
Deployment

FlowGuard runs in four places, and you can mix them. The agent and API are the same container images in every mode — what changes is where they run and which AI endpoint they call. Pick by data boundary and ops budget, not by tech preference.

Our cloud (Azure)

Fully managed FlowGuard on Pintor Project's Azure tenant. Dashboard, API, and runtime browsers all live there. You install the agent locally only if you want to run flows from inside your network — otherwise, point an Application's base URL at a public URL and the cloud runtime handles the rest.

  • Zero ops — auto-updates, automated backups, App Insights monitoring
  • Default for Free, Pro, and Business
  • Regions: US (East US), EU (West Europe), UK (UK South — Enterprise)

Your cloud — AWS or Azure

Deploy the entire FlowGuard stack into your own AWS or Azure subscription. Same container images either way — Terraform stands up ECS Fargate + Aurora Postgres + ElastiCache + S3 on AWS; Bicep stands up App Service + Azure SQL + Blob Storage + Key Vault on Azure. Use this when test traffic must originate from your VPC, when staging URLs are firewalled to your IPs, or when data must stay inside an account you control.

  • IaC included: Bicep for Azure, Terraform for AWS (single command bring-up)
  • Database portable: SQL Server (Azure) or Aurora/RDS for Postgres (AWS)
  • Object storage portable: Azure Blob, S3, or filesystem
  • Available on Business and Enterprise

Self-hosted Kubernetes

Helm chart that runs on any Kubernetes cluster — EKS, AKS, GKE, OpenShift, or on-prem. You provide the database (SQL Server or Postgres), object storage (S3 or filesystem PVC), Redis for SignalR, and an OIDC IdP. The chart provisions API + Web deployments with non-root pod security, optional ingress with path-based routing, and a license-required startup gate that refuses to run without a valid signed JWT.

  • Helm chart in the FlowGuard distribution — `helm install flowguard`
  • Hot-reload license without pod restart (sales rotates the JWT)
  • Works on air-gapped clusters; phone-home disabled by default
  • Enterprise only

Behind your firewall

Air-gapped operation for regulated environments. Run the agent on a laptop, build server, or on-prem VM. Bring your own AI endpoint (Azure AI Foundry, AWS Bedrock, or self-hosted Claude). Nothing FlowGuard runs needs egress to the public internet — your code, your screenshots, and your test results stay on your network.

  • Enterprise only
  • BYO AI endpoint via OpenAI-compatible API
  • Combines with self-hosted Kubernetes for a fully isolated stack

Choosing a mode

| If… | Pick |
| --- | --- |
| Your apps are public-internet reachable | Our cloud |
| Standardized on AWS, want everything in one bill | Your cloud — AWS (Terraform) |
| Already on Azure with Entra ID + Defender | Your cloud — Azure (Bicep) |
| Staging is locked to internal IPs | Your cloud (or run the agent in your network in Listen mode) |
| Kubernetes is the deployment standard at your org | Self-hosted Kubernetes (Helm) |
| EU data residency mandated by contract | Our cloud — West Europe region |
| Compliance bars data leaving your network | Behind your firewall |
| Already paying for Bedrock / Foundry | Behind your firewall — point us at it |
| Want the lowest setup cost | Our cloud |

CI/CD: post-deploy runs

The most common production setup is to fire FlowGuard runs from your deploy pipeline. Use Listen mode (recommended) or trigger the CLI directly.

.github/workflows/post-deploy-uat.yml

```yaml
# Step inside the job that deployed the build. It assumes an earlier step
# with `id: deploy` that publishes the deployed URL as the `url` output.
- name: Run FlowGuard smoke suite
  run: |
    dotnet tool install --global FlowGuard.Agent
    flowguard run \
      --app-id ${{ secrets.FLOWGUARD_APP_ID }} \
      --tag smoke \
      --base-url ${{ steps.deploy.outputs.url }} \
      --fail-on-failure
```

--fail-on-failure exits non-zero on any failed flow, blocking the deploy. Tags let you scope to a smoke suite for fast feedback and run the full regression set on a slower path.

Single Sign-On + SCIM

SSO (OIDC): OIDC is configured per tenant under Settings → Identity. You provide the issuer URL, audience, an optional JWKS URI, and claim mappings. The default mappings work for Microsoft Entra ID, Okta, Google Workspace, JumpCloud, and OneLogin out of the box.

SCIM 2.0: external IdPs provision and deprovision FlowGuard members via /scim/v2/Users. Per-tenant Bearer tokens are generated under Settings → Identity → SCIM tokens — the plaintext is shown once; only its SHA-256 hash is stored. New users are provisioned as Viewer by default; Owners promote them from the team UI after first sign-in. Deprovisioning is a soft delete (preserves audit log references).
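An added example (not FlowGuard's code) of the token handling described above: the tenant store keeps only the SHA-256 of each SCIM bearer token, and a call to /scim/v2/Users is authorized by hashing the presented token and comparing digests in constant time. The type and function names and the `fg_scim_` prefix are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// ScimTokenRecord is what the tenant token store keeps: a label and the SHA-256
// of the token, never the plaintext. (Hypothetical type for this example.)
type ScimTokenRecord struct {
	Label string
	Hash  [32]byte
}

// IssueScimToken mints a random bearer token. The plaintext is returned once,
// for display to the Owner; only the record (hash) goes into the store.
func IssueScimToken(label string) (string, ScimTokenRecord, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", ScimTokenRecord{}, err
	}
	plaintext := "fg_scim_" + hex.EncodeToString(raw) // constructed prefix, not FlowGuard's
	return plaintext, ScimTokenRecord{Label: label, Hash: sha256.Sum256([]byte(plaintext))}, nil
}

// AuthorizeScimRequest checks the Authorization header of an IdP call to
// /scim/v2/Users against the stored hashes and returns the matching label.
func AuthorizeScimRequest(authHeader string, store []ScimTokenRecord) (string, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return "", errors.New("missing bearer token")
	}
	// Hash the presented token and compare digests in constant time, so a
	// mismatch costs the same whether the first or the last byte differs.
	presented := sha256.Sum256([]byte(authHeader[len(prefix):]))
	for _, rec := range store {
		if subtle.ConstantTimeCompare(presented[:], rec.Hash[:]) == 1 {
			return rec.Label, nil
		}
	}
	return "", errors.New("invalid SCIM token")
}
```

A leaked copy of the store is not enough to call the endpoint: the stored hash itself does not authorize.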

Both SSO and SCIM are included on Business and Enterprise. Once OIDC is enabled, password login is disabled for your tenant — make sure at least one Owner has access via the IdP before flipping the switch.

Enterprise licensing (self-hosted)

Self-hosted deployments validate a signed JWT license at startup using an embedded RS256 public key — no phone-home required for air-gapped customers. The token grants tier, seats, and a list of features, and expires on a date set by sales.

Rotate the license without a pod restart by POSTing the new JWT to /api/v1/platform/licenses/on-prem/reload. The swap is atomic; if the new token fails validation, the old license stays active. Owners are emailed at 30/7/1-day expiry thresholds. Revoked licenses are blocked even when the JWT signature is still valid (revocation list checked on every gated request).