How do I choose between SACTL's four deployment methods?

Self-Hosted Docker Compose: single Linux server, PoC / internal testing / single-tenant private, ~30 minutes. Managed Cloud: SACTL hosts everything; small / medium teams that don't want to operate infrastructure, ~10 minutes. Kubernetes Helm: medium / large customers, multi-AZ HA, HPA auto-scaling, ~1 hour. Cloudflare Workers Edge: overseas projects, 200+ countries, global acceleration, ~45 minutes.

What components does Self-Hosted require?

Nine services: gateway-sidecar (Go data plane), admin-api (Go management plane), console (React admin UI), Portkey OSS (upstream routing), PostgreSQL 16, Redis (rate limiting + billing cache), Vault (secrets management), MinIO (Files API storage), Nginx (TLS termination). One docker compose up -d brings the whole thing up.

Can the Kubernetes deployment use existing RDS / ElastiCache / S3?

Yes. In values.yaml set postgres.external=true with dsn, redis.external=true with addr, minio.external=true with endpoint, vault.external=true with addr. SACTL is not bound to a specific cloud — AWS, GCP, Alibaba Cloud, and Tencent Cloud all work.

How do upgrades and backups work?

Upgrade: Self-Hosted runs docker compose pull && up -d; Kubernetes runs helm upgrade. SACTL's database schema is fully managed by goose; upgrades auto-migrate. Backup: monthly Postgres pg_dump + Vault operator snapshot, uploaded to S3 / MinIO. Billing history is strongly consistent — no data loss tolerated.

How does the Cloudflare Workers edge proxy work with the self-hosted gateway?

The edge proxy only handles auth, light rate limiting (CF Rate Limiting Rules + Worker KV doing lightweight GCRA), and upstream routing. Heavy logic (billing, pre-debit, Vault decrypt, audit, Schema validation) still runs in the self-hosted gateway-sidecar. Workers forward requests to the self-hosted sidecar — you get edge acceleration plus the strong consistency of the self-hosted side.

SACTL Deployment — Self-Hosted / Helm / Edge

The four deployment paths, side by side

Pick by team size, ops capacity, and compliance posture. One-liner: solo / small teams go Managed; medium / large teams go K8s Helm; teams with hard isolation requirements go Self-Hosted; overseas projects go Edge.

Dimension	Self-Hosted (Compose)	Managed Cloud	Kubernetes (Helm)	Cloudflare Edge
Typical scenario	PoC / internal test / single-tenant private	Small/medium team avoiding ops	Medium/large production, multi-AZ HA	Overseas projects, 200+ country acceleration
Time to live	30 minutes	10 minutes	~1 hour	45 minutes
Ops burden	You run the full stack	SACTL runs everything	K8s ops + external middleware	Cloudflare platform + your backend
SLA	Self-defined	99.5% (Managed standard)	Self-defined (cluster-dependent)	Cloudflare SLA
Data compliance	Fully sovereign	SACTL compliance stack	Fully sovereign	Edge proxy + your backend
Horizontal scaling	Manual (single host)	Transparent	HPA auto (3 → 30)	Auto (Workers global)
Cost structure	1 server + upstream tokens	Per-token + monthly fee	K8s + RDS/ES/Vault + upstream	Workers billing + backend
Upgrade flow	docker compose pull && up -d	SACTL auto-rolling	helm upgrade	wrangler deploy

Self-Hosted (Docker Compose)

Fits: PoC, internal testing, single-tenant private deployment, development environments. One Linux server (4 vCPU / 8GB RAM minimum) runs the full stack.

One-shot bring-up

git clone https://github.com/sactl/sactl-api.git
cd sactl-api

# Copy the env template, fill upstream key + OAuth + SMTP
cp .env.example .env
vim .env

docker compose up -d

Components

gateway-sidecar (Go) — hot-path data plane: auth + rate limit + billing + forwarding
admin-api (Go) — management plane: tenant / VK / billing queries
console (React) — admin UI
Portkey OSS — upstream routing + Key Pool
PostgreSQL 16 — primary store
Redis — GCRA rate limiting + billing cache
Vault — secrets (Provider key encryption)
MinIO — Files API binary storage
Nginx — TLS termination + reverse proxy

First-time initialisation

make init  # does four things:
  # 1. vault operator init + unseal (5 keys, threshold 3)
  # 2. run goose migrate
  # 3. create default tenant + admin user
  # 4. generate the first Virtual Key, printed once (sk-xa-prod-***)

VK shown once The Virtual Key plaintext is shown exactly once at creation. Lose it and the only path is rotation. The same applies to Vault unseal keys: 5 keys with threshold 3, lost = unrecoverable. Recommend splitting unseal keys across 5 different people.

Upgrade and backup

Upgrade: docker compose pull && docker compose up -d. Goose schema migrations run automatically.
Backup: monthly pg_dump full + Vault operator snapshot, uploaded to S3 / MinIO.
Rolling restart: docker compose restart gateway-sidecar (transparent to the hot path because Nginx fronts it).

Managed Cloud

Fits: small / medium teams, those who don't want to operate infrastructure, and customers who prefer monthly billing. SACTL hosts the full stack (PostgreSQL, Redis, Vault, MinIO, monitoring, alerting); you only integrate with the API.

Onboarding flow

Message Telegram support with tenant name, contact, and monthly budget cap.
Support provisions the tenant within 5 minutes and sends the admin portal URL plus the initial sk-xa-* Virtual Key.
Log in to the portal; create more VKs, set monthly budget caps, IP allowlists, allowed_models lists.
Point your client base_url at https://api.sactl.ai. Done.

What's different vs. Self-Hosted

You don't need to run Vault / Postgres / Redis / MinIO yourself — SACTL handles those.
Billing is per-token (Claude × 0.30, GPT as low as 1/30 of official) with no monthly service fee on top.
SLA: Managed standard 99.5%; large customers can negotiate annual frame deals at 99.9%.
Compliance: runs on the SACTL compliance stack (log allowlist, no PII at rest, HMAC VKs). If you have hard data-residency requirements, choose Self-Hosted or K8s.

Discuss specific arrangements via Telegram; pricing is volume-based.

Kubernetes (Helm)

Fits: medium / large customers, multi-AZ high-availability requirements, teams that want to reuse existing RDS / ElastiCache / Vault middleware, and HPA auto-scaling.

values.prod.yaml snippet

gatewaySidecar:
  replicas: 6
  resources:
    requests: {cpu: "500m", memory: "512Mi"}
    limits: {cpu: "2", memory: "2Gi"}
  hpa:
    enabled: true
    minReplicas: 3
    maxReplicas: 30
    targetCPUUtilizationPercentage: 60

postgres:
  external: true
  dsn: "postgres://sactl:***@rds.internal:5432/sactl?sslmode=require"

redis:
  external: true
  addr: "elasticache.internal:6379"

minio:
  external: true
  endpoint: "s3.amazonaws.com"  # or use AWS S3 directly

vault:
  external: true
  addr: "https://vault.internal:8200"
  approle: {role_id: "...", secret_id: "..."}

Install / upgrade

# Add repo
helm repo add sactl https://charts.sactl.ai
helm repo update

# First install
helm install sactl sactl/sactl-gateway \
  -f values.prod.yaml \
  -n sactl --create-namespace

# Upgrade to a specific version
helm upgrade sactl sactl/sactl-gateway \
  -f values.prod.yaml --version=N

# Rollback
helm rollback sactl PREVIOUS

External managed components

RDS Postgres 16: db.r6g.large minimum recommended; enable PITR.
ElastiCache Redis: cluster mode disabled; m6g.large is enough.
Vault: self-hosted or HashiCorp Cloud. Use AppRole; inject role_id / secret_id via ExternalSecret.
S3 / MinIO: any S3-compatible storage. Files have a 30-day lifecycle auto-purge.

HPA tuning gateway-sidecar is the hot path with a p99 SLO of 2ms; CPU is the bottleneck. targetCPU 60% works well for most loads. If your traffic is bursty (e.g. clients suddenly push 100x QPS), raise minReplicas to 6 to reduce cold-start latency.

Cloudflare Workers Edge Proxy

Fits: overseas projects, users distributed across 200+ countries, or teams sensitive to international acceleration. Push auth, rate limiting, and upstream routing onto Cloudflare's edge to cut cross-region latency.

Where it lives

Repository subdirectory deploy/edge-proxy/cloudflare-workers/. Contains the Worker code, a wrangler.toml template, KV namespace definitions, and CF Rate Limiting Rules config.

Capabilities

Rate limiting: CF Rate Limiting Rules + Worker KV for lightweight GCRA
Authentication: validate the sk-xa-* prefix and forward to the self-hosted backend for HMAC verification
Routing: edge nodes pick the nearest SACTL self-hosted origin (Tokyo / Frankfurt / Virginia)
Caching: prompt / response bodies are not cached (consistent with the pass-through service rule); only metadata like /v1/models is cached

Deploy

cd deploy/edge-proxy/cloudflare-workers
wrangler login

# Edit wrangler.toml: account_id / kv_namespaces.id / routes
vim wrangler.toml

# Set secrets
wrangler secret put SACTL_UPSTREAM_URL
wrangler secret put SACTL_VAULT_TOKEN

# Deploy
wrangler deploy

# Canary: cut 5% first, observe for 24h
# CF Dashboard → Workers Routes → set traffic percentage

How it works with the self-hosted backend The edge handles only the light logic (sk-xa-* prefix validation, rate limit, nearest-origin routing). The heavy logic (Vault decrypt, HMAC VK validation, billing pre-debit, schema validation, audit) still runs in the self-hosted gateway-sidecar. Workers act as a "pre-filter layer", not a replacement — you get edge acceleration plus self-hosted strong consistency.

Picked a path? Let Telegram help you walk through it

Not sure between Self-Hosted and Managed? Message Telegram support — we'll give you a 30-minute assessment and a recommendation. Free.

Contact on Telegram Read the integration docs

SACTL Deployment Guide

The four deployment paths, side by side

Self-Hosted (Docker Compose)

One-shot bring-up

Components

First-time initialisation

Upgrade and backup

Managed Cloud

Onboarding flow

What's different vs. Self-Hosted

Kubernetes (Helm)

values.prod.yaml snippet

Install / upgrade

External managed components

Cloudflare Workers Edge Proxy

Where it lives

Capabilities

Deploy

Picked a path? Let Telegram help you walk through it