Skip to content

On-Prem

The on-prem version of elsai Prompt Manager runs entirely inside your infrastructure. It's the same product as SaaS, packaged for self-hosting on Kubernetes or Docker.

Same SDK

Identical elsai-prompts Python package; you point base_url at your deployment.

Same UI

Same web console; you deploy it under your own domain.

Same concepts

Org → Project → Prompt → Version, the four kinds, environments — all identical.

Your stack

Postgres for data, JWT for auth, your TLS termination, your monitoring.

Key characteristics

Detail
IdentityJWT (built-in user/password, optional SSO via SAML/OIDC)
Data planePostgreSQL (your instance)
Cache layerOptional Redis
DeploymentDocker Compose or Kubernetes (Helm chart available)
BackupsYour responsibility (standard Postgres tooling)
TLSYour reverse proxy (nginx, Caddy, ALB, etc.)

When to choose on-prem

Data residency / sovereignty

Your prompts and metadata stay inside your VPC, region, or country. Required for EU data-protection, healthcare, financial services.

Air-gapped environments

Defense, internal-only networks, environments with no public-internet egress.

Compliance posture

SOC2, FedRAMP, HIPAA-adjacent, or other postures that mandate self-host with specific audit controls.

Custom auth integration

Your enterprise SSO, your existing SAML IdP, your custom group-based permissions.

Differences from SaaS

Architectural: the authorization model

On-prem uses a membership-based authorization model that's different from SaaS:

  • SaaS: API key is validated and the project's org is loaded; the key doesn't carry an explicit org binding.
  • On-prem: API key is validated, then the key's owner is checked for current membership in the project's organization. If they're not a member, you get a 404.

This means on on-prem:

  • A user who belongs to multiple orgs needs only one API key — it works for every project they have access to.
  • Removing a user from an org immediately revokes their key's access to that org — no separate key revocation step.
  • Adding a user to a new org immediately grants their existing key access to the new org's projects — no key reissue.

See Authentication( for full details.

Operational

  • Strict environment matching. The on-prem backend doesn't do environment aliases (dev → development, etc.). Use canonical names: development, testing, production.
  • Base URL is required. Either pass base_url= to PromptManager(...) or set PROMPT_MANAGER_API_URL in the environment.
  • Backups are yours. Standard Postgres backup tooling — pg_dump, replication slots, managed backups via your cloud provider.

Install the on-prem SDK

bash
pip install --extra-index-url https://elsai-core-package.optisolbusiness.com/root/elsai-prompts/ elsai-prompts==2.0.0

The on-prem build requires base_url:

python
from elsai_prompts.prompt_manager import PromptManager

pm = PromptManager(
    api_key="YOUR_KEY",
    project_id="YOUR_PROJECT_ID",
    environment="development",
    base_url="https://prompts.your-company.com",
)

Or via env var:

bash
PROMPT_MANAGER_API_URL=https://prompts.your-company.com
python
pm = PromptManager(
    api_key=...,
    project_id=...,
    environment="development",
    # base_url auto-read from PROMPT_MANAGER_API_URL
)

Deployment overview

A typical on-prem deployment has four moving parts:

         ┌──────────────┐
         │  Reverse     │
         │  proxy /     │ ← TLS terminates here
         │  ingress     │
         └──────┬───────┘

       ┌────────┴────────┐
       │                 │
  ┌────▼────┐       ┌────▼─────┐
  │ Backend │       │ Frontend │
  │ FastAPI │       │  Nginx + │
  │  :8000  │       │  React   │
  └────┬────┘       └──────────┘

  ┌────▼────────┐
  │ PostgreSQL  │
  │ (and Redis  │
  │  if used)   │
  └─────────────┘

A minimal deploy uses Docker Compose; production deployments are typically Kubernetes via the provided Helm chart. Contact support for the latest deployment guides.

Configuration essentials

Environment variables your on-prem backend will need:

bash
# Database
DATABASE_URL=postgresql+psycopg2://user:pass@db:5432/elsai_prompt_manager

# JWT (sign your own - generate a 256-bit secret)
JWT_SECRET_KEY=<long random string>
JWT_AUDIENCE=elsai-prompt-manager
JWT_ISSUER=https://prompts.your-company.com

# Optional: SSO
SSO_PROVIDER=...

# Optional: SMTP for invites
SMTP_HOST=smtp.your-company.com
SMTP_USER=...
SMTP_PASS=...

The full operator runbook (SSO, backups, scaling) lives in the Promptmanager-onprem repo's docs/ folder — ask your administrator for the link.

Migrating from SaaS to on-prem

See SaaS → migrating(. The summary: no SDK code changes; add PROMPT_MANAGER_API_URL to your .env; reinstall from the on-prem index URL.

Support

Copyright © 2026 elsai foundry.