Deployment
Run kRouter on a VPS, in Docker, behind PM2, or as a cloud worker. Production-ready configurations and environment variables.
kRouter ships with three deployment paths. Pick the one that matches your infrastructure.
VPS deployment
The cheapest production setup: a $5/month VPS with Node 20+.
# Pull and install
git clone https://github.com/sifxprime/krouter.git
cd krouter
npm install
npm run build:deploy
# Set production env vars
export JWT_SECRET="generate-a-long-random-string"
export INITIAL_PASSWORD="your-first-login-password"
export DATA_DIR="/var/lib/krouter"
export PORT="20128"
export HOSTNAME="0.0.0.0"
export NODE_ENV="production"
export AUTH_COOKIE_SECURE="true" # required behind HTTPS
# Start
npm run start
For long-running operation use PM2:
npm install -g pm2
pm2 start npm --name krouter -- start
pm2 save
pm2 startup # auto-restart on reboot
Docker
The official image is published to Docker Hub and GitHub Container Registry, multi-arch (linux/amd64 + linux/arm64).
docker run -d \
  --name krouter \
  -p 20128:20128 \
  -v "$HOME/.krouter:/app/data" \
  -e DATA_DIR=/app/data \
  -e JWT_SECRET="..." \
  -e INITIAL_PASSWORD="..." \
  sifxprime/krouter:latest
The bind mount keeps your SQLite database and OAuth refresh tokens on the host so container restarts don't lose state.
Cloudflare Workers
For global edge deployment with no servers to manage. kRouter compiles to a Worker bundle, with state stored in D1 (Cloudflare's SQLite).
This is an advanced path — see the Cloudflare deployment guide on GitHub for the wrangler config and D1 migration steps.
Environment variables
| Variable | Default | Purpose |
|---|---|---|
| JWT_SECRET | auto-generated at ~/.krouter/jwt-secret | Signs the dashboard auth cookie |
| INITIAL_PASSWORD | 123456 | First-login password when no hash exists |
| DATA_DIR | ~/.krouter | SQLite + cert + runtime state location |
| PORT | framework default | HTTP port (use 20128 for consistency) |
| HOSTNAME | framework default | Bind host (0.0.0.0 for Docker) |
| NODE_ENV | runtime default | Set production for deploy |
| AUTH_COOKIE_SECURE | false | Set true behind HTTPS reverse proxy |
| REQUIRE_API_KEY | false | Force Bearer auth on /v1/* (recommended for public endpoints) |
| API_KEY_SECRET | endpoint-proxy-api-key-secret | HMAC secret for generated API keys |
| BASE_URL | http://localhost:20128 | Server-side internal base URL (cloud sync) |
| HTTP_PROXY / HTTPS_PROXY | empty | Optional outbound proxy for upstream calls |
| ENABLE_REQUEST_LOGS | false | Enable logs/ directory for request traces |
Reverse proxy (HTTPS, custom domain)
Most users put kRouter behind Cloudflare Tunnel or Nginx for HTTPS:
server {
    listen 443 ssl;
    server_name router.example.com;
    ssl_certificate /etc/letsencrypt/live/router.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/router.example.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:20128;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering off; # critical for SSE streaming
        proxy_read_timeout 600s;
    }
}
Set AUTH_COOKIE_SECURE=true and REQUIRE_API_KEY=true when exposing publicly.
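A preflight check for the settings above, as an added example that is not part of kRouter or its documentation: it refuses the defaults from the environment variable table and the placeholder values used in this page's examples. The function name `krouter_preflight` and the 32-character floor for `JWT_SECRET` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of kRouter. krouter_preflight is a hypothetical helper
# that checks the variables from this page before the instance is exposed.
# Usage: . ./preflight.sh && krouter_preflight && npm run start

krouter_preflight() {
    fails=0
    fail() { echo "FAIL: $1" >&2; fails=$((fails + 1)); }

    # The documented default (123456) and the placeholders shown in the
    # examples on this page are public, so none of them may reach production.
    case "${INITIAL_PASSWORD:-123456}" in
        123456|your-first-login-password|...)
            fail "INITIAL_PASSWORD is unset, the default, or a placeholder" ;;
    esac

    # Same for the HMAC secret behind generated API keys.
    case "${API_KEY_SECRET:-endpoint-proxy-api-key-secret}" in
        endpoint-proxy-api-key-secret)
            fail "API_KEY_SECRET is unset or the documented default" ;;
    esac

    # Unset JWT_SECRET is accepted: the table says one is auto-generated.
    # An explicit value must not be a placeholder; the 32-character floor
    # is an assumption of this example, not a kRouter requirement.
    if [ -n "${JWT_SECRET:-}" ]; then
        case "$JWT_SECRET" in
            generate-a-long-random-string|...)
                fail "JWT_SECRET is a placeholder from the docs" ;;
            *)
                [ "${#JWT_SECRET}" -ge 32 ] ||
                    fail "JWT_SECRET is shorter than 32 characters" ;;
        esac
    fi

    # Both default to false and must be switched on for public exposure.
    [ "${AUTH_COOKIE_SECURE:-false}" = "true" ] ||
        fail "AUTH_COOKIE_SECURE is not true"
    [ "${REQUIRE_API_KEY:-false}" = "true" ] ||
        fail "REQUIRE_API_KEY is not true (Bearer auth not enforced on /v1/*)"

    return "$fails"   # number of failed checks; 0 means ready
}
```

The return status is the number of failed checks, so the function can gate `npm run start` or a `docker run` wrapper directly.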
Data persistence
Everything kRouter persists lives under ${DATA_DIR}/:
${DATA_DIR}/
├── db/
│ ├── data.sqlite # main DB — providers, combos, settings, history
│ └── backups/ # automated backups
├── certs/ # MITM root CA (only if MITM mode enabled)
└── logs/ # request logs if ENABLE_REQUEST_LOGS=true
Back up db/data.sqlite for full disaster recovery. Delete ${DATA_DIR} for a clean reset.
Updating in production
# Git clone install
cd krouter
git pull
npm install
npm run build:deploy
pm2 restart krouter
# Docker
docker pull sifxprime/krouter:latest
docker rm -f krouter
docker run -d ... sifxprime/krouter:latest
kRouter auto-migrates the SQLite schema on first launch of a new version. No manual migration steps.
Where to go next
- Security — JWT, SSRF guards, MITM cert handling
- Architecture — how the routing engine works
- Core Concepts — combos, RTK, quota tracking