Before you start
- Docker 24.0+ with Compose v2 (see Requirements)
- Outbound HTTPS to api.guardway.ai and to whichever LLM provider APIs you plan to use
- An inbound port on the gateway host (default 8080) reachable from the machine running the dashboard — LAN address is fine
Step 1 — Generate a registration token
In the dashboard, open Gateways and click Register New Gateway. The dialog generates a token valid for 1 hour and shows you the full docker run command with the token already inlined.

Step 2 — Run the container
On the host where you want the gateway to live:

Required environment variables
| Variable | Purpose |
|---|---|
| GUARDWAY_REGISTRATION_TOKEN | One-time pairing token from the dashboard. Used exactly once; the gateway persists long-lived credentials after first boot. |
| GUARDWAY_CLOUD_ENABLED | Set to true to register the gateway with the Guardway control plane. |
| GUARDWAY_CLOUD_URL | Control-plane URL. Default https://api.guardway.ai for SaaS customers. |
Step 3 — Verify it started
The gateway logs should show "registered with control plane" followed by a heartbeat line every few seconds. The gateway is now ready for the dashboard to connect.
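
Steps 2 and 3 as a script, added here as an example and not Guardway's own tooling: it starts the container without putting the one-time token on the command line, then polls the logs for the registration line followed by a heartbeat. The image reference (GUARDWAY_IMAGE), the container name, the volume name, the container-side port and the word "heartbeat" in the log line are assumptions, not values from this page.

```shell
#!/bin/sh
# Assumptions (not from the page): GUARDWAY_IMAGE holds the image reference
# from the dashboard's generated command, the container is named
# guardway-gateway, it listens on 8080 inside the container, and heartbeat
# log lines contain the word "heartbeat".

start_gateway() {
  if [ -z "${GUARDWAY_IMAGE:-}" ] || [ -z "${GUARDWAY_REGISTRATION_TOKEN:-}" ]; then
    echo "set GUARDWAY_IMAGE and GUARDWAY_REGISTRATION_TOKEN first" >&2
    return 1
  fi
  export GUARDWAY_REGISTRATION_TOKEN
  # "-e NAME" without a value copies NAME from this shell's environment, so
  # the token stays out of the docker command line and the process list.
  docker run -d --name guardway-gateway \
    -p 8080:8080 \
    -v guardway-data:/var/lib/guardway \
    -e GUARDWAY_REGISTRATION_TOKEN \
    -e GUARDWAY_CLOUD_ENABLED=true \
    -e GUARDWAY_CLOUD_URL=https://api.guardway.ai \
    "$GUARDWAY_IMAGE"
}

# Reads log text on stdin. Succeeds only when a heartbeat line appears after
# the registration line, so a gateway that never registered is not reported
# as ready.
registered_and_beating() {
  awk '/registered with control plane/ { reg = 1; next }
       reg && /heartbeat/ { ok = 1 }
       END { exit (ok ? 0 : 1) }'
}

# Polls the container logs until registration is confirmed or the timeout
# (seconds, default 60) expires.
wait_for_registration() {
  deadline=$(( $(date +%s) + ${1:-60} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if docker logs guardway-gateway 2>&1 | registered_and_beating; then
      return 0
    fi
    sleep 2
  done
  echo "gateway did not register in time" >&2
  return 1
}
```

Export the token in the current shell session, call start_gateway, then wait_for_registration; the token can be unset afterwards because it is used exactly once.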
What comes next
Activate the gateway
Point the dashboard at the running gateway and confirm it’s online.
Production notes
TLS and reverse proxies
For production, put a reverse proxy (nginx, Caddy, an ALB) in front of the gateway with a real certificate. The gateway itself can also terminate TLS — see Environment variables.
Persistence
Mount a volume at /var/lib/guardway to persist local state (audit logs, cache, keys) across container restarts.
Kubernetes, ECS, Nomad
The image is a regular container and runs in any orchestrator. Treat GUARDWAY_REGISTRATION_TOKEN as a one-time secret; once the gateway has registered, you can remove it from subsequent manifests.