> **Building with AI coding agents?** Install the authstack plugin with one command. This equips your agent with accurate Scalekit implementation patterns. > > **Recommended**: > ```bash > npx @scalekit-inc/cli setup > ``` > > Global: > ```bash > npm install -g @scalekit-inc/cli > scalekit setup > ``` > > Supports Claude Code, Cursor, GitHub Copilot, Codex + skills for 40+ agents. > Features: full-stack-auth, agent-auth, mcp-auth, modular-sso, modular-scim. > [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/) --- # Install Scalekit Deploy Scalekit on a Kubernetes cluster using Helm and the Gateway API. export const kubectlConnectCmd = `kubectl apply -n \${NAMESPACE} -f ""` You will deploy Scalekit on any Kubernetes cluster using the Helm chart from the distribution portal and the Kubernetes Gateway API for ingress. This helps you complete a production installation with external PostgreSQL, Redis, and properly managed secrets. 1. ### Create a personal access token Log in to the Scalekit distribution portal. This token authenticates your cluster to pull both the Helm chart and container images from the Scalekit container registry. > Image: Scalekit distribution portal login After signing in you will see the portal home page. > Image: Scalekit distribution portal home Click the **profile icon** in the top-right corner. > Image: Profile icon in the top-right corner In the dropdown, select **Personal Access Tokens**. > Image: Profile dropdown menu with Personal Access Tokens option You will see the Personal Access Tokens page. Click **+ Create token**. > Image: Personal Access Tokens page A form slides in. Enter a **Label** and set an **Expires At** date, then click **+ Create**. > Image: Create a Personal Access Token form Your token is displayed once — **copy it immediately.** It cannot be retrieved after you leave this page. Note the expiry date and rotate before it lapses; a lapsed token causes `ImagePullBackOff` on new deployments and upgrades. > Image: Token displayed after creation: copy it now 2. ### Run the setup script The [setup script](/self-hosted/setup-script/) collects your configuration interactively and generates two files: a secrets script and a `values.yaml`. Copy the script from that page, then run it: ```bash chmod +x setup-secrets.sh bash setup-secrets.sh ``` When prompted for environment, select the option that matches your target: - **1. Minikube** (local, uses nginx ingress) - **2. GCP / GKE** (configures GKE Gateway and NEG annotations) - **3. Other Kubernetes cluster** (generic config, add your own ingress) - **4. Evaluation** (bundled PostgreSQL and Redis; minimal setup) The script walks you through namespace, PostgreSQL, Redis, SMTP, registry token, domain, and admin user settings. GKE-specific Gateway settings are only collected for option `2`. When the script finishes, it prints the paths to two generated files. Before proceeding, open each file and verify the values are correct. **`values-gke-.yaml`**: confirm: - `app.domain` matches your intended domain - `database.host`, `database.name`, and `database.user` point to the right PostgreSQL instance - `redis.host` points to the right Redis instance - `seedData.adminUser.email` is the address you want for the initial admin login - `gateway.className` and `gateway.annotations` match your cluster's gateway configuration **`scalekit-secrets-gke-.sh`**: confirm: - The namespace at the top matches your intended namespace - Database and Redis connection strings in `db-migrations` and `authentication-secret` are correct - The registry token in `artifact-registry-secret` is the one you just created 3. ### Apply the Kubernetes secrets Run the secrets script the setup script generated: ```bash bash scalekit-secrets-gke-.sh ``` Set the namespace (defaults to the value used in the setup script): ```bash # Set once for your deployment NAMESPACE=${NAMESPACE:-scalekit} ``` Verify all secrets were created: ```bash kubectl get secrets -n ${NAMESPACE} ``` Expected secrets: `authentication-service-token`, `db-migrations`, `authentication-secret`, `svix-secrets`, `artifact-registry-secret`. If you ran the script with `--enable-openfga`, `openfga-secrets` will also be present. 4. ### Create a deployment Deployments are created through the Scalekit distribution portal. #### Open Deployments In the left sidebar, click **Deployments**, then click **+ New Deployment** in the top-right corner. > Image: Deployments page #### Select the application In the **Create New Deployment** dialog, select **Scalekit Onprem** and click **Continue**. > Image: Create New Deployment: select Scalekit Onprem #### Configure the deployment > Image: Deployment Configuration form - **Deployment Name**: any name you choose; `scalekit` is recommended - **Kubernetes Namespace**: must match the namespace you used in step 3 - Leave **Enable cluster-scoped permissions** checked - Leave **Set custom resource requirements for the Distr agent** unchecked Click **Continue**. #### Select a version and add values > Image: Application Configuration form - **Version**: select the latest available version from the dropdown - **Helm release name**: leave as `scalekit` or set your own - **Helm values**: paste the full contents of `values-gke-.yaml` generated by the setup script Click **Create Deployment**. The portal moves to the **Deploy** step and shows a `kubectl apply` command. #### Connect your cluster The portal shows a **Deployment Created Successfully** screen with a `kubectl apply` command. > Image: Deployment created successfully: copy the kubectl command Click **Copy Command** and run it on your cluster: > caution: Databases must exist before connecting > > The deployment triggers database migrations on connect. If any of the three PostgreSQL databases (`scalekit`, `webhooks`, `openfga`) do not exist, the migration will fail. The setup script prints the exact `CREATE DATABASE` commands to run if needed. 5. ### Update DNS Once the Gateway is up, get its external IP: ```bash kubectl get gateway -n ${NAMESPACE} ``` Copy the external IP from the `ADDRESS` column. In your DNS provider, create a wildcard `A` record pointing to it: ``` *. ``` DNS propagation can take a few minutes. You can verify with: ```bash dig app. ``` 6. ### Verify the deployment ```bash kubectl get pods -n ${NAMESPACE} ``` All pods should show `Running` status. Open the admin dashboard at `https://app.` and sign in with the admin credentials you provided during setup. Next, Upgrades and maintenance will help you update to new versions through the portal and handle routine tasks like certificate renewal. --- ## More Scalekit documentation | Resource | What it contains | When to use it | |----------|-----------------|----------------| | [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content | | [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas | | [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |