1. Quick Start (Dev)
Verify it’s running:
2. Generating a Production RSA Key
Grantex signs grant tokens with RSA-256. Generate a 2048-bit private key:RSA_PRIVATE_KEY.
Keep
private.pem out of source control. The JWKS endpoint exposes only the public key.3. Production Docker Compose
Prerequisites
- Docker 24+ with Compose v2
- A domain name with DNS pointing to your server
- TLS certificate (Let’s Encrypt for production)
Step 1 — Fill in the env file
.env.prod and replace every change-me-* placeholder. Set RSA_PRIVATE_KEY to the collapsed PEM and JWT_ISSUER to your public base URL.
Step 2 — Provide TLS certificates
Step 3 — Start the stack
4. Kubernetes / Helm
Prerequisites
- Kubernetes 1.26+, Helm 3.x
- Managed PostgreSQL and Redis
- An RSA private key (Section 2)
Install
Enable Ingress
Use an existing Secret
5. Environment Variable Reference
This table is a quick-start subset, not an exhaustive schema. Consultapps/auth-service/src/config.ts and .env.example from the exact release you deploy for all feature-specific settings and validation rules.
6. Database Migrations
Migrations run automatically on every startup. The auth service reads all*.sql files from the migrations/ directory and executes each one using idempotent DDL (CREATE TABLE IF NOT EXISTS, etc.).
The repository currently contains ordered migrations through 063, covering core authorization, webhooks, policy, enterprise identity, credentials, budgets, offline operation, trust registry, DPDP, commerce, and MCP certification-state integrity. Inspect the migration directory in the exact release you deploy rather than relying on a copied file count.
To upgrade, just restart the service — new migration files are applied automatically.
7. Key Rotation
- Generate a new RSA key pair (Section 2)
- Update
RSA_PRIVATE_KEYin your env file or Kubernetes secret - Restart the auth service
8. Health Checks & Monitoring
9. Backup & Recovery
PostgreSQL
Redis
Redis holds ephemeral token metadata and rate-limiting state. If Redis data is lost, in-flight auth requests will fail temporarily, but no permanent data is lost. PostgreSQL is the source of truth.10. Production Readiness Checklist
-
RSA_PRIVATE_KEYis a real 2048-bit RSA key -
POSTGRES_PASSWORDandREDIS_PASSWORDare strong random values -
SEED_API_KEYandSEED_SANDBOX_KEYare not set - TLS is enabled end-to-end
- Database and Redis ports are not exposed publicly
-
JWT_ISSUERmatches your public base URL exactly - Automated database backups are configured
- Health checks are wired into your load balancer
- CPU and memory limits are set
- Log forwarding is configured