Skip to main content
KaireonAI supports three deployment paths depending on your needs:

Local Development

Run on your machine with PostgreSQL and optional Redis. Best for development and evaluation.

Cloud (App Runner)

Deploy to AWS App Runner with Supabase (PostgreSQL) and Upstash (Redis). Fully managed, no servers to maintain.

Kubernetes (Helm)

Self-hosted on any Kubernetes cluster using the provided Helm chart. Full control over infrastructure.

Comparison

LocalCloud (App Runner)Kubernetes (Helm)
Best forDevelopment, evaluationSmall-to-medium productionEnterprise production
DatabaseLocal PostgreSQLSupabaseSelf-managed / RDS
CacheLocal Redis (optional)UpstashSelf-managed Redis
ScalingSingle instanceAuto-scaling (App Runner)HPA + custom policies
MonitoringDev toolsCloudWatchPrometheus + Grafana
TLSNot requiredAuto (App Runner)Ingress controller
Setup time5 minutes30 minutes1–2 hours

Docker Images

KaireonAI builds two Docker images:
ImagePurpose
kaireon-apiMain Next.js application (UI + API routes)
kaireon-workerBackground job processing (pipelines, model retraining)
You push images to Amazon ECR and tag them with the git SHA plus latest: 
docker build -t kaireon-api .
docker tag kaireon-api:latest <YOUR_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/kaireon-api:$(git rev-parse --short HEAD)
docker push <YOUR_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/kaireon-api:$(git rev-parse --short HEAD)

Environment Variables

All deployment methods use the same core environment variables. The platform validates these at startup and will fail fast if required values are missing in production.

Core (Required)

VariableRequiredDescription
DATABASE_URLYesPostgreSQL connection string (postgresql://...)
NEXTAUTH_SECRETYes (prod)Random secret for signing JWT sessions (min 32 chars in production)
NEXTAUTH_URLYes (prod)Public URL of the application (e.g., https://your-domain.com)

Security (Required in Production)

VariableRequiredDescription
JWT_SIGNING_SECRETYes (prod)Secret for signing API and OAuth tokens
CONNECTOR_ENCRYPTION_KEYYes (prod)AES-256 key for encrypting connector credentials at rest
CONNECTOR_ENCRYPTION_KEY_VERSIONNoCurrent key version (default: 1)
CONNECTOR_ENCRYPTION_KEY_PREVIOUSNoPrevious key for rotation
WEBHOOK_SIGNING_SECRETYes (prod)HMAC secret for signing outbound webhooks
API_KEY_PEPPERYes (prod)HMAC pepper for hashing API keys

Authentication

VariableRequiredDescription
GOOGLE_CLIENT_IDNoGoogle OAuth client ID (for SSO)
GOOGLE_CLIENT_SECRETNoGoogle OAuth client secret
SES_FROM_EMAILNoSender address for transactional emails (default: support@kaireonai.com)
AWS_REGIONNoAWS region for SES (default: us-east-1)

Infrastructure

VariableRequiredDescription
REDIS_URLNoRedis connection string for enrichment cache, rate limiting, circuit breakers, and event publishing
ML_WORKER_URLNoURL of the ML Worker for AI features (e.g., http://localhost:8000)
PG_POOL_MAXNoMax PostgreSQL pool connections (default: 50)
PORTNoHTTP port the platform process binds to (default: 3000)

Observability

VariableRequiredDescription
LOG_LEVELNoLogging level: debug, info, warn, error (default: info)
OTEL_EXPORTER_OTLP_ENDPOINTNoOpenTelemetry endpoint URL (enables distributed tracing when set)
SLOW_API_THRESHOLD_MSNoLog slow API calls exceeding this threshold (default: 150)

Security Headers

VariableRequiredDescription
CORS_ALLOWED_ORIGINSYes (prod)Comma-separated allowed origins (must not be * in production)
CSP_POLICYNoCustom Content Security Policy header
CSP_DISABLEDNoSet true to disable CSP (not recommended in production)

Decisioning Tuning

VariableRequiredDescription
RETRAIN_EVERY_NNoAuto-retrain models every N outcomes (default: 100)
ATTRIBUTION_TIMEOUT_MSNoTimeout for attribution lookups (default: 5000)
RATE_LIMIT_TIERNoRate limiting tier override
The following decisioning defaults are currently compiled-in constants rather than environment variables. To change one, edit the corresponding constant in the circuit-breaker module or the decision-flow engine module and redeploy:
DefaultValue
Max offers loaded per recommendation5,000
Fallback score when model scoring fails0.5
Daily limit on mandatory offer slots per customer5

Tenant Configuration

VariableRequiredDescription
SINGLE_TENANT_MODENoSet true to bypass tenant resolution (for single-tenant deploys)
PLATFORM_OWNER_TENANT_IDNoTenant ID for platform-level settings (default: default)
INTERNAL_SERVICE_SECRETNoShared secret for inter-service auth (falls back to NEXTAUTH_SECRET)

Worker

VariableRequiredDescription
WORKER_CONCURRENCYNoBullMQ worker concurrency (default: 5)
WORKER_METRICS_PORTNoPrometheus metrics port for worker (default: 9091)

Next Steps

Local Development

Get started with a local PostgreSQL and Redis setup.

Cloud Deployment

Deploy to AWS App Runner with Supabase and Upstash.