Release Passport

Smart install

Install the self-hosted runtime with one token-first command.

Sign in to the Release Passport Portal first, generate an install token, then install the customer runtime: web dashboard, API, worker, CLI gate, detector, connectors, runtime checks, and license verification. Owner checkout, billing mutation, and license issuance stay on releasepassport.com.

Step 1

Sign in to the Release Passport Portal.

Step 2

Generate a Trial install token tied to the portal account.

Step 3

Run the token-first installer command.

Step 4

Let the installer detect Kubernetes or Docker Compose, domain, storage, and connector hints.

Step 5

Open the customer-owned self-hosted console printed by the installer.

Step 6

Upgrade later with releasepassport upgrade or the same token-first installer.

Step 7

Remove the runtime later with releasepassport uninstall.

Target

Auto-detected

The installer chooses Kubernetes only when kubectl, Helm, and a reachable cluster context are ready; otherwise it falls back to Docker Compose when available.

Domain

Smart domain mode

Use a provided HTTPS domain for production or local/SSH-tunnel URLs for first trial access.

Auth

Basic by default

Bootstrap admin with basic auth. OIDC and trusted proxy auth are optional package-gated modes.

Storage

Auto or bundled

Existing DATABASE_URL, VALKEY_URL, and optional OBJECT_STORAGE_ENDPOINT are used when present; otherwise bundled trial storage is installed.

Connectors

Detected hints

The installer suggests CI/CD, GitOps, runtime, metrics, incidents, work items, quality, security, policy, and rollout providers from local/env signals.

One command, smart defaults.

Start with only a portal install token. The installer detects Kubernetes or Docker Compose, asks for a domain only when needed, uses existing storage env vars when present, suggests connector candidates, and keeps owner checkout, billing mutation, and license issuance out of the customer runtime.

Target
Domain
Auth
Storage
First connector
Token-first installer

Copy this first

# Sign in and generate an install token from the entitlement portal first.
# The installer exchanges it for a Trial license and registry pull credential.
# Storage is inferred from DATABASE_URL, VALKEY_URL, and OBJECT_STORAGE_ENDPOINT when present.
curl -fsSL https://releasepassport.com/install.sh | bash -s -- \
  --install-token <portal-install-token>

The installer prints an install plan, console URL, API URL, admin login, storage choice, connector hint, and first shadow gate command. Use advanced flags only when you want to force a specific target.

Connector status is explicit.

The installer can seed connector hints, but hints are not the same as full live sync. Use the connector matrix to distinguish native pull, evidence ingest, detected candidates, manual connectors, planned work, and providers that require credentials.

Native pullEvidence ingestDetected candidateManual connectorPlannedRequires credential
Open connector matrix

Security path: verify, then run.

Security teams can review and verify the installer before execution. The one-command path is still available for disposable trial clusters, but production buyers should prefer the verified flow.

verified installer
curl -fsSLO https://releasepassport.com/install.sh
curl -fsSLO https://releasepassport.com/install.sh.sha256
if command -v shasum >/dev/null 2>&1; then shasum -a 256 -c install.sh.sha256; else sha256sum -c install.sh.sha256; fi

bash install.sh --install-token <portal-install-token>

Fast trial command.

Use this first. If you have no domain, the installer configures local or SSH-tunnel URLs and prints the dashboard/API access path. Generate the install token from the portal first; it replaces manual registry username/password handling. With a domain, the installer checks DNS plus web/API readiness and tells you when firewall, TLS, or routing still blocks public access.

one-command trial
curl -fsSL https://releasepassport.com/install.sh | bash -s -- \
  --install-token <portal-install-token>

Windows operator path.

Windows runtime installs use WSL2 so Kubernetes, Docker Compose, Helm, and the same signed Linux installer stay on one supported path. If WSL2 is missing, the launcher stops and prints the required setup command.

PowerShell
powershell -ExecutionPolicy Bypass -Command "irm https://releasepassport.com/install.ps1 | iex; Install-ReleasePassport -InstallToken '<portal-install-token>'"

Upgrade path.

Upgrade is additive and backward-compatible: the CLI prints a reviewed plan, the installer pins the requested version with --version, and the runtime keeps the same customer-owned console, install ID, storage, and registry entitlement flow.

upgrade
# Preview a token-first runtime upgrade plan.
releasepassport upgrade

# Pin a specific package version when your change-control process requires it.
releasepassport upgrade --version 0.1.1

# Apply remains plan-first: run the printed installer command after review.
releasepassport upgrade apply --version 0.1.1

Clean uninstall path.

The CLI removes the self-hosted runtime without deleting data by default. Use the purge path only when the operator intentionally wants to delete bundled volumes or the Kubernetes namespace.

uninstall
# Stop/remove the self-hosted runtime and preserve data by default.
releasepassport uninstall

# Preview exact Compose or Kubernetes commands first.
releasepassport uninstall --dry-run

# Automation can skip the interactive prompt.
releasepassport uninstall --yes

# Full data wipe: Compose volumes + directory, or Kubernetes namespace.
releasepassport uninstall --purge

Preflight checklist.

The CLI preflight is exposed as releasepassport doctor so operators can verify OS, runtime target, checksum tooling, storage, install-token, and BYOK AI readiness before or after install.

CLI doctor
releasepassport doctor
releasepassport doctor --output json
Docker Engine and Docker Compose v2 available for single-VM installs
kubectl connected to the intended cluster for Kubernetes installs
Helm 3 available for Kubernetes installs
Windows operators use the PowerShell launcher with WSL2 enabled
Namespace and StorageClass available
releasepassport.com portal install-token exchange reachable
registry.releasepassport.com reachable through install-token pull credentials
License public key and refresh endpoint reachable
Customer domain DNS, firewall, TLS, and Gateway or reverse proxy ready when domain mode is selected
Postgres, Redis/Valkey, and S3-compatible storage selected or bundled trial storage accepted
No secrets pasted into public logs, tickets, screenshots, or support email

Storage model.

Production installs should point at customer-owned Postgres, Redis/Valkey, and S3-compatible object storage. Export DATABASE_URL, VALKEY_URL, and optional OBJECT_STORAGE_ENDPOINT before running the token command; Compose consumes those values and disables bundled Postgres/Valkey startup in existing-storage mode.

Storage configuration

Auth and license.

Basic auth is the default. OIDC and trusted proxy auth are optional. The installer generates an install ID, stores it as a secret, and uses it to bind Trial, Starter, Team, and Business licenses to one runtime.

License behavior

Installer output should be immediately actionable.

A successful install prints only customer-safe material. Generated passwords are shown once. Tokens and registry credentials are stored in cluster secrets and redacted from logs.

Dashboard URL
API URL
Bootstrap admin email and one-time password
RELEASEPASSPORT_INSTALL_ID secret
Registry pull secret
First gate token status
Paste-ready releasepassport gate command
Detected connector candidates and manual configuration next steps

Next step: generate your first passport.

After install, open the console first-passport journey or paste the generated CLI command into CI in shadow mode. Nothing needs to enforce production until your evidence path is proven.

View sample passportOpen quick start