Recommended host profiles
The runtime is latency-sensitive. Prefer predictable CPU, NVMe storage, and a nearby region for telephony and provider egress.
Trial
2 vCPU, 8 GB RAM, 100 GB NVMe, Docker Compose, one runtime deployment.
Production start
4 vCPU, 16 GB RAM, 200 GB NVMe, external Postgres/S3 preferred, Redis local or managed.
High volume
Enterprise custom: multiple nodes, managed Postgres, managed Redis, S3/R2/MinIO, ClickHouse, and explicit routing/load-balancing design.
Production readiness gates
In production mode the runtime fails closed when critical storage, auth, or signing settings are missing. That prevents a customer from accidentally running a memory-only lab setup in production.
API authProtected routes require bearer or API key authentication.RUNTIME_PUBLIC_URLPublic HTTPS origin used for callbacks, artifacts, monitor URLs, and web transports.PostgresSource of truth for assistants, credentials, calls, tools, logs, and webhook jobs.Redis / ValkeyLive call leases and background job coordination across nodes.S3 artifactsShared recordings, PCAP, and artifact access across runtime deployments.Webhook signingNon-default signing secret for outbound webhook trust.Environment skeleton
The installer writes these values into the runtime environment. Secrets belong on the host or in the customer's secret manager, not in Aywa's control plane.
AYWA_INSTALL_TOKENShort-lived activation credential generated in app.aywaruntime.com.AYWA_RUNTIME_IMAGEDigest-pinned official runtime image pulled from Aywa's private registry.AYWA_LICENSE_PUBLIC_KEY_PEMVerification material used by the runtime to validate signed license leases locally.RUNTIME_PUBLIC_URLPublic HTTPS URL that the runtime reports back during heartbeat.NODE_ENV=production
RUNTIME_PUBLIC_URL=https://voice.example.com
RUNTIME_STORE_POSTGRES_URL=postgres://runtime:secret@postgres:5432/aywa_voice_runtime
RUNTIME_STORE_ENCRYPTION_KEY=base64-or-long-random-secret
REDIS_URL=redis://redis:6379
RUNTIME_ARTIFACT_S3_BUCKET=voice-artifacts
WEBHOOK_SIGNING_SECRET=long-random-webhook-secret
CORS_ORIGINS=https://app.customer.example
Compose topology
Runtime service
Stateless application container. It owns sessions, API resources, voice orchestration, and provider routing.
Postgres
Durable documents, webhook outbox, logs, credentials, calls, and backup/export metadata.
Redis or Valkey
Active-call leases, replay leases, and coordination for webhook delivery workers.
Object storage
S3-compatible artifacts for recordings, stereo recordings, PCAP, and exported support data.
Kubernetes path
Kubernetes is a deployment target, not the default onboarding path. When used, the runtime uses separate secrets, a deployment with readiness probes, a service, ingress, and external stateful services.
livenessProbe: GET /health
readinessProbe: GET /readyz
metrics: GET /metrics
Backups and rollback
Back up Postgres and artifacts together. Redis can be treated as coordination state, but active calls are drained before planned maintenance. Runtime updates support rollback to the previous signed image.
RUNTIME_STORE_BACKUP_FILE=/secure/backups/aywa-runtime-store.json \
npm run audit:persistence
RUNTIME_STORE_DRILL_MODE=restore \
RUNTIME_STORE_BACKUP_FILE=/secure/backups/aywa-runtime-store.json \
npm run audit:persistence