Run the CoreSDK control plane on your own infrastructure for full data sovereignty and enterprise compliance.

Self-Hosted Control Plane

Phase 3. The self-hosted control plane ships Phase 3. Contact sales@coresdk.io for early access.

The CoreSDK control plane is available as a Docker image you can run on-prem or in your own cloud account. Self-hosting gives you complete data sovereignty — no evaluation data, audit logs, or policy definitions leave your network.

Prerequisites

Docker Engine 24+ and Docker Compose v2, or a Kubernetes cluster (1.28+)
A PostgreSQL 15+ database (or use the bundled container)
An enterprise license key — contact sales@coresdk.io

Quick Start with Docker Compose

The fastest way to stand up the control plane locally or on a single VM:

# docker-compose.yml
version: "3.9"

services:
  # PostgreSQL — replace with your managed DB in production
  db:
    image: postgres:16-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: coresdk
      POSTGRES_USER: coresdk
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    volumes:
      - db-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U coresdk"]
      interval: 5s
      timeout: 5s
      retries: 5

  # CoreSDK control plane
  control-plane:
    image: ghcr.io/coresdk/control-plane:latest
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
    ports:
      - "7800:7800"   # gRPC (SDK connections)
      - "7801:7801"   # HTTP API (CLI + dashboard)
      - "7802:7802"   # Metrics (Prometheus)
    environment:
      CORESDK_LICENSE_KEY: ${CORESDK_LICENSE_KEY}
      CORESDK_DB_URL: postgres://coresdk:${DB_PASSWORD}@db:5432/coresdk
      CORESDK_ADMIN_TOKEN: ${CORESDK_ADMIN_TOKEN}
      CORESDK_JWKS_CACHE_TTL: 300          # seconds
      CORESDK_POLICY_STORE: postgres       # or "s3" / "gcs"
      CORESDK_LOG_LEVEL: info
      CORESDK_AUDIT_RETENTION_DAYS: 90

  # Optional: web dashboard
  dashboard:
    image: ghcr.io/coresdk/dashboard:latest
    restart: unless-stopped
    depends_on:
      - control-plane
    ports:
      - "3000:3000"
    environment:
      CORESDK_API_URL: http://control-plane:7801

volumes:
  db-data:

Create a .env file next to docker-compose.yml:

DB_PASSWORD=change-me-in-production
CORESDK_LICENSE_KEY=csk_ent_xxxxxxxxxxxxxxxx
CORESDK_ADMIN_TOKEN=change-me-in-production

Start the stack:

docker compose up -d

# Verify the control plane is healthy
curl http://localhost:7801/healthz
# {"status":"ok","version":"1.4.2"}

Connecting SDKs to the Self-Hosted Control Plane

Point each SDK instance at your control plane's address instead of the default cloud endpoint.

use coresdk_engine::prelude::*;

let sdk = Engine::from_env()?
    .tenant("acme")
    .control_plane_url("https://coresdk.internal.example.com:7800")
    .api_key(std::env::var("CORESDK_API_KEY").unwrap())
    .build()
    .await?;

import os
from coresdk import CoreSDKClient, SDKConfig

_sdk = CoreSDKClient(SDKConfig(
    sidecar_addr="[::1]:50051",
    tenant_id="acme-corp",
    fail_mode="open",
))
# Point the sidecar at your control plane via env var:
# CORESDK_CONTROL_PLANE_URL=https://coresdk.internal.example.com:7800
# CORESDK_API_KEY=csk_live_xxxxxxxxxxxxxxxx

import (
    sdk "github.com/coresdk-dev/sdk-go"
    "os"
)

s := sdk.New(sdk.Config{
    Tenant:          "acme",
    ControlPlaneURL: "https://coresdk.internal.example.com:7800",
    APIKey:          os.Getenv("CORESDK_API_KEY"),
})

import { CoreSDK } from "@coresdk/node";

const sdk = new CoreSDK({
  tenant: "acme",
  controlPlaneUrl: "https://coresdk.internal.example.com:7800",
  apiKey: process.env.CORESDK_API_KEY,
});

CORESDK_TENANT=acme
CORESDK_CONTROL_PLANE_URL=https://coresdk.internal.example.com:7800
CORESDK_API_KEY=csk_live_xxxxxxxxxxxxxxxx

TLS Configuration

The control plane expects TLS in production. Mount certificates via environment variables or a volume:

# Addition to the control-plane service in docker-compose.yml
environment:
  CORESDK_TLS_CERT_FILE: /certs/tls.crt
  CORESDK_TLS_KEY_FILE: /certs/tls.key
volumes:
  - /etc/coresdk/certs:/certs:ro

For internal PKI, set CORESDK_TLS_CA_FILE on the SDK side so it trusts your CA:

CORESDK_TLS_CA_FILE=/etc/ssl/certs/internal-ca.crt

Enterprise Features

The following features require a valid enterprise license key (CORESDK_LICENSE_KEY):

Feature	Description
RBAC for the control plane	Role-based access to the dashboard and API
SSO / SAML	Integrate with Okta, Azure AD, or any SAML 2.0 provider
Audit log export	Stream to S3, GCS, or an HTTP endpoint
Multi-region replication	Active-active Postgres replication across regions
Policy approval workflows	Require peer review before a policy goes live
Dedicated support SLA	1-hour response, 24/7

Configure SSO via environment variable:

CORESDK_SSO_PROVIDER=okta
CORESDK_SSO_DOMAIN=example.okta.com
CORESDK_SSO_CLIENT_ID=0oa...
CORESDK_SSO_CLIENT_SECRET=<secret>

Upgrading

Pull the latest image and restart — the control plane runs zero-downtime migrations automatically:

docker compose pull control-plane dashboard
docker compose up -d --no-deps control-plane dashboard

# Check migration status
curl http://localhost:7801/admin/migrations \
  -H "Authorization: Bearer ${CORESDK_ADMIN_TOKEN}"

Backup and Recovery

Back up the PostgreSQL database on your normal schedule. The control plane stores all state (policies, tenants, audit logs, API keys) in Postgres — there is no additional persistent state to back up.

# Example: daily pg_dump to S3
pg_dump postgres://coresdk:${DB_PASSWORD}@db:5432/coresdk \
  | gzip \
  | aws s3 cp - s3://my-backups/coresdk/$(date +%Y%m%d).sql.gz

Next Steps

Docker & Kubernetes — deploy the SDK sidecar in your cluster
CoreSDK Cloud — managed alternative with zero infra overhead
Observability — connect Prometheus and OTEL to the control plane

Self-Hosted Control Plane

On this page