> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation. > > - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install @scalekit-auth-stack` > - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install @scalekit-auth-stack` > - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `` > - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill ` > > `` / ``: `agentkit`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/) --- # Quick start Get Scalekit running on Kubernetes quickly through the Scalekit distribution portal. This guide uses bundled PostgreSQL and Redis and auto-creates Kubernetes secrets from your `values.yaml` — no external databases or `kubectl secret` commands needed. **Not for production:** The bundled databases have no backups, no replication, and no persistent storage guarantees. For a production deployment with external services and full secret management, follow the [installation guide](/self-hosted/installation/). ## Before you start | Requirement | Notes | |-------------|-------| | `kubectl` 1.27+ | Configured against your target cluster | | Helm 3.12+ | Run `helm version` to verify | | Domain | Subdomains `app.` and `auth.` must resolve to your cluster | | Gateway class | A GatewayClass must be installed on your cluster | | TLS certificate | Attached via a gateway annotation (GCP cert map, cert-manager, etc.) | | SMTP credentials | Any provider; Postmark and SendGrid have first-class support | | Registry token | From the Scalekit distribution portal — see step 1 | | `openssl` and `python3` | To generate webhook credentials in step 2 | --- 1. ## Get a registry token Log in to the Scalekit distribution portal and create a Personal Access Token. This token authenticates your cluster to pull Scalekit images from {REGISTRY_HOST}. **Token expiry breaks image pulls:** When the token expires, new deployments and upgrades will fail with `ImagePullBackOff`. Set a reminder to renew it before it lapses. Copy the token — it is shown only once. 2. ## Generate webhook credentials Run these commands to produce a JWT secret and a signed API token. Copy both output lines — you will paste them into `values.yaml` in the next step. ```bash frame="terminal" export JWT_SECRET=$(openssl rand -base64 32) echo "jwtSecret: $JWT_SECRET" python3 << 'EOF' import base64, hashlib, hmac as _hmac, json, os, secrets, string, time secret = os.environ['JWT_SECRET'] chars = string.ascii_letters + string.digits sub = 'org_' + ''.join(secrets.choice(chars) for _ in range(22)) now = int(time.time()) exp = now + 315360000 h = base64.urlsafe_b64encode(json.dumps({'alg':'HS256','typ':'JWT'}, separators=(',',':')).encode()).rstrip(b'=').decode() p = base64.urlsafe_b64encode(json.dumps({'iat':now,'exp':exp,'nbf':now,'iss':'svix-server','sub':sub}, separators=(',',':')).encode()).rstrip(b'=').decode() msg = f'{h}.{p}' sig = base64.urlsafe_b64encode(_hmac.new(secret.encode(), msg.encode(), hashlib.sha256).digest()).rstrip(b'=').decode() print(f'apiToken: {msg}.{sig}') EOF ``` The output looks like: ``` jwtSecret: aB3cD4eF5gH6... apiToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... ``` 3. ## Create values.yaml Create a `values.yaml` file using the template below. Replace each placeholder with your actual value. ```yaml title="values.yaml" scalekit: config: app: domain: "" # e.g. scalekit.example.com — no scheme or trailing slash seedData: adminUser: firstName: "" lastName: "" email: "" emailServer: settings: fromEmail: "hi@" fromName: "Team " host: "" port: username: "" postgresql: enabled: true redis: enabled: true secrets: create: true svix: jwtSecret: "" apiToken: "" registry: password: "" gateway: enabled: true provider: "" # gcp for GKE; other for all other clusters className: "" # e.g. gke-l7-global-external-managed annotations: : "" # e.g. networking.gke.io/certmap: your-cert-map redirectToHttps: true healthCheckPolicy: enabled: true # GKE only — set false for other providers ``` | Field | Description | |-------|-------------| | `domain` | Base domain. The chart derives `app.` and `auth.` from this. | | `adminUser` | First admin account created on first boot. Use this to log in to the dashboard. | | `emailServer` | SMTP settings for transactional email (invites, magic links, verification codes). The password is provided separately via `secrets.registry.password` — see [full configuration](/self-hosted/configuration/) for details. | | `secrets.create` | When `true`, the chart creates all required Kubernetes secrets from the values below. | | `secrets.svix` | Webhook service credentials generated in step 2. | | `secrets.registry.password` | Registry access token from step 1. | | `gateway.provider` | Set to `gcp` for GKE to enable GKE-specific resources. Leave empty for all other providers. | | `gateway.className` | The GatewayClass installed on your cluster. | | `gateway.annotations` | Attach a TLS certificate via your provider's annotation. | 4. ## Create a deployment in the portal Deployments are managed through the Scalekit distribution portal. Create the namespace on your cluster first: ```bash kubectl create namespace ``` Then, in the portal: - In the left sidebar, click **Deployments**, then **+ New Deployment** - Select **Scalekit Onprem** and click **Continue** - Set a **Deployment Name** (`scalekit` is recommended) and enter the **Kubernetes Namespace** you just created - Leave **Enable cluster-scoped permissions** checked and click **Continue** - Select the **Version** you want to install - Under **Helm values**, paste the full contents of your `values.yaml` - Click **Create Deployment** The portal shows a **Deployment Created Successfully** screen with a `kubectl apply` command. Click **Copy Command** and run it on your cluster: ```bash kubectl apply -n -f "" ``` This connects your cluster to the portal, which then installs the Helm chart and runs database migrations. 5. ## Update DNS Once the gateway is provisioned, get its external IP: ```bash kubectl get gateway -n scalekit ``` Copy the address from the `ADDRESS` column. In your DNS provider, create a wildcard `A` record: ``` *. → ``` DNS propagation can take a few minutes. Verify with: ```bash dig app. ``` 6. ## Verify ```bash kubectl get pods -n scalekit ``` All pods should show `Running`. Open `https://app.` in a browser and sign in with the admin email you set in `values.yaml`. ## Next steps - Ready for production? Switch to external databases and full secret management — follow the [installation guide](/self-hosted/installation/). - Review every configuration field in the [configuration reference](/self-hosted/configuration/). - Learn how to upgrade and maintain your deployment in [upgrades & maintenance](/self-hosted/upgrades/). --- ## More Scalekit documentation | Resource | What it contains | When to use it | |----------|-----------------|----------------| | [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content | | [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas | | [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |