Skip to content

Frequently Asked Questions

Common questions about what SecondStack is, how it deploys, and how it handles models, security, and cost. For a deeper look, start with What is SecondStack and Self-Hosting.

SecondStack is a self-hosted, multi-model LLM platform for deploying, managing, and scaling conversational AI across an organization. It bundles a chat app, an LLM API gateway, guardrails, cost controls, retrieval (RAG), and an agent runtime, all running on infrastructure you control.

Why self-host AI instead of using a hosted SaaS?

Section titled “Why self-host AI instead of using a hosted SaaS?”

Self-hosting keeps data sovereignty: conversations, documents, and usage data stay in your own infrastructure, and you control retention, backups, and access. You also get multi-model flexibility instead of a single vendor, granular per-team cost controls, and the ability to customize behavior through system prompts, guardrails, and agent Skills. Because pricing is consumption-based rather than per-seat, you can deploy for an entire organization at infrastructure cost.

The simplest deployment is a single Linux virtual machine using Docker Compose. You unpack the release, set a few environment variables, and run the initialization script. For production, you expose the VM over HTTPS on port 443, assign a DNS domain, and connect enterprise single sign-on through an OAuth client in your identity provider. See Self-Hosting for details.

Yes. SecondStack is not a SaaS product, and the primary focus is self-serve deployment on your own infrastructure. If you would prefer not to operate it yourself, SecondStack can host and manage a single-tenant, dedicated deployment for you, isolated to your organization.

All major providers are available through the LiteLLM gateway: Anthropic Claude, OpenAI, Azure, Google (AI Studio and Vertex), Amazon Bedrock, Databricks, xAI, and thousands of models via OpenRouter. You can also connect self-hosted open-weight models through vLLM if you run your own GPU infrastructure. Models are grouped by capability — chat, agentic, and image generation — and can be enabled or restricted per team.

The Cowork Agent is an agentic mode in the Chat App. It runs the Claude Code CLI inside per-thread Docker sandboxes with built-in Skills — file operations, browser automation, image generation, diagram authoring, office documents, and persistent memory. Each session gets an isolated workspace. See the Cowork Agent page.

SecondStack authenticates over OAuth. It includes a built-in Authentik identity core so it can run standalone, but enterprise deployments normally federate to an upstream identity provider such as Entra ID (Azure AD), Okta, or Keycloak. Group membership synced from your provider drives team assignment and model access.

Who supports the bundled open-source components?

Section titled “Who supports the bundled open-source components?”

SecondStack takes responsibility for the entire stack it ships — both its own proprietary services and the open-source components it packages, including LiteLLM, Authentik, PostgreSQL, Meilisearch, Qdrant, Kreuzberg, and OpenResty. You get a single point of contact for support across the whole platform, without separate vendor relationships for each component.

What are the minimum infrastructure requirements?

Section titled “What are the minimum infrastructure requirements?”

A Linux VM with roughly 4 vCPU, 16 GB of RAM, and 200 GB of SSD storage; a DNS name with subdomains pointing to the VM; an OAuth client in your identity provider for single sign-on; an S3-compatible bucket for file transfer; and at least one upstream LLM provider API key or endpoint. See Self-Hosting.

Everything runs on your infrastructure — chat history, documents, user data, and usage logs stay in your own PostgreSQL database, and you control retention, backups, and access. The platform also includes a guardrails service that can detect and block PII and secrets before they reach an LLM provider. When you use external providers, many offer short or zero data-retention terms for API traffic.