Appearance
On-Prem
The on-prem version of elsai Prompt Manager runs entirely inside your infrastructure. It's the same product as SaaS, packaged for self-hosting on Kubernetes or Docker.
Same SDK
Identical elsai-prompts Python package; you point base_url at your deployment.
Same UI
Same web console; you deploy it under your own domain.
Same concepts
Org → Project → Prompt → Version, the four kinds, environments — all identical.
Your stack
Postgres for data, JWT for auth, your TLS termination, your monitoring.
Key characteristics
| Detail | |
|---|---|
| Identity | JWT (built-in user/password, optional SSO via SAML/OIDC) |
| Data plane | PostgreSQL (your instance) |
| Cache layer | Optional Redis |
| Deployment | Docker Compose or Kubernetes (Helm chart available) |
| Backups | Your responsibility (standard Postgres tooling) |
| TLS | Your reverse proxy (nginx, Caddy, ALB, etc.) |
When to choose on-prem
Data residency / sovereignty
Your prompts and metadata stay inside your VPC, region, or country. Required for EU data-protection, healthcare, financial services.
Air-gapped environments
Defense, internal-only networks, environments with no public-internet egress.
Compliance posture
SOC2, FedRAMP, HIPAA-adjacent, or other postures that mandate self-host with specific audit controls.
Custom auth integration
Your enterprise SSO, your existing SAML IdP, your custom group-based permissions.
Differences from SaaS
Architectural: the authorization model
On-prem uses a membership-based authorization model that's different from SaaS:
- SaaS: API key is validated and the project's org is loaded; the key doesn't carry an explicit org binding.
- On-prem: API key is validated, then the key's owner is checked for current membership in the project's organization. If they're not a member, you get a 404.
This means on on-prem:
- A user who belongs to multiple orgs needs only one API key — it works for every project they have access to.
- Removing a user from an org immediately revokes their key's access to that org — no separate key revocation step.
- Adding a user to a new org immediately grants their existing key access to the new org's projects — no key reissue.
See Authentication( for full details.
Operational
- Strict environment matching. The on-prem backend doesn't do environment aliases (
dev → development, etc.). Use canonical names:development,testing,production. - Base URL is required. Either pass
base_url=toPromptManager(...)or setPROMPT_MANAGER_API_URLin the environment. - Backups are yours. Standard Postgres backup tooling —
pg_dump, replication slots, managed backups via your cloud provider.
Install the on-prem SDK
bash
pip install --extra-index-url https://elsai-core-package.optisolbusiness.com/root/elsai-prompts/ elsai-prompts==2.0.0The on-prem build requires base_url:
python
from elsai_prompts.prompt_manager import PromptManager
pm = PromptManager(
api_key="YOUR_KEY",
project_id="YOUR_PROJECT_ID",
environment="development",
base_url="https://prompts.your-company.com",
)Or via env var:
bash
PROMPT_MANAGER_API_URL=https://prompts.your-company.compython
pm = PromptManager(
api_key=...,
project_id=...,
environment="development",
# base_url auto-read from PROMPT_MANAGER_API_URL
)Deployment overview
A typical on-prem deployment has four moving parts:
┌──────────────┐
│ Reverse │
│ proxy / │ ← TLS terminates here
│ ingress │
└──────┬───────┘
│
┌────────┴────────┐
│ │
┌────▼────┐ ┌────▼─────┐
│ Backend │ │ Frontend │
│ FastAPI │ │ Nginx + │
│ :8000 │ │ React │
└────┬────┘ └──────────┘
│
┌────▼────────┐
│ PostgreSQL │
│ (and Redis │
│ if used) │
└─────────────┘A minimal deploy uses Docker Compose; production deployments are typically Kubernetes via the provided Helm chart. Contact support for the latest deployment guides.
Configuration essentials
Environment variables your on-prem backend will need:
bash
# Database
DATABASE_URL=postgresql+psycopg2://user:pass@db:5432/elsai_prompt_manager
# JWT (sign your own - generate a 256-bit secret)
JWT_SECRET_KEY=<long random string>
JWT_AUDIENCE=elsai-prompt-manager
JWT_ISSUER=https://prompts.your-company.com
# Optional: SSO
SSO_PROVIDER=...
# Optional: SMTP for invites
SMTP_HOST=smtp.your-company.com
SMTP_USER=...
SMTP_PASS=...The full operator runbook (SSO, backups, scaling) lives in the Promptmanager-onprem repo's docs/ folder — ask your administrator for the link.
Migrating from SaaS to on-prem
See SaaS → migrating(. The summary: no SDK code changes; add PROMPT_MANAGER_API_URL to your .env; reinstall from the on-prem index URL.
Support
- Email: dev@elsaifoundry.ai
- Deployment assistance available — ask about onboarding sessions.