
Self-Hosting

Tauth is designed to run on a single Linux VM. This guide covers a production-grade setup on Ubuntu 22.04.

Requirements

| Component  | Minimum          |
|------------|------------------|
| CPU        | 2 vCPUs          |
| RAM        | 2 GB             |
| Disk       | 20 GB            |
| OS         | Ubuntu 22.04 LTS |
| Python     | 3.11             |
| PostgreSQL | 14+              |
| Node.js    | 18+              |
| Nginx      | 1.18+            |

System setup

```bash
# Install system packages
sudo apt update && sudo apt install -y python3.11 python3.11-venv \
  postgresql nginx certbot python3-certbot-nginx

# Create database (replace the placeholder password with a generated one
# and put the same value in .env)
sudo -u postgres psql -c "CREATE USER tauth WITH PASSWORD 'tauth123';"
sudo -u postgres psql -c "CREATE DATABASE tauth OWNER tauth;"
```

Application setup

```bash
# Clone and install
cd /home/ubuntu
git clone https://github.com/tauth-io/tauth.git p
cd p
python3.11 -m venv env
source env/bin/activate
pip install -r requirements.txt

# Configure
cp .env.example .env
nano .env   # fill in AZURE_VAULT_URL, JWT_SECRET, etc.

# Run migrations
cd db && alembic upgrade head && cd ..
```

Systemd service for the API

```ini
# /etc/systemd/system/tauth-api.service
[Unit]
Description=Tauth API
After=network.target postgresql.service

[Service]
User=ubuntu
WorkingDirectory=/home/ubuntu/p
EnvironmentFile=/home/ubuntu/p/.env
# The venv was created inside the checkout (/home/ubuntu/p/env), so the
# uvicorn binary lives there; bind to loopback only, nginx fronts the API.
ExecStart=/home/ubuntu/p/env/bin/uvicorn server:app --host 127.0.0.1 --port 8003
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
```

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now tauth-api
```

OCSP responder service

```bash
sudo cp /tmp/tauth-ocsp.service /etc/systemd/system/
sudo systemctl enable --now tauth-ocsp
```

See CRL & OCSP for the responder setup.

Nginx configuration

```bash
sudo cp /tmp/tauth-pki.conf /etc/nginx/sites-available/tauth-pki.conf
sudo ln -s /etc/nginx/sites-available/tauth-pki.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
```

Web app (production build)

```bash
cd proofmed-trust-protocol
npm install
npm run build
# Output is in dist/ (serve with nginx or a CDN)
```

Add an nginx server block to serve dist/:

```nginx
server {
    listen 80;
    server_name app.tauth.io;
    root /home/ubuntu/p/proofmed-trust-protocol/dist;
    index index.html;
    location / { try_files $uri $uri/ /index.html; }
}
```

Security checklist

- [ ] Generate a strong JWT_SECRET (`openssl rand -hex 32`)
- [ ] Set DEPLOYER_PRIVATE_KEY from a dedicated wallet with minimal funds
- [ ] Enable UFW: allow ports 22, 80, 443, 8003
- [ ] Run certbot to get TLS certificates for all domains
- [ ] Schedule weekly CRL regeneration via cron
- [ ] Set up log rotation for uvicorn and nginx logs
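Two of the items above can be verified mechanically after deployment: that the `.env` loaded by the unit is not world-readable and carries a `JWT_SECRET` of the length `openssl rand -hex 32` produces, and that the API port is reachable only through nginx. The script below is an added example, not part of the Tauth project; it assumes Linux `stat` and `ss` and the paths used in this guide (`/home/ubuntu/p/.env`, API on `127.0.0.1:8003`).

```bash
#!/usr/bin/env bash
# Post-install checks for a Tauth host (added example, not part of the Tauth project).
# Assumes Linux `stat`/`ss` and the paths used in this guide: the API bound to
# 127.0.0.1:8003 and its EnvironmentFile at /home/ubuntu/p/.env.

# env_file_ok FILE: succeeds if FILE is mode 600 (systemd reads it as root, so it
# never needs to be readable by other users) and JWT_SECRET is at least 64
# characters, the length produced by `openssl rand -hex 32`. Otherwise prints the
# reason and fails.
env_file_ok() {
  local f="$1" mode secret
  [ -f "$f" ] || { echo "missing $f"; return 1; }
  mode=$(stat -c '%a' "$f")
  [ "$mode" = "600" ] || { echo "$f is mode $mode, expected 600"; return 1; }
  # Value after JWT_SECRET=, with any surrounding quotes stripped.
  secret=$(sed -n 's/^JWT_SECRET=//p' "$f" | tr -d '"' | tr -d "'")
  [ -n "$secret" ] || { echo "JWT_SECRET is not set in $f"; return 1; }
  [ "${#secret}" -ge 64 ] || { echo "JWT_SECRET is only ${#secret} chars"; return 1; }
  return 0
}

# api_loopback_only: reads `ss -ltn` output on stdin and fails if anything listens
# on port 8003 other than 127.0.0.1 (0.0.0.0, [::] or * would bypass nginx).
api_loopback_only() {
  local exposed
  exposed=$(awk '$1 == "LISTEN" && $4 ~ /:8003$/ && $4 !~ /^127\.0\.0\.1:/ { print $4 }')
  [ -z "$exposed" ] || { echo "API port 8003 is exposed on: $exposed"; return 1; }
  return 0
}

# run_checks: both checks against the live host. Source this file and call it,
# or invoke it from a deploy script; non-zero exit means something to fix.
run_checks() {
  env_file_ok /home/ubuntu/p/.env && ss -ltn | api_loopback_only
}
```

Run it again after every `.env` edit or unit change; a port check that starts failing usually means `--host` was dropped from `ExecStart`.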

Built on C2PA · Secured by Azure Key Vault · Anchored on Ethereum