Deploy the backend and dashboard inside your own environment. Your logs never leave your infrastructure — Blocklog has no access to your data.
Data guarantee
When self-hosted, all agent logs, trace data, and decision records stay entirely within your infrastructure. Blocklog only validates your license key against licenses.blocklog.dev — no log content is ever transmitted externally.
Licensing
Free Trial, Then Paid
After signing up, you will receive an email containing:
blocklog-backend.tar — the backend Docker image
blocklog-dashboard.tar — the dashboard Docker image
Your BLOCKLOG_LICENSE_KEY — valid for 30 days free, then a paid plan
Note
The backend and dashboard repos are private. You interact with Blocklog exclusively through the Docker images provided via email. Updates are delivered as new image files.
Prerequisites
What You Need Before Starting
Container runtime
Docker & Docker Compose (single-node) or Kubernetes (scaled)
The backend exposes a FastAPI application on port 8000. The dashboard is a Next.js app on port 3000. Both are fronted by an nginx reverse proxy that handles TLS and traffic forwarding.
Docker Compose Quickstart
Deploy in 5 Steps
Step 1
Load the backend image
Load the Docker image from the file you received via email, then copy the example environment file.
# You will receive the Docker image via email after license activation.
# Load the image, then set up your environment:
docker load -i blocklog-backend.tar
cp .env.example .env
Step 2
Configure the backend environment
Edit .env and fill in the required values. The license key, JWT secret, database URL, and Redis URL are mandatory.
# License (provided via email — 30-day free trial, then paid)
BLOCKLOG_LICENSE_KEY=bl_live_your_key_here
# Security — generate long random strings for each
JWT_SECRET_KEY=generate_a_long_random_string
API_KEY_SALT=generate_another_random_string
# Database
DATABASE_URL=postgresql://user:password@db_host:5432/blocklog
# Redis
REDIS_URL=redis://redis_host:6379/0
# CORS — add your dashboard domain here
CORS_ORIGINS=http://localhost:3000,https://your-dashboard-domain.com
Security
Never store wallet private keys in a .env file in production. Use AWS Secrets Manager, HashiCorp Vault, or your cloud provider's secrets service instead.
Step 3
Start the backend stack
Run migrations and bring up all services. This starts the API, Celery workers, Celery scheduler, and the nginx proxy.
# Run database migrations
make migrate
# Start the full stack
make prod-up
apiCore FastAPI application on port 8000
workerCelery workers for hash chaining and log sealing
beatCelery scheduler for periodic batch sealing
nginxReverse proxy handling TLS and traffic forwarding
Step 4
Load and start the dashboard
Load the dashboard image and point it at your backend URL.
# Load the dashboard image received via email:
docker load -i blocklog-dashboard.tar
# Configure backend URL
NEXT_PUBLIC_BLOCKLOG_API_BASE_URL=https://your-backend-url/api/v1
docker-compose up -d
# Dashboard available at http://localhost:3000
Step 5
Verify the deployment
Check that all services are healthy, test the API, and open the dashboard.
# Check service health
docker compose ps
docker compose logs -f api
# Test the API
curl http://localhost:8000/health
# Open the dashboard
open http://localhost:3000
Updates
Upgrading to a New Version
When a new version is available, you will receive updated image files via email. Load and restart each service in place:
# Backend
docker load -i blocklog-backend-vX.Y.Z.tar
docker compose up -d
# Dashboard
docker load -i blocklog-dashboard-vX.Y.Z.tar
docker-compose up -d
Secrets Management
Keep Credentials Out of .env in Production
Storing credentials in .env is fine for evaluation. For production, move them to a dedicated secrets manager. Example using AWS Secrets Manager:
Reference secrets in your ECS task definition or inject them via your deployment pipeline. Never commit .env files containing real credentials to version control.
Network
Deploying Inside a VPC
Recommended topology: place all Blocklog services in a private subnet behind an internal load balancer that accepts HTTPS only. Outbound access is required only for:
License validation
licenses.blocklog.dev — no log data sent, only a valid/invalid response
All customer log data stays within your subnet.
CORS
Allowing the Dashboard to Reach the Backend
Add your dashboard domain to CORS_ORIGINS in the backend .env. If you change the dashboard domain later, update this value and restart the backend.