QUESTPIE Autopilot
Security

Self-Hosting

Network security, Tailscale VPN, reverse proxy, Docker deployment, and hardening checklist for self-hosted QUESTPIE Autopilot.

How to secure a self-hosted Autopilot instance for team or production use.

Ports

The orchestrator exposes two ports:

PortPurposeWho needs access
7778REST API + DashboardYour team (humans, CLI, CI/CD)
7777Webhook serverExternal services (GitHub, Stripe, Slack)

Network Security

Tailscale creates a WireGuard mesh VPN. No port exposure, no TLS setup, identity-based access.

server
# Install Tailscale and join your network
tailscale up --hostname autopilot

# API is now at http://autopilot:7778 from any Tailscale device
# Encrypted in transit, no firewall rules needed

For webhooks (must be publicly reachable):

server
# Expose only webhook port via Tailscale Funnel
tailscale funnel --bg 7777

Why Tailscale:

  • Zero-config WireGuard encryption
  • Identity-based access (SSO integration)
  • No open ports on the firewall
  • MagicDNS (autopilot.tailnet-name.ts.net)
  • ACL policies for fine-grained access

Option 2: Reverse Proxy + TLS

For a publicly accessible instance:

Caddyfile
autopilot.yourdomain.com {
    reverse_proxy localhost:7778
}

webhooks.yourdomain.com {
    reverse_proxy localhost:7777
}

Caddy auto-provisions TLS via Let's Encrypt. With Nginx, configure TLS manually and set proxy_set_header X-Forwarded-For $remote_addr so audit logs capture client IPs.

When behind a reverse proxy, set NODE_ENV=production to enable:

  • secure: true cookies (HTTPS-only)
  • sameSite: strict (CSRF protection)
  • httpOnly: true (XSS protection)

Option 3: Firewall + SSH Tunnel (Solo)

server
ufw deny 7778     # Block external API access
ufw allow 7777    # Webhooks still reachable
your machine
ssh -L 7778:localhost:7778 user@server
# Access at http://localhost:7778

Docker

terminal
docker run -d \
  --name autopilot \
  -p 7778:7778 \
  -p 7777:7777 \
  -v /path/to/company:/data/company \
  -e COMPANY_ROOT=/data/company \
  -e NODE_ENV=production \
  -e AUTOPILOT_MASTER_KEY="$(openssl rand -base64 32)" \
  -e OPENROUTER_API_KEY="sk-or-..." \
  questpie/autopilot-orchestrator:latest

Environment Variables

VariableRequiredDefaultDescription
OPENROUTER_API_KEYYes--Claude API key for agent sessions
COMPANY_ROOTYes--Path to company data directory
AUTOPILOT_MASTER_KEYRecommendedAuto-generated file256-bit base64 key for secrets encryption
NODE_ENVRecommendeddevelopmentSet production for secure cookies and HTTPS
PORTNo7778API server port
WEBHOOK_PORTNo7777Webhook server port

Hardening Checklist

  • Set AUTOPILOT_MASTER_KEY as env var (not the auto-generated file)
  • Set NODE_ENV=production
  • Create owner account with autopilot auth setup
  • Define team members in team/humans.yaml with appropriate roles
  • Restrict CORS: set settings.auth.cors_origin to your dashboard domain
  • Restrict API port (7778) to your team via Tailscale, firewall, or reverse proxy
  • Keep webhook port (7777) reachable only for services that need it
  • Ensure secrets/.master-key is NOT committed to git
  • Ensure .auth/ directory is NOT backed up to insecure locations
  • Set OPENROUTER_API_KEY as env var, not in company files
  • Review audit logs periodically (logs/audit/)
  • Configure secret_ref on all authenticated webhooks
  • Configure IP allowlist in settings.auth.ip_allowlist for production
  • Enable 2FA for all human users with autopilot auth 2fa enable

Secrets

AES-256-GCM encryption at rest, master key management, per-agent secret scoping, and webhook authentication.

Self-Hosting Overview

Run QUESTPIE Autopilot on your own infrastructure for full data sovereignty and control.

On this page

PortsNetwork SecurityOption 1: Tailscale (Recommended for Teams)Option 2: Reverse Proxy + TLSOption 3: Firewall + SSH Tunnel (Solo)DockerEnvironment VariablesHardening Checklist