Node + Docker (no Cloudflare)
docker compose up. Single Node process, SQLite or Postgres, local sandbox. Run on a VPS, your laptop, fly.io, your k8s cluster — anywhere with Linux/macOS. No Cloudflare account.
Self-host Overview
You can run all of openma — the API, the Console, the integrations gateway, and the agent runtime — yourself. The same code that powers openma.dev is the code in the public repo; nothing is held back.
Two paths
Section titled “Two paths”Pick the one that matches your hosting story:
Cloudflare Workers
wrangler deploy. Three Workers + DO + Containers + D1 + R2 + KV. Edge-distributed, no host management. Requires a Cloudflare Workers Paid plan.
Same harness, business logic, event log, and crash-recovery semantics
on both — they share packages/* (every store sits behind a port +
adapter). Switch between them by changing env vars, not code.
| Node + Docker | Cloudflare | |
|---|---|---|
| Where it runs | Your VPS / Mac / k8s / fly.io | Cloudflare Workers + DO + Containers |
| Storage | SQLite or Postgres + local FS | D1 + KV + R2 |
| Sandbox | LocalSubprocess / LiteBox / Daytona / E2B / BoxRun | Cloudflare Sandbox (Containers) |
| Time to running | ~2 min | ~10 min once configured |
| Best for | OSS / on-prem / no CF account / data-resident | Edge scale / no host mgmt / already on CF |
| Cost floor | Hetzner €5–50/mo, or your own hardware | Workers Paid plan ($5/mo) + usage |
Architecture (Cloudflare deploy)
Section titled “Architecture (Cloudflare deploy)”For the Node + Docker deploy, see Node + Docker.
The Cloudflare deploy is four Workers plus a set of bindings:
| Worker | Purpose |
|---|---|
apps/main | REST API + Console static assets. The front door. |
apps/agent | Session Durable Objects + sandbox Containers. Where agents actually run. |
apps/integrations | OAuth callback + webhook gateway for Linear / GitHub / Slack. |
apps/docs | This site. (Optional — only if you want your own docs.) |
They talk to each other via service bindings (Worker-to-Worker calls, no public hop). State lives in:
- D1 — auth (users, tenants, sessions), agent configs, skill metadata, integration installs.
- KV — fast-path caches: agent/environment/credential lookups.
- R2 — file storage: skill files, session files, workspace.
- Durable Objects —
SESSION_DO(per-session event log SQLite),SANDBOX(per-session container). - Vectorize — semantic memory index.
- Workers AI — embedding generation.
- Cloudflare Containers — sandbox runtime (the per-session container the
bashtool runs in). - Email Service — transactional email for auth.
- Analytics Engine — observability for silent catches and structured logs.
Requirements
Section titled “Requirements”Cloudflare Workers Paid plan
Required for Durable Objects and Containers. The free plan won’t work.
A domain
You’ll point routes at it. openma.dev in our deployment; whatever you own in yours.
An LLM provider
Anthropic, OpenAI, MiniMax, or any OpenAI-compatible endpoint. You pay them directly.
OAuth apps
You’ll register your own GitHub App, Linear OAuth, and Slack app. Walked through in OAuth Apps.
What you don’t need
Section titled “What you don’t need”- A separate database server — D1 is managed.
- A queue or task runner — Durable Object alarms cover scheduling.
- A vector database service — Vectorize is managed.
- Container infrastructure — CF Containers handle it.
- Manual scaling — Workers + DOs scale on demand.
Cost shape
Section titled “Cost shape”In rough order of cost (highest first):
- LLM API calls — your Anthropic/OpenAI/MiniMax bill. The biggest variable.
- Containers — per-session runtime. Pay for active container time.
- Workers — requests + CPU time. Cheap.
- Storage — D1 / R2 / KV / Vectorize. Generally negligible until you have lots of long-lived sessions.
There are no openma platform fees because there is no openma platform — it’s all your Cloudflare account.
Multi-tenancy
Section titled “Multi-tenancy”A single self-hosted deployment supports multiple tenants out of the box (the same code path the hosted product uses). On first sign-up, the databaseHooks.user.create.after hook creates a tenant row idempotently. You don’t need to seed anything.
If you want stricter isolation (per-tenant D1 databases), set PER_TENANT_DB_ENABLED=true and configure STORE_BACKENDS. See Operations.
Where to go next
Section titled “Where to go next” Node + Docker `docker compose up`. SQLite or Postgres. Sandbox modes. Login. Vault sidecar. Operator gotchas.
Deploy on Cloudflare Step-by-step: clone, set bindings, set secrets, wrangler deploy.
OAuth Apps Register your own GitHub App, Linear OAuth app, Slack app.
Operations Custom domains, observability, multi-tenant config, troubleshooting.