Production checklist

• Check your credentials. The installer generates random Postgres/MinIO passwords into .env; if you wrote .env by hand, rotate any defaults before exposing the stack.
• Set server.public_url to your HTTPS hostname.
• Lock server.cors.allowed_origins to your own host(s); drop the localhost wildcard.
• Running the web UI? Point EDDYTOR_UI_ORIGIN and EDDYTOR_UI_API_BASE_URL at the public HTTPS origins — see Web UI.
• Wire real SMTP — without it, magic links only log to stdout.
• Front Eddytor with a TLS-terminating load balancer or ingress.
• Back up `.env` (compose) or the eddytor-secrets Secret (k8s) — losing EDDYTOR_ENCRYPTION_KEY makes stored secrets unrecoverable.
• Snapshot Postgres before upgrades; migrations are forward-only.

I can't sign in / lost my API key

Nothing to recover and nothing to miss — there is no one-shot token. Re-run the in-container tools as often as you like (the auth boundary is exec access, not a secret):

# Lost your key? Mint a fresh one (existing admin):
docker compose exec eddytor-server eddytoradm create-api-key --email you@example.com

# Or just sign in again — the magic link is re-requestable:
eddytor login
# With SMTP unset the link is in the logs:
docker compose logs --tail 50 eddytor-server | grep -i 'sign in to eddytor'

eddytoradm setup is idempotent: once an admin exists it's a no-op, so it can't be used to seize a second admin. To restart from zero on a throwaway local stack: docker compose down -v && docker compose up -d.

Going deeper

The full guide — provider OAuth apps, SSO via Okta/OIDC, MCP clients, encryption-key rotation — ships with every install as HOSTING.md in your install directory.