Self-Hosting AI Agent Wallets: Production Docker Setup with Secrets and Auto-Updates
Self-hosting AI agent wallets gives you complete control over your private keys and transaction policies without relying on third-party custody services. With production-grade Docker deployment, you can run a Wallet-as-a-Service infrastructure that handles secrets management, automatic updates, and secure multi-agent authentication — all from your own server.
Why Self-Hosting Matters for AI Agent Wallets
When AI agents control real money, the stakes couldn't be higher. Hosted wallet services mean trusting a third party with your private keys, dealing with API rate limits, and accepting their terms of service. Self-hosting puts you back in control: your keys stay on your hardware, your policies run on your infrastructure, and your agents operate without external dependencies.
WAIaaS provides production-ready Docker deployment with enterprise features like Docker Secrets integration, automatic health checks, and watchtower compatibility for seamless updates. This isn't just a development setup — it's designed for real money and real agents.
Production Docker Setup: Beyond the Basics
Quick Start with Docker Compose
The simplest way to get started is cloning and running:
# Clone and start — that's it
git clone https://github.com/minhoyoo-iotrust/WAIaaS.git
cd WAIaaS
docker compose up -d
This uses the default Docker image ghcr.io/minhoyoo-iotrust/waiaas:latest with port binding on 127.0.0.1:3100:3100. The container runs as non-root user (UID 1001) with a named volume for data persistence.
Production Secrets Management
For production deployments, you need proper secrets management. WAIaaS supports Docker Secrets through a production overlay configuration:
# Create secret files
mkdir -p secrets
echo "your-secure-password" > secrets/master_password.txt
chmod 600 secrets/master_password.txt
# Deploy with secrets overlay
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d
The secrets overlay (docker-compose.secrets.yml) mounts secret files from your host system, keeping sensitive data out of environment variables and image layers. This follows security best practices for containerized applications handling financial data.
Auto-Provisioning for Headless Deployment
When deploying to headless servers, manual password setup isn't practical. WAIaaS includes auto-provisioning that generates a secure master password automatically:
docker run -d \
--name waiaas \
-p 127.0.0.1:3100:3100 \
-v waiaas-data:/data \
-e WAIAAS_AUTO_PROVISION=true \
ghcr.io/minhoyoo-iotrust/waiaas:latest
# Retrieve auto-generated master password
docker exec waiaas cat /data/recovery.key
The auto-generated password is cryptographically secure and stored in /data/recovery.key. After initial setup, you can change to a known password and delete the recovery key file.
Health Checks and Monitoring
Production deployments need proper health monitoring. The Docker configuration includes comprehensive health checks:
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3100/health"]
interval: 30s
timeout: 5s
start_period: 10s
retries: 3
This monitors the HTTP API endpoint every 30 seconds. Failed health checks trigger container restart through the restart: unless-stopped policy. The health endpoint validates that the daemon is running and the 39 REST API route modules are responsive.
Automatic Updates with Watchtower
For production systems managing real funds, staying updated is critical for security patches. WAIaaS containers are compatible with watchtower for automatic updates:
# Add to your docker-compose.yml
services:
watchtower:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
command: --interval 3600 --cleanup
Watchtower checks for new images hourly and performs rolling updates. Since WAIaaS uses named volumes for data persistence, updates preserve all wallet data, policies, and session tokens.
Multi-Service Architecture
Production deployments often need additional services. WAIaaS supports 2 Docker images: the main daemon plus an optional push-relay service for mobile notifications:
services:
daemon:
image: ghcr.io/minhoyoo-iotrust/waiaas:latest
# ... configuration
push-relay:
image: ghcr.io/minhoyoo-iotrust/waiaas-push-relay:latest
environment:
- WAIAAS_DAEMON_URL=http://daemon:3100
depends_on:
- daemon
The push-relay service handles 3 signing channels: push notifications, Telegram integration, and WalletConnect for owner approval of high-value transactions. This separation keeps the core daemon lightweight while supporting advanced notification workflows.
Environment Configuration for Production
Production deployments need proper RPC endpoints and logging configuration:
# Core settings
WAIAAS_AUTO_PROVISION=true # Auto-generate master password on first start
WAIAAS_DAEMON_PORT=3100 # Listening port
WAIAAS_DAEMON_HOSTNAME=0.0.0.0 # Bind address
WAIAAS_DAEMON_LOG_LEVEL=info # Log level (trace/debug/info/warn/error)
WAIAAS_DATA_DIR=/data # Data directory
# RPC endpoints for mainnet operations
WAIAAS_RPC_SOLANA_MAINNET=<url> # Solana mainnet RPC endpoint
WAIAAS_RPC_EVM_ETHEREUM_MAINNET=<url> # Ethereum mainnet RPC endpoint
Using dedicated RPC endpoints (Alchemy, QuickNode, or self-hosted) is essential for production reliability. Free public endpoints have rate limits that will cause transaction failures under load.
Security Hardening
Self-hosted deployments should implement additional security layers:
Network Security: Bind to localhost (127.0.0.1:3100:3100) and use a reverse proxy (nginx/Caddy) with TLS termination for external access. This keeps the raw HTTP daemon isolated from the internet.
File Permissions: WAIaaS runs as UID 1001 (non-root) inside the container. Ensure your data volume has appropriate ownership:
# Set proper ownership for data volume
sudo chown -R 1001:1001 /path/to/waiaas-data
Firewall Configuration: Limit access to essential ports only. The daemon only needs port 3100 for API access. Block all other ports unless specifically required for your setup.
Backup Strategy: The data directory contains private keys and transaction history. Implement automated backups with encryption:
# Backup script example
docker exec waiaas tar czf - /data | gpg --encrypt -r your-key@example.com > waiaas-backup-$(date +%Y%m%d).tar.gz.gpg
Quick Production Setup
Here's a minimal 5-step production deployment:
Clone and configure secrets:
git clone https://github.com/minhoyoo-iotrust/WAIaaS.git cd WAIaaS mkdir secrets openssl rand -base64 32 > secrets/master_password.txt chmod 600 secrets/master_password.txtSet production environment variables:
cp .env.example .env # Edit .env with your RPC endpoints and log levelDeploy with secrets overlay:
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -dVerify health and create first wallet:
curl http://127.0.0.1:3100/health # Should return {"status": "ok"}Set up reverse proxy and TLS (nginx example):
server { listen 443 ssl; server_name wallet-api.yourdomain.com; location / { proxy_pass http://127.0.0.1:3100; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } }
The self-hosted approach gives you complete sovereignty over your AI agents' financial infrastructure. With proper secrets management, automatic updates, and security hardening, you can run a production-grade wallet service that scales from single agents to entire agent fleets.
What's Next
Ready to deploy your own AI agent wallet infrastructure? Check out the complete documentation on GitHub for advanced configuration options, or visit waiaas.ai to explore the full platform capabilities. Your keys, your server, your rules.