Self-Hosting

Run Blocklog in Your Own Infrastructure

Deploy the backend and dashboard inside your own environment. Your logs never leave your infrastructure — Blocklog has no access to your data.

Data guarantee

When self-hosted, all agent logs, trace data, and decision records stay entirely within your infrastructure. Blocklog only validates your license key against licenses.blocklog.dev — no log content is ever transmitted externally.

Licensing

Free Trial, Then Paid

After signing up, you will receive an email containing:

  • blocklog-backend.tar — the backend Docker image
  • blocklog-dashboard.tar — the dashboard Docker image
  • Your BLOCKLOG_LICENSE_KEY — valid for 30 days free, then a paid plan

Note

The backend and dashboard repos are private. You interact with Blocklog exclusively through the Docker images provided via email. Updates are delivered as new image files.

Prerequisites

What You Need Before Starting

Container runtime

Docker & Docker Compose (single-node) or Kubernetes (scaled)

Database

PostgreSQL 14+

Task queue

Redis 6+

License key

Provided in your onboarding email

Architecture

What Gets Deployed

ImageDescriptionSource
blocklog-backend.tarCore API, Celery workers, PostgreSQL adapter, Redis adapterDelivered via email
blocklog-dashboard.tarEngineer dashboard + compliance consoleDelivered via email

The backend exposes a FastAPI application on port 8000. The dashboard is a Next.js app on port 3000. Both are fronted by an nginx reverse proxy that handles TLS and traffic forwarding.

Docker Compose Quickstart

Deploy in 5 Steps

Step 1

Load the backend image

Load the Docker image from the file you received via email, then copy the example environment file.

# You will receive the Docker image via email after license activation.
# Load the image, then set up your environment:
docker load -i blocklog-backend.tar
cp .env.example .env

Step 2

Configure the backend environment

Edit .env and fill in the required values. The license key, JWT secret, database URL, and Redis URL are mandatory.

# License (provided via email — 30-day free trial, then paid)
BLOCKLOG_LICENSE_KEY=bl_live_your_key_here

# Security — generate long random strings for each
JWT_SECRET_KEY=generate_a_long_random_string
API_KEY_SALT=generate_another_random_string

# Database
DATABASE_URL=postgresql://user:password@db_host:5432/blocklog

# Redis
REDIS_URL=redis://redis_host:6379/0

# CORS — add your dashboard domain here
CORS_ORIGINS=http://localhost:3000,https://your-dashboard-domain.com

Security

Never store wallet private keys in a .env file in production. Use AWS Secrets Manager, HashiCorp Vault, or your cloud provider's secrets service instead.

Step 3

Start the backend stack

Run migrations and bring up all services. This starts the API, Celery workers, Celery scheduler, and the nginx proxy.

# Run database migrations
make migrate

# Start the full stack
make prod-up
apiCore FastAPI application on port 8000
workerCelery workers for hash chaining and log sealing
beatCelery scheduler for periodic batch sealing
nginxReverse proxy handling TLS and traffic forwarding

Step 4

Load and start the dashboard

Load the dashboard image and point it at your backend URL.

# Load the dashboard image received via email:
docker load -i blocklog-dashboard.tar

# Configure backend URL
NEXT_PUBLIC_BLOCKLOG_API_BASE_URL=https://your-backend-url/api/v1
docker-compose up -d
# Dashboard available at http://localhost:3000

Step 5

Verify the deployment

Check that all services are healthy, test the API, and open the dashboard.

# Check service health
docker compose ps
docker compose logs -f api

# Test the API
curl http://localhost:8000/health

# Open the dashboard
open http://localhost:3000

Updates

Upgrading to a New Version

When a new version is available, you will receive updated image files via email. Load and restart each service in place:

# Backend
docker load -i blocklog-backend-vX.Y.Z.tar
docker compose up -d

# Dashboard
docker load -i blocklog-dashboard-vX.Y.Z.tar
docker-compose up -d

Secrets Management

Keep Credentials Out of .env in Production

Storing credentials in .env is fine for evaluation. For production, move them to a dedicated secrets manager. Example using AWS Secrets Manager:

aws secretsmanager create-secret \
  --name blocklog/jwt-secret \
  --secret-string "your_jwt_secret"

Reference secrets in your ECS task definition or inject them via your deployment pipeline. Never commit .env files containing real credentials to version control.

Network

Deploying Inside a VPC

Recommended topology: place all Blocklog services in a private subnet behind an internal load balancer that accepts HTTPS only. Outbound access is required only for:

License validation

licenses.blocklog.dev — no log data sent, only a valid/invalid response

All customer log data stays within your subnet.

CORS

Allowing the Dashboard to Reach the Backend

Add your dashboard domain to CORS_ORIGINS in the backend .env. If you change the dashboard domain later, update this value and restart the backend.

CORS_ORIGINS=http://localhost:3000,https://your-dashboard-domain.com

Data Access

What Blocklog Can and Cannot See

Blocklog (Cloud)Your Self-Hosted Instance
Your agent logs✗ Never✓ Yes
Your trace data✗ Never✓ Yes
Log content✗ Never✓ Yes
Instance version✓ Telemetry only
License status✓ Valid / invalid

Infrastructure

Hardware Requirements

Evaluation

  • 2 vCPU
  • 4 GB RAM
  • 50 GB SSD

Production

  • 4 vCPU
  • 8 GB RAM
  • 100+ GB SSD

High-Volume

  • 8+ vCPU
  • 16+ GB RAM
  • Managed PostgreSQL (RDS or equivalent)

Backup

Recommended Backup Policy

Daily PostgreSQL backups
Database replication for production
Immutable ledger exports to WORM storage
30+ day retention policy

Troubleshooting

Common Issues

Services won't start

Check for missing environment variables or database connection errors.

docker compose logs api
# Check for missing env variables or DB connection errors

Database migration fails

docker compose logs db
make migrate

License validation fails

Ensure outbound access to licenses.blocklog.dev is not blocked by your firewall or VPC security groups.

# Ensure outbound access to licenses.blocklog.dev is not blocked
docker compose logs api | grep license

Dashboard can't reach backend (CORS error)

Add the dashboard URL to CORS_ORIGINS in the backend .env, then restart.

# Add your dashboard URL to CORS_ORIGINS in backend .env, then restart
docker compose restart api

Charts not rendering in the dashboard

The dashboard container may be hitting its memory limit.

# Add to docker-compose.yml under the dashboard service:
mem_limit: 512m

Support

For deployment help, email founder@blocklogsecurity.com or open an issue at github.com/soumyasurana/blocklog-dashboard.