Self-hosted AI chat setup

UI Bakery On-Premise can run the AI app builder chat and Docker sandbox inside your installation. Use this setup when you want to run the chat service locally and provide your own Anthropic API key.

Prerequisites

Before you start, make sure you have:

A working UI Bakery On-Premise installation.
A UI Bakery license that supports self-hosted chat.
Access to the .env file and Docker Compose configuration.
An Anthropic API key for the default claude-* agent models.

Set environment variables

Add the following variables to your .env file:

UI_BAKERY_CHAT_OPERATING_MODE=self_hosted
UI_BAKERY_CHAT_URL=http://chat:7070
UI_BAKERY_CHAT_SERVICE_URL=http://chat:7070
UI_BAKERY_CHAT_API_URL=https://<your-onprem-host>/chat
UI_BAKERY_JWT_CHAT_SECRET=<random-secret>
UI_BAKERY_CHAT_SERVICE_SECRET=<random-secret>
UI_BAKERY_CHAT_DATABASE_URL=postgres://postgres:postgres@chat-db:5432/chat_db
UI_BAKERY_CHAT_UID_SALT=<random-secret>

UI_BAKERY_AGENT_ANTHROPIC_KEY=<anthropic-api-key>

UI_BAKERY_DOCKER_SANDBOX=http://docker-sandbox:7071
UI_BAKERY_DOCKER_SANDBOX_API_KEY=<random-secret>
UI_BAKERY_SANDBOX_DISALLOW_NETWORK=false
UI_BAKERY_SANDBOX_BLOCKED_EGRESS_CIDRS=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Fill in these values before starting the stack:

UI_BAKERY_CHAT_API_URL - the public URL where users' browsers can reach the chat service through the on-premise host.
UI_BAKERY_AGENT_ANTHROPIC_KEY - the Anthropic API key used by the default agent models.
UI_BAKERY_JWT_CHAT_SECRET - a generated stable secret shared by the Bakery backend and the chat service.
UI_BAKERY_CHAT_SERVICE_SECRET - a generated stable secret used for service-to-service chat API calls.
UI_BAKERY_CHAT_UID_SALT - a generated stable salt used by the chat service for user identifiers.
UI_BAKERY_DOCKER_SANDBOX_API_KEY - a generated stable secret shared by the chat service and Docker sandbox service.

Generate the random secret values once and keep them stable for the installation:

secret() {
  openssl rand -hex 32
}

cat <<EOF
UI_BAKERY_JWT_CHAT_SECRET=$(secret)
UI_BAKERY_CHAT_SERVICE_SECRET=$(secret)
UI_BAKERY_CHAT_UID_SALT=$(secret)
UI_BAKERY_DOCKER_SANDBOX_API_KEY=$(secret)
EOF

Optionally, choose specific Anthropic models instead of the chat service defaults:

UI_BAKERY_AGENT_MODEL=claude-sonnet-4-6
UI_BAKERY_AGENT_FAST_MODEL=claude-haiku-4-5

UI_BAKERY_AGENT_MODEL is used for high-power agent work. UI_BAKERY_AGENT_FAST_MODEL is used for faster changes and helper tasks. Keep UI_BAKERY_AGENT_ANTHROPIC_KEY set when using Anthropic claude-* models.

Add Docker Compose services

Add the following services to your Docker Compose configuration:

  chat-db:
    image: "postgres:16.1"
    container_name: chat-db
    restart: always
    command: ["postgres", "-c", "wal_level=logical"]
    environment:
      POSTGRES_USER: "postgres"
      POSTGRES_PASSWORD: "postgres"
      POSTGRES_DB: "chat_db"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d chat_db"]
      interval: 1s
      timeout: 5s
      retries: 10
    volumes:
      - chat-db:/var/lib/postgresql/data

  docker-sandbox:
    container_name: docker-sandbox
    image: cruibakeryonprem.azurecr.io/cloud/docker-sandbox-server:${UI_BAKERY_VERSION:-latest}
    restart: always
    privileged: true
    env_file: .env
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://localhost:7071/status"]
      interval: 30s
      timeout: 5s
      retries: 10
      start_period: 20s

  chat:
    container_name: chat
    depends_on:
      chat-db:
        condition: service_healthy
      docker-sandbox:
        condition: service_healthy
    image: cruibakeryonprem.azurecr.io/cloud/chat:${UI_BAKERY_VERSION:-latest}
    restart: always
    env_file: .env

Add the chat database volume:

volumes:
  chat-db:

Restart the stack

Pull the latest images and restart the containers:

docker compose pull
docker compose up -d

Minimal setup limitations

The configuration above is enough to run the self-hosted AI app builder chat with the default Anthropic agent and Docker sandbox. The following features are not available in the minimal setup.

Fetch UI inspirations

The fetchUiInspirations() agent tool is not registered unless UI_BAKERY_FETCH_UI_API_KEY is set. Without it, the agent still works but cannot fetch component examples from 21st.dev.

To enable it, set:

UI_BAKERY_FETCH_UI_API_KEY=<21st-dev-fetch-ui-api-key>

The chat container must also be allowed to reach https://magic.21st.dev/api/fetch-ui.

Sandbox network access

To improve security, disable network access inside generated app runtime containers:

UI_BAKERY_SANDBOX_DISALLOW_NETWORK=true

This better protects the on-premise network, but package installation and external preview calls from inside the sandbox will not work.

Chat attachments and storage asset URLs

In self_hosted mode, chat attachment uploads and secure attachment redirects use local on-premise storage. If Azure Blob Storage is not configured, chat attachment uploads and secure redirects fail with storage-not-configured errors.

To store chat attachments and general storage assets locally, configure Azure Blob Storage for the main on-premise stack:

UI_BAKERY_AZURE_BLOB_STORAGE_CONNECTION_STRING=<azure-blob-connection-string>
UI_BAKERY_AZURE_CONTAINER_NAME=<container-name>
UI_BAKERY_AZURE_CONTAINER_PREFIX=https://<account>.blob.core.windows.net/<container-name>/
UI_BAKERY_AZURE_BLOB_STORAGE_CHAT_SAS_VALIDITY=900000

For Bakery Storage buckets, UI_BAKERY_AZURE_BAKERY_STORAGE_CONNECTION_STRING can be set separately. If it is not set, the backend falls back to UI_BAKERY_AZURE_BLOB_STORAGE_CONNECTION_STRING.

General storage features outside chat also require Azure Blob Storage.

Low-code AI assistant

The low-code assistant is a separate OpenAI-based chat flow. It is not enabled by the minimal Anthropic agent setup.

To enable the low-code assistant button and responses, set:

UI_BAKERY_SHOW_CHAT_BUTTON=true
UI_BAKERY_CHAT_OPENAI_KEY=<openai-api-key>

Billing and cloud token purchase

Self-hosted chat disables UI Bakery cloud credit billing inside the chat service.

PreviousUI Bakery Postgres NextNetworking & security

Last updated 1 month ago

Was this helpful?