> ## Documentation Index
> Fetch the complete documentation index at: https://docs.parmanasystems.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Local / Self-Hosted Deployment

> The real, current deployment model: a single Node.js process, local PEM keys, your choice of memory or Supabase storage.

<Info>**\[AVAILABLE]**, this is what actually runs. Cloud/KMS/multi-instance/HA deployment is \[ROADMAP], see [Roadmap](/roadmap).</Info>

## What runs today

One Express process (`packages/api/src/server.ts`), single instance, no load balancer or
orchestration assumed. Signing keys are local PEM files read by `FileKeyProvider`. Storage
is either fully in-process (`memory`, non-persistent) or Supabase.

## Configuration

Real `.env` keys (from this repo, values redacted):

```bash theme={null}
NODE_ENV=...
PORT=3000
PARMANA_STORAGE=supabase     # or: memory
HASH_PROVIDER=sha256
PRIMARY_SIGNATURE_PROVIDER=ed25519   # or: dilithium3 (needs Node >= 24)
KEY_PROVIDER=local
PARMANA_KEY_DIR=./keys
PARMANA_GATEWAY_KEY_ID=gateway       # optional, defaults to "gateway"
TRUST_PROFILE=v1
LOG_LEVEL=...                # read into config; no logger currently consumes it, see Roadmap
PARMANA_POLICY_DIR=...
VENDOR_PAYMENT_TOKEN=...     # credential for the one wired connector, see below
```

`PARMANA_KEY_DIR` is a single directory containing every keypair `FileKeyProvider` reads:
`default.*.pem` (authorization signing/verification) and `gateway.*.pem` (gateway
attestation, see [Gateway attestation](/concepts/gateway-attestation)). They are
deliberately separate keys in the same directory, not one key used for two purposes.
`PARMANA_GATEWAY_KEY_ID` lets you point the gateway at a differently-named key pair (for
example during rotation, run both `gateway` and `gateway-v2` side by side, then flip the
env var) without touching `default.*.pem` at all.

## Running it

```bash theme={null}
PARMANA_STORAGE=memory \
  PARMANA_POLICY_DIR=/absolute/path/to/policies \
  VENDOR_PAYMENT_TOKEN=quickstart-demo-token \
  npm run dev
```

Generate the gateway keypair first if you haven't, `npm run generate:gateway-keys`, see
[Quickstart](/quickstart) step 2. Without it, the server refuses to start: the gateway is
wired unconditionally (see [The gateway](/concepts/the-gateway)), there is no code path that
skips needing this key.

## What this deployment does not give you

* **No authentication.** Every route is open.
* **No KMS/HSM.** Your private keys, both `default.private.pem` and `gateway.private.pem`,
  are files on disk, exactly the exposure that produced the incident noted on
  [Security](/security/overview).
* **Single process, single instance.** No shared `NonceStore` across replicas, no HA. A
  fleet of these processes would each accept the same authorization once, not once
  fleet-wide (CLAIMS.md 3.2).
* **Only one connector registered.** `vendor-payment`, a reference mock. See [The
  gateway](/concepts/the-gateway) for what adding another requires today.

## Node version

Root `package.json` requires Node ≥ 22. ML-DSA-65 (post-quantum signing) specifically
requires Node ≥ 24 for native `node:crypto` support (CLAIMS.md 2.14).
