. This prevents unauthorized access even on your private network.

# Generate a secure token
openssl rand -base64 32

# Set in your environment
export OPENCLAW_GATEWAY_TOKEN="your-generated-token"

# Or in your openclaw.yaml
gateway:
  token: "your-generated-token"
  host: "0.0.0.0"  # Bind to all interfaces (safe behind Tailscale)
  port: 18789

Why this matters: Even on a private network, defense in depth is critical. If someone gains access to your network, the token prevents them from controlling your agents.

Quick start

1. Clone and install

git clone https://github.com/chitownjk/tiker.git
cd tiker
npm install

2. Configure environment

cp .env.example .env.local

# Edit .env.local with your values:
DATABASE_URL="postgresql://user:pass@localhost:5432/tiker"
NEXTAUTH_SECRET="your-secret-here"
NEXTAUTH_URL="http://localhost:3000"

# AI provider keys (at least one)
ANTHROPIC_API_KEY="sk-ant-..."
OPENAI_API_KEY="sk-..."
GOOGLE_API_KEY="..."

3. Set up database

# Create database
createdb tiker

# Run migrations
npm run db:migrate

4. Start services

# Start the web app
npm run build
npm start

# In another terminal, start OpenClaw gateway
openclaw gateway start

Docker deployment

For production, we recommend Docker Compose:

# docker-compose.yml
version: '3.8'

services:
  web:
    build: .
    ports:
      - "3000:3000"
    environment:
      - DATABASE_URL=postgresql://tiker:password@db:5432/tiker
      - NEXTAUTH_URL=http://localhost:3000
    depends_on:
      - db
    restart: unless-stopped

  db:
    image: postgres:15-alpine
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=tiker
      - POSTGRES_PASSWORD=password
      - POSTGRES_DB=tiker
    restart: unless-stopped

  gateway:
    image: ghcr.io/openclaw/openclaw:latest
    environment:
      - OPENCLAW_GATEWAY_TOKEN=${GATEWAY_TOKEN}
    volumes:
      - ./workspace:/workspace
    restart: unless-stopped

volumes:
  postgres_data:

# Start everything
docker-compose up -d

Security checklist

Private network only
Gateway not exposed to public internet (use Tailscale/VPN)Gateway token configured
Strong random token set for OPENCLAW_GATEWAY_TOKENHTTPS enabled
TLS termination via reverse proxy (nginx/Caddy)Database secured
Strong password, not exposed to network, regular backupsSecrets management
API keys stored securely, not in gitUpdate schedule
Plan for regular security updates (git pull + rebuild)

Getting help

GitHub Issues

Bug reports and feature requests

Discord Community

Chat with other self-hosters

← Back to Security Overview