
Prerequisites

Before you begin, make sure you have the following installed and available:
  • Docker 24.0 or later
  • Docker Compose v2.20 or later
  • A domain or hostname where Pwnbook will be accessible (required when using WorkOS authentication)
The Docker Compose setup includes PostgreSQL and Redis containers. You do not need to provision those separately unless you want to use external managed instances.

Choosing an authentication provider

Pwnbook supports two authentication modes, configured via the AUTH_PROVIDER environment variable:
Mode         AUTH_PROVIDER value   Description
Local auth   local                 Built-in email/password authentication. No external dependencies. Best for self-hosted or internal deployments.
WorkOS       workos                Delegates authentication to WorkOS. Enables SSO, MFA, SAML, SCIM, and directory sync. Requires a WorkOS account.
For most self-hosted deployments, local auth is recommended. It requires no external accounts and works immediately.

Environment variables

Create a .env file in your deployment directory. The following variables are required or commonly configured:

Required (all modes)

Variable         Description
AUTH_PROVIDER    Authentication mode. Set to local or workos.
DATABASE_URL     PostgreSQL connection string. Example: postgresql://user:password@db:5432/pwnbook
SESSION_SECRET   A random secret of 32 or more characters, used to sign session tokens.
REDIS_URL        Redis connection string. Example: redis://redis:6379
PORT             Port the backend API listens on (default: 3001)
FRONTEND_URL     The public URL of your Pwnbook frontend. Example: https://pwnbook.example.com

Local auth variables

Required when AUTH_PROVIDER=local:
Variable         Description
ADMIN_EMAIL      Email address for the auto-seeded admin account (default: admin@local.net)
ADMIN_PASSWORD   Password for the auto-seeded admin account (default: @dminUser)
Change ADMIN_EMAIL and ADMIN_PASSWORD from their defaults before deploying to any non-local environment.

WorkOS variables

Required when AUTH_PROVIDER=workos:
Variable              Description
WORKOS_API_KEY        Your WorkOS API key
WORKOS_CLIENT_ID      Your WorkOS application client ID
WORKOS_REDIRECT_URI   The OAuth callback URL. Example: https://pwnbook.example.com/auth/callback

Optional

Variable                Description
STRIPE_SECRET_KEY       Enables billing features. Obtain from your Stripe dashboard.
ANTHROPIC_API_KEY       Enables the AI assistant using Anthropic's Claude models.
OPENAI_API_KEY          Enables the AI assistant using OpenAI's GPT models.
ELECTRON_FRONTEND_URL   URL used by the Electron desktop app to connect to this instance.
Never commit your .env file to version control. Store secrets in a secrets manager or use Docker secrets in production.
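A pre-flight check for the .env file is worth running before the first docker compose up, because the defaults above (the seeded admin credentials, a short SESSION_SECRET, a plain-http FRONTEND_URL) are exactly the things that get shipped by accident. The script below is an added example, not part of pwnbook-deploy: it reads the variables named in the tables above and reports anything missing or still at its default. It assumes unquoted KEY=VALUE lines; the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: validate a Pwnbook .env before deploying.
# Assumes plain KEY=VALUE lines (no quoting, no "export").

# Print the last value assigned to $2 in file $1, or nothing if unset.
env_get() {
  grep -E "^${2}=" "$1" | tail -n 1 | cut -d= -f2-
}

# Report problems one per line; return 1 if any were found.
check_env() {
  file="$1"
  rc=0
  provider=$(env_get "$file" AUTH_PROVIDER)

  # Variables the page lists as required in every mode.
  for key in AUTH_PROVIDER DATABASE_URL SESSION_SECRET REDIS_URL FRONTEND_URL; do
    [ -n "$(env_get "$file" "$key")" ] || { echo "missing: $key"; rc=1; }
  done

  # The page asks for a 32+ character session secret.
  secret=$(env_get "$file" SESSION_SECRET)
  [ "${#secret}" -ge 32 ] || { echo "SESSION_SECRET shorter than 32 characters"; rc=1; }

  case "$provider" in
    local)
      # The seeded admin defaults must not survive into a real deployment.
      [ "$(env_get "$file" ADMIN_EMAIL)" != "admin@local.net" ] \
        || { echo "ADMIN_EMAIL still default"; rc=1; }
      [ "$(env_get "$file" ADMIN_PASSWORD)" != "@dminUser" ] \
        || { echo "ADMIN_PASSWORD still default"; rc=1; }
      ;;
    workos)
      for key in WORKOS_API_KEY WORKOS_CLIENT_ID WORKOS_REDIRECT_URI; do
        [ -n "$(env_get "$file" "$key")" ] || { echo "missing: $key"; rc=1; }
      done
      ;;
    *)
      echo "AUTH_PROVIDER must be local or workos (got '$provider')"; rc=1
      ;;
  esac

  # Session cookies and OAuth callbacks should only travel over TLS.
  case "$(env_get "$file" FRONTEND_URL)" in
    https://*) ;;
    *) echo "FRONTEND_URL should use https in production"; rc=1 ;;
  esac
  return $rc
}

# Demonstration on a constructed .env that still carries the defaults.
sample=$(mktemp)
cat > "$sample" <<'EOF'
AUTH_PROVIDER=local
DATABASE_URL=postgresql://pwnbook:secret@db:5432/pwnbook
SESSION_SECRET=changeme
REDIS_URL=redis://redis:6379
FRONTEND_URL=http://pwnbook.example.com
ADMIN_EMAIL=admin@local.net
ADMIN_PASSWORD=@dminUser
EOF
if check_env "$sample"; then
  echo "env looks good"
else
  echo "fix the problems above before deploying"
fi
rm -f "$sample"
```

A suitable SESSION_SECRET can be generated with openssl rand -hex 32 (64 hex characters). The script only inspects the file; it deliberately never prints secret values, so its output is safe to keep in CI logs.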

Setup

1. Clone the deployment repository

git clone https://github.com/pwnbook/pwnbook-deploy.git
cd pwnbook-deploy
2. Configure your environment

Copy the example environment file and fill in your values:
cp .env.example .env
Edit .env with your editor. At minimum, set AUTH_PROVIDER, SESSION_SECRET, and the database/Redis URLs.
3. Configure authentication

Set AUTH_PROVIDER to local or workos in .env and add the matching variables from the Local auth variables or WorkOS variables section above.

4. Start the services

docker compose up -d
This starts the following containers:
  • frontend — React web application
  • backend — Fastify API server
  • recon-worker — Python recon scanning service
  • ai-worker — Python AI assistant service
  • db — PostgreSQL database
  • redis — Redis for the job queue
Database migrations run automatically on startup.
5. Verify the deployment

Check that all services are healthy:
docker compose ps
All services should show a status of running or healthy. You can also check individual service logs:
docker compose logs backend
docker compose logs recon-worker
Navigate to your configured FRONTEND_URL in a browser to confirm the application is accessible.

Optional services

Enabling billing with Stripe

To enable subscription billing:
  1. Create a Stripe account and obtain your secret key from the Stripe dashboard.
  2. Add STRIPE_SECRET_KEY to your .env file.
  3. Configure your Stripe webhook endpoint to point to https://your-domain.com/api/billing/webhook.
  4. Restart the backend service: docker compose restart backend.
See Billing Administration for full details on configuring plans and webhooks.

Enabling AI features

AI features require at least one of the following:
  • ANTHROPIC_API_KEY — Uses Claude models (recommended)
  • OPENAI_API_KEY — Uses GPT models
Add the key(s) to your .env file and restart the ai-worker:
docker compose restart ai-worker
Once running, server admins can configure the default AI provider through the admin panel. See AI Providers for more.

Reverse proxy configuration

In production, place Pwnbook behind a reverse proxy (e.g., nginx or Caddy) that handles TLS termination. Example nginx configuration:
server {
    listen 443 ssl;
    server_name pwnbook.example.com;

    ssl_certificate /etc/ssl/certs/pwnbook.crt;
    ssl_certificate_key /etc/ssl/private/pwnbook.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Database backup and restore

Manual backup

docker compose exec db pg_dump -U <db-user> <db-name> > backup.sql
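A one-line pg_dump is easy to automate badly: a dump that fails halfway leaves a truncated file that looks like a backup until the day it is needed. The wrapper below is an added example, not a pwnbook-deploy script. It assumes the Compose service name db from the setup step, takes the database user and name as arguments, and uses its own BACKUP_DIR and KEEP_DAYS parameters. It checks for pg_dump's header and "dump complete" footer before keeping a file, compresses it, restricts its permissions, and prunes old archives.

```shell
#!/bin/sh
# Added example: verified, rotated pg_dump backups of the Compose "db" service.
BACKUP_DIR="${BACKUP_DIR:-./backups}"   # where archives are written
KEEP_DAYS="${KEEP_DAYS:-14}"            # archives older than this are pruned

# A plain-text pg_dump starts with "-- PostgreSQL database dump" and ends
# with "-- PostgreSQL database dump complete"; anything else is incomplete.
verify_dump() {
  [ -s "$1" ] || return 1
  head -n 3 "$1" | grep -q '^-- PostgreSQL database dump$' || return 1
  tail -n 5 "$1" | grep -q '^-- PostgreSQL database dump complete$' || return 1
}

# Dump database $2 as user $1; print the archive path on success.
backup_db() {
  mkdir -p "$BACKUP_DIR"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  out="$BACKUP_DIR/pwnbook-$stamp.sql"
  # -T disables TTY allocation so the redirected output is not altered.
  if ! docker compose exec -T db pg_dump -U "$1" "$2" > "$out"; then
    rm -f "$out"
    echo "pg_dump failed" >&2
    return 1
  fi
  if ! verify_dump "$out"; then
    rm -f "$out"
    echo "dump failed verification, discarded" >&2
    return 1
  fi
  gzip "$out"
  chmod 600 "$out.gz"   # dumps contain user data; keep them owner-readable only
  echo "$out.gz"
}

# Remove archives older than KEEP_DAYS, printing what was deleted.
prune_backups() {
  [ -d "$BACKUP_DIR" ] || return 0
  find "$BACKUP_DIR" -name 'pwnbook-*.sql.gz' -type f -mtime +"$KEEP_DAYS" -print -delete
}

# Usage: DB_USER=pwnbook DB_NAME=pwnbook sh backup.sh run
if [ "${1:-}" = "run" ]; then
  backup_db "${DB_USER:?set DB_USER}" "${DB_NAME:?set DB_NAME}" && prune_backups
fi
```

Restore a verified archive with gunzip -c archive.sql.gz | docker compose exec -T db psql -U user dbname. Keep at least one copy off the host; a backup on the same disk as the database does not survive the failures it is meant to cover.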

Export / import

Pwnbook includes built-in scripts for exporting and importing the database, useful for migrating between hosts or creating portable snapshots:
# Export database (creates a timestamped archive in ./exports/)
docker compose exec backend npm run db:export

# Import a previously exported archive
docker compose exec backend npm run db:import
Always back up your database before upgrading.

Upgrading

To upgrade to a new Pwnbook version:
docker compose pull
docker compose up -d
Database migrations run automatically on startup. If you need to run them manually:
docker compose exec backend npm run db:migrate

Health checks

The backend exposes a health check endpoint at GET /api/health. You can use this with your monitoring system or load balancer:
curl https://pwnbook.example.com/api/health
# {"status":"ok","timestamp":"2025-01-01T00:00:00.000Z"}
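The verification step above (docker compose ps, then a browser check) and this health endpoint combine naturally into one post-deploy check that a pipeline or monitor can run. The script below is an added example, not part of pwnbook-deploy: it compares the running Compose services against the six listed in the setup step, then polls GET /api/health until the body reports status "ok". The service list and the JSON shape come from this page; the attempt count and delay are the script's own parameters, and the sample bodies in its demonstration are constructed.

```shell
#!/bin/sh
# Added example: post-deploy verification for a Pwnbook Compose stack.
EXPECTED_SERVICES="frontend backend recon-worker ai-worker db redis"

# $1 = newline-separated names of running services
#      (output of: docker compose ps --status running --services).
# Prints the expected services that are absent and returns 1 if any.
services_missing() {
  running="$1"
  missing=""
  for svc in $EXPECTED_SERVICES; do
    printf '%s\n' "$running" | grep -qx "$svc" || missing="$missing $svc"
  done
  [ -z "$missing" ] && return 0
  printf '%s\n' "${missing# }"
  return 1
}

# Return 0 when a /api/health body reports status "ok".
# Tolerates whitespace around the colon; not a general JSON parser.
health_ok() {
  printf '%s' "$1" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"ok"'
}

# Poll $1 until it reports ok; $2 = attempts (default 30), $3 = delay seconds (default 2).
wait_for_health() {
  url="$1"; attempts="${2:-30}"; delay="${3:-2}"
  i=1
  while [ "$i" -le "$attempts" ]; do
    if body=$(curl -fsS --max-time 5 "$url" 2>/dev/null) && health_ok "$body"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Usage: FRONTEND_URL=https://pwnbook.example.com sh verify.sh check
if [ "${1:-}" = "check" ]; then
  running=$(docker compose ps --status running --services)
  if ! services_missing "$running"; then
    echo "services not running (listed above)" >&2
    exit 1
  fi
  if ! wait_for_health "${FRONTEND_URL:?set FRONTEND_URL}/api/health"; then
    echo "backend did not become healthy" >&2
    exit 1
  fi
  echo "deployment healthy"
fi
```

The health check is deliberately polled rather than tried once: the backend runs migrations on startup, so a single request immediately after docker compose up can fail even on a correct deployment. Treat a timeout here as a signal to read docker compose logs backend, not as a reason to raise the attempt count.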