Deployment Modes

KnoxCall runs the same binary in our cloud and on your infrastructure. You choose where the data plane lives and how your app reaches it — two independent decisions, each with a sensible default.

The 2×2 Matrix

	Direct URL / DNS (code or DNS change)	Via Go Client Agent (no code change)
KnoxCall Cloud proxy (managed, default)	Combo 1 — easiest	Combo 2 — no code change
Self-hosted `knoxcall/proxy` container	Combo 3 — data-residency	Combo 4 — both

Most customers start on Combo 1 (KnoxCall Cloud + Direct). Upgrade to the Go Agent when changing base URLs is impractical. Move to self-hosted when regulation requires API payloads to stay on your infrastructure.

Decision Tree

Does regulation require API payloads to never leave your network? → Yes: Self-hosted proxy
Can your app change its base URL or DNS records? → Yes: direct routing (see Getting Started)
Otherwise → Install the Go Agent

Where Secrets Decrypt

This is the key differentiator between cloud and self-hosted:

KnoxCall Cloud mode: your secrets are decrypted on our servers at request time. This is fine for 99% of customers — we never log plaintext and each secret is envelope-encrypted with a per-row key under our MASTER_KEY_B64.
Self-hosted mode: your secrets decrypt on your infrastructure. The cloud control plane only holds them in their re-encrypted form (wrapped with a session key rotated hourly). No plaintext secret ever leaves your VPC in this mode.

Control Plane vs Data Plane

Regardless of mode, the control plane — the admin UI, route definitions, secret storage, billing, analytics — always lives at knoxcall.com. What varies is the data plane: the service that handles your live API traffic.

┌────────────────────────┐      ┌───────────────────────────┐
│  Control plane         │      │  Data plane               │
│  (always knoxcall.com) │ <──→ │  (cloud OR customer-run)  │
│  Admin UI, routes,     │      │  Handles live API traffic │
│  secrets (encrypted)   │      │                            │
└────────────────────────┘      └───────────────────────────┘

In cloud mode, the data plane runs on our infrastructure at {tenant}.knoxcall.com. In self-hosted mode, you run the same knoxcall/proxy Docker image on your infrastructure — the control plane still holds config and pushes it down via short-lived session bundles every hour.

Pricing

Plan	Cloud (default)	Self-hosted option	Go Agent option
Free	✅	—	—
Starter	✅	—	—
Pro	✅	✅	✅
Enterprise	✅	✅	✅

Self-hosted and the Go Agent are gated by the existing byoAgentEnabled feature flag available on Pro and above.

Next Steps

Install the Go Client Agent for zero-code-change onboarding
Run the Self-hosted proxy on your own Docker infrastructure
Plan a Cloud → Self-hosted migration with shadow-mode testing

AI-Powered Route Setup

Go Client Agent

Deployment Modes
The 2×2 Matrix
Decision Tree
Where Secrets Decrypt
Control Plane vs Data Plane
Pricing
Next Steps

Getting Started

Essentials: Routes

Essentials: Clients

Essentials: Secrets

Essentials: Environments

Essentials: Collections

Webhooks

Workflows

Security

Monitoring

Advanced Features

Infrastructure

Account

Troubleshooting

Support

About

Deployment Modes

Deployment Modes

The 2×2 Matrix

Decision Tree

Where Secrets Decrypt

Control Plane vs Data Plane

Pricing

Next Steps

Getting Started

Essentials: Routes

Essentials: Clients

Essentials: Secrets

Essentials: Environments

Essentials: Collections

Webhooks

Workflows

Security

Monitoring

Advanced Features

Infrastructure

Account

Troubleshooting

Support

About

​Deployment Modes

​The 2×2 Matrix

​Decision Tree

​Where Secrets Decrypt

​Control Plane vs Data Plane

​Pricing

​Next Steps

Deployment Modes

The 2×2 Matrix

Decision Tree

Where Secrets Decrypt

Control Plane vs Data Plane

Pricing

Next Steps