Dokploy Enterprise extends the open source platform with features built for security-conscious teams and organizations. On top of everything available in the free, self-hostable version, Enterprise unlocks centralized identity management through SAML and OIDC single sign-on, immutable audit trails for compliance, fine-grained role-based access control, white-label branding for internal or customer-facing deployments, and Traefik forward authentication integration — all managed from the same familiar Dokploy dashboard.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Nettalco/dokploy/llms.txt
Use this file to discover all available pages before exploring further.
Enterprise Features
Single Sign-On (SSO)
Authenticate your team with SAML 2.0 or OIDC through any compatible identity provider — Okta, Azure AD, Google Workspace, and more.
Audit Logs
Record every create, update, delete, deploy, and login event across your entire Dokploy instance for compliance and security investigations.
Custom Roles
Define roles beyond the built-in
owner, admin, and member tiers with granular per-resource permission sets and assign them to organization members.Whitelabeling
Replace the Dokploy name, logo, and colors with your own brand identity. Configure app name, login logo, favicon, custom CSS, footer text, and support links.
Forward Authentication
Protect any application domain behind your SSO provider using Traefik’s forward auth middleware — no changes to the underlying application required.
Enterprise Settings
Toggle enterprise features on or off and inspect license validity directly from the Settings panel.
License Key Activation
Enterprise features are gated behind a valid license key. ThelicenseKey router exposes all activation, validation, and deactivation operations. All endpoints require the owner role.
Obtain a license key
Purchase or request an Enterprise license at dokploy.com. You will receive a license key string (e.g.
DPLY-XXXX-XXXX-XXXX).Enable enterprise features
In the Dokploy dashboard go to Settings → Enterprise. Toggle Enable Enterprise Features on. This sets
enableEnterpriseFeatures: true on the owner user record, which is required before a key can be activated.Internally this calls licenseKey.updateEnterpriseSettings:Enter your license key
Paste your key into the License Key field and click Activate. Dokploy calls The key is stored on the owner user row and
licenseKey.activate:isValidEnterpriseLicense is set to true.Other License Key Operations
| Procedure | Type | Description |
|---|---|---|
licenseKey.validate | mutation | Re-validates the stored key against the licensing server and updates isValidEnterpriseLicense accordingly. |
licenseKey.deactivate | mutation | Revokes the key remotely and clears licenseKey and isValidEnterpriseLicense from the owner record. |
Checking License Status
Two procedures let you inspect the current license state programmatically:licenseKey.haveValidLicenseKey — available to all authenticated users, returns true when the active organization has a valid Enterprise license.
licenseKey.getEnterpriseSettings — owner-only query that returns both the raw key and the enableEnterpriseFeatures flag, useful for pre-filling the Settings form:
Enterprise Settings
licenseKey.updateEnterpriseSettings is the mutation that drives the Enable Enterprise Features toggle in Settings. It accepts a single boolean and must be called before activating a license key for the first time:
Disabling enterprise features while a valid license key is present does not deactivate the license remotely. Use
licenseKey.deactivate to fully revoke the key.Custom Roles
ThecustomRole router lets organizations define roles beyond the three built-in tiers (owner, admin, member). Each custom role has a name and a permissions map — a record of resource names to the array of allowed actions.
- Role names cannot conflict with
owner,admin, ormember. - A maximum of 10 custom roles per organization is enforced.
- Roles that still have assigned members cannot be deleted — reassign or remove members first.
- Actions are validated against the allowed statements for each resource; invalid combinations are rejected.
- Internal resources (
organization,invitation,team,ac) cannot be assigned to custom roles.
customRole.all (available to all authenticated users) to list roles with member counts, customRole.update to rename or change permissions, customRole.remove to delete, and customRole.membersByRole to inspect which users hold a given role.
Whitelabeling
whitelabeling.update (Enterprise, owner only) writes a whitelabelingConfig object to the web server settings file. The following branding fields are supported:
| Field | Description |
|---|---|
appName | Replaces “Dokploy” throughout the UI |
appDescription | Subtitle shown on the login page |
logoUrl | Main navigation logo URL |
loginLogoUrl | Logo shown on the login / register pages |
faviconUrl | Browser tab icon URL |
customCss | Injected into every page for advanced theme overrides |
metaTitle | HTML <title> tag content |
footerText | Footer label |
supportUrl | Link shown in support prompts |
docsUrl | Link shown in documentation prompts |
errorPageTitle | Title on the error page |
errorPageDescription | Description on the error page |
whitelabeling.reset to restore all fields to null (the Dokploy defaults). The whitelabeling.getPublic endpoint is unauthenticated and returns only the fields needed by the login, register, and error pages.
Whitelabeling is not available on Dokploy Cloud — it applies only to self-hosted installations.
Forward Authentication
TheforwardAuth router lets you place any application domain behind your SSO provider using Traefik’s forwardAuth middleware. Once enabled, unauthenticated visitors to a protected domain are redirected to your identity provider before reaching the upstream service.
Typical workflow:
- Configure an SSO provider (see SSO).
- Call
forwardAuth.setAuthDomainto register a dedicated authentication domain and optional HTTPS settings. - Call
forwardAuth.deployOnServerto deploy the forward auth proxy container. - Call
forwardAuth.enableon any application domain to activate protection. - Use
forwardAuth.statusto verify per-domain SSO status andforwardAuth.disableto remove protection.
All Enterprise features — SSO, Audit Logs, Custom Roles, Whitelabeling, and Forward Authentication — require a valid Enterprise license key activated on the owner account. The open source version of Dokploy includes the built-in
owner, admin, and member roles, project/service management, multi-server support, and all core deployment features at no cost. Contact sales@dokploy.com or visit dokploy.com to get a license or learn more about Enterprise pricing.