Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Nettalco/dokploy/llms.txt

Use this file to discover all available pages before exploring further.

Dokploy Enterprise extends the open source platform with features built for security-conscious teams and organizations. On top of everything available in the free, self-hostable version, Enterprise unlocks centralized identity management through SAML and OIDC single sign-on, immutable audit trails for compliance, fine-grained role-based access control, white-label branding for internal or customer-facing deployments, and Traefik forward authentication integration — all managed from the same familiar Dokploy dashboard.

Enterprise Features

Single Sign-On (SSO)

Authenticate your team with SAML 2.0 or OIDC through any compatible identity provider — Okta, Azure AD, Google Workspace, and more.

Audit Logs

Record every create, update, delete, deploy, and login event across your entire Dokploy instance for compliance and security investigations.

Custom Roles

Define roles beyond the built-in owner, admin, and member tiers with granular per-resource permission sets and assign them to organization members.

Whitelabeling

Replace the Dokploy name, logo, and colors with your own brand identity. Configure app name, login logo, favicon, custom CSS, footer text, and support links.

Forward Authentication

Protect any application domain behind your SSO provider using Traefik’s forward auth middleware — no changes to the underlying application required.

Enterprise Settings

Toggle enterprise features on or off and inspect license validity directly from the Settings panel.

License Key Activation

Enterprise features are gated behind a valid license key. The licenseKey router exposes all activation, validation, and deactivation operations. All endpoints require the owner role.
1

Obtain a license key

Purchase or request an Enterprise license at dokploy.com. You will receive a license key string (e.g. DPLY-XXXX-XXXX-XXXX).
2

Enable enterprise features

In the Dokploy dashboard go to Settings → Enterprise. Toggle Enable Enterprise Features on. This sets enableEnterpriseFeatures: true on the owner user record, which is required before a key can be activated.Internally this calls licenseKey.updateEnterpriseSettings:
// Input
{ enableEnterpriseFeatures: true }
3

Enter your license key

Paste your key into the License Key field and click Activate. Dokploy calls licenseKey.activate:
// Input
{ licenseKey: "DPLY-XXXX-XXXX-XXXX" }

// On success
{ success: true }
The key is stored on the owner user row and isValidEnterpriseLicense is set to true.
4

Confirm activation

Use licenseKey.haveValidLicenseKey to verify the license is active for the current organization:
// Returns boolean
true

Other License Key Operations

ProcedureTypeDescription
licenseKey.validatemutationRe-validates the stored key against the licensing server and updates isValidEnterpriseLicense accordingly.
licenseKey.deactivatemutationRevokes the key remotely and clears licenseKey and isValidEnterpriseLicense from the owner record.

Checking License Status

Two procedures let you inspect the current license state programmatically: licenseKey.haveValidLicenseKey — available to all authenticated users, returns true when the active organization has a valid Enterprise license.
// Returns: boolean
const isLicensed = await trpc.licenseKey.haveValidLicenseKey.query();
licenseKey.getEnterpriseSettings — owner-only query that returns both the raw key and the enableEnterpriseFeatures flag, useful for pre-filling the Settings form:
// Returns:
{
  enableEnterpriseFeatures: boolean;
  licenseKey: string; // empty string when not set
}

Enterprise Settings

licenseKey.updateEnterpriseSettings is the mutation that drives the Enable Enterprise Features toggle in Settings. It accepts a single boolean and must be called before activating a license key for the first time:
// Input
{
  enableEnterpriseFeatures: boolean;
}

// Returns: true on success
Disabling enterprise features while a valid license key is present does not deactivate the license remotely. Use licenseKey.deactivate to fully revoke the key.

Custom Roles

The customRole router lets organizations define roles beyond the three built-in tiers (owner, admin, member). Each custom role has a name and a permissions map — a record of resource names to the array of allowed actions.
// Create a custom role (Enterprise only)
await trpc.customRole.create.mutate({
  roleName: "deployer",
  permissions: {
    service: ["read", "create", "update"],
    deployment: ["read", "create"],
  },
});
Key constraints enforced by the API:
  • Role names cannot conflict with owner, admin, or member.
  • A maximum of 10 custom roles per organization is enforced.
  • Roles that still have assigned members cannot be deleted — reassign or remove members first.
  • Actions are validated against the allowed statements for each resource; invalid combinations are rejected.
  • Internal resources (organization, invitation, team, ac) cannot be assigned to custom roles.
Use customRole.all (available to all authenticated users) to list roles with member counts, customRole.update to rename or change permissions, customRole.remove to delete, and customRole.membersByRole to inspect which users hold a given role.

Whitelabeling

whitelabeling.update (Enterprise, owner only) writes a whitelabelingConfig object to the web server settings file. The following branding fields are supported:
FieldDescription
appNameReplaces “Dokploy” throughout the UI
appDescriptionSubtitle shown on the login page
logoUrlMain navigation logo URL
loginLogoUrlLogo shown on the login / register pages
faviconUrlBrowser tab icon URL
customCssInjected into every page for advanced theme overrides
metaTitleHTML <title> tag content
footerTextFooter label
supportUrlLink shown in support prompts
docsUrlLink shown in documentation prompts
errorPageTitleTitle on the error page
errorPageDescriptionDescription on the error page
Use whitelabeling.reset to restore all fields to null (the Dokploy defaults). The whitelabeling.getPublic endpoint is unauthenticated and returns only the fields needed by the login, register, and error pages.
Whitelabeling is not available on Dokploy Cloud — it applies only to self-hosted installations.

Forward Authentication

The forwardAuth router lets you place any application domain behind your SSO provider using Traefik’s forwardAuth middleware. Once enabled, unauthenticated visitors to a protected domain are redirected to your identity provider before reaching the upstream service. Typical workflow:
  1. Configure an SSO provider (see SSO).
  2. Call forwardAuth.setAuthDomain to register a dedicated authentication domain and optional HTTPS settings.
  3. Call forwardAuth.deployOnServer to deploy the forward auth proxy container.
  4. Call forwardAuth.enable on any application domain to activate protection.
  5. Use forwardAuth.status to verify per-domain SSO status and forwardAuth.disable to remove protection.
All Enterprise features — SSO, Audit Logs, Custom Roles, Whitelabeling, and Forward Authentication — require a valid Enterprise license key activated on the owner account. The open source version of Dokploy includes the built-in owner, admin, and member roles, project/service management, multi-server support, and all core deployment features at no cost. Contact sales@dokploy.com or visit dokploy.com to get a license or learn more about Enterprise pricing.

Build docs developers (and LLMs) love