Self-hosted gateway.
Deploy the Mnemom gateway on your own infrastructure. Your data, prompts, and tool arguments never leave your network. Only heartbeat, telemetry, and signed verdict metadata flow to the Mnemom control plane.
Architecture
The self-hosted gateway runs in your network. It proxies LLM calls, runs integrity checks locally, and streams telemetry back to the Mnemom control plane. Nothing sensitive leaves your perimeter.
```
     Your Infrastructure                         Mnemom Cloud
+---------------------------+                +------------------+
|                           |                |                  |
|  +--------+   +--------+  |   heartbeat    |  Control Plane   |
|  |  App   |-->|Gateway |--+--------------->| (api.mnemom.ai)  |
|  +--------+   +--------+  |   telemetry    |                  |
|                |     |    |                |  Dashboard       |
|                v     v    |                |  Alerts          |
|          +------+ +-----+ |                |  Fleet Mgmt      |
|          | AIP  | | LLM | |                +------------------+
|          |Check | |Proxy| |
|          +------+ +-----+ |
|                      |    |
+---------------------------+
                       |
                       v
                 LLM Providers
           (OpenAI, Anthropic, etc.)
```
Stays inside your network
- Prompts, tool arguments, and LLM responses.
- Customer data, PII, and regulated payloads.
- Alignment Cards, card hashes, and proof chains.
- LLM provider credentials (OpenAI, Anthropic, etc.).
Sent to the control plane
- Heartbeat and version metadata (every 30s).
- Signed verdict summaries — labels, not content.
- Telemetry counters and anomaly statistics.
- Trust Rating calibration data (scores, not traces).
Quickstart — Docker Compose
The fastest way to try the gateway. Spin it up, point your agent at it, and verify a signed integrity check in under five minutes.
1. Create your .env file
Drop the license JWT and org ID we sent you into a .env file alongside the compose file. Everything else is optional.
2. Create docker-compose.yml
```yaml
version: "3.8"
services:
  gateway:
    image: ghcr.io/mnemom/gateway:latest
    container_name: mnemom-gateway
    restart: unless-stopped
    ports:
      - "${GATEWAY_PORT:-8080}:8080"
    env_file:
      - .env
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    volumes:
      - gateway-data:/data
volumes:
  gateway-data:
```
3. Start the gateway
```bash
docker compose up -d
docker compose logs -f gateway
```
4. Verify it's healthy
```bash
curl http://localhost:8080/health
# Expected: {"status":"ok","version":"1.x.x"}
```
Production — Helm
For Kubernetes production deployments, the Helm chart is the supported path. TLS, ingress, autoscaling, and resource limits are first-class.
1. Add the Helm repo
```bash
helm repo add mnemom https://charts.mnemom.ai
helm repo update
```
2. Author your values.yaml
```yaml
# values.yaml
replicaCount: 2
gateway:
  licenseJwt: "<YOUR_LICENSE_JWT>"
  orgId: "<YOUR_ORG_ID>"
  region: "us-east-1"
resources:
  requests:
    memory: "512Mi"
    cpu: "250m"
  limits:
    memory: "2Gi"
    cpu: "1000m"
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: gateway.internal.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: gateway-tls
      hosts:
        - gateway.internal.example.com
autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
```
3. Install the chart
```bash
helm install mnemom-gateway mnemom/gateway \
  -f values.yaml \
  -n mnemom --create-namespace
```
4. Verify the rollout
```bash
kubectl get pods -n mnemom
kubectl logs -f deployment/mnemom-gateway -n mnemom
```
Configuration reference
Everything the gateway reads from the environment. Only license and org are required; the rest have sensible defaults.
| Variable | Required | Description |
|---|---|---|
| MNEMOM_LICENSE_JWT | Required | Signed JWT that authorizes this gateway to call the Mnemom control plane. |
| MNEMOM_ORG_ID | Required | Your Mnemom organization UUID. Binds this gateway to your tenant. |
| GATEWAY_PORT | Optional | Port the gateway listens on. Defaults to 8080. |
| GATEWAY_HOST | Optional | Bind address for the gateway. Defaults to 0.0.0.0. |
| MNEMOM_API_URL | Optional | Mnemom control-plane URL. Only change for air-gapped mirrors. |
| OPENAI_API_KEY | Optional | Optional OpenAI key if the gateway proxies OpenAI calls. |
| ANTHROPIC_API_KEY | Optional | Optional Anthropic key if the gateway proxies Claude calls. |
| MNEMOM_REGION | Optional | Region label used in verdicts and telemetry (e.g. us-east-1). |
| LOG_LEVEL | Optional | One of debug, info, warn, or error. Defaults to info. |
| TLS_CERT_PATH | Optional | Absolute path to TLS cert if the gateway terminates TLS locally. |
| TLS_KEY_PATH | Optional | Absolute path to TLS key matching TLS_CERT_PATH. |
| HEARTBEAT_INTERVAL_S | Optional | Heartbeat interval in seconds. Defaults to 30. |
| MAX_CONCURRENT_CHECKS | Optional | Upper bound on concurrent integrity checks. Defaults to 256. |
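A preflight check for the `.env` file against the table above, as an added example that is not Mnemom's own code. The function names, the constructed sample, and the owner-only (600) file mode rule are assumptions of this example; the variable names and allowed values come from the table.

```python
import os
import stat
import sys

REQUIRED = ("MNEMOM_LICENSE_JWT", "MNEMOM_ORG_ID")
LOG_LEVELS = ("debug", "info", "warn", "error")
# Constructed sample with deliberate mistakes; not a real license or org.
SAMPLE = """MNEMOM_LICENSE_JWT=<YOUR_LICENSE_JWT>
TLS_CERT_PATH=certs/gateway.crt
LOG_LEVEL=verbose
HEARTBEAT_INTERVAL_S=0
"""

def parse_env(text):
    """KEY=VALUE lines; blanks and # comments skipped, wrapping quotes dropped."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def check_env(text, mode=0o600):
    """Return findings for .env content and file mode; empty list means pass."""
    env = parse_env(text)
    jwt = env.get("MNEMOM_LICENSE_JWT", "")
    paths = [(n, env.get(n, "")) for n in ("TLS_CERT_PATH", "TLS_KEY_PATH")]
    checks = [
        # Assumption: a file holding the license and provider keys is owner-only.
        (mode & 0o077, f"mode {mode:o} exposes secrets to group/other; use 600"),
        # A signed JWT in compact form is header.payload.signature.
        (jwt and jwt.count(".") != 2, "MNEMOM_LICENSE_JWT is not a three-part JWT"),
        (bool(paths[0][1]) != bool(paths[1][1]),
         "TLS_CERT_PATH and TLS_KEY_PATH must be set together"),
        (env.get("LOG_LEVEL", "info") not in LOG_LEVELS,
         "LOG_LEVEL must be debug, info, warn, or error"),
    ]
    checks += [(not env.get(n), f"{n} is required but missing or empty") for n in REQUIRED]
    checks += [(v and not os.path.isabs(v), f"{n} must be an absolute path") for n, v in paths]
    checks += [(n in env and not (env[n].isdecimal() and int(env[n]) > 0),
                f"{n} must be a positive integer")
               for n in ("HEARTBEAT_INTERVAL_S", "MAX_CONCURRENT_CHECKS")]
    return [message for failed, message in checks if failed]

if __name__ == "__main__":
    text, mode = SAMPLE, 0o644  # constructed demo input and mode
    if len(sys.argv) > 1:  # or check a real file: python check_env.py .env
        text = open(sys.argv[1]).read()
        mode = stat.S_IMODE(os.stat(sys.argv[1]).st_mode)
    print("\n".join(check_env(text, mode)) or "ok")
```

Run it before `docker compose up -d`; an unreplaced `<YOUR_LICENSE_JWT>` placeholder is reported by the three-part JWT check.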
Managed vs self-hosted
| Feature | Managed | Self-hosted |
|---|---|---|
| Infrastructure | Hosted by Mnemom on Cloudflare Workers. | Docker or Kubernetes inside your perimeter. |
| LLM routing | Through Mnemom's egress (observable, auditable). | Direct from your network to the LLM provider. |
| Time to install | Under 5 minutes. | About 30 minutes for Docker; 1–2 hours for Helm. |
| Scaling | Automatic. | You control the autoscaler; Helm chart ships sane defaults. |
| Dashboard | app.mnemom.ai. | app.mnemom.ai (reads from your gateway's telemetry). |
| Integrity checks | Included. | Included, run locally. |
| Drift detection | Included. | Included, run locally. |
| Data residency | US, EU regions. | Wherever you deploy — fully in your control. |
| Air-gapped / offline | Not supported. | Supported on Enterprise. |
| Self-managed model routing | Limited. | Full — any LLM provider or on-prem model. |
| SLA | 99.9% standard; custom on Enterprise. | You own the SLA; we support the gateway. |
| Plan required | All plans. | Enterprise only. |
Ready to deploy?
Self-hosted is an Enterprise tier feature. Tell us about your environment and we'll ship you the license and the Helm values to match.
