# Deploy A Remote AutoVault

Deploy AutoVault when a team needs a shared remote vault, OAuth-protected MCP access, and role-aware skill delivery.

## Remote mode

- Serves Streamable HTTP MCP at /mcp.
- Uses OAuth for registration, login, token issuance, and protected-resource metadata.
- Keeps validation, signing, transforms, resource reads, and drift checks on the same code path as local mode.
- Remote mode cannot create symlinks on client machines. Remote clients should discover and read skills through get_skill; local filesystem-native hosts still need local sync-profiles or a future mirror helper.

## Railway template

Use the Railway template as the primary self-hosted setup path:

https://railway.com/deploy/autovault?referralCode=VuFE6g&utm_medium=integration&utm_source=template&utm_campaign=generic

Template checklist:

- Provide AUTOVAULT_ADMIN_EMAIL and AUTOVAULT_ADMIN_PASSWORD during deploy. The password must be at least 12 characters and is hashed on first boot.
- Keep the persistent volume mounted at /data/autovault before the first healthy deploy.
- Set AUTOVAULT_MODE=remote and AUTOVAULT_STORAGE_PATH=/data/autovault.
- Confirm AUTOVAULT_PUBLIC_URL matches the generated https://<service>.up.railway.app domain. Railway injects PORT, so do not override it.
- Verify /healthz, /.well-known/oauth-authorization-server, and /mcp after deploy.

## Manual image deploy

Advanced operators can deploy the public GHCR image directly:

```text
ghcr.io/autoworks-ai/autovault:v0.2.1
volume: /data/autovault
leave PORT unset
```

Required variables:

```bash
AUTOVAULT_MODE=remote
AUTOVAULT_STORAGE_PATH=/data/autovault
AUTOVAULT_PUBLIC_URL=https://<your-service>.up.railway.app
AUTOVAULT_ADMIN_EMAIL=admin@example.com
AUTOVAULT_ADMIN_PASSWORD=<long random string, min 12 chars>
AUTOVAULT_SECURITY_STRICT=true
AUTOVAULT_LOG_LEVEL=info
```

Remote MCP URL:

```text
https://<your-service>.up.railway.app/mcp
```
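The template checklist and the required variables above can be linted before the first deploy. The following is an added example, not part of AutoVault: the function names are hypothetical, and the rule that AUTOVAULT_PUBLIC_URL is a bare origin with no path is an assumption drawn from the MCP URL being that origin plus /mcp.

```bash
# Added example: preflight lint for the remote-mode variables listed on this page.
# Function names are hypothetical; rules come from the checklist unless marked.

autovault_preflight() {
  local errs=0 pw="${AUTOVAULT_ADMIN_PASSWORD:-}"
  fail() { echo "FAIL: $*" >&2; errs=$((errs + 1)); }

  [ "${AUTOVAULT_MODE:-}" = "remote" ] || fail "AUTOVAULT_MODE must be remote"
  [ "${AUTOVAULT_STORAGE_PATH:-}" = "/data/autovault" ] ||
    fail "AUTOVAULT_STORAGE_PATH must be /data/autovault (the volume mount)"
  [ -z "${PORT:-}" ] || fail "PORT is set; Railway injects it, leave it unset"
  [ -n "${AUTOVAULT_ADMIN_EMAIL:-}" ] || fail "AUTOVAULT_ADMIN_EMAIL is empty"

  # Password: at least 12 characters, and not the copied <placeholder> text.
  [ "${#pw}" -ge 12 ] || fail "AUTOVAULT_ADMIN_PASSWORD shorter than 12 characters"
  case "$pw" in '<'*'>') fail "AUTOVAULT_ADMIN_PASSWORD is still a placeholder" ;; esac

  # Public URL: https only, no placeholder; bare origin is this example's assumption.
  case "${AUTOVAULT_PUBLIC_URL:-}" in
    *'<'*|*'>'*) fail "AUTOVAULT_PUBLIC_URL still holds a <placeholder>" ;;
    https://*/*) fail "AUTOVAULT_PUBLIC_URL should be the bare origin, no path" ;;
    https://?*)  ;;
    *)           fail "AUTOVAULT_PUBLIC_URL must be an https:// URL" ;;
  esac
  return "$errs"   # number of failed checks; 0 means ready to deploy
}

# The three endpoints the checklist says to verify after deploy.
autovault_endpoints() {
  local base="${AUTOVAULT_PUBLIC_URL%/}" path
  for path in /healthz /.well-known/oauth-authorization-server /mcp; do
    echo "$base$path"
  done
}

# Post-deploy: print the HTTP status of each endpoint (needs network and curl).
autovault_probe() {
  autovault_endpoints | while read -r url; do
    curl -sS -o /dev/null -m 10 -w "%{http_code} $url\n" "$url"
  done
}
```

Run autovault_preflight with the deploy variables exported, then autovault_probe once the service is healthy. Because /mcp is OAuth-protected, a 2xx response to the unauthenticated probe deserves investigation.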

