Quick Start
This guide walks you through self-hosting Kagi and making your first API call.
Prerequisites
- Docker + Docker Compose
1. Choose an auth method
Kagi supports two login methods — pick one or both.
Option A — Email / password
The simplest option, no external dependencies required. An admin account is created automatically on first startup.

```bash
ENABLE_EMAIL_PASSWORD=true
ADMIN_EMAIL=you@example.com
ADMIN_PASSWORD=your-password
```

Option B — Keycloak (SSO)
For teams or when you already run Keycloak. See Keycloak Setup for a full Docker Compose walkthrough.

```bash
KEYCLOAK_URL=https://sso.example.com
KEYCLOAK_REALM=kagi
KEYCLOAK_CLIENT_ID=kagi
KEYCLOAK_CLIENT_SECRET=<client-secret>
```

Set the Keycloak client’s redirect URI to https://your-kagi-url/api/auth/callback/keycloak.
2. Configure environment variables
Create an .env file in the same directory as docker-compose.yml:

```bash
# Database — auto-managed by Docker Compose
POSTGRES_PASSWORD=secret

# Encryption — generate with: openssl rand -hex 32
KAGI_ENCRYPTION_KEY=<64-hex-chars>

# better-auth
BETTER_AUTH_SECRET=<random-string>
BETTER_AUTH_URL=http://localhost:3000
NEXT_PUBLIC_APP_URL=http://localhost:3000

# Auth — pick one or both from step 1
ENABLE_EMAIL_PASSWORD=true
ADMIN_EMAIL=you@example.com
ADMIN_PASSWORD=<your-password>

# Keycloak (optional — see step 1)
# KEYCLOAK_URL=https://sso.example.com
# KEYCLOAK_REALM=kagi
# KEYCLOAK_CLIENT_ID=kagi
# KEYCLOAK_CLIENT_SECRET=<client-secret>

# OpenAI (optional — for AI extraction feature)
# OPENAI_API_KEY=sk-...
```

3. Start with Docker Compose
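Before starting the stack, the .env file from step 2 can be checked for values left at this guide's samples. The script below is an added example, not part of the Kagi project: the function names and the rules it applies (64 hex characters for the encryption key, no sample or empty secrets, no group/other read permission on the file) are assumptions built from the variables shown above.

```shell
#!/usr/bin/env bash
# Added example: lint a Kagi .env before `docker compose up -d`.
# Variable names come from the guide; the rules are assumptions.

# Print the value assigned to KEY ($2) in FILE ($1); commented lines never match.
env_value() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print one line per finding and return the number of findings.
check_kagi_env() {
  local file="$1" n=0 key val keys
  val=$(env_value "$file" KAGI_ENCRYPTION_KEY)
  if ! printf '%s' "$val" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo "KAGI_ENCRYPTION_KEY: expected 64 hex chars (openssl rand -hex 32)"; n=$((n+1))
  fi
  # Secrets that must not be empty or left at the guide's sample values.
  keys="POSTGRES_PASSWORD BETTER_AUTH_SECRET"
  [ "$(env_value "$file" ENABLE_EMAIL_PASSWORD)" = true ] && keys="$keys ADMIN_PASSWORD"
  [ -n "$(env_value "$file" KEYCLOAK_URL)" ] && keys="$keys KEYCLOAK_CLIENT_SECRET"
  for key in $keys; do
    val=$(env_value "$file" "$key")
    case $val in
      ''|secret|your-password|'<'*'>')
        echo "$key: empty or still a sample value"; n=$((n+1)) ;;
    esac
  done
  # The file holds every secret in plaintext: no group/other read bits.
  if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \))" ]; then
    echo "$file: readable by group or others (chmod 600)"; n=$((n+1))
  fi
  return "$n"
}

# Constructed sample: the guide's template with only the encryption key filled in.
write_sample_env() {
  cat > "$1" <<'EOF'
POSTGRES_PASSWORD=secret
KAGI_ENCRYPTION_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
BETTER_AUTH_SECRET=<random-string>
ENABLE_EMAIL_PASSWORD=true
ADMIN_PASSWORD=<your-password>
# KEYCLOAK_URL=https://sso.example.com
EOF
  chmod 644 "$1"
}

# With a path argument, lint that file; with none, lint the constructed sample.
if [ -n "${1:-}" ]; then check_kagi_env "$1"; else
  tmp=$(mktemp); write_sample_env "$tmp"; check_kagi_env "$tmp" || echo "findings: $?"; rm -f "$tmp"
fi
```

Given the path to a real .env file as its only argument, the script exits with the number of findings, so it can gate the `docker compose up -d` step.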
```bash
docker compose pull
docker compose up -d
```

The prebuilt image yanceyofficial/kagi:latest is pulled from Docker Hub — no build step needed. Database migrations run automatically on startup before the app begins serving requests.
The app is now running at http://localhost:3000.
4. Upgrading
```bash
docker compose pull
docker compose up -d
```

New migrations are applied automatically on every startup.
5. Log in and create an access key
- Open http://localhost:3000 and sign in.
- Go to Settings → API Keys.
- Click New API Key, give it a name, select scopes, and click Create.
- Copy the key — it is shown only once.
6. Make your first API call
```bash
# List your categories
curl -H "Authorization: Bearer kagi_<your-key>" \
  http://localhost:3000/api/categories

# Reveal an entry value
curl -X POST \
  -H "Authorization: Bearer kagi_<your-key>" \
  http://localhost:3000/api/entries/<entry-id>/reveal
```

7. Explore the OpenAPI spec
The full OpenAPI 3.1.0 spec is served at:

```
GET /api/openapi
```

Import this URL directly into Postman, Insomnia, or any OpenAPI-compatible client.
Next steps
- Keycloak Setup — self-host Keycloak with Docker Compose
- Authentication: Access Keys — key format, scopes, expiry
- API Reference — complete endpoint documentation
- AI Extraction — generate .env files with AI