Deployment Modes
KnoxCall runs the same binary in our cloud and on your infrastructure. You choose where the data plane lives and how your app reaches it — two independent decisions, each with a sensible default.
The 2×2 Matrix
| | Direct URL / DNS (code or DNS change) | Via Go Client Agent (no code change) |
|---|---|---|
| KnoxCall Cloud proxy (managed, default) | Combo 1 — easiest | Combo 2 — no code change |
| Self-hosted knoxcall/proxy container | Combo 3 — data-residency | Combo 4 — both |
Decision Tree
- Does regulation require API payloads to never leave your network? → Yes: Self-hosted proxy
- Can your app change its base URL or DNS records? → Yes: direct routing (see Getting Started)
- Otherwise → Install the Go Agent
Where Secrets Decrypt
This is the key differentiator between cloud and self-hosted:
- KnoxCall Cloud mode: your secrets are decrypted on our servers at request time. This is fine for 99% of customers — we never log plaintext and each secret is envelope-encrypted with a per-row key under our MASTER_KEY_B64.
- Self-hosted mode: your secrets decrypt on your infrastructure. The cloud control plane only holds them in their re-encrypted form (wrapped with a session key rotated hourly). No plaintext secret ever leaves your VPC in this mode.
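To make "envelope-encrypted with a per-row key" concrete, here is an added sketch that is not KnoxCall's code: each secret gets its own random key, and only that key is wrapped under the master key. The cipher (AES-256-GCM), the blob layout, all function and field names and the demo keys are assumptions for illustration; `rewrapRow` goes one step past the text to show generically how a wrapped key can be moved under a different wrapping key without touching the ciphertext.

```javascript
const crypto = require("node:crypto");

// Assumption: AES-256-GCM for both layers; the page does not name a cipher.
// Blob layout used here: 12-byte nonce || 16-byte tag || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Throws if the key is wrong or any byte of the blob was modified.
function open(key, blob) {
  if (blob.length < 28) throw new Error("blob too short");
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Decode a base64 wrapping key (the MASTER_KEY_B64 style) and check its size.
function loadKey(b64) {
  const key = Buffer.from(b64, "base64");
  if (key.length !== 32) throw new Error("wrapping key must decode to 32 bytes");
  return key;
}

// Encrypt one secret: fresh per-row key, itself wrapped under the master key.
function encryptRow(masterKeyB64, secret) {
  const rowKey = crypto.randomBytes(32);
  return {
    wrappedKey: seal(loadKey(masterKeyB64), rowKey),
    ciphertext: seal(rowKey, Buffer.from(secret, "utf8")),
  };
}

// Decrypt at request time: unwrap the row key first, then open the secret.
function decryptRow(masterKeyB64, row) {
  const rowKey = open(loadKey(masterKeyB64), row.wrappedKey);
  return open(rowKey, row.ciphertext).toString("utf8");
}

// Re-wrap the row key under another wrapping key; the ciphertext is untouched.
function rewrapRow(oldKeyB64, newKeyB64, row) {
  const rowKey = open(loadKey(oldKeyB64), row.wrappedKey);
  return { wrappedKey: seal(loadKey(newKeyB64), rowKey), ciphertext: row.ciphertext };
}

// Constructed demo keys, not real values.
const DEMO_MASTER_KEY_B64 = Buffer.alloc(32, 1).toString("base64");
const DEMO_OTHER_KEY_B64 = Buffer.alloc(32, 2).toString("base64");
```

Whoever holds the wrapping key at decrypt time can read the plaintext, which is why the location of that key is what separates the two modes above.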
Control Plane vs Data Plane
Regardless of mode, the control plane — the admin UI, route definitions, secret storage, billing, analytics — always lives at knoxcall.com. What varies is the data plane: the service that handles your live API traffic. {tenant}.knoxcall.com. In self-hosted mode, you run the same knoxcall/proxy Docker image on your infrastructure — the control plane still holds config and pushes it down via short-lived session bundles every hour.
Pricing
| Plan | Cloud (default) | Self-hosted option | Go Agent option |
|---|---|---|---|
| Free | ✅ | — | — |
| Starter | ✅ | — | — |
| Pro | ✅ | ✅ | ✅ |
| Enterprise | ✅ | ✅ | ✅ |
byoAgentEnabled feature flag available on Pro and above.
Next Steps
- Install the Go Client Agent for zero-code-change onboarding
- Run the Self-hosted proxy on your own Docker infrastructure
- Plan a Cloud → Self-hosted migration with shadow-mode testing