These docs cover the S6S workflow engine — the developer playground layer underneath the product. For the main AI Visibility product (brand monitoring, the unified Report, fix actions), start at /docs/ai-visibility.

Self-Hosting

Run S6S on your own infrastructure. Full control over data, credentials, and execution.

Overview

S6S is open-core (BSL 1.1) and can be self-hosted on any machine that runs Docker or Node.js. There are two ways to get started:

  • Docker Compose (recommended) — three commands, everything included.
  • Manual setup — install Node.js, pnpm, and PostgreSQL yourself.

Cloud vs Self-hosted

Self-hosted (open-source)

  • 32 node types, 23 executors (Slack, Gmail, YouTube, Buffer, HTTP, Database, AI agent…)
  • Full compilation pipeline, worker daemon, scheduling
  • REST API, TypeScript SDK, MCP server
  • Canvas editor, chat builder (BYOLLM)
  • OAuth + API key credential management
  • action.http for calling any REST API

S6S Cloud Cloud

  • Everything in self-hosted, plus:
  • AI Visibility Monitor (track brand mentions across AI engines)
  • Dynamic integration learning (unknown APIs auto-discovered)
  • Managed LLM for Ali — no keys needed
  • Hosted infrastructure, zero ops

Docker Compose (recommended)

The fastest way to run S6S. Three commands and you are up:

Terminal
git clone https://github.com/Sawan6/S6S-ai.git
cd S6S-ai
docker compose up -d

This starts:

  • PostgreSQL 16 with a persistent volume for data durability.
  • S6S (API server + worker daemon) on port 3000.
  • Migrations run automatically and demo workflows are seeded on first start.

Open http://localhost:3000 to access the dashboard.

Configuration

Create a .env file in the project root to override defaults. Docker Compose reads it automatically.

Core

VariableRequiredDefaultDescription
DATABASE_URLAuto(docker internal)PostgreSQL connection string. Set automatically by Docker Compose.
S6S_CREDENTIAL_ENCRYPTION_KEYYesAES-256 key for encrypting stored credentials. Generate with openssl rand -hex 32.
S6S_LIVE_EXECUTIONNofalseEnable real external API calls (HTTP, Slack, Telegram, etc.). When false, integration steps return mock responses.
S6S_AUTH_DISABLEDNotrueBypass authentication. Set to false in production.
S6S_JWT_SECRETProdJWT session signing secret. Required when auth is enabled.
S6S_BASE_URLProdhttp://localhost:3000Public-facing URL. Used for webhook endpoints, OAuth callbacks, and MCP server configuration.

Authentication (OAuth sign-in)

VariableRequiredDescription
OAUTH_GOOGLE_CLIENT_IDNoGoogle OAuth client ID for sign-in and Google integrations (Drive, Sheets, Gmail).
OAUTH_GOOGLE_CLIENT_SECRETNoGoogle OAuth client secret.
GITHUB_CLIENT_IDNoGitHub OAuth client ID for sign-in.
GITHUB_CLIENT_SECRETNoGitHub OAuth client secret.

AI / LLM (chat builder + action.ai steps)

VariableRequiredDescription
S6S_OPENAI_API_KEYNoOpenAI API key. Powers the chat workflow builder and action.ai workflow steps (in-workflow LLM calls).
S6S_ANTHROPIC_API_KEYNoAnthropic API key. Alternative to OpenAI for the chat builder and action.ai steps.

Without an LLM key, workflows can still be deployed and executed via the API, SDK, or MCP — as long as they don't include action.ai steps. The LLM is needed for the chat builder and any workflow step that makes an in-workflow LLM call.

Credential Layers

S6S has four distinct credential layers. Understanding these is important for self-hosters.

1. Platform authentication (signing into S6S)

These let users log into the S6S dashboard via Google or GitHub OAuth. Optional — you can skip this entirely with S6S_AUTH_DISABLED=true for internal use or use email/password auth.

To enable Google sign-in, create an OAuth 2.0 Client ID in the Google Cloud Console and set the callback URL to:

http://localhost:3000/api/auth/google/callback
# In production, replace with your S6S_BASE_URL:
https://workflows.mycompany.com/api/auth/google/callback

GitHub sign-in follows the same pattern — create an OAuth App in GitHub Developer Settings with callback URL {S6S_BASE_URL}/api/auth/github/callback.

2. Integration OAuth (connecting external services)

When a workflow needs to call Google Drive, Slack, YouTube, etc., users connect their accounts via OAuth. As a self-hoster, you need to create your own OAuth app for each service your users want to connect.

S6S uses a naming convention for integration OAuth env vars:

.env
# Google integrations (Drive, Sheets, YouTube)
# Same credentials as Google sign-in — just enable
# additional scopes in the OAuth consent screen.
OAUTH_GOOGLE_CLIENT_ID=your-client-id
OAUTH_GOOGLE_CLIENT_SECRET=your-client-secret

# Slack
OAUTH_SLACK_CLIENT_ID=your-client-id
OAUTH_SLACK_CLIENT_SECRET=your-client-secret

# General pattern:
# OAUTH_{PROVIDER}_CLIENT_ID=...
# OAUTH_{PROVIDER}_CLIENT_SECRET=...

If a user tries to connect a provider that is not configured, S6S returns a clear error message indicating which environment variable to set.

Note: Google sign-in and Google integrations share the same OAUTH_GOOGLE_* credentials. Make sure your OAuth app has the right scopes enabled (Drive, YouTube, Sheets) in the Google Cloud Console under "OAuth consent screen".

3. API key credentials (user-managed)

Many integrations (Buffer, Telegram, Notion, OpenAI, etc.) use API keys instead of OAuth. Users paste their own API keys into the S6S credentials page at /credentials, and S6S stores them encrypted with your S6S_CREDENTIAL_ENCRYPTION_KEY.

This requires no configuration from you as a self-hoster — it is entirely user-managed. When a workflow is deployed that needs credentials, the deploy response includes missing_credentials with a connect_url and setup instructions for each provider.

4. LLM keys (chat builder + action.ai)

S6S uses an LLM for two things: the chat workflow builder (natural-language UI for creating workflows) and action.ai steps that make in-workflow LLM calls (e.g. summarize, classify, extract). Configure via environment variables or the Settings UI at /settings.

Without an LLM key, workflows that don't use action.ai steps can still be deployed and executed via the API, SDK, or MCP.

Cloud-only features: The AI Visibility Monitor is available exclusively on S6S Cloud. The self-hosted version includes the core workflow engine, all 32 node types, API, SDK, and MCP server.

Production Checklist

Before exposing S6S to the internet, work through this checklist:

S6S_CREDENTIAL_ENCRYPTION_KEY

Generate a strong key with openssl rand -hex 32. Never use the default.

S6S_AUTH_DISABLED=false

Disable the auth bypass. Configure at least one OAuth provider or use email/password auth.

S6S_JWT_SECRET

Set a strong, random secret for signing JWT session tokens.

S6S_BASE_URL

Set to your public-facing URL (e.g. https://workflows.mycompany.com). Required for webhooks and OAuth callbacks.

S6S_LIVE_EXECUTION=true

Enable real API calls. Without this, integration steps return mock responses.

Reverse proxy (TLS)

Put nginx, Caddy, or Traefik in front of S6S for HTTPS. S6S itself serves HTTP on port 3000.

Back up pgdata volume

Schedule regular backups of the PostgreSQL data volume. All workflows, runs, and credentials live here.

Manual Setup (without Docker)

Prerequisites

  • Node.js 22+
  • pnpm 10+
  • PostgreSQL 14+

Step-by-step

Terminal
# Clone and install
git clone https://github.com/Sawan6/S6S-ai.git
cd S6S-ai
pnpm install

# Configure environment
cp .env.example .env
# Edit .env — set DATABASE_URL to your PostgreSQL instance

# Run database migrations
npx tsx scripts/auto-migrate.ts

# Build all packages
pnpm -r build

# Seed demo workflows (optional)
pnpm db:seed

# Start the API server (port 3000)
pnpm dev:web

# In a separate terminal, start the worker daemon
pnpm worker:daemon

Both the API server and the worker daemon must be running for workflows to execute. In production, run them as separate processes or systemd services.

Worker Daemon

The worker daemon is the process that actually executes workflows. It uses PostgreSQL LISTEN/NOTIFY for instant wake-up when new runs are created, with adaptive polling (1s–10s) as fallback. It also checks cron schedules every 60 seconds and reaps stale runs.

The worker must be running for workflows to execute. In Docker Compose it starts automatically. For manual setups, run it as a separate process:

NODE_ENV=production npx tsx scripts/worker-daemon.ts

Worker configuration

VariableDefaultDescription
S6S_WORKER_OWNERworker-mainWorker identity for run leasing. Use unique values when running multiple workers.
S6S_WORKER_MAX_RUNS10Maximum runs processed per tick.
S6S_DAEMON_POLL_MIN_MS1000Minimum poll interval in milliseconds.
S6S_DAEMON_POLL_MAX_MS10000Maximum poll interval in milliseconds. The daemon adapts between min and max based on activity.
S6S_DAEMON_SCHEDULE_INTERVAL_MS60000How often to check for scheduled workflows (cron triggers).

Database

S6S requires PostgreSQL (14 or newer). Migrations live in packages/persistence/migrations/ and are applied by auto-migrate.ts, which tracks applied migrations in a _migrations table and applies new ones idempotently.

Connecting to an external database

To use a managed PostgreSQL instance (e.g. Supabase, Neon, RDS), set DATABASE_URL in your environment:

DATABASE_URL=postgresql://user:password@host:5432/s6s?sslmode=require

Running migrations manually

npx tsx scripts/auto-migrate.ts

In Docker Compose, migrations run automatically on container startup.

Health Checks

S6S exposes a /healthz endpoint for monitoring:

StatusHTTPMeaning
ok200All systems healthy. Database is reachable.
degraded503Database is unreachable. The API is up but cannot process requests.
Example
curl http://localhost:3000/healthz
# {"status":"ok","version":"1.0.0","uptime":12345}

Use this endpoint for load balancer health checks, Docker HEALTHCHECK, and container orchestration liveness probes.

Upgrading

To upgrade to the latest version:

Docker Compose
git pull
docker compose build
docker compose up -d

Migrations run automatically on startup. The seed script is idempotent and will not duplicate demo workflows.

Manual setup
git pull
pnpm install
npx tsx scripts/auto-migrate.ts
pnpm -r build
# Restart the API server and worker daemon

MCP Server for Self-Hosted Instances

The S6S MCP server lets AI agents (Claude Desktop, Claude Code, Cursor, etc.) deploy and manage workflows. To point it at your self-hosted instance, set S6S_BASE_URL in the MCP config:

Claude Desktop / Claude Code / Cursor — MCP config
{
  "mcpServers": {
    "s6s": {
      "command": "npx",
      "args": ["@s6s/mcp-server"],
      "env": {
        "S6S_API_KEY": "s6s_your_key_here",
        "S6S_BASE_URL": "https://workflows.mycompany.com"
      }
    }
  }
}

Replace https://workflows.mycompany.com with your actual S6S_BASE_URL. The MCP server defaults to https://s6s.ai if not set.

Next Steps

Need help?

Open an issue on GitHub or join the community for self-hosting support.