# Self-hosted Radar Cloud

> Run the Radar Cloud control plane inside your own VPC. The same Go API + web app we operate at app.radarhq.io, deployed via Helm in a customer-controlled cluster.

Self-hosted Radar Cloud is the control plane (`radar-hub` Go service + `radar-hub-web` nginx + web app + Postgres) running inside your own infrastructure. The cluster-side Radar binary is unchanged; the only thing that moves on-prem is the team, tenancy, and tunnel-orchestration layer.

## When to choose self-hosted

Pick self-hosted when:

* Cluster metadata cannot leave your VPC for compliance reasons (regulated industries, customer-data-handling clusters, government).
* Your security team requires every dependency in the auth + observability path to be inside your perimeter.
* You already operate Postgres and a Helm-managed application stack and would rather add a service than buy a SaaS.

Pick the hosted Cloud at `app.radarhq.io` when:

* Onboarding speed matters more to you than control over the deployment shape.
* You don't want to operate Postgres and keep up with a control-plane upgrade cadence.
* Your fleet is small enough that the free tier covers it.

## What ships in this section

<CardGroup cols={2}>
  <Card title="Requirements" icon="list-checks" href="/cloud/self-hosted/requirements">
    Kubernetes versions, Postgres versions, resource ask, network egress.
  </Card>

  <Card title="Install" icon="terminal" href="/cloud/self-hosted/install">
    Helm walkthrough, BYO Postgres / CloudNativePG variants, license setup.
  </Card>

  <Card title="Configuration reference" icon="sliders" href="/cloud/self-hosted/configuration">
    Full `values.yaml` reference and the `RADAR_HUB_*` env-var matrix.
  </Card>

  <Card title="Authentication" icon="key" href="/cloud/self-hosted/auth">
    OIDC (Okta / Auth0 / Google / Azure AD) and the always-available break-glass admin.
  </Card>

  <Card title="Licensing" icon="file-shield" href="/cloud/self-hosted/licensing">
    What gets sent home, the warn-only banner ladder, key rotation.
  </Card>

  <Card title="Upgrades" icon="arrow-up-circle" href="/cloud/self-hosted/upgrade">
    Helm upgrade flow, migration safety, version-skew policy.
  </Card>

  <Card title="Backups" icon="database" href="/cloud/self-hosted/backups">
    `pg_dump` recipe, restore drill, what's recoverable from K8s state alone.
  </Card>

  <Card title="Troubleshooting" icon="life-buoy" href="/cloud/self-hosted/troubleshooting">
    License-not-renewing, db-migration-failed, log collection.
  </Card>

  <Card title="Architecture" icon="diagram-project" href="/cloud/self-hosted/architecture">
    Component diagram, data flow, trust boundaries.
  </Card>
</CardGroup>

## What's the same as Cloud

Everything except the deployment shape:

* The Radar binary you install in each customer cluster is unchanged - same Helm chart (`skyhook-io/radar`), same `cloud.url` / `cloud.token` config.
* The tunnel protocol (yamux over WebSocket) is unchanged.
* The web app UX is unchanged. Multi-org creation and the Billing tab are hidden via `/api/config`; everything else looks identical.
* Personal access tokens (`rhp_*`) work identically for MCP and CLI.

## What's different

|         | **Cloud**                          | **Self-hosted**                                          |
| ------- | ---------------------------------- | -------------------------------------------------------- |
| Hosting | `app.radarhq.io` (Skyhook)         | Your cluster                                             |
| Auth    | WorkOS AuthKit                     | OIDC + always-available break-glass admin                |
| Orgs    | Multi-tenant                       | Single org per deployment                                |
| Billing | Stripe per cluster                 | Annual license; cluster count reported, not metered      |
| Support | Public docs + `support@radarhq.io` | Per-contract; license heartbeat carries support metadata |
| Updates | Skyhook deploys; you see it        | You run `helm upgrade`                                   |
