Skip to content

Deploying the Pre-Built Binary

This guide shows how to run EventSourcingDB directly using a pre-built binary. It covers a minimal secure baseline and explains how to incrementally add features like licensing and the management UI.

Minimal Secure Setup

To run EventSourcingDB securely in production, you need:

  • A strong API token (minimum 32 characters, mixed-case letters and digits)
  • An HTTPS certificate and private key
  • A persistent data directory

Use the following command as a starting point:

./eventsourcingdb run \
  --api-token=<API_TOKEN> \
  --https-certificate-file=<CONFIG_DIR>/cert.pem \
  --https-private-key-file=<CONFIG_DIR>/key.pem \
  --data-directory=<DATA_DIR>

Replace:

  • <API_TOKEN> with a secure string
  • <CONFIG_DIR> with the directory containing your TLS certificate and private key (e.g., /etc/esdb)
  • <DATA_DIR> with the path to your persistent data directory (e.g., /var/lib/esdb)

No HTTP in Production

In production, do not enable HTTP. HTTPS is enabled by default, so --http-enabled=false is not required – but specifying it explicitly is recommended for clarity.

Changing the Port

By default, EventSourcingDB uses port 4000 for HTTPS. To use a different port, provide the --https-port flag:

./eventsourcingdb run [...] --https-port=443

Adding a Commercial License

If you're using a commercial license, place the license file (e.g., license.lic) in <CONFIG_DIR>, or another suitable location, and provide the --license-file flag:

./eventsourcingdb run [...] --license-file=/etc/esdb/license.lic

Alternatively, you can provide the license as an inline string using the --license-string flag. In this case, there is no need to store the license as a file:

./eventsourcingdb run [...] --license-string=<LICENSE_STRING>

Enabling Event Signing (Optional)

To enable cryptographic signatures for events, provide the --signing-key-file flag and point it to a valid Ed25519 private key in PKCS#8 PEM format:

./eventsourcingdb run [...] --signing-key-file=/etc/esdb/signing-key.pem

If no key is provided, the signature field of returned events will be null.

Enabling the Management UI (Optional)

The management UI provides a visual dashboard but may be unnecessary if you're already using observability tools like Prometheus.

To enable it:

./eventsourcingdb run [...] --with-ui

Use it if no external monitoring is available, or when you want a quick overview of system status.

Production Checklist

For secure and stable operation of EventSourcingDB:

  • Use HTTPS with your own certificates
  • Store the data in a persistent, monitored directory
  • Disable HTTP (or at least don't enable it)
  • Use --https-port to match your infrastructure, if needed
  • Use optional flags like --signing-key-file, --with-ui, --license-file, or --license-string as needed

This setup keeps your instance secure, observable, and predictable – with all changes under your control.