# Self-Hosted Deployment

```json
{"@context":"https://schema.org","@type":"TechArticle","name":"Self-Hosted Gateway \u2014 Mnemom","description":"Run the Mnemom gateway inside your own perimeter. Docker Compose for quickstart, Helm for production. Your data never leaves; only heartbeat and telemetry flow out.","url":"https://www.mnemom.ai/docs/self-hosted","inLanguage":"en-US","dateModified":"2026-05-28","publisher":{"@type":"Organization","@id":"https://www.mnemom.ai#organization","name":"Mnemom","url":"https://www.mnemom.ai"}}
```

# Self-hosted gateway.

Deploy the Mnemom gateway on your own infrastructure. Your data, prompts, and tool arguments never leave your network. Only heartbeat, telemetry, and signed verdict metadata flow to the Mnemom control plane.

## Architecture

The self-hosted gateway runs in your network. It proxies LLM calls, runs integrity checks locally, and streams telemetry back to the Mnemom control plane. Nothing sensitive leaves your perimeter.

```text
  Your Infrastructure                          Mnemom Cloud
 +---------------------------+                +------------------+
 |                           |                |                  |
 |  +--------+   +--------+ |  heartbeat     |  Control Plane   |
 |  |  App   |-->|Gateway |--+--------------->|  (api.mnemom.ai) |
 |  +--------+   +--------+ |  telemetry     |                  |
 |               |   |       |                |  Dashboard       |
 |               v   v       |                |  Alerts          |
 |          +------+ +-----+ |                |  Fleet Mgmt      |
 |          | AIP  | | LLM | |                +------------------+
 |          |Check | |Proxy | |
 |          +------+ +-----+ |
 |                   |       |
 +---------------------------+
                     |
                     v
              LLM Providers
          (OpenAI, Anthropic, etc.)
```

#### Stays inside your network

- Prompts, tool arguments, and LLM responses.
- Customer data, PII, and regulated payloads.
- Alignment Cards, card hashes, and proof chains.
- LLM provider credentials (OpenAI, Anthropic, etc.).

#### Sent to the control plane

- Heartbeat and version metadata (every 30s).
- Signed verdict summaries — labels, not content.
- Telemetry counters and anomaly statistics.
- Trust Rating calibration data (scores, not traces).

## Quickstart — Docker Compose

The fastest way to try the gateway. Spin it up, point your agent at it, and verify a signed integrity check in under five minutes.

#### 1\. Create your .env file

Drop the license JWT and org ID we sent you into a `.env` file alongside the compose file. Everything else is optional.

#### 2\. Create docker-compose.yml

```yaml
version: "3.8"

services:
  gateway:
    image: ghcr.io/mnemom/gateway:latest
    container_name: mnemom-gateway
    restart: unless-stopped
    ports:
      - "${GATEWAY_PORT:-8080}:8080"
    env_file:
      - .env
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    volumes:
      - gateway-data:/data

volumes:
  gateway-data:
```

#### 3\. Start the gateway

```bash
docker compose up -d
docker compose logs -f gateway
```

#### 4\. Verify it's healthy

```bash
curl http://localhost:8080/health
# Expected: {"status":"ok","version":"1.x.x"}
```
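
Before step 3, it is worth linting the two quickstart files, since `.env` holds the license JWT and any provider keys. The script below is an added example, not part of Mnemom's tooling; `preflight`, `env_get` and `finding` are hypothetical names, and the file-mode, digest-pinning and port-binding checks are general hardening assumptions rather than requirements stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight lint for the quickstart's .env and docker-compose.yml.
# Usage: sh preflight.sh DIR   (exit status = number of findings)

env_get() {   # env_get FILE KEY: last KEY=value in FILE, surrounding "quotes" stripped
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

finding() { printf 'FINDING: %s\n' "$1"; FINDINGS=$((FINDINGS + 1)); }

preflight() {
    env_file="$1/.env"; compose="$1/docker-compose.yml"; FINDINGS=0
    [ -f "$env_file" ] && [ -f "$compose" ] ||
        { finding "missing .env or docker-compose.yml"; return 1; }

    # The license JWT and any provider keys live here: no group/other access.
    [ "$(ls -l "$env_file" | cut -c5-10)" = "------" ] ||
        finding ".env is accessible beyond its owner (chmod 600 .env)"

    # A signed JWT in compact form is three base64url segments joined by dots.
    env_get "$env_file" MNEMOM_LICENSE_JWT |
        grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$' ||
        finding "MNEMOM_LICENSE_JWT missing or not a compact JWT"

    env_get "$env_file" MNEMOM_ORG_ID |
        grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' ||
        finding "MNEMOM_ORG_ID missing or not a UUID"

    # Optional override: heartbeat and telemetry should not travel over plain HTTP.
    case $(env_get "$env_file" MNEMOM_API_URL) in
        ''|https://*) ;;
        *) finding "MNEMOM_API_URL is set but not https://" ;;
    esac

    # A mutable tag such as :latest can change between pulls; pin by digest.
    grep -E '^[[:space:]]*image:' "$compose" | grep -Eq '@sha256:[0-9a-f]{64}' ||
        finding "image is not pinned by @sha256 digest"

    # HOSTPORT:8080 with no host IP is published on every host interface.
    if grep -Eq '^[[:space:]]*ports:' "$compose" &&
       ! grep -Eq '^[[:space:]]*- *"?[0-9]{1,3}(\.[0-9]{1,3}){3}:' "$compose"; then
        finding "port published on all interfaces; prefix the host IP clients use"
    fi
    return "$FINDINGS"
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run against the compose file exactly as shown in step 2, it reports the `:latest` tag and the unqualified port mapping; whether to act on the port finding depends on which hosts need to reach the gateway.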

## Production — Helm

For Kubernetes production deployments, the Helm chart is the supported path. TLS, ingress, autoscaling, and resource limits are first-class.

#### 1\. Add the Helm repo

```bash
helm repo add mnemom https://charts.mnemom.ai
helm repo update
```

#### 2\. Author your values.yaml

```yaml
# values.yaml
replicaCount: 2

gateway:
  licenseJwt: "<YOUR_LICENSE_JWT>"
  orgId: "<YOUR_ORG_ID>"
  region: "us-east-1"

resources:
  requests:
    memory: "512Mi"
    cpu: "250m"
  limits:
    memory: "2Gi"
    cpu: "1000m"

ingress:
  enabled: true
  className: nginx
  hosts:
    - host: gateway.internal.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: gateway-tls
      hosts:
        - gateway.internal.example.com

autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
```

#### 3\. Install the chart

```bash
helm install mnemom-gateway mnemom/gateway \
  -f values.yaml \
  -n mnemom --create-namespace
```

#### 4\. Verify the rollout

```bash
kubectl get pods -n mnemom
kubectl logs -f deployment/mnemom-gateway -n mnemom
```

## Configuration reference

Everything the gateway reads from the environment. Only license and org are required; the rest have sensible defaults.

| Variable | Required | Description |
| --- | --- | --- |
| `MNEMOM_LICENSE_JWT` | Required | Signed JWT that authorizes this gateway to call the Mnemom control plane. |
| `MNEMOM_ORG_ID` | Required | Your Mnemom organization UUID. Binds this gateway to your tenant. |
| `GATEWAY_PORT` | Optional | Port the gateway listens on. Defaults to 8080. |
| `GATEWAY_HOST` | Optional | Bind address for the gateway. Defaults to 0.0.0.0. |
| `MNEMOM_API_URL` | Optional | Mnemom control-plane URL. Only change for air-gapped mirrors. |
| `OPENAI_API_KEY` | Optional | Optional OpenAI key if the gateway proxies OpenAI calls. |
| `ANTHROPIC_API_KEY` | Optional | Optional Anthropic key if the gateway proxies Claude calls. |
| `MNEMOM_REGION` | Optional | Region label used in verdicts and telemetry (e.g. us-east-1). |
| `LOG_LEVEL` | Optional | debug \| info \| warn \| error. Defaults to info. |
| `TLS_CERT_PATH` | Optional | Absolute path to TLS cert if the gateway terminates TLS locally. |
| `TLS_KEY_PATH` | Optional | Absolute path to TLS key matching `TLS_CERT_PATH`. |
| `HEARTBEAT_INTERVAL_S` | Optional | Heartbeat interval in seconds. Defaults to 30. |
| `MAX_CONCURRENT_CHECKS` | Optional | Upper bound on concurrent integrity checks. Defaults to 256. |

## Managed vs self-hosted

| Feature | Managed | Self-hosted |
| --- | --- | --- |
| Infrastructure | Hosted by Mnemom on Cloudflare Workers. | Docker or Kubernetes inside your perimeter. |
| LLM routing | Through Mnemom's egress (observable, auditable). | Direct from your network to the LLM provider. |
| Time to install | Under 5 minutes. | About 30 minutes for Docker; 1–2 hours for Helm. |
| Scaling | Automatic. | You control the autoscaler; Helm chart ships sane defaults. |
| Dashboard | app.mnemom.ai. | app.mnemom.ai (reads from your gateway's telemetry). |
| Integrity checks | Included. | Included, run locally. |
| Drift detection | Included. | Included, run locally. |
| Data residency | US, EU regions. | Wherever you deploy — fully in your control. |
| Air-gapped / offline | Not supported. | Supported on Enterprise. |
| Self-managed model routing | Limited. | Full — any LLM provider or on-prem model. |
| SLA | 99.9% standard; custom on Enterprise. | You own the SLA; we support the gateway. |
| Plan required | All plans. | Enterprise only. |

## FAQ

### Does the gateway need outbound internet access?

### Can I run multiple gateways for different regions or environments?

### What data actually leaves my network?

### How do I update the gateway?

### What happens if the control plane is unreachable?

## Ready to deploy?

Self-hosted is an Enterprise tier feature. Tell us about your environment and we'll ship you the license and the Helm values to match.


---
_Source: /docs/self-hosted/index.html · Generated by build-markdown-mirrors.mjs · For agent-readability commitment #4 see https://www.mnemom.ai/for-agents_
