# Self-hosted AI chat setup

UI Bakery On-Premise can run the AI app builder chat and Docker sandbox inside your installation. Use this setup when you want to run the chat service locally and provide your own Anthropic API key.

### Prerequisites <a href="#id-0620e2a1-5ac1-4f4d-b30b-55f416ded19d" id="id-0620e2a1-5ac1-4f4d-b30b-55f416ded19d"></a>

Before you start, make sure you have:

1. A working UI Bakery On-Premise installation.
2. A UI Bakery license that supports self-hosted chat.
3. Access to the `.env` file and Docker Compose configuration.
4. An Anthropic API key for the default `claude-*` agent models.

### Set environment variables <a href="#id-94680357-aa04-49e1-995d-dc91bf9097a6" id="id-94680357-aa04-49e1-995d-dc91bf9097a6"></a>

Add the following variables to your `.env` file:

```
UI_BAKERY_CHAT_OPERATING_MODE=self_hosted
UI_BAKERY_CHAT_URL=http://chat:7070
UI_BAKERY_CHAT_SERVICE_URL=http://chat:7070
UI_BAKERY_CHAT_API_URL=https://<your-onprem-host>/chat
UI_BAKERY_JWT_CHAT_SECRET=<random-secret>
UI_BAKERY_CHAT_SERVICE_SECRET=<random-secret>
UI_BAKERY_CHAT_DATABASE_URL=postgres://postgres:postgres@chat-db:5432/chat_db
UI_BAKERY_CHAT_UID_SALT=<random-secret>

UI_BAKERY_AGENT_ANTHROPIC_KEY=<anthropic-api-key>

UI_BAKERY_DOCKER_SANDBOX=http://docker-sandbox:7071
UI_BAKERY_DOCKER_SANDBOX_API_KEY=<random-secret>
UI_BAKERY_SANDBOX_DISALLOW_NETWORK=false
UI_BAKERY_SANDBOX_BLOCKED_EGRESS_CIDRS=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
```

Fill in these values before starting the stack:

* `UI_BAKERY_CHAT_API_URL` - the public URL where users' browsers can reach the chat service through the on-premise host.
* `UI_BAKERY_AGENT_ANTHROPIC_KEY` - the Anthropic API key used by the default agent models.
* `UI_BAKERY_JWT_CHAT_SECRET` - a generated stable secret shared by the Bakery backend and the chat service.
* `UI_BAKERY_CHAT_SERVICE_SECRET` - a generated stable secret used for service-to-service chat API calls.
* `UI_BAKERY_CHAT_UID_SALT` - a generated stable salt used by the chat service for user identifiers.
* `UI_BAKERY_DOCKER_SANDBOX_API_KEY` - a generated stable secret shared by the chat service and Docker sandbox service.

Generate the random secret values once and keep them stable for the installation:

```
secret() {
  openssl rand -hex 32
}

cat <<EOF
UI_BAKERY_JWT_CHAT_SECRET=$(secret)
UI_BAKERY_CHAT_SERVICE_SECRET=$(secret)
UI_BAKERY_CHAT_UID_SALT=$(secret)
UI_BAKERY_DOCKER_SANDBOX_API_KEY=$(secret)
EOF
```

Optionally, choose specific Anthropic models instead of the chat service defaults:

```
UI_BAKERY_AGENT_MODEL=claude-sonnet-4-6
UI_BAKERY_AGENT_FAST_MODEL=claude-haiku-4-5
```

`UI_BAKERY_AGENT_MODEL` is used for high-power agent work. `UI_BAKERY_AGENT_FAST_MODEL` is used for faster changes and helper tasks. Keep `UI_BAKERY_AGENT_ANTHROPIC_KEY` set when using Anthropic `claude-*` models.

### Add Docker Compose services <a href="#cbd4e447-a0e8-4600-9f62-6f4c10b3f16e" id="cbd4e447-a0e8-4600-9f62-6f4c10b3f16e"></a>

Add the following services to your Docker Compose configuration:

```
  chat-db:
    image: "postgres:16.1"
    container_name: chat-db
    restart: always
    command: ["postgres", "-c", "wal_level=logical"]
    environment:
      POSTGRES_USER: "postgres"
      POSTGRES_PASSWORD: "postgres"
      POSTGRES_DB: "chat_db"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d chat_db"]
      interval: 1s
      timeout: 5s
      retries: 10
    volumes:
      - chat-db:/var/lib/postgresql/data

  docker-sandbox:
    container_name: docker-sandbox
    image: cruibakeryonprem.azurecr.io/cloud/docker-sandbox-server:${UI_BAKERY_VERSION:-latest}
    restart: always
    privileged: true
    env_file: .env
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://localhost:7071/status"]
      interval: 30s
      timeout: 5s
      retries: 10
      start_period: 20s

  chat:
    container_name: chat
    depends_on:
      chat-db:
        condition: service_healthy
      docker-sandbox:
        condition: service_healthy
    image: cruibakeryonprem.azurecr.io/cloud/chat:${UI_BAKERY_VERSION:-latest}
    restart: always
    env_file: .env
```

Add the chat database volume:

```
volumes:
  chat-db:
```

### Restart the stack <a href="#id-35abad73-a9ac-466c-9333-a0569d761b6a" id="id-35abad73-a9ac-466c-9333-a0569d761b6a"></a>

Pull the latest images and restart the containers:

```
docker compose pull
docker compose up -d
```

### Minimal setup limitations <a href="#id-0b08bdbe-4599-411e-9d39-01bd72f6ea83" id="id-0b08bdbe-4599-411e-9d39-01bd72f6ea83"></a>

The configuration above is enough to run the self-hosted AI app builder chat with the default Anthropic agent and Docker sandbox. The following features are not available in the minimal setup.

#### Fetch UI inspirations <a href="#id-9bea82d7-1369-437f-add2-75bca7b34b35" id="id-9bea82d7-1369-437f-add2-75bca7b34b35"></a>

The `fetchUiInspirations()` agent tool is not registered unless `UI_BAKERY_FETCH_UI_API_KEY` is set. Without it, the agent still works but cannot fetch component examples from 21st.dev.

To enable it, set:

```
UI_BAKERY_FETCH_UI_API_KEY=<21st-dev-fetch-ui-api-key>
```

The chat container must also be allowed to reach `https://magic.21st.dev/api/fetch-ui`.

#### Sandbox network access <a href="#cdc06e56-843b-47be-9f3e-c4a6c1cec564" id="cdc06e56-843b-47be-9f3e-c4a6c1cec564"></a>

To improve security, disable network access inside generated app runtime containers:

```
UI_BAKERY_SANDBOX_DISALLOW_NETWORK=true
```

This better protects the on-premise network, but package installation and external preview calls from inside the sandbox will not work.

#### Chat attachments and storage asset URLs <a href="#f1f76f21-3e70-4f7e-ba54-cd0ad4a7a990" id="f1f76f21-3e70-4f7e-ba54-cd0ad4a7a990"></a>

In `self_hosted` mode, chat attachment uploads and secure attachment redirects use local on-premise storage. If Azure Blob Storage is not configured, chat attachment uploads and secure redirects fail with storage-not-configured errors.

To store chat attachments and general storage assets locally, configure Azure Blob Storage for the main on-premise stack:

```
UI_BAKERY_AZURE_BLOB_STORAGE_CONNECTION_STRING=<azure-blob-connection-string>
UI_BAKERY_AZURE_CONTAINER_NAME=<container-name>
UI_BAKERY_AZURE_CONTAINER_PREFIX=https://<account>.blob.core.windows.net/<container-name>/
UI_BAKERY_AZURE_BLOB_STORAGE_CHAT_SAS_VALIDITY=900000
```

For Bakery Storage buckets, `UI_BAKERY_AZURE_BAKERY_STORAGE_CONNECTION_STRING` can be set separately. If it is not set, the backend falls back to `UI_BAKERY_AZURE_BLOB_STORAGE_CONNECTION_STRING`.

General storage features outside chat also require Azure Blob Storage.

#### Low-code AI assistant <a href="#id-46446002-f4f4-44fc-898a-aa7f6a33ca50" id="id-46446002-f4f4-44fc-898a-aa7f6a33ca50"></a>

The low-code assistant is a separate OpenAI-based chat flow. It is not enabled by the minimal Anthropic agent setup.

To enable the low-code assistant button and responses, set:

```
UI_BAKERY_SHOW_CHAT_BUTTON=true
UI_BAKERY_CHAT_OPENAI_KEY=<openai-api-key>
```

#### Billing and cloud token purchase <a href="#id-43cc1e51-82c9-4793-9c77-dee0fa52f323" id="id-43cc1e51-82c9-4793-9c77-dee0fa52f323"></a>

Self-hosted chat disables UI Bakery cloud credit billing inside the chat service.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.uibakery.io/on-premise/additional-configurations/self-hosted-ai-chat-setup.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.