These docs cover the S6S workflow engine — the developer playground layer underneath the product. For the main AI Visibility product (brand monitoring, the unified Report, fix actions), start at /docs/ai-visibility.
Self-Hosting
Run S6S on your own infrastructure. Full control over data, credentials, and execution.
Overview
S6S is open-core (BSL 1.1) and can be self-hosted on any machine that runs Docker or Node.js. There are two ways to get started:
- Docker Compose (recommended) — three commands, everything included.
- Manual setup — install Node.js, pnpm, and PostgreSQL yourself.
Cloud vs Self-hosted
Self-hosted (open-source)
- 32 node types, 23 executors (Slack, Gmail, YouTube, Buffer, HTTP, Database, AI agent…)
- Full compilation pipeline, worker daemon, scheduling
- REST API, TypeScript SDK, MCP server
- Canvas editor, chat builder (BYOLLM)
- OAuth + API key credential management
action.httpfor calling any REST API
S6S Cloud Cloud
- Everything in self-hosted, plus:
- AI Visibility Monitor (track brand mentions across AI engines)
- Dynamic integration learning (unknown APIs auto-discovered)
- Managed LLM for Ali — no keys needed
- Hosted infrastructure, zero ops
Docker Compose (recommended)
The fastest way to run S6S. Three commands and you are up:
git clone https://github.com/Sawan6/S6S-ai.git cd S6S-ai docker compose up -d
This starts:
- PostgreSQL 16 with a persistent volume for data durability.
- S6S (API server + worker daemon) on port
3000. - Migrations run automatically and demo workflows are seeded on first start.
Open http://localhost:3000 to access the dashboard.
Configuration
Create a .env file in the project root to override defaults. Docker Compose reads it automatically.
Core
| Variable | Required | Default | Description |
|---|---|---|---|
| DATABASE_URL | Auto | (docker internal) | PostgreSQL connection string. Set automatically by Docker Compose. |
| S6S_CREDENTIAL_ENCRYPTION_KEY | Yes | — | AES-256 key for encrypting stored credentials. Generate with openssl rand -hex 32. |
| S6S_LIVE_EXECUTION | No | false | Enable real external API calls (HTTP, Slack, Telegram, etc.). When false, integration steps return mock responses. |
| S6S_AUTH_DISABLED | No | true | Bypass authentication. Set to false in production. |
| S6S_JWT_SECRET | Prod | — | JWT session signing secret. Required when auth is enabled. |
| S6S_BASE_URL | Prod | http://localhost:3000 | Public-facing URL. Used for webhook endpoints, OAuth callbacks, and MCP server configuration. |
Authentication (OAuth sign-in)
| Variable | Required | Description |
|---|---|---|
| OAUTH_GOOGLE_CLIENT_ID | No | Google OAuth client ID for sign-in and Google integrations (Drive, Sheets, Gmail). |
| OAUTH_GOOGLE_CLIENT_SECRET | No | Google OAuth client secret. |
| GITHUB_CLIENT_ID | No | GitHub OAuth client ID for sign-in. |
| GITHUB_CLIENT_SECRET | No | GitHub OAuth client secret. |
AI / LLM (chat builder + action.ai steps)
| Variable | Required | Description |
|---|---|---|
| S6S_OPENAI_API_KEY | No | OpenAI API key. Powers the chat workflow builder and action.ai workflow steps (in-workflow LLM calls). |
| S6S_ANTHROPIC_API_KEY | No | Anthropic API key. Alternative to OpenAI for the chat builder and action.ai steps. |
Without an LLM key, workflows can still be deployed and executed via the API, SDK, or MCP — as long as they don't include action.ai steps. The LLM is needed for the chat builder and any workflow step that makes an in-workflow LLM call.
Credential Layers
S6S has four distinct credential layers. Understanding these is important for self-hosters.
1. Platform authentication (signing into S6S)
These let users log into the S6S dashboard via Google or GitHub OAuth. Optional — you can skip this entirely with S6S_AUTH_DISABLED=true for internal use or use email/password auth.
To enable Google sign-in, create an OAuth 2.0 Client ID in the Google Cloud Console and set the callback URL to:
http://localhost:3000/api/auth/google/callback # In production, replace with your S6S_BASE_URL: https://workflows.mycompany.com/api/auth/google/callback
GitHub sign-in follows the same pattern — create an OAuth App in GitHub Developer Settings with callback URL {S6S_BASE_URL}/api/auth/github/callback.
2. Integration OAuth (connecting external services)
When a workflow needs to call Google Drive, Slack, YouTube, etc., users connect their accounts via OAuth. As a self-hoster, you need to create your own OAuth app for each service your users want to connect.
S6S uses a naming convention for integration OAuth env vars:
# Google integrations (Drive, Sheets, YouTube)
# Same credentials as Google sign-in — just enable
# additional scopes in the OAuth consent screen.
OAUTH_GOOGLE_CLIENT_ID=your-client-id
OAUTH_GOOGLE_CLIENT_SECRET=your-client-secret
# Slack
OAUTH_SLACK_CLIENT_ID=your-client-id
OAUTH_SLACK_CLIENT_SECRET=your-client-secret
# General pattern:
# OAUTH_{PROVIDER}_CLIENT_ID=...
# OAUTH_{PROVIDER}_CLIENT_SECRET=...If a user tries to connect a provider that is not configured, S6S returns a clear error message indicating which environment variable to set.
Note: Google sign-in and Google integrations share the same OAUTH_GOOGLE_* credentials. Make sure your OAuth app has the right scopes enabled (Drive, YouTube, Sheets) in the Google Cloud Console under "OAuth consent screen".
3. API key credentials (user-managed)
Many integrations (Buffer, Telegram, Notion, OpenAI, etc.) use API keys instead of OAuth. Users paste their own API keys into the S6S credentials page at /credentials, and S6S stores them encrypted with your S6S_CREDENTIAL_ENCRYPTION_KEY.
This requires no configuration from you as a self-hoster — it is entirely user-managed. When a workflow is deployed that needs credentials, the deploy response includes missing_credentials with a connect_url and setup instructions for each provider.
4. LLM keys (chat builder + action.ai)
S6S uses an LLM for two things: the chat workflow builder (natural-language UI for creating workflows) and action.ai steps that make in-workflow LLM calls (e.g. summarize, classify, extract). Configure via environment variables or the Settings UI at /settings.
Without an LLM key, workflows that don't use action.ai steps can still be deployed and executed via the API, SDK, or MCP.
Cloud-only features: The AI Visibility Monitor is available exclusively on S6S Cloud. The self-hosted version includes the core workflow engine, all 32 node types, API, SDK, and MCP server.
Production Checklist
Before exposing S6S to the internet, work through this checklist:
S6S_CREDENTIAL_ENCRYPTION_KEYGenerate a strong key with openssl rand -hex 32. Never use the default.
S6S_AUTH_DISABLED=falseDisable the auth bypass. Configure at least one OAuth provider or use email/password auth.
S6S_JWT_SECRETSet a strong, random secret for signing JWT session tokens.
S6S_BASE_URLSet to your public-facing URL (e.g. https://workflows.mycompany.com). Required for webhooks and OAuth callbacks.
S6S_LIVE_EXECUTION=trueEnable real API calls. Without this, integration steps return mock responses.
Reverse proxy (TLS)Put nginx, Caddy, or Traefik in front of S6S for HTTPS. S6S itself serves HTTP on port 3000.
Back up pgdata volumeSchedule regular backups of the PostgreSQL data volume. All workflows, runs, and credentials live here.
Manual Setup (without Docker)
Prerequisites
- Node.js 22+
- pnpm 10+
- PostgreSQL 14+
Step-by-step
# Clone and install git clone https://github.com/Sawan6/S6S-ai.git cd S6S-ai pnpm install # Configure environment cp .env.example .env # Edit .env — set DATABASE_URL to your PostgreSQL instance # Run database migrations npx tsx scripts/auto-migrate.ts # Build all packages pnpm -r build # Seed demo workflows (optional) pnpm db:seed # Start the API server (port 3000) pnpm dev:web # In a separate terminal, start the worker daemon pnpm worker:daemon
Both the API server and the worker daemon must be running for workflows to execute. In production, run them as separate processes or systemd services.
Worker Daemon
The worker daemon is the process that actually executes workflows. It uses PostgreSQL LISTEN/NOTIFY for instant wake-up when new runs are created, with adaptive polling (1s–10s) as fallback. It also checks cron schedules every 60 seconds and reaps stale runs.
The worker must be running for workflows to execute. In Docker Compose it starts automatically. For manual setups, run it as a separate process:
NODE_ENV=production npx tsx scripts/worker-daemon.ts
Worker configuration
| Variable | Default | Description |
|---|---|---|
| S6S_WORKER_OWNER | worker-main | Worker identity for run leasing. Use unique values when running multiple workers. |
| S6S_WORKER_MAX_RUNS | 10 | Maximum runs processed per tick. |
| S6S_DAEMON_POLL_MIN_MS | 1000 | Minimum poll interval in milliseconds. |
| S6S_DAEMON_POLL_MAX_MS | 10000 | Maximum poll interval in milliseconds. The daemon adapts between min and max based on activity. |
| S6S_DAEMON_SCHEDULE_INTERVAL_MS | 60000 | How often to check for scheduled workflows (cron triggers). |
Database
S6S requires PostgreSQL (14 or newer). Migrations live in packages/persistence/migrations/ and are applied by auto-migrate.ts, which tracks applied migrations in a _migrations table and applies new ones idempotently.
Connecting to an external database
To use a managed PostgreSQL instance (e.g. Supabase, Neon, RDS), set DATABASE_URL in your environment:
DATABASE_URL=postgresql://user:password@host:5432/s6s?sslmode=require
Running migrations manually
npx tsx scripts/auto-migrate.ts
In Docker Compose, migrations run automatically on container startup.
Health Checks
S6S exposes a /healthz endpoint for monitoring:
| Status | HTTP | Meaning |
|---|---|---|
| ok | 200 | All systems healthy. Database is reachable. |
| degraded | 503 | Database is unreachable. The API is up but cannot process requests. |
curl http://localhost:3000/healthz
# {"status":"ok","version":"1.0.0","uptime":12345}Use this endpoint for load balancer health checks, Docker HEALTHCHECK, and container orchestration liveness probes.
Upgrading
To upgrade to the latest version:
git pull docker compose build docker compose up -d
Migrations run automatically on startup. The seed script is idempotent and will not duplicate demo workflows.
git pull pnpm install npx tsx scripts/auto-migrate.ts pnpm -r build # Restart the API server and worker daemon
MCP Server for Self-Hosted Instances
The S6S MCP server lets AI agents (Claude Desktop, Claude Code, Cursor, etc.) deploy and manage workflows. To point it at your self-hosted instance, set S6S_BASE_URL in the MCP config:
{
"mcpServers": {
"s6s": {
"command": "npx",
"args": ["@s6s/mcp-server"],
"env": {
"S6S_API_KEY": "s6s_your_key_here",
"S6S_BASE_URL": "https://workflows.mycompany.com"
}
}
}
}Replace https://workflows.mycompany.com with your actual S6S_BASE_URL. The MCP server defaults to https://s6s.ai if not set.