Docs
Deployment
Self-hosted (docker)

Self-Hosting Instructions

Docker Image (opens in a new tab)

The Langfuse Server (includes API and Web UI) is open source and can be self-hosted using Docker.

Docker

Postgres database

You need to have a permanent Postgres database to persist the state of Langfuse. You can use a managed service on AWS, Azure, or GCP, or you can run it yourself. After setting it up, copy the connection string.

Deploy the container

Deploy the container to your infrastructure. You can use a managed service like AWS ECS, Azure Container Instances, or GCP Cloud Run, or you can run it yourself.

During the startup of the container, all database migrations will be applied automatically.

Environment variables:

  • Set DATABASE_URL to the connection string of your Postgres database.
    • Instead of DATABASE_URL, you can also use DATABASE_HOST, DATABASE_USERNAME, DATABASE_PASSWORD and DATABASE_NAME
  • Set NEXTAUTH_URL to the URL of your deployment, e.g. https://yourdomain.com or http://localhost:3000.
  • Secrets, generate them with at least 512 entropy using openssl rand -base64 32
    • NEXTAUTH_SECRET to secure the session JWTs.
    • SALT is used to salt the API key hashes.

Optionally:

  • PORT sets the port the server listens on (default: 3000).
  • HOSTNAME defaults to localhost. In some environments it needs to be set to 0.0.0.0 to be accessible from outside the container (e.g. Google Cloud Run).
  • Configure authentication:
    • NEXT_PUBLIC_SIGN_UP_DISABLED=true block all new sign ups. Only existing users can sign in.
    • Enable signing into Langfuse using OAuth/SSO providers. For detailed instructions, see NextAuth.js docs (opens in a new tab).
      • Google: AUTH_GOOGLE_CLIENT_ID and AUTH_GOOGLE_CLIENT_SECRET
      • GitHub: AUTH_GITHUB_CLIENT_ID and AUTH_GITHUB_CLIENT_SECRET
    • AUTH_DOMAINS_WITH_SSO_ENFORCEMENT is a comma-separated list of domains that are only allowed to sign in using SSO. Email/password sign in is disabled for these domains. E.g. domain1.com,domain2.com
    • AUTH_DISABLE_USERNAME_PASSWORD=true disables email/password sign for all users. Only OAuth/SSO providers can be used to sign in.
  • Configure default project for new users. When users create an account they will be automatically added to this project.
    • LANGFUSE_DEFAULT_PROJECT_ID is the ID of the project. You need to first create it in the UI.
    • LANGFUSE_DEFAULT_PROJECT_ROLE is the role of the user in the project. Possible values are ADMIN, MEMBER, VIEWER. Defaults to VIEWER. See project roles for details.
docker run --name langfuse \
-e DATABASE_URL=postgresql://<user>:<password>@<host>:<port>/<dbname> \
-e NEXTAUTH_URL=http://localhost:3000 \
-e NEXTAUTH_SECRET=mysecret \
-e SALT=mysalt \
-p 3000:3000 \
-a STDOUT \
ghcr.io/langfuse/langfuse:latest

Update Docker

Pull latest changes

docker pull ghcr.io/langfuse/langfuse:latest

Run container

docker run --name langfuse \
-e DATABASE_URL=postgresql://<user>:<password>@<host>:<port>/<dbname> \
-e NEXTAUTH_URL=http://localhost:3000 \
-e NEXTAUTH_SECRET=mysecret \
-e SALT=mysalt \
-p 3000:3000 \
-a STDOUT \
ghcr.io/langfuse/langfuse:latest

Health Check Endpoint

Langfuse includes a health check endpoint at /api/public/health. This endpoint checks both API functionality and database connectivity.

Access the health check endpoint:

curl http://localhost:3000/api/public/health

The potential responses from the health check endpoint are:

  • 200 OK: Both the API is functioning normally and a successful connection to the database was made.
  • 503 Service Unavailable: Either the API is not functioning or it couldn't establish a connection to the database.

Applications and monitoring services can call this endpoint periodically for health updates.

Troubleshooting

If you encounter issues, please make sure that you've done the following:

  • NEXTAUTH_URL exactly matches the url you're accessing Langfuse with. Pay attention to the protocol (http vs https) and the port (e.g. 3000 if you do not expose Langfuse on port 80).
  • Set HOSTNAME to 0.0.0.0 in case you cannot access Langfuse.
  • SSO: Make sure that the OAuth provider is configured correctly. The return path needs to match the NEXTAUTH_URL and the OAuth client needs to be configured with the correct callback URL.
  • Encode special characters in DATABASE_URL, see this StackOverflow answer (opens in a new tab) for details.

Railway

Deploy on Railway (opens in a new tab)

Support

If you encounter any issue, join us on Discord or contacts the maintainers: support@langfuse.com

For support of production deployments, the Langfuse team offers dedicated enterprise support. Reach out to learn more (enterprise@langfuse.com) or schedule a demo (opens in a new tab).

Alternatively, consider Langfuse Cloud for a fully managed version of Langfuse. You can read more about its security and privacy here.

Local (docker compose)Integrations overview

Was this page useful?

Questions? We're here to help

DiscordEmailTalk to founder