Self-Hosted
Herald is available as a Docker image for teams that need to run it on their own infrastructure. The self-hosted version has the same features as the managed service.
Docker images
Herald uses compile-time feature flags to produce different images. Pick the one that matches the engines you need.
| Image | Engines |
|---|---|
| herald/herald | Transport only |
| herald/chat | Transport + Chat |
| herald/presence | Transport + Presence |
| herald/social | Transport + Chat + Presence (default) |
Quick start
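```bash
docker run -d \
  --name herald \
  -p 4000:4000 \
  -e SHROUDB_MASTER_KEY=$(openssl rand -hex 32) \
  herald/social
```
Herald starts on port 4000. A default tenant is created on first boot. No external database is required; storage is an encrypted WAL on disk.
This command generates the master key inline and mounts no volume, so save the key (the WAL is encrypted with it) and mount /data as in the Compose file below if the data must survive the container.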
Docker Compose
```yaml
services:
  herald:
    image: herald/social
    ports:
      - "4000:4000"
    environment:
      SHROUDB_MASTER_KEY: ${SHROUDB_MASTER_KEY}
    volumes:
      - herald_data:/data

volumes:
  herald_data:
```
Server configuration
Self-hosted Herald reads configuration from a TOML file (default herald.toml) and environment variables. The only required environment variable is SHROUDB_MASTER_KEY, the WAL encryption key: 32 bytes, hex-encoded (the 64 hex characters that openssl rand -hex 32 produces).
Server
```toml
[server]
host = "0.0.0.0"
port = 4000
max_connections = 10000
```
Storage
```toml
[store]
path = "/data/herald"
event_ttl_days = 7
```
Authentication
```toml
[auth]
password = "admin-secret" # admin API bearer token
token_ttl_secs = 3600
token_warning_secs = 60
```
Webhooks
```toml
[webhook]
url = "https://your-app.com/webhooks/herald"
secret = "webhook-signing-secret"
timeout_ms = 5000
max_retries = 3
```
TLS
```toml
[tls]
enabled = false
cert_path = "/certs/herald.crt"
key_path = "/certs/herald.key"
```
Presence
```toml
[presence]
linger_secs = 10
override_ttl_secs = 14400
heartbeat_interval = 30
heartbeat_timeout = 10
```
Health checks
| Endpoint | Description |
|---|---|
| GET /health | Overall health |
| GET /health/live | Liveness probe |
| GET /health/ready | Readiness probe |
Metrics
Prometheus metrics are exposed at /metrics without authentication, so restrict access to that path at the network or reverse-proxy layer.
| Metric | Type | Description |
|---|---|---|
| herald_connections_total | Gauge | Active WebSocket connections |
| herald_streams_total | Gauge | Active streams |
| herald_events_sent_total | Counter | Events delivered |
| herald_events_dropped_total | Counter | Events dropped (backpressure) |
| herald_ws_auth_failures_total | Counter | Failed auth attempts |
| herald_uptime_seconds | Gauge | Server uptime |
| herald_event_store_seconds | Histogram | WAL write latency |
| herald_event_fanout_seconds | Histogram | Fan-out delivery latency |
Admin API
Self-hosted deployments expose an admin API for multi-tenant management. Authenticate with the auth.password bearer token.
| Method | Endpoint | Description |
|---|---|---|
| POST | /admin/tenants | Create a tenant |
| GET | /admin/tenants | List tenants |
| GET | /admin/tenants/:id | Tenant details |
| PATCH | /admin/tenants/:id | Update tenant |
| DELETE | /admin/tenants/:id | Delete tenant |
| GET | /admin/connections | Active connections |
| GET | /admin/stats | Platform statistics |
| GET | /admin/audit | Audit log |