diff --git a/app/en/guides/deployment-hosting/_meta.tsx b/app/en/guides/deployment-hosting/_meta.tsx
index d6ae3945f..b24e4d3ae 100644
--- a/app/en/guides/deployment-hosting/_meta.tsx
+++ b/app/en/guides/deployment-hosting/_meta.tsx
@@ -14,16 +14,25 @@ const meta: MetaRecord = {
"arcade-cloud": {
title: "Arcade Cloud",
},
+ azure: {
+ title: "Azure Marketplace",
+ },
+ aws: {
+ title: "AWS Marketplace",
+ },
+ gcp: {
+ title: "GCP (coming soon)",
+ },
+ helm: {
+ title: "Self-host with Helm",
+ },
"on-prem": {
- title: "On-premises MCP servers",
+ title: "Hybrid MCP servers",
},
"warp-pipes": {
title: "Warp Pipes",
display: "hidden",
},
- "configure-engine": {
- title: "Configure Arcade's engine",
- },
"arcade-deploy": {
title: "Arcade Deploy",
},
diff --git a/app/en/guides/deployment-hosting/arcade-cloud/page.mdx b/app/en/guides/deployment-hosting/arcade-cloud/page.mdx
index 8d883a58f..4ec4c3682 100644
--- a/app/en/guides/deployment-hosting/arcade-cloud/page.mdx
+++ b/app/en/guides/deployment-hosting/arcade-cloud/page.mdx
@@ -10,7 +10,7 @@ import { Callout } from "nextra/components";
Arcade Cloud is Arcade's fully-managed SaaS platform: Arcade handles hosting, scaling, and operations so you can focus on building. This page covers the infrastructure behind Arcade Cloud, including networking, data storage, data protection, and sovereignty options.
-This page applies to **Arcade Cloud** only. If you self-host Arcade, you control your own infrastructure and data residency. See [on-premises deployment](/guides/deployment-hosting#on-premise-deployments) for details.
+This page applies to **Arcade Cloud** only. If you self-host Arcade, you control your own infrastructure and data residency. See [on-premises deployment](/guides/deployment-hosting/helm) for details.
## Sovereignty
@@ -122,7 +122,7 @@ Training data is retained for up to 5 years, which is sufficient for model devel
### Regulated Customers
-If your organization has strict data residency requirements—for example, in financial services, healthcare, or government—or you operate within a legal regime that requires data storage in a specific country, you can deploy Arcade on-premises or in your preferred cloud region using a [self-hosted deployment](/guides/deployment-hosting#on-premise-deployments). This keeps all sensitive data within your own infrastructure.
+If your organization has strict data residency requirements—for example, in financial services, healthcare, or government—or you operate within a legal regime that requires data storage in a specific country, you can deploy Arcade on-premises or in your preferred cloud region using a [self-hosted deployment](/guides/deployment-hosting/helm). This keeps all sensitive data within your own infrastructure.
## Questions
diff --git a/app/en/guides/deployment-hosting/arcade-deploy/page.mdx b/app/en/guides/deployment-hosting/arcade-deploy/page.mdx
index 137a437c6..fc7c2f1ff 100644
--- a/app/en/guides/deployment-hosting/arcade-deploy/page.mdx
+++ b/app/en/guides/deployment-hosting/arcade-deploy/page.mdx
@@ -10,6 +10,10 @@ import { SignupLink } from "@/app/_components/analytics";
Running your MCP servers locally is very convenient during development and testing. Once your MCP server is mature, however, you may want to access it from any MCP client, or to facilitate multi-user support. Doing all that from your computer comes with the complexity of running and maintaining a server, handling auth and high availability for all your users and all the integrations you want to support. Arcade Deploy takes care of all that for you. Your MCP server will be registered to Arcade, adding all the tools you created to the larger tool catalog. From there, you can create MCP Gateways to pick and choose which tools you want to use in your MCP clients, which can be from any connected MCP server.
+
+Arcade Deploy hosts *your* MCP server on Arcade Cloud. It's a feature for serving tools — not a way to deploy the Arcade platform. For a full platform deployment, see the [marketplace guides](/guides/deployment-hosting) or [self-host with Helm](/guides/deployment-hosting/helm).
+
+
diff --git a/app/en/guides/deployment-hosting/aws/page.mdx b/app/en/guides/deployment-hosting/aws/page.mdx
new file mode 100644
index 000000000..6b129e343
--- /dev/null
+++ b/app/en/guides/deployment-hosting/aws/page.mdx
@@ -0,0 +1,69 @@
+---
+title: "Deploy on AWS"
+description: "Deploy Arcade into your own AWS account through a private offer"
+---
+
+import { Callout, Steps } from "nextra/components";
+
+# Deploy Arcade on AWS
+
+Arcade runs on AWS as a full platform deployment into **your own AWS account**. The AWS offering is currently available through a **private offer** rather than a public self-serve listing.
+
+
+AWS is available through a private offer. View the [Arcade listing on AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=seller-qbstsdnxkltx6) and [contact us](https://www.arcade.dev/contact) to receive a private offer for your account. If you'd rather manage the platform yourself, see [Self-host with Helm](/guides/deployment-hosting/helm).
+
+
+## What gets deployed
+
+The AWS deployment stands up the complete Arcade platform — Engine, Coordinator, Worker, Dashboard, and Experience API — in your account, using managed AWS services:
+
+| AWS service | Role |
+| --- | --- |
+| **Amazon EKS** | Runs the Arcade services |
+| **Amazon RDS for PostgreSQL** | Primary datastore |
+| **Amazon ElastiCache** | Cache and streams |
+| **VPC + private subnets** | Private networking |
+
+## Before you begin
+
+- **AWS account** with permission to accept a Marketplace private offer and deploy the stack.
+- **Region.** Confirm the offer targets your preferred region.
+- **DNS.** Arcade assigns a managed hostname at deploy time, in the form `.aws.myarcade.dev`.
+- **Identity provider.** Have an [OIDC identity provider](/references/auth-providers) ready — see below.
+
+## Set up your identity provider
+
+Arcade signs users in through your OpenID Connect (OIDC) identity provider. The provider authenticates dashboard users and backs the tokens that MCP gateways validate, so set it up before you deploy.
+
+1. Register an application with your identity provider. Arcade works with [Microsoft Entra ID, Okta, Auth0, or Keycloak](/references/auth-providers), or any standards-compliant OIDC provider.
+2. Copy the application's client ID, generate a client secret, and note the issuer URL. For Microsoft Entra ID, use the v2.0 issuer `https://login.microsoftonline.com//v2.0`.
+3. Provide the client ID, client secret, and issuer in the deployment parameters.
+4. After you deploy, register the redirect URIs shown in the deployment outputs on the application, then sign in to the dashboard.
+
+## Deploy
+
+
+
+### Accept the private offer
+
+Follow the private-offer link we share to subscribe to the Arcade listing in AWS Marketplace.
+
+### Launch the deployment
+
+Launch the deployment and provide your parameters, including your identity provider's **client ID**, **client secret**, and **issuer**.
+
+### Register the redirect URIs
+
+Once the deployment finishes, register the redirect URIs shown in the deployment outputs on your identity provider application, as described in [Set up your identity provider](#set-up-your-identity-provider).
+
+### Verify your deployment
+
+Open the dashboard URL from the deployment output and sign in with your identity provider.
+
+
+
+## Next steps
+
+- [Create an MCP Gateway](/guides/mcp-gateways) to scope tools and auth for each client
+- [Connect an MCP client](/get-started/mcp-clients) to a gateway URL
+- [Set up a User Source](/guides/user-sources) to authenticate end users with your own identity provider
diff --git a/app/en/guides/deployment-hosting/azure/page.mdx b/app/en/guides/deployment-hosting/azure/page.mdx
new file mode 100644
index 000000000..6224fe6b9
--- /dev/null
+++ b/app/en/guides/deployment-hosting/azure/page.mdx
@@ -0,0 +1,104 @@
+---
+title: "Deploy on Azure"
+description: "Deploy Arcade into your own Azure subscription from the Azure Marketplace"
+---
+
+import { Callout, Steps } from "nextra/components";
+
+# Deploy Arcade on Azure
+
+Arcade is available on the Azure Marketplace as a managed application. You deploy it into **your own Azure subscription**, where it's managed by Arcade: your data and the services that run Arcade stay in your subscription, while Arcade handles upgrades and day-to-day operations.
+
+
+The Azure Marketplace deployment is a **full platform deployment** — it stands up the complete Arcade platform in your cloud. If you'd rather manage the platform yourself on an existing Kubernetes cluster, see [Self-host with Helm](/guides/deployment-hosting/helm).
+
+
+
+
+
+A production Arcade platform running in your own Azure subscription, deployed from the Azure Marketplace and operated by Arcade.
+
+
+
+
+
+- An Azure subscription with the **Owner** role
+- A Microsoft Entra tenant (personal Microsoft accounts aren't supported)
+- An [OIDC identity provider](/references/auth-providers)
+
+
+
+
+
+- What the managed application deploys into your subscription
+- How to set up your identity provider
+- How to deploy the offer and verify it
+
+
+
+
+## What gets deployed
+
+The managed application provisions everything Arcade needs inside a managed resource group in your subscription:
+
+| Azure service | Role |
+| --- | --- |
+| **Azure Kubernetes Service (AKS)** | Private cluster that runs the Arcade services (Engine, Coordinator, Worker, Dashboard, Experience API) |
+| **Azure Key Vault** | Stores database, cache, identity-provider, and encryption secrets |
+| **Azure Database for PostgreSQL Flexible Server** | Primary datastore |
+| **Azure Managed Redis** | Cache and streams |
+| **Virtual network + private endpoints** | Private networking with NAT-gateway egress |
+| **Log Analytics, Container Insights, Microsoft Defender** | Monitoring and security |
+
+## Before you begin
+
+- **Subscription and role.** Deploy into a subscription where you hold the **Owner** role, with the spending limit turned off.
+- **Microsoft Entra tenant.** The deployment federates sign-in to your Entra tenant. Personal Microsoft accounts aren't supported.
+- **Region and quota.** Confirm the offer is available in your target region and that the subscription has enough vCPU quota to run an AKS cluster. If you're unsure, [contact us](/resources/contact-us).
+- **DNS.** Arcade assigns a managed hostname at deploy time, in the form `.az.myarcade.dev`.
+- **Identity provider.** Have an [OIDC identity provider](/references/auth-providers) ready — see the next section.
+
+## Set up your identity provider
+
+Arcade signs users in through your OpenID Connect (OIDC) identity provider. The provider authenticates dashboard users and backs the tokens that MCP gateways validate, so set it up before you deploy.
+
+1. Register an application with your identity provider. Arcade works with [Microsoft Entra ID, Okta, Auth0, or Keycloak](/references/auth-providers), or any standards-compliant OIDC provider.
+2. Copy the application's client ID, generate a client secret, and note the issuer URL. For Microsoft Entra ID, use the v2.0 issuer `https://login.microsoftonline.com//v2.0`.
+3. Provide the client ID, client secret, and issuer in the create form.
+4. After you deploy, register the redirect URIs shown in the deployment outputs on the application, then sign in to the dashboard.
+
+## Deploy from the Azure Marketplace
+
+
+
+### Find the Arcade offer
+
+Open the [Arcade offering in the Azure Marketplace](https://marketplace.microsoft.com/en-us/product/arcadeaiinc1779236563291.arcade_managed?tab=Overview) and select **Get it now**. Choose the standard plan for a production, single-tenant deployment.
+
+### Complete the create form
+
+Fill in the deployment form:
+
+- **Region** and **resource group** for the deployment
+- Your identity provider's **client ID**, **client secret**, and **issuer** from the previous section
+- Optionally, a model provider API key (for example, Anthropic) to enable chat in the dashboard
+
+### Deploy
+
+Start the deployment. It takes roughly 30–45 minutes to provision the cluster and supporting services. When it finishes, the deployment outputs your **hostname**, **dashboard URL**, and the **redirect URIs** to register.
+
+### Register the redirect URIs
+
+Add the redirect URIs shown in the deployment outputs to your identity provider application, as described in [Set up your identity provider](#set-up-your-identity-provider).
+
+
+
+## Verify your deployment
+
+Open the dashboard URL from the deployment output and sign in with your identity provider. A successful sign-in confirms the platform is running and your identity provider is wired up correctly.
+
+## Next steps
+
+- [Create an MCP Gateway](/guides/mcp-gateways) to scope tools and auth for each client
+- [Connect an MCP client](/get-started/mcp-clients) to a gateway URL
+- [Set up a User Source](/guides/user-sources) to authenticate end users with your own identity provider
diff --git a/app/en/guides/deployment-hosting/configure-engine/page.mdx b/app/en/guides/deployment-hosting/configure-engine/page.mdx
deleted file mode 100644
index a9d38cbba..000000000
--- a/app/en/guides/deployment-hosting/configure-engine/page.mdx
+++ /dev/null
@@ -1,692 +0,0 @@
----
-title: "Engine Configuration Templates"
-description: "Arcade Engine Configuration Templates"
----
-
-import { Callout, Tabs } from "nextra/components";
-import TableOfContents from "@/app/_components/table-of-contents";
-
-# Engine Configuration
-
-
- This page is for enterprise customers who are self-hosting the Arcade Engine. This is page contains advanced configuration options that are not applicable for most customers.
-
-
-## Getting the Engine
-
-
-
- ```bash
- brew install ArcadeAI/tap/arcade-engine
- ```
-
- Run it with: `arcade-engine`
-
-Troubleshooting:
-
-```bash
-❌ Engine binary not found
-```
-
-or
-
-```bash
-command not found: arcade-engine
-```
-
-This means that the Arcade Engine cannot be found in your path. Brew and Apt will automatically add the binary to your path.
-
-Check that the binary has been properly installed. These are the common installation locations):
-
-**Brew**
-
-```bash
-ls $HOMEBREW_REPOSITORY/Cellar/arcade-engine//bin/arcade-engine
-```
-
-**Apt**
-
-```bash
-ls /usr/bin/arcade-engine
-```
-
-If the binary is found, add it to your path with:
-
-```bash
-export PATH=$PATH:/path/to/your/binary
-```
-
-
- ```bash
- wget -qO - https://deb.arcade.dev/public-key.asc | sudo apt-key add -
- echo "deb https://deb.arcade.dev/ubuntu stable main" | sudo tee /etc/apt/sources.list.d/arcade-ai.list
- sudo apt update
- sudo apt install arcade-engine
- ```
-
-
- The docker image for the engine can be pulled with
-
- ```bash
- docker pull ghcr.io/arcadeai/engine:latest
- ```
-
- The engine can be run with:
-
- ```bash
- docker run -d -p 9099:9099 -v ./engine.yaml:/bin/engine.yaml ghcr.io/arcadeai/engine:latest
- ```
-
- where config.yaml is the path to the [configuration file](/guides/deployment-hosting/configure-engine).
-
-
-
-The Homebrew tab is macOS-only. For native Windows environments, use Docker for
-Arcade Engine. For Arcade CLI setup on Windows, see [Windows environment setup](/get-started/setup/windows-environment).
-
-Arcade uses configuration files to manage engine settings and default values. When you install the Arcade Engine, two files are created:
-- The `engine.yaml` file for engine configuration.
-- The `engine.env` file for environment variables.
-Let's explore each file to understand their purpose and how to locate them.
-
-## Engine configuration file
-
-The `engine.yaml` file controls Arcade Engine settings. It supports variable expansion so you can integrate secrets and environment values seamlessly. You can customize this file to suit your setup. For more details, check the [Engine Configuration](/guides/deployment-hosting/configure-engine) page.
-
-Choose your installation method to view the default location of `engine.yaml`:
-
-
-
- ```bash
- $HOMEBREW_REPOSITORY/etc/arcade-engine/engine.yaml
- ```
-
-
- ```bash
- /etc/arcade-ai/engine.yaml
- ```
-
-
- ```bash
- $HOME/.arcade/engine.yaml
- ```
- To manually download the engine.yaml, you can get an example from the [Configuration Templates](/guides/deployment-hosting/configure-engine#engineyaml) and add it to `$HOME/.arcade/engine.yaml`.
-
-
-
-## Engine environment file
-
-The `engine.env` file contains default environment variables that power Arcade Engine. You can override these defaults by exporting your own variables or by editing the file directly.
-
-Select your installation method below to see the default path for `engine.env`:
-
-
-
- ```bash
- $HOMEBREW_REPOSITORY/etc/arcade-engine/engine.env
- ```
-
-
- ```bash
- /etc/arcade-ai/engine.env
- ```
-
-
- ```bash
- $HOME/.arcade/engine.env
- ```
- To manually download the `engine.env`, refer to the [Configuration Templates](/guides/deployment-hosting/configure-engine#engineenv).
-
-
-
-
-Arcade Engine's configuration is a [YAML file](https://yaml.org/) with the following sections:
-
-
-
-## Specify a config file
-
-To start the Arcade Engine, pass a config file with `-c` or `--config`:
-
-```bash
-arcade-engine -c /path/to/config.yaml
-```
-
-## Dotenv files
-
-Arcade Engine automatically loads environment variables from `.env` files in the directory where it was called. Use the `-e` or`--env` flag to specify a path:
-
-```bash
-arcade-engine -e .env.dev -c config.yaml
-```
-
-## Secrets
-
-Arcade Engine supports two ways of passing sensitive information like API keys without storing them directly in the config file.
-
-Environment variables:
-
-```yaml {5}
-topic:
- area:
- - id: primary
- vendor:
- api_key: ${env:OPENAI_API_KEY}
-```
-
-External files (useful in cloud setups):
-
-```yaml {5}
-topic:
- area:
- - id: primary
- vendor:
- api_key: ${file:/path/to/secret}
-```
-
-## API configuration
-
-HTTP is the supported protocol for Arcade Engine's API. The following configuration options are available:
-
-- `api.development` _(optional, default: `false`)_ - Enable development mode, with more logging.
-- `api.host` _(default: `localhost`)_ - Address to which Arcade Engine binds its server (e.g., `localhost` or `0.0.0.0`)
-- `api.port` _(default: `9099`)_ - Port to which Arcade Engine binds its server (e.g., `9099` or `8080`)
-- `api.public_host` _(optional)_ - External hostname of the API (e.g., `my-public-host.com`), if it differs from `api.host` (for example, when Arcade Engine is behind a reverse proxy)
-- `api.read_timeout` _(optional, default: `30s`)_ - Timeout for reading data from clients
-- `api.write_timeout` _(optional, default: `1m`)_ - Timeout for writing data to clients
-- `api.idle_timeout` _(optional, default: `30s`)_ - Timeout for idle connections
-- `api.max_request_body_size` _(optional, default: `4Mb`)_ - Maximum request body size
-
-A typical configuration for production looks like:
-
-```yaml
-api:
- development: false
- host: localhost
- port: 9099
-```
-
-When the Arcade Engine is hosted in a container or behind a reverse proxy, set `api.public_host` to the external hostname of the API:
-
-```yaml
-api:
- development: false
- host: localhost
- port: 9099
- public_host: my-public-host.com
-```
-
-For local development, set `api.development = true`.
-
-## Auth configuration
-
-Arcade Engine manages auth for [AI tools](/guides/tool-calling/custom-apps/auth-tool-calling) and [direct API calls](/guides/tool-calling/call-third-party-apis). It supports many built-in [auth providers](/references/auth-providers), and can also connect to any [OAuth 2.0](/references/auth-providers/oauth2) authorization server.
-
-The `auth.providers` section defines the providers that users can authorize with. Each provider must have a unique `id` in the array. There are two ways to configure a provider:
-
-For [built-in providers](/references/auth-providers), use the `provider_id` field to reference the pre-built configuration. For example:
-
-```yaml
-auth:
- providers:
- - id: default-github
- description: The default GitHub provider
- enabled: true
- type: oauth2
- provider_id: github
- client_id: ${env:GITHUB_CLIENT_ID}
- client_secret: ${env:GITHUB_CLIENT_SECRET}
-```
-
-For custom OAuth 2.0 providers, specify the full connection details in the `oauth2` sub-section. For full documentation on the custom provider configuration, see the [OAuth 2.0 provider configuration](/references/auth-providers/oauth2) page.
-
-You can specify a mix of built-in and custom providers.
-
-## Cache configuration
-
-The `cache` section configures the short-lived cache.
-
-
- Configuring the cache is optional. If not configured, the cache will default
- to an in-memory cache implementation suitable for a single-node Arcade Engine
- deployment.
-
-
-The `cache` section has the following configuration options:
-
-- `api_key_ttl` _(optional, default: `10s`)_ - The time-to-live for API keys in the cache
-
-Two cache implementations are available:
-
-- `in_memory` - _(default)_ An in-memory cache implementation suitable for a single-node Arcade Engine deployment.
-- `redis` - A Redis cache implementation suitable for a multi-node Arcade Engine deployment:
-
-```yaml
-cache:
- api_key_ttl: 10s
- redis:
- addr: "localhost:6379"
- password: ""
- db: 0
-```
-
-## Security configuration
-
-The `security` section configures the root encryption keys that the Arcade Engine uses to encrypt and decrypt data at rest. See the [storage configuration](#storage-configuration) section below to configure where data is stored.
-
-A typical configuration looks like this:
-
-```yaml
-security:
- root_keys:
- - id: key1
- default: true
- value: ${env:ROOT_KEY_1}
- - id: key2
- value: ${env:ROOT_KEY_2}
-```
-
-Keys should be a long random string of characters. For example:
-
-```bash
-openssl rand -base64 32
-```
-
-### Default root key
-
-When you [install Arcade Engine locally](/guides/deployment-hosting/configure-engine), an `engine.env` file is created with a default root key:
-
-```bash
-# Encryption keys (change this when deploying to production)
-ROOT_KEY_1=default-key-value
-```
-
-This default value can only be used in development mode (see [API configuration](#api-configuration) above).
-
-
- You **must** replace the value of `ROOT_KEY_1` in `engine.env` before
- deploying to production.
-
-
-## Storage configuration
-
-The `storage` section configures the storage backend that the Arcade Engine uses to store persistent data.
-
-There are three storage implementations available:
-
-- `in_memory` - _(default)_ An in-memory database, suitable for testing.
-- `sqlite` - A SQLite file on disk, suitable for local development:
-
-```yaml
-storage:
- sqlite:
- # Stores DB in ~/.arcade/arcade-engine.sqlite3
- connection_string: "@ARCADE_HOME/arcade-engine.sqlite3"
-```
-
-- `postgres` - A PostgreSQL database, suitable for production:
-
-```yaml
-storage:
- postgres:
- user: ${env:POSTGRES_USER}
- password: ${env:POSTGRES_PASSWORD}
- host: ${env:POSTGRES_HOST}
- port: ${env:POSTGRES_PORT}
- db: ${env:POSTGRES_DB}
- sslmode: require
-```
-
-## Telemetry configuration
-
-Arcade supports logs, metrics, and traces with [OpenTelemetry](https://opentelemetry.io/).
-
-If you are using the Arcade Engine locally, you can set the `environment` field to `local`. This will only output logs to the console:
-
-```yaml
-telemetry:
- environment: local
- logging:
- # debug, info, warn, error, fatal
- level: debug
- encoding: console
-```
-
-To connect to OpenTelemetry compatible collectors, set the necessary [OpenTelemetry environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/) in the `engine.env` file.
-`environment` and `version` are fields that are added to the telemetry attributes, which can be filtered on later.
-
-```yaml
-telemetry:
- environment: prod
- logging:
- level: info
- encoding: console
-```
-
-### Notes
-
-- The Engine service name is set to `arcade_engine`
-- Traces currently cover the `/v1/health` endpoints, as well as authentication attempts
-
-## Tools configuration
-
-Arcade Engine orchestrates [tools](/guides/tool-calling) that AI models can use.
-
-The `tools.directors` section configures the mcp servers that are available to service tool calls:
-
-```yaml
-tools:
- directors:
- - id: default
- enabled: true
- max_tools: 64
- workers:
- - id: local_worker
- enabled: true
- http:
- uri: "http://localhost:8002"
- timeout: 30
- retry: 3
- secret: ${env:ARCADE_WORKER_SECRET}
-```
-
-When an MCP server is added to an enabled director, all of the tools hosted by that MCP server will be available to the model and through the Arcade API.
-
-### HTTP MCP Server configuration
-
-The `http` sub-section configures the HTTP client used to call the MCP Server's tools:
-
-- `uri` _(required)_ - The base URL of the MCP Server's tools
-- `secret` _(required)_ - Secret used to authenticate with the MCP Server
-- `timeout` _(optional, default: `30s`)_ - Timeout for calling the MCP Server's tools
-- `retry` _(optional, default: `3`)_ - Number of times to retry a failed tool call
-
-
- MCP Servers must be configured with a `secret` that is used to authenticate with
- the MCP Server. This ensures that MCP Servers are not exposed to the public internet
- without security.
-
-If `api.development = true`, the secret will default to `"dev"` for local development **only**. In production, the secret must be set to a random value.
-
-
-
-## Config file version history
-
-- 1.0: [schema](https://raw.githubusercontent.com/ArcadeAI/schemas/refs/heads/main/engine/config/1.0/schema.json)
-
-
-## Engine Config Templates
-
-### engine.yaml
-
-```yaml
-# yaml-language-server: $schema=https://raw.githubusercontent.com/ArcadeAI/schemas/main/engine/config/1.0/schema.json
-$schema: https://raw.githubusercontent.com/ArcadeAI/schemas/main/engine/config/1.0/schema.json
-
-api:
- development: ${env:API_DEVELOPMENT}
- host: ${env:ARCADE_API_HOST}
- port: ${env:ARCADE_API_PORT}
- # Optionally set public_host, in case the Arcade Engine is hosted in a container or behind a reverse proxy
- #public_host: ${env:ARCADE_API_PUBLIC_HOST}
-
-auth:
- providers:
- - id: default-atlassian
- description: "The default Atlassian provider"
- enabled: false
- type: oauth2
- provider_id: atlassian
- client_id: ${env:ATLASSIAN_CLIENT_ID}
- client_secret: ${env:ATLASSIAN_CLIENT_SECRET}
-
- - id: default-discord
- description: "The default Discord provider"
- enabled: false
- type: oauth2
- provider_id: discord
- client_id: ${env:DISCORD_CLIENT_ID}
- client_secret: ${env:DISCORD_CLIENT_SECRET}
-
- - id: default-dropbox
- description: "The default Dropbox provider"
- enabled: false
- type: oauth2
- provider_id: dropbox
- client_id: ${env:DROPBOX_CLIENT_ID}
- client_secret: ${env:DROPBOX_CLIENT_SECRET}
-
- - id: default-github
- description: "The default GitHub provider"
- enabled: false
- type: oauth2
- provider_id: github
- client_id: ${env:GITHUB_CLIENT_ID}
- client_secret: ${env:GITHUB_CLIENT_SECRET}
-
- - id: default-google
- description: "The default Google provider"
- enabled: false
- type: oauth2
- provider_id: google
- client_id: ${env:GOOGLE_CLIENT_ID}
- client_secret: ${env:GOOGLE_CLIENT_SECRET}
-
- - id: default-linkedin
- description: "The default LinkedIn provider"
- enabled: false
- type: oauth2
- provider_id: linkedin
- client_id: ${env:LINKEDIN_CLIENT_ID}
- client_secret: ${env:LINKEDIN_CLIENT_SECRET}
-
- - id: default-microsoft
- description: "The default Microsoft provider"
- enabled: false
- type: oauth2
- provider_id: microsoft
- client_id: ${env:MICROSOFT_CLIENT_ID}
- client_secret: ${env:MICROSOFT_CLIENT_SECRET}
-
- - id: default-reddit
- description: "The default Reddit provider"
- enabled: false
- type: oauth2
- provider_id: reddit
- client_id: ${env:REDDIT_CLIENT_ID}
- client_secret: ${env:REDDIT_CLIENT_SECRET}
-
- - id: default-slack
- description: "The default Slack provider"
- enabled: false
- type: oauth2
- provider_id: slack
- client_id: ${env:SLACK_CLIENT_ID}
- client_secret: ${env:SLACK_CLIENT_SECRET}
-
- - id: default-spotify
- description: "The default Spotify provider"
- enabled: false
- type: oauth2
- provider_id: spotify
- client_id: ${env:SPOTIFY_CLIENT_ID}
- client_secret: ${env:SPOTIFY_CLIENT_SECRET}
-
- - id: default-twitch
- description: "The default Twitch provider"
- enabled: false
- type: oauth2
- provider_id: twitch
- client_id: ${env:TWITCH_CLIENT_ID}
- client_secret: ${env:TWITCH_CLIENT_SECRET}
-
- - id: default-x
- description: "The default X provider"
- enabled: false
- type: oauth2
- provider_id: x
- client_id: ${env:X_CLIENT_ID}
- client_secret: ${env:X_CLIENT_SECRET}
-
- - id: default-zoom
- description: "The default Zoom provider"
- enabled: false
- type: oauth2
- provider_id: zoom
- client_id: ${env:ZOOM_CLIENT_ID}
- client_secret: ${env:ZOOM_CLIENT_SECRET}
-
-llm:
- models:
- - id: my-openai-model-provider
- openai:
- api_key: ${env:OPENAI_API_KEY}
- #- id: my-anthropic-model-provider
- # anthropic:
- # api_key: ${env:ANTHROPIC_API_KEY}
- # - id: my-ollama-model-provider
- # openai:
- # base_url: http://localhost:11434
- # chat_endpoint: /v1/chat/completions
- # model: llama3.2
- # api_key: ollama
- #- id: my-groq-model-provider
- # openai:
- # base_url: 'https://api.groq.com/openai/v1'
- # api_key: ${env:GROQ_API_KEY}
-
-security:
- root_keys:
- - id: key1
- default: true
- value: ${env:ROOT_KEY_1}
-
-storage:
- postgres:
- user: ${env:POSTGRES_USER}
- password: ${env:POSTGRES_PASSWORD}
- host: ${env:POSTGRES_HOST}
- port: ${env:POSTGRES_PORT}
- db: ${env:POSTGRES_DB}
- sslmode: require
-
-telemetry:
- environment: ${env:TELEMETRY_ENVIRONMENT}
- logging:
- # debug, info, warn, error
- level: ${env:TELEMETRY_LOGGING_LEVEL}
- encoding: ${env:TELEMETRY_LOGGING_ENCODING}
-
-tools:
- directors:
- - id: default
- enabled: true
- max_tools: 64
- workers:
- - id: worker
- enabled: true
- http:
- uri: ${env:ARCADE_WORKER_URI}
- timeout: 30
- retry: 3
- secret: ${env:ARCADE_WORKER_SECRET}
-```
-
-### engine.env
-
-```bash
-### Engine configuration ###
-API_DEVELOPMENT=true
-ARCADE_API_HOST=localhost
-ARCADE_API_PORT=9099
-ANALYTICS_ENABLED=true
-
-# Encryption keys (change this when deploying to production)
-ROOT_KEY_1=default-key-value
-
-### Model Provider API keys ###
-# OPENAI_API_KEY=
-# ANTHROPIC_API_KEY=
-# GROQ_API_KEY=
-
-
-### Security configuration ###
-ROOT_KEY_1=
-
-
-### Storage configuration ###
-# POSTGRES_USER=
-# POSTGRES_PASSWORD=
-# POSTGRES_HOST=
-# POSTGRES_PORT=
-# POSTGRES_DB=
-
-
-### Telemetry (OTEL) configuration ###
-TELEMETRY_ENVIRONMENT=local
-TELEMETRY_LOGGING_LEVEL=debug
-TELEMETRY_LOGGING_ENCODING=console
-
-
-### Worker Configuration ###
-ARCADE_WORKER_URI=http://localhost:8002
-ARCADE_WORKER_SECRET=dev
-
-
-# OAuth Providers
-ATLASSIAN_CLIENT_ID=""
-ATLASSIAN_CLIENT_SECRET=
-
-DISCORD_CLIENT_ID=""
-DISCORD_CLIENT_SECRET=
-
-DROPBOX_CLIENT_ID=""
-DROPBOX_CLIENT_SECRET=
-
-GITHUB_CLIENT_ID=""
-GITHUB_CLIENT_SECRET=
-
-GOOGLE_CLIENT_ID=""
-GOOGLE_CLIENT_SECRET=
-
-LINKEDIN_CLIENT_ID=""
-LINKEDIN_CLIENT_SECRET=
-
-MICROSOFT_CLIENT_ID=""
-MICROSOFT_CLIENT_SECRET=
-
-REDDIT_CLIENT_ID=""
-REDDIT_CLIENT_SECRET=
-
-SLACK_CLIENT_ID=""
-SLACK_CLIENT_SECRET=
-
-SPOTIFY_CLIENT_ID=""
-SPOTIFY_CLIENT_SECRET=
-
-TWITCH_CLIENT_ID=""
-SPOTIFY_CLIENT_SECRET=
-
-X_CLIENT_ID=""
-X_CLIENT_SECRET=
-
-ZOOM_CLIENT_ID=""
-ZOOM_CLIENT_SECRET=
-```
diff --git a/app/en/guides/deployment-hosting/gcp/page.mdx b/app/en/guides/deployment-hosting/gcp/page.mdx
new file mode 100644
index 000000000..3e5b31209
--- /dev/null
+++ b/app/en/guides/deployment-hosting/gcp/page.mdx
@@ -0,0 +1,35 @@
+---
+title: "Deploy on GCP"
+description: "The Arcade deployment for Google Cloud is coming soon"
+---
+
+import { Callout } from "nextra/components";
+
+# Deploy Arcade on GCP
+
+
+A turnkey Arcade deployment for Google Cloud is **in development**. [Request early access](https://www.arcade.dev/contact) to be notified when it's available and to help shape it.
+
+
+Arcade on GCP will deploy the full platform — Engine, Coordinator, Worker, Dashboard, and Experience API — into your own Google Cloud project, using managed Google Cloud services.
+
+## Planned architecture
+
+| Google Cloud service | Role |
+| --- | --- |
+| **Google Kubernetes Engine (GKE)** | Runs the Arcade services |
+| **Cloud SQL for PostgreSQL** | Primary datastore |
+| **Memorystore for Redis** | Cache and streams |
+| **VPC + Cloud NAT** | Private networking and egress |
+| **Cloud Load Balancing** | Ingress |
+| **Secret Manager** | Secrets (via the External Secrets Operator) |
+| **Google-managed certificates** | TLS |
+
+## Deploy on GCP today
+
+You don't have to wait to run Arcade on Google Cloud. You can [self-host with Helm](/guides/deployment-hosting/helm) on an existing GKE cluster, bringing your own Cloud SQL and Memorystore instances.
+
+## Next steps
+
+- [Self-host with Helm](/guides/deployment-hosting/helm) on GKE
+- [Request early access](https://www.arcade.dev/contact) to the GCP deployment
diff --git a/app/en/guides/deployment-hosting/helm/page.mdx b/app/en/guides/deployment-hosting/helm/page.mdx
new file mode 100644
index 000000000..500c18bc1
--- /dev/null
+++ b/app/en/guides/deployment-hosting/helm/page.mdx
@@ -0,0 +1,81 @@
+---
+title: "Self-host with Helm"
+description: "Deploy and run the Arcade platform yourself on your own Kubernetes cluster"
+---
+
+import { Callout, Steps } from "nextra/components";
+
+# Self-host Arcade with Helm
+
+The Arcade Helm chart deploys the full Arcade platform onto a Kubernetes cluster you manage. It's the bring-your-own-Kubernetes alternative to the cloud marketplaces: you control the cluster, the data, and the upgrade cadence.
+
+
+If you'd rather not manage Kubernetes yourself, the [Azure](/guides/deployment-hosting/azure) and [AWS](/guides/deployment-hosting/aws) marketplace deployments run the same platform as turnkey, Arcade-operated deployments in your own cloud account.
+
+
+## What it deploys
+
+The chart installs the complete platform — Engine, Coordinator, Worker, Dashboard, and Experience API — into a namespace on your cluster, along with the supporting controllers it needs.
+
+## Prerequisites
+
+- **Kubernetes** 1.30 or later
+- **Helm** 3.8 or later (for OCI chart support)
+- **PostgreSQL** and **Redis** — bundled by the chart for proof-of-concept, or bring your own managed instances for production
+- An [OIDC identity provider](/references/auth-providers)
+- An ingress controller or Gateway API implementation, TLS certificates, and a DNS hostname
+
+## Set up your identity provider
+
+Arcade signs users in through your OpenID Connect (OIDC) identity provider. The provider authenticates dashboard users and backs the tokens that MCP gateways validate, so set it up before you deploy.
+
+1. Register an application with your identity provider. Arcade works with [Microsoft Entra ID, Okta, Auth0, or Keycloak](/references/auth-providers), or any standards-compliant OIDC provider.
+2. Copy the application's client ID, generate a client secret, and note the issuer URL. For Microsoft Entra ID, use the v2.0 issuer `https://login.microsoftonline.com//v2.0`.
+3. Provide the client ID, client secret, and issuer in your Helm values.
+4. After you deploy, register the redirect URI for your hostname's `/signin/oidc/callback` path on the application, then sign in to the dashboard.
+
+## Install the chart
+
+
+
+### Install from the OCI registry
+
+The chart is published as an OCI artifact, so there's no repository to add — install it directly. Provide your configuration in a `values.yaml` file (see [Configuration](#configuration)).
+
+```bash
+helm install arcade \
+ oci://public.ecr.aws/s5i6x9d1/charts/arcade \
+ --namespace arcade --create-namespace \
+ -f values.yaml
+```
+
+### Verify the deployment
+
+Once the pods are running, open your configured hostname and sign in through your identity provider to confirm the platform is up.
+
+
+
+## Configuration
+
+Configure the platform through Helm values. The chart covers:
+
+- **Components** — Engine, Coordinator, Worker, Dashboard, and Experience API
+- **Identity** — your OIDC identity provider and [OAuth providers](/references/auth-providers)
+- **Data stores** — bundled or external PostgreSQL and Redis
+- **Networking** — ingress or Gateway API, TLS, and the `engine.ssrfAllowlist` for reaching internal services
+- **Security** — encryption keys, network policies, and RBAC
+- **Telemetry** — OpenTelemetry (OTLP) logs, metrics, and traces
+
+
+The full, versioned values reference lives on [Artifact Hub](https://artifacthub.io/packages/helm/arcade/arcade). Use it as the source of truth for every value and default.
+
+
+## Upgrade and roll back
+
+Upgrade to a new chart version with `helm upgrade`, and roll back with `helm rollback` if needed. See the [Artifact Hub listing](https://artifacthub.io/packages/helm/arcade/arcade) for version-specific upgrade notes.
+
+## Next steps
+
+- [Create an MCP Gateway](/guides/mcp-gateways) to scope tools and auth for each client
+- [Connect external clients with Warp Pipes](/guides/deployment-hosting/warp-pipes)
+- [Set up a User Source](/guides/user-sources) to authenticate end users with your own identity provider
diff --git a/app/en/guides/deployment-hosting/on-prem/page.mdx b/app/en/guides/deployment-hosting/on-prem/page.mdx
index 88bacd08d..ffa857348 100644
--- a/app/en/guides/deployment-hosting/on-prem/page.mdx
+++ b/app/en/guides/deployment-hosting/on-prem/page.mdx
@@ -1,11 +1,11 @@
---
-title: "On-premises MCP Servers"
-description: "Learn how to deploy MCP servers in a hybrid architecture"
+title: "Hybrid MCP servers"
+description: "Run MCP servers in your own environment and connect them to Arcade Cloud"
---
import { Steps, Tabs, Callout } from "nextra/components";
-# On-premise MCP Servers
+# Hybrid MCP servers
diff --git a/app/en/guides/deployment-hosting/page.mdx b/app/en/guides/deployment-hosting/page.mdx
index b256f062a..7d40a5e54 100644
--- a/app/en/guides/deployment-hosting/page.mdx
+++ b/app/en/guides/deployment-hosting/page.mdx
@@ -1,60 +1,53 @@
---
title: "Overview"
-description: "Learn about the different ways to host Arcade"
+description: "Learn about the different ways to host and deploy Arcade"
---
-# Hosting Options Overview
+import { Callout } from "nextra/components";
-The easiest and best way to use Arcade is via the Arcade Cloud service - sign up for free at [https://api.arcade.dev](https://api.arcade.dev). However, you might need to connect your tools to local resources (e.g. a local database or filesystem) or keep data within your own infrastructure. Don't worry, Arcade has you covered via either Arcade Cloud or our on-premise deployment options.
+# Hosting options overview
-## Arcade Cloud
-
-Arcade Cloud is the default option — sign up and start building immediately:
+There are two ways to run Arcade: use **Arcade Cloud**, our fully-managed service, or **run Arcade in your own infrastructure**. This page helps you choose and points you to the right guide.
-- **Zero Infrastructure**: No servers or databases to manage
-- **Automatic Updates**: Always access the latest tools and features
-- **Built-in Scaling**: Handles traffic spikes automatically
-- **Free Tier**: Start building without a credit card
-
-### MCP Server Deployment
+## Arcade Cloud
-You can route and manage tool calls from your agents to MCP servers hosted anywhere—on your machine, on your own infrastructure, in a private cloud, or on Arcade Cloud. This allows you to mix the best public tools with your own private tools.
+[Arcade Cloud](https://api.arcade.dev) is the easiest way to start — sign up and build immediately, with no infrastructure to manage:
-Connect on-premises MCP servers to Arcade Cloud for a hybrid deployment:
+- **Zero infrastructure**: no servers or databases to run
+- **Automatic updates**: always on the latest tools and features
+- **Built-in scaling**: handles traffic spikes for you
+- **Free tier**: start building without a credit card
-- **Private Resources**: Access databases and APIs within your network
-- **Data Control**: Keep sensitive data in your environment
-- **Custom Dependencies**: Use specific runtime requirements or configurations
-- **Compliance**: Meet regulatory requirements while using Arcade's capabilities
+See [Arcade Cloud infrastructure](/guides/deployment-hosting/arcade-cloud) for data residency, storage, and security details.
-See [On-premise MCP Servers](/guides/deployment-hosting/on-prem) for more information about how to use your own MCP servers running anywhere, and see [Arcade Deploy](/guides/deployment-hosting/arcade-deploy) to learn how to deploy to Arcade Cloud.
+## Run Arcade in your own infrastructure
-### Customizing Auth
+Deploy the full Arcade platform into your own cloud account or cluster when you need data residency, network isolation, or to meet compliance requirements. There are two paths.
-You don't have to self-host Arcade to customize your auth experiences. Arcade Cloud supports a number of auth providers out of the box, and you can provide your own OAuth app credentials to brand your end-user experience. We recommend doing this for all production use cases, so that you can have isolated rate limits with the OAuth service provider and you can give your users a consistent experience when they go through an auth flow.
-You can still use the same tools when you customize your auth, no code changes are required.
+### Cloud marketplaces (recommended)
-See [Customizing Auth](/references/auth-providers) for more information.
+Deploy a turnkey, Arcade-operated platform into your own cloud account:
-### Arcade Cloud Pricing
+- [**Azure Marketplace**](/guides/deployment-hosting/azure) — available now as a managed application
+- [**AWS**](/guides/deployment-hosting/aws) — available through a private offer
+- [**GCP**](/guides/deployment-hosting/gcp) — coming soon
-Arcade Cloud offers a generous free tier to get started:
+### Self-host with Helm
-- **Free Tier**: Includes access to all public MCP Servers and basic features
-- **Usage-Based**: Pay only for what you use as you scale
+Prefer to run it yourself? [Deploy the platform with Helm](/guides/deployment-hosting/helm) on your own Kubernetes cluster and manage it end to end.
-Visit [https://api.arcade.dev](https://api.arcade.dev) for current pricing details.
+
+The marketplace and Helm options are **full platform deployments**. The features below run *on top of* Arcade — they aren't ways to stand up the platform.
+
-## On-Premise Deployments
+## Related features
-Fully on-premise deployments of the Arcade platform are available! Arcade can be deployed on Kubernetes via our Helm chart and Docker images as part of our enterprise offering. [Contact us to learn more](/resources/contact-us).
+These connect your tools and clients to Arcade. They are not platform deployments:
-To connect a self-hosted Arcade runtime to MCP servers inside your private network, and to reach it from external AI clients without opening inbound ports, see [Warp Pipes](/guides/deployment-hosting/warp-pipes).
+- [**Arcade Deploy**](/guides/deployment-hosting/arcade-deploy) — host *your* MCP server on Arcade Cloud with the `arcade deploy` command.
+- [**Hybrid MCP servers**](/guides/deployment-hosting/on-prem) — run MCP servers in your own environment and connect them to Arcade Cloud, so tools reach private resources.
+- [**Warp Pipes**](/guides/deployment-hosting/warp-pipes) — connect external AI clients to a self-hosted Arcade runtime without opening inbound ports.
-The requirements for deploying Arcade on-premise are:
+## Customizing auth
-- Kubernetes cluster (1.30+) (We have tested this helm chart on AKS, GKE, and EKS).
-- Helm 3.x
-- kubectl configured to access your cluster
-- Cert Manager for securing Redis and Postgres and public ingress (see below)
-- Nginx Ingress for accessing Arcade.dev from outside the cluster (see below)
+You don't have to self-host to customize your auth experience. Arcade Cloud supports many [auth providers](/references/auth-providers) out of the box, and you can supply your own OAuth app credentials to brand the end-user experience. We recommend this for all production use cases.
diff --git a/app/en/guides/deployment-hosting/warp-pipes/page.mdx b/app/en/guides/deployment-hosting/warp-pipes/page.mdx
index f32666d3c..be5598174 100644
--- a/app/en/guides/deployment-hosting/warp-pipes/page.mdx
+++ b/app/en/guides/deployment-hosting/warp-pipes/page.mdx
@@ -10,7 +10,7 @@ import { Callout, Steps, Tabs } from "nextra/components";
Connecting AI agents to private tools is two problems. The first is **networking**: your internal MCP servers and services aren't reachable from the public internet, by design. The second is **governance**: a tunnel only moves bytes, so authentication, per-user credentials, access scoping, and audit are a separate problem that the tunnel products leave to you.
-The Arcade runtime already solves governance. **Warp Pipes** is a managed service that solves the networking — Arcade hands you a public MCP URL and forwards traffic to your private runtime, so you don't run the connection yourself.
+The Arcade runtime already solves governance. **Warp Pipes** is a managed service that solves the networking — Arcade hands you a public MCP URL and forwards traffic to your private runtime, so you don't run the connection yourself. Warp Pipes front-ends a runtime you've already deployed; it isn't itself a way to deploy the Arcade platform.
**Warp Pipes is in early access.** [Request access](https://www.arcade.dev/contact) to have Arcade manage the connection from your AI clients to your runtime. You can also connect clients today with your own reverse proxy — see [Bring your own reverse proxy](#bring-your-own-reverse-proxy).
@@ -25,8 +25,8 @@ Connect external AI clients to private MCP servers through a self-hosted Arcade
-- A [self-hosted Arcade runtime](/guides/deployment-hosting/on-prem)
-- Access to your [engine.yaml configuration](/guides/deployment-hosting/configure-engine)
+- A [self-hosted Arcade runtime](/guides/deployment-hosting/helm)
+- Access to your [Arcade configuration](/guides/deployment-hosting/helm#configuration) (Helm values)
- The private hostnames or IP ranges of your internal MCP servers
@@ -83,7 +83,7 @@ For Claude, through the Messages API or managed agents, use **Arcade Auth** or *
## Connect to internal MCP servers
-Your internal MCP servers live at private hostnames or IP addresses. Configure the `ssrf_allowlist` in `engine.yaml` to tell the runtime which internal addresses it's permitted to call, then register each MCP server URI as a worker.
+Your internal MCP servers live at private hostnames or IP addresses. Configure the runtime's SSRF allowlist through your Helm values to tell the runtime which internal addresses it's permitted to call, then register each MCP server URI as a worker.
The runtime calls these servers directly over your private network, by their internal addresses. No inbound ports, and no tunnel, are required.
@@ -96,34 +96,16 @@ The runtime calls these servers directly over your private network, by their int
unoptimized
/>
-Add the allowlist and workers to the `tools.directors` section of `engine.yaml`:
-
-```yaml filename="engine.yaml"
-tools:
- directors:
- - id: default
- ssrf_allowlist:
- - "*.corp.internal" # any subdomain
- - "10.10.0.0/16" # IP range
- workers:
- - id: bloomberg
- enabled: true
- http:
- uri: "http://bloomberg.corp.internal:8000"
- secret: "${env:BLOOMBERG_SECRET}"
- - id: sap
- enabled: true
- http:
- uri: "http://sap.corp.internal:8080"
- secret: "${env:SAP_SECRET}"
- - id: github-enterprise
- enabled: true
- http:
- uri: "http://github.corp.internal"
- secret: "${env:GITHUB_SECRET}"
+Set the allowlist in your Helm values:
+
+```yaml filename="values.yaml"
+engine:
+ ssrfAllowlist:
+ - "*.corp.internal" # any subdomain
+ - "10.10.0.0/16" # IP range
```
-For the rest of the `tools.directors` and worker options, see [runtime configuration](/guides/deployment-hosting/configure-engine#tools-configuration).
+Then register each internal MCP server as a worker so the runtime can route tool calls to it. For the full set of worker and allowlist values, see the [values reference](https://artifacthub.io/packages/helm/arcade/arcade) and [Self-host with Helm](/guides/deployment-hosting/helm#configuration).
### Allowlist entry types
@@ -140,12 +122,12 @@ Keep these rules in mind when you write allowlist entries:
- CIDR entries match against the resolved IP. For split-horizon DNS, where a hostname resolves to different IPs inside and outside the network, use exact-host or wildcard entries instead.
- Malformed entries cause the runtime to fail at startup.
-### Configure the allowlist with Helm
+### Set the allowlist with `--set`
-If you deploy the runtime with the Arcade Helm chart, set the allowlist with `--set`:
+You can also set the allowlist imperatively when you install or upgrade the chart:
```bash
-helm upgrade arcade monorepo/deploy/charts/arcade/ \
+helm upgrade arcade oci://public.ecr.aws/s5i6x9d1/charts/arcade \
--set engine.ssrfAllowlist[0]="*.corp.internal" \
--set engine.ssrfAllowlist[1]="10.10.0.0/16"
```
@@ -303,7 +285,7 @@ The path `/mcp/{slug}` must also pass through intact. The runtime routes by gate
## Next steps
-- [Configure the Arcade runtime](/guides/deployment-hosting/configure-engine) for the full `engine.yaml` reference
+- [Self-host with Helm](/guides/deployment-hosting/helm) for the full configuration reference
- [Create an MCP Gateway](/guides/mcp-gateways) to scope tools and auth for each client
- [Set up a User Source](/guides/user-sources) to authenticate end users with your own identity provider
- [Connect your MCP client](/get-started/mcp-clients) to a gateway URL
diff --git a/app/en/references/auth-providers/airtable/page.mdx b/app/en/references/auth-providers/airtable/page.mdx
index c87d2452e..230606abd 100644
--- a/app/en/references/auth-providers/airtable/page.mdx
+++ b/app/en/references/auth-providers/airtable/page.mdx
@@ -115,7 +115,7 @@ Hit the **Create** button and the provider will be ready to be used.
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem)
+ engine](/guides/deployment-hosting/helm)
diff --git a/app/en/references/auth-providers/calendly/page.mdx b/app/en/references/auth-providers/calendly/page.mdx
index f3214058e..c2f14ba4e 100644
--- a/app/en/references/auth-providers/calendly/page.mdx
+++ b/app/en/references/auth-providers/calendly/page.mdx
@@ -111,7 +111,7 @@ Hit the **Create** button and the provider will be ready to be used.
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem)
+ engine](/guides/deployment-hosting/helm)
diff --git a/app/en/references/auth-providers/figma/page.mdx b/app/en/references/auth-providers/figma/page.mdx
index 1bc6d233d..720e85aa6 100644
--- a/app/en/references/auth-providers/figma/page.mdx
+++ b/app/en/references/auth-providers/figma/page.mdx
@@ -140,7 +140,7 @@ Hit the **Create** button and the provider will be ready to be used.
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem
+ engine](/guides/deployment-hosting/helm
diff --git a/app/en/references/auth-providers/mailchimp/page.mdx b/app/en/references/auth-providers/mailchimp/page.mdx
index 4d8d92706..cc04ece81 100644
--- a/app/en/references/auth-providers/mailchimp/page.mdx
+++ b/app/en/references/auth-providers/mailchimp/page.mdx
@@ -113,7 +113,7 @@ Hit the **Create** button and the provider will be ready to be used.
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem
+ engine](/guides/deployment-hosting/helm
diff --git a/app/en/references/auth-providers/miro/page.mdx b/app/en/references/auth-providers/miro/page.mdx
index d5f4fce3c..9bd724c89 100644
--- a/app/en/references/auth-providers/miro/page.mdx
+++ b/app/en/references/auth-providers/miro/page.mdx
@@ -115,7 +115,7 @@ Hit the **Create** button and the provider will be ready to be used.
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem
+ engine](/guides/deployment-hosting/helm
diff --git a/app/en/references/auth-providers/oauth2/page.mdx b/app/en/references/auth-providers/oauth2/page.mdx
index 1032e70d8..c7daeb6fe 100644
--- a/app/en/references/auth-providers/oauth2/page.mdx
+++ b/app/en/references/auth-providers/oauth2/page.mdx
@@ -30,7 +30,7 @@ The only supported OAuth 2.0 flow is the authorization code grant flow (with or
## Configuring OAuth 2.0
-How you configure the OAuth 2.0 provider depends on whether you use the Arcade Cloud Engine or a [self-hosted Engine](/guides/deployment-hosting/on-prem). If you use the Cloud Engine, you must configure your provider in the Dashboard.
+How you configure the OAuth 2.0 provider depends on whether you use the Arcade Cloud Engine or a [self-hosted Engine](/guides/deployment-hosting/helm). If you use the Cloud Engine, you must configure your provider in the Dashboard.
When configuring your app in the OAuth 2.0 enabled service, you must use the
@@ -43,7 +43,7 @@ How you configure the OAuth 2.0 provider depends on whether you use the Arcade C
When using the Arcade Cloud Platform, the Dashboard is available at
[`https://api.arcade.dev/dashboard`](https://api.arcade.dev/dashboard). If you
- are [self-hosting Arcade](/guides/deployment-hosting/on-prem), by default
+ are [self-hosting Arcade](/guides/deployment-hosting/helm), by default
the Dashboard is available at
[`http://localhost:9099/dashboard`](http://localhost:9099/dashboard). Adjust
the host and port, if necessary, to match your environment.
@@ -62,7 +62,7 @@ When you use tools that require OAuth 2.0 authorization using your Arcade accoun
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem
+ engine](/guides/deployment-hosting/helm
@@ -84,7 +84,7 @@ HOOLI_CLIENT_SECRET=""
```
- See [configuration](/guides/deployment-hosting/configure-engine) for more
+ See [configuration](/guides/deployment-hosting/helm#configuration) for more
information on how to set environment variables and configure the Arcade
Engine.
@@ -94,7 +94,7 @@ HOOLI_CLIENT_SECRET=""
To locate the `engine.yaml` file in your OS after installing the Arcade
Engine, check the [Engine configuration
- file](/guides/deployment-hosting/configure-engine)
+ file](/guides/deployment-hosting/helm#configuration)
documentation.
diff --git a/app/en/references/auth-providers/pagerduty/page.mdx b/app/en/references/auth-providers/pagerduty/page.mdx
index 01af07a78..afb56542c 100644
--- a/app/en/references/auth-providers/pagerduty/page.mdx
+++ b/app/en/references/auth-providers/pagerduty/page.mdx
@@ -122,7 +122,7 @@ Hit the **Create** button and the provider will be ready to be used.
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem
+ engine](/guides/deployment-hosting/helm
diff --git a/app/en/references/auth-providers/square/page.mdx b/app/en/references/auth-providers/square/page.mdx
index 46cb7e58a..8906d6d8f 100644
--- a/app/en/references/auth-providers/square/page.mdx
+++ b/app/en/references/auth-providers/square/page.mdx
@@ -117,7 +117,7 @@ Hit the **Create** button and the provider will be ready to be used.
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem
+ engine](/guides/deployment-hosting/helm
diff --git a/app/en/references/auth-providers/ticktick/page.mdx b/app/en/references/auth-providers/ticktick/page.mdx
index 14ff5bbc7..95a320b6a 100644
--- a/app/en/references/auth-providers/ticktick/page.mdx
+++ b/app/en/references/auth-providers/ticktick/page.mdx
@@ -110,7 +110,7 @@ Hit the **Create** button and the provider will be ready to be used.
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem
+ engine](/guides/deployment-hosting/helm
diff --git a/app/en/references/auth-providers/zoho/page.mdx b/app/en/references/auth-providers/zoho/page.mdx
index 3a1550a3b..f77956167 100644
--- a/app/en/references/auth-providers/zoho/page.mdx
+++ b/app/en/references/auth-providers/zoho/page.mdx
@@ -126,7 +126,7 @@ Hit the **Create** button and the provider will be ready to be used.
This method is only available when you are [self-hosting the
- engine](/guides/deployment-hosting/on-prem
+ engine](/guides/deployment-hosting/helm
diff --git a/next.config.ts b/next.config.ts
index c3347c3d6..b7634c2e8 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -592,7 +592,7 @@ const nextConfig: NextConfig = withLlmsTxt({
},
{
source: "/:locale/home/deployment/engine-configuration",
- destination: "/:locale/guides/deployment-hosting/configure-engine",
+ destination: "/:locale/guides/deployment-hosting/helm",
permanent: true,
},
{
@@ -812,7 +812,12 @@ const nextConfig: NextConfig = withLlmsTxt({
},
{
source: "/:locale/guides/deployment-hosting/engine-configuration",
- destination: "/:locale/guides/deployment-hosting/configure-engine",
+ destination: "/:locale/guides/deployment-hosting/helm",
+ permanent: true,
+ },
+ {
+ source: "/:locale/guides/deployment-hosting/configure-engine",
+ destination: "/:locale/guides/deployment-hosting/helm",
permanent: true,
},
{
diff --git a/public/llms.txt b/public/llms.txt
index 399a0821e..bd4c1058e 100644
--- a/public/llms.txt
+++ b/public/llms.txt
@@ -1,4 +1,4 @@
-
+
# Arcade
@@ -103,9 +103,11 @@ Arcade delivers three capabilities. Enforce (Agent Authorization): deploy agents
- [Create an MCP tool with secrets](https://docs.arcade.dev/en/guides/create-tools/tool-basics/create-tool-secrets): This documentation page guides users on how to create custom MCP tools that securely handle sensitive information, known as secrets, using the Arcade platform. It covers the process of reading secrets from various sources, such as environment variables and the Arcade Dashboard, and provides best
- [Create via Dashboard](https://docs.arcade.dev/en/guides/mcp-gateways/create-via-dashboard): This documentation page guides users through the process of creating and configuring MCP Gateways using the Arcade dashboard, detailing the necessary prerequisites and configuration options available. Users will learn how to select tools, set authentication modes, and manage gateway settings effectively. Additionally, it
- [Creating an MCP Server with Arcade](https://docs.arcade.dev/en/guides/create-tools/tool-basics/build-mcp-server): This documentation page provides a comprehensive guide for users to create, test, deploy, and publish a custom MCP Server using the Arcade framework. It details the installation of the Arcade CLI, the scaffolding of a new server project, and the setup of necessary
+- [Deploy Arcade on AWS](https://docs.arcade.dev/en/guides/deployment-hosting/aws): Documentation page
+- [Deploy Arcade on Azure](https://docs.arcade.dev/en/guides/deployment-hosting/azure): Documentation page
+- [Deploy Arcade on GCP](https://docs.arcade.dev/en/guides/deployment-hosting/gcp): Documentation page
- [Deploying to the cloud with Arcade Deploy](https://docs.arcade.dev/en/guides/deployment-hosting/arcade-deploy): This documentation page provides a comprehensive guide on deploying an MCP server to the cloud using Arcade Deploy, enabling users to access their server from any MCP client and support multi-user functionality. It outlines the prerequisites, deployment steps, and how to create MCP Gateways
- [Directly call third-party APIs](https://docs.arcade.dev/en/guides/tool-calling/call-third-party-apis): This documentation page provides a comprehensive guide on how to directly call third-party APIs using Arcade, focusing on obtaining user authorization tokens and managing authentication flows. Users will learn to implement these processes through practical examples, particularly with Google's Gmail API, enabling them to interact
-- [Engine Configuration](https://docs.arcade.dev/en/guides/deployment-hosting/configure-engine): This documentation page provides enterprise customers with advanced guidance on configuring the Arcade Engine, specifically for self-hosted environments. It details the installation process across different platforms, explains the purpose and customization of key configuration files (`engine.yaml` and `engine.env`),
- [Evaluate Tools](https://docs.arcade.dev/en/guides/create-tools/evaluate-tools): The "Evaluate Tools" documentation page provides guidance on systematically testing and enhancing tools using Arcade's evaluation framework. It helps users validate the performance of their tools post-development and offers techniques for iterative improvements to ensure reliability in production.
- [Frequently Asked Questions](https://docs.arcade.dev/en/resources/faq): This documentation page provides answers to common questions about the Arcade platform, including how to create and contribute tools, the differences between various API keys, and authentication methods. Users can learn how to build custom tools, manage API keys for team collaboration, and understand
- [Get Formatted Tool Definitions](https://docs.arcade.dev/en/guides/tool-calling/custom-apps/get-tool-definitions): This documentation page provides guidance on how to retrieve formatted tool definitions using the Arcade Client, allowing users to obtain both single and multiple tool definitions in specific model provider formats. It also details methods for converting these definitions into Zod schemas for enhanced type safety and
@@ -140,6 +142,7 @@ Arcade delivers three capabilities. Enforce (Agent Authorization): deploy agents
- [Secure and Brand the Auth Flow in Production](https://docs.arcade.dev/en/guides/user-facing-agents/secure-auth-production): This documentation page guides users on how to secure and customize authentication flows in production using Arcade.dev. It outlines the use of the default Arcade user verifier for development and the implementation of a custom user verifier for production applications, ensuring user safety and a tailored user
- [Securing Arcade MCP Deployments](https://docs.arcade.dev/en/guides/create-tools/secure-your-server): This documentation page provides guidance on securing Arcade MCP deployments by outlining two primary methods: deploying the MCP server through the Arcade platform for built-in security features and implementing OAuth 2.1 Resource Server authentication for self-hosted setups. Users will learn how to
- [Security Research Program](https://docs.arcade.dev/en/resources/security-research-program): The Security Research Program documentation page outlines how users can report security vulnerabilities in Arcade's tools and services, emphasizing the importance of community involvement in enhancing security. It details the types of vulnerabilities sought, the reporting process, and guidelines for responsible disclosure. Additionally,
+- [Self-host Arcade with Helm](https://docs.arcade.dev/en/guides/deployment-hosting/helm): Documentation page
- [Server-Level vs Tool-Level Authorization](https://docs.arcade.dev/en/learn/server-level-vs-tool-level-auth): This documentation page explains the differences between server-level authorization (Resource Server auth) and tool-level authorization in Arcade MCP servers, highlighting their respective roles in securing access to the server and external APIs. It provides guidance on when to implement each type of authorization and
- [Setup Arcade with Google ADK (Python)](https://docs.arcade.dev/en/get-started/agent-frameworks/google-adk/setup-python): This documentation page provides a comprehensive guide for users to set up and integrate Arcade tools with the Google ADK framework using Python. It outlines the necessary prerequisites, teaches users how to build a Google ADK agent that utilizes Arcade tools, and explains how to
- [Setup Arcade with Google ADK (TypeScript)](https://docs.arcade.dev/en/get-started/agent-frameworks/google-adk/setup-typescript): This documentation page guides users through the process of setting up an AI agent using Arcade tools with the Google ADK in TypeScript. It covers prerequisites, integration steps, and key concepts such as tool conversion and session management, enabling users to build agents that