Deployment
Backend
Required Configuration
Security note: Do not commit sensitive credentials (JWT keys, OAuth secrets, DB/Redis passwords, email API keys) directly in .yaml files. Keep safe defaults/placeholders in config.yaml and override real secrets from .env (or your deployment secret manager) at runtime.
Use the following .yaml config sections from Backend/config.yaml:
- app: port, name, dev, debug, domain, secure_cookies
- db: dns
- redis: address, password, db, pool_size, min_idle_conns, dial_timeout, read_timeout, write_timeout, pool_timeout, max_retries
- rate_limiter.auth: limit, window
- rate_limiter.api_key: max_keys_per_user, daily_limit
- jwt_config: access_key, refresh_key, access_ttl, refresh_ttl
- google_oauth: client_id, client_secret, redirect_url, user_url
- github_oauth: client_id, client_secret, redirect_url, user_url
- email: username, api_key
Example skeleton:
# IMPORTANT:
# Do not put real secrets in this file.
# Use environment variables or a local .env file to override sensitive values.
# This YAML is only a public-safe structure/template for configuration keys.
app:
  name: spidergo
  port: "8080"
  env: development
  debug: true
  domain: localhost
  secure_cookies: false
db:
  dns: postgres://postgres:postgres@localhost:5432/spidergo?sslmode=disable
redis:
  address: localhost:6379
  password: ""
  db: 0
  pool_size: 10
  min_idle_conns: 2
  dial_timeout: 5s
  read_timeout: 3s
  write_timeout: 3s
  pool_timeout: 4s
  max_retries: 2
security:
  min_entropy_bits: 30
rate_limiter:
  auth:
    limit: 5
    window: 1m
  trial:
    limit: 3
    window: 0s
  api_key:
    max_keys_per_user: 3
    daily_limit: 1000
jwt_config:
  access_key: replace-from-env
  refresh_key: replace-from-env
  access_ttl: 10m
  refresh_ttl: 48h
google_oauth:
  client_id: replace-from-env
  client_secret: replace-from-env
  redirect_url: http://localhost:8080/auth/google/callback
  user_url: https://www.googleapis.com/oauth2/v3/userinfo
  scopes:
    - openid
    - email
    - profile
github_oauth:
  client_id: replace-from-env
  client_secret: replace-from-env
  redirect_url: http://localhost:8080/auth/github/callback
  user_url: https://api.github.com/user
  scopes:
    - read:user
    - user:email
# email sending is using render
email:
  username: replace-from-env
  api_key: replace-from-env
crawler:
  max_depth: 3
  max_pages: 10
  max_concurrency: 10
scraper:
  max_links_per_page: 100
  max_images_per_page: 50
  max_products_per_page: 20
CORS
The backend allows the configured domain plus the production origins listed in main.go.
When deploying, ensure:
- frontend origin is included
- secure cookies and same-site settings match HTTPS behavior
Runtime Dependencies
- PostgreSQL must be reachable
- Redis must be reachable
- OAuth credentials must be valid
- email API key must be configured for verification/reset workflows
Frontend
Set Vite environment variables at build time:
VITE_API_BASE_URL=https://api.your-domain.com
Deploy static build output produced by:
npm run build
Docs (Next.js)
Docs app requires standard Next.js deployment.
cd docs/spider-go
npm run build
npm run start
If AI docs assistant is enabled, set OPENAI_API_KEY for docs runtime.
Production Hardening Checklist
- Enable HTTPS on all public endpoints.
- Set secure_cookies=true in backend config.
- Use strong JWT keys and rotate secrets.
- Restrict CORS to trusted domains only.
- Monitor 429 rates for auth and trial endpoints.
- Set sensible Redis and DB resource limits.
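A preflight check for several items in the checklist above, written in Go as an added example (not the project's own code). The Config type, the Findings function and the 32-byte JWT key floor are assumptions for illustration; the sample in main is constructed from the skeleton's development defaults.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Config holds resolved values (YAML plus env overrides). Hypothetical type.
type Config struct {
	Debug, SecureCookies bool
	DSN                  string      // db.dns
	Secrets              [][2]string // {YAML path, resolved value}
	RedirectURLs         []string    // *_oauth.redirect_url
}
const placeholder = "replace-from-env" // template value used in the skeleton
const minJWTKey = 32                   // assumed floor in bytes, not from the page
// Findings returns one message per setting that is unsafe for production.
func Findings(c Config) []string {
	var out []string
	flag := func(bad bool, msg string) {
		if bad {
			out = append(out, msg)
		}
	}
	flag(c.Debug, "app.debug is true")
	flag(!c.SecureCookies, "app.secure_cookies is false")
	u, err := url.Parse(c.DSN)
	flag(err != nil || u.Query().Get("sslmode") == "disable", "db.dns is unparsable or sets sslmode=disable")
	for _, s := range c.Secrets {
		if s[1] == "" || s[1] == placeholder {
			out = append(out, s[0]+" is empty or still the template placeholder")
		} else if strings.HasPrefix(s[0], "jwt_config.") && len(s[1]) < minJWTKey {
			out = append(out, s[0]+" is shorter than the assumed 32-byte minimum")
		}
	}
	for _, r := range c.RedirectURLs {
		ru, err := url.Parse(r)
		flag(err != nil || ru.Scheme != "https", "redirect_url is not https: "+r)
	}
	return out
}

func main() {
	// Constructed sample: the skeleton's development values, unchanged.
	dev := Config{Debug: true, DSN: "postgres://postgres:postgres@localhost:5432/spidergo?sslmode=disable",
		Secrets:      [][2]string{{"jwt_config.access_key", placeholder}, {"email.api_key", placeholder}},
		RedirectURLs: []string{"http://localhost:8080/auth/google/callback"}}
	fmt.Println(strings.Join(Findings(dev), "\n"))
}
```

Run it against the configuration after environment overrides are applied, and fail the deploy when the returned slice is non-empty.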