Skip to content
Klutch.sh Docs

Deploying a Logto App

Introduction

Logto is an open-source identity and access management platform built on Node.js. Deploying Logto with a Dockerfile on Klutch.sh provides reproducible builds, managed secrets, and persistent storage for user data and configuration—all managed from klutch.sh/app. This guide covers installation, repository prep, a production-ready Dockerfile, deployment steps, Nixpacks overrides, sample API usage, and production tips.

Prerequisites

  • A Klutch.sh account (create one)
  • A GitHub repository containing your Logto code/config (GitHub is the only supported git source)
  • Docker familiarity and Node.js 18+ knowledge
  • PostgreSQL credentials
  • Storage for logs and optional uploads

For onboarding, see the Quick Start.

Architecture and ports

  • Logto serves HTTP on port 3001; set the internal container port to 3001.
  • PostgreSQL should run as a separate Klutch.sh TCP app, exposed on port 8000 and connected internally on 5432.
  • Persistent storage is optional but recommended for logs/config if you update them at runtime.

Repository layout

logto/
├── Dockerfile              # Must be at repo root for auto-detection
├── package.json
├── pnpm-lock.yaml          # or yarn.lock / package-lock.json
├── .env.example            # Template only; no secrets
├── config/                 # Optional runtime configs
├── uploads/                # Optional uploads/logs (mount as volume)
└── README.md

Keep secrets out of Git; store them in Klutch.sh environment variables.

Installation (local) and starter commands

Install dependencies and run locally before pushing to GitHub:

Terminal window
pnpm install
pnpm build
pnpm start -- --port 3001

Optional helper start.sh for portability and Nixpacks fallback:

#!/usr/bin/env bash
set -euo pipefail
pnpm prisma migrate deploy || true
exec pnpm start -- --port 3001

Make it executable with chmod +x start.sh.

Dockerfile for Logto (production-ready)

Place this Dockerfile at the repo root; Klutch.sh auto-detects it (no Docker selection in the UI):

FROM node:18-alpine AS build
WORKDIR /app


COPY package.json pnpm-lock.yaml* yarn.lock* package-lock.json* ./
RUN corepack enable
RUN pnpm install --frozen-lockfile


COPY . .
RUN pnpm build


FROM node:18-alpine
WORKDIR /app
ENV NODE_ENV=production PORT=3001


COPY --from=build /app /app
RUN corepack enable && pnpm install --prod --frozen-lockfile


EXPOSE 3001
CMD ["pnpm", "start", "--", "--port", "3001"]

Notes:

  • Add build tools (apk add --no-cache python3 make g++) in the build stage if native modules are required.
  • Keep uploads/ writable and mount it as a volume if you store logs or assets there.

Environment variables (Klutch.sh)

Set these in the Klutch.sh app settings (Secrets tab) before deploying:

  • NODE_ENV=production
  • PORT=3001
  • DATABASE_URL=postgres://<user>:<password>@<host>:<port>/<db>
  • LOGTO_ADMIN_ENDPOINT=https://example-app.klutch.sh
  • LOGTO_SIGNING_KEY=<secure-signing-key>
  • NEXTAUTH_SECRET=<secure-nextauth-secret> (if applicable)
  • OAuth/Social provider keys as needed (e.g., GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET)

If you deploy without the Dockerfile and need Nixpacks overrides:

  • NIXPACKS_BUILD_CMD=pnpm install --frozen-lockfile && pnpm build
  • NIXPACKS_START_CMD=pnpm start -- --port 3001
  • NIXPACKS_NODE_VERSION=18

These keep Logto compatible with Nixpacks defaults when a Dockerfile is absent.

Attach persistent volumes

In Klutch.sh storage settings, add mount paths and sizes (no names required):

  • /app/uploads — optional if you store logs/assets locally.

Ensure this path is writable inside the container.

Deploy Logto on Klutch.sh (Dockerfile workflow)

  1. Push your repository (with the Dockerfile at the root) to GitHub.
  2. Open klutch.sh/app, create a project, and add an app.
  1. Connect the GitHub repository; Klutch.sh automatically detects the Dockerfile.
  2. Choose HTTP traffic for Logto.
  3. Set the internal port to 3001.
  4. Add the environment variables above (database URL, signing key, admin endpoint, provider keys, and any NIXPACKS_* overrides if you temporarily deploy without the Dockerfile).
  5. Attach a persistent volume for /app/uploads if you store logs/assets, choosing a size that fits your retention needs.
  6. Deploy. Your Logto instance will be reachable at https://example-app.klutch.sh; attach a custom domain if desired.

Sample API usage

Fetch system info (replace with your endpoint and token):

Terminal window
curl -X GET "https://example-app.klutch.sh/api/system/info" \
  -H "Authorization: Bearer <admin-token>"

Health checks and production tips

  • Add a reverse proxy probe to / or a lightweight status route.
  • Enforce HTTPS at the edge; forward HTTP to port 3001 internally.
  • Keep lockfiles committed and Node version pinned; test upgrades before applying.
  • Monitor PostgreSQL performance and set connection pools to match your deployment size.
  • Rotate signing keys and OAuth credentials regularly; store them only in Klutch.sh secrets.
  • Monitor disk usage on any attached volumes and resize before they fill.

Logto on Klutch.sh combines reproducible Docker builds with managed secrets, optional persistent storage, and flexible HTTP/TCP routing. With the Dockerfile at the repo root and port 3001 configured, you can deliver a secure identity platform without extra YAML or workflow overhead.