Allotment AI gives every team and person an enforced AI budget — self-hosted, so nothing goes outbound except the AI providers you enable and a monthly license check (never employee data).
localhost| console | the app — budgets, pools, dashboards |
| postgres | the ledger (all your data, in a Docker volume) |
| gateway | the AI gateway — starts in safe mock mode |
| worker · redis | background jobs · cache |
| caddy | HTTPS — console on 443, gateway on 8443 |
🔐 The console requires sign-in — company SSO (Microsoft Entra / OpenID Connect) and/or a break-glass admin password. See "Who can open the console?" below.
curl -fsSLO https://allotmentai.com/downloads/tokenshare-install-v0.5.5.tar.gz curl -fsSLO https://allotmentai.com/downloads/tokenshare-install-v0.5.5.tar.gz.sha256 sha256sum -c tokenshare-install-v0.5.5.tar.gz.sha256
tar xzf tokenshare-install-v0.5.5.tar.gz cd tokenshare-install/install ./install.sh
https://YOUR-HOST/ — you're in. License & updates at /?screen=license. installed ✓
A public DNS name (resolves to this server, ports 80/443 reachable) → a real HTTPS certificate is fetched automatically.
An internal-only name (no public DNS) → edit Caddyfile, un-comment tls internal in both blocks, then docker compose up -d.
localhost → works immediately; your browser shows a one-time certificate warning — expected.
Copy this prompt into your AI assistant. If it can run commands on your server (Claude Code, Cursor, an agent) it does the whole install; in a chat (Claude, ChatGPT) it walks you through every step.
Help me install Allotment AI — a self-hosted AI-credit management app that runs entirely on my own server with Docker. Nothing goes outbound except the AI providers I enable and a monthly license check (no employee data). Ask me before anything destructive. If you can run shell commands on my Linux server, do the install and explain each step, pausing for anything you need from me. If you can't run commands, give me exact copy-paste commands and walk me through them. 1. Check prerequisites: Docker + Docker Compose v2 installed and running, and host ports 80/443/8443 free. If Docker is missing: https://docs.docker.com/get-docker/ 2. Download and verify the bundle: curl -fsSLO https://allotmentai.com/downloads/tokenshare-install-v0.5.5.tar.gz curl -fsSLO https://allotmentai.com/downloads/tokenshare-install-v0.5.5.tar.gz.sha256 sha256sum -c tokenshare-install-v0.5.5.tar.gz.sha256 3. Extract and run the installer: tar xzf tokenshare-install-v0.5.5.tar.gz cd tokenshare-install/install ./install.sh 4. The installer generates all secrets and asks me three questions: - a license key (3 months full & free at https://allotmentai.com/signup — or blank for free mode, I can add one later in the console) - the hostname for the console (or "localhost" to start; internal-only names need `tls internal` un-commented in the Caddyfile) - whether to load a sample org (yes = explore immediately) It then builds and starts six containers (Postgres, Redis, the console, a background worker, the AI gateway in mock mode, and an HTTPS proxy) and runs the database migrations. 5. When it finishes, confirm the console is up at https://MY-HOST/ and the license screen at https://MY-HOST/?screen=license Then remind me of the go-live step for later: add my OpenAI/Anthropic API keys to .env, run "docker compose exec console npm run lab:keys", set LAB_GATEWAY=litellm, and "docker compose up -d" — employee tools then use https://MY-HOST:8443 If anything fails, run "docker compose logs -f console", read the error, and help me fix it.
The gateway starts in mock mode — the console fully works, nothing real is spent. When you're ready to route your company's actual AI traffic (this is where enforcement and attribution happen), three steps from the install/ directory:
# 1 — your org's provider keys (kept on YOUR server only) nano .env # fill in: OPENAI_API_KEY=sk-… ANTHROPIC_API_KEY=sk-… docker compose up -d # 2 — mint per-user virtual keys (seat-holders only — employees never see raw provider keys) docker compose exec console npm run lab:keys # 3 — flip the gateway from mock to live nano .env # change: LAB_GATEWAY=mock → LAB_GATEWAY=litellm docker compose up -d
Employee tools (Claude Code, Codex…) then talk to https://YOUR-HOST:8443 with their own personal key — never a raw provider key. Set that URL once in Settings → Employee machine setup, and each person gets a one-click setup file from My Wallet (or push the env vars via GPO / Intune / Jamf — the exact vars are in the console).
/?screen=licenseYour org tree: explore with the sample org now; connecting your real directory (Microsoft Entra) is optional and can come later — you can also manage the tree manually.
The console tells the admin when a new version is out (License → Software updates, ordered by importance). From the install/ directory:
./update.sh # fetch the latest, verify checksum, rebuild, restart — your data survives ./update.sh --check # just show what's new — changes nothing ./update.sh v0.5.5 # offline: pre-download the bundle + .sha256 into install/ first
Your .env is never touched and the database lives in Docker volumes — an update only replaces the application.
For platform teams: ship it through your own pipeline — your registry, your cluster. The Helm chart lives in the bundle under deploy/helm; ready-to-edit CI and GitOps manifests under deploy/ci and deploy/cd. Three workloads: the console, the AI gateway (autoscaled), and the background worker.
kubectl & helm pointed at itmetrics-server (the gateway autoscaler needs it)Help me deploy Allotment AI — a self-hosted AI-credit management app — to my own Kubernetes cluster using its Helm chart. It runs entirely inside my cluster; the only outbound calls are the AI providers and a monthly license check (no employee data ever leaves). Confirm my kubectl context first, and ask me before anything destructive.
If you can run shell commands (kubectl, helm, docker), do the deploy step by step, pausing for anything you need from me. Otherwise give me exact copy-paste commands.
0. Check what I have: current kube context (kubectl config current-context), a container registry I can push to, an ingress controller + TLS, and metrics-server (needed for the gateway autoscaler). Tell me what's missing before continuing.
1. Get the bundle (it contains the Helm chart at deploy/helm/tokenshare and the image Dockerfile at install/Dockerfile.console):
curl -fsSLO https://allotmentai.com/downloads/tokenshare-install-v0.5.5.tar.gz
curl -fsSLO https://allotmentai.com/downloads/tokenshare-install-v0.5.5.tar.gz.sha256
sha256sum -c tokenshare-install-v0.5.5.tar.gz.sha256 && tar xzf tokenshare-install-v0.5.5.tar.gz && cd tokenshare-install
2. Build and push the console image to MY registry (replace MY-REGISTRY; keep the tag = the bundle version):
docker build -f install/Dockerfile.console -t MY-REGISTRY/allotment-console:0.5.5 .
docker push MY-REGISTRY/allotment-console:0.5.5
3. Create the namespace and the secret. A license is free for 3 months (full product) at https://allotmentai.com/signup (or leave TOKENSHARE_LICENSE blank for free mode). Ask me for each value:
kubectl create namespace allotment
kubectl create secret generic allotment-secrets -n allotment \
--from-literal=POSTGRES_PASSWORD=... --from-literal=REDIS_PASSWORD=... \
--from-literal=LITELLM_MASTER_KEY=sk-... --from-literal=TOKENSHARE_LICENSE=TS1.... \
--from-literal=OPENAI_API_KEY=... --from-literal=ANTHROPIC_API_KEY=...
4. Edit deploy/helm/example-values.yaml (set image.console.repository to MY-REGISTRY/allotment-console, the ingress host + TLS, gateway min/maxReplicas, worker.enabled, and postgresql.enabled), then deploy:
helm upgrade --install allotment deploy/helm/tokenshare -n allotment \
-f deploy/helm/example-values.yaml --set secrets.existingSecret=allotment-secrets --wait
5. Verify: kubectl get pods -n allotment shows console, gateway, worker, postgres and redis Ready; the ingress serves HTTPS; the console opens and /?screen=license shows my license. Prefer GitOps over step 4? use the manifests in deploy/cd (Argo CD or Flux).
If anything fails: kubectl logs / kubectl describe pod / helm status allotment -n allotment, read the error, and help me fix it.
curl -fsSLO https://allotmentai.com/downloads/tokenshare-install-v0.5.5.tar.gz curl -fsSLO https://allotmentai.com/downloads/tokenshare-install-v0.5.5.tar.gz.sha256 sha256sum -c tokenshare-install-v0.5.5.tar.gz.sha256 tar xzf tokenshare-install-v0.5.5.tar.gz && cd tokenshare-install
docker build -f install/Dockerfile.console -t MY-REGISTRY/allotment-console:0.5.5 . docker push MY-REGISTRY/allotment-console:0.5.5
kubectl create namespace allotment kubectl create secret generic allotment-secrets -n allotment \ --from-literal=POSTGRES_PASSWORD='<strong>' \ --from-literal=REDIS_PASSWORD='<strong>' \ --from-literal=LITELLM_MASTER_KEY='sk-<strong>' \ --from-literal=TOKENSHARE_LICENSE='TS1.<your-license>' \ --from-literal=OPENAI_API_KEY='' \ --from-literal=ANTHROPIC_API_KEY='' # license '' = free mode · provider keys '' = evaluate without the live gateway
deploy/helm/example-values.yaml, then deploySet four things in the file: image.console.repository = your registry image · the console ingress host + TLS · postgresql.enabled: true (or your managed DB URL) · and if employee laptops connect from outside the cluster, enable the gateway ingress with its own hostname (e.g. ai-gw.yourco.com).
helm upgrade --install allotment deploy/helm/tokenshare \ --namespace allotment -f deploy/helm/example-values.yaml \ --set secrets.existingSecret=allotment-secrets --wait
kubectl get pods -n allotment → console, gateway, worker, postgres, redis all Ready/?screen=license shows your plan (free mode is fine)Prefer GitOps for step 4? The same deploy as an Argo CD / Flux app is below — full files in deploy/cd/.
name: allotment-deploy
on: { push: { branches: [main] } }
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/build-push-action@v6
with:
context: .
file: install/Dockerfile.console
push: true
tags: ghcr.io/your-org/allotment-console:${{ github.sha }}
- run: |
helm upgrade --install allotment deploy/helm/tokenshare -n allotment \
--set image.console.repository=ghcr.io/your-org/allotment-console \
--set image.console.tag=${{ github.sha }} \
--set secrets.existingSecret=allotment-secrets --waitFull workflow + a GitLab CI variant ship in deploy/ci/.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata: { name: allotment, namespace: argocd }
spec:
source:
repoURL: https://git.your-org/allotment.git
path: deploy/helm/tokenshare
targetRevision: main
helm: { valueFiles: [../example-values.yaml] }
destination:
server: https://kubernetes.default.svc
namespace: allotment
syncPolicy: { automated: { prune: true, selfHeal: true } }A Flux HelmRelease variant ships in deploy/cd/.
The app + database run on your server. Outbound, only: the AI providers you enable (your own keys), allotmentai.com (bundle downloads + updates) and cp.allotmentai.com (monthly license check + update availability — sends your license key, an anonymous install id, a version and an aggregate user count; never names, emails or usage detail — the console shows you exactly what's sent). During the first build the server also pulls from Docker Hub, ghcr.io and registry.npmjs.org, and acme-v02.api.letsencrypt.org issues the HTTPS certificate for a public hostname. Nothing inbound is required except ports 80/443 if you want an automatic public certificate.
The console requires authentication. Recommended: company SSO — Microsoft Entra ID or any OpenID Connect provider (Okta, Auth0, Google Workspace). People sign in with their work account (authorization-code + PKCE, the ID token is verified); admins and finance are an explicit allowlist, everyone else is mapped from your directory. Set CONSOLE_OIDC_ISSUER, CONSOLE_OIDC_CLIENT_ID, CONSOLE_OIDC_CLIENT_SECRET and CONSOLE_OIDC_ADMIN_EMAILS in .env — the 5-minute Entra app-registration walkthrough is in docs/oidc-sso.md. A shared admin password (CONSOLE_ADMIN_SECRET) also works on its own, and stays as a break-glass login for when SSO is down. Defense in depth: still keep the console on your network / VPN.
Free (no license, or expired) = full credit management plus the AI gateway: managed per-user keys, hard budget enforcement (requests stop the moment a budget hits zero) and per-user attribution. A license adds the savings layer — response cache and smart routing, automatic return of idle credits, reconciliation against provider invoices, chargeback reports and insights. Signing up gets 3 months of everything free, once per company. Full comparison on the pricing page.
Yes, anytime — paste it in the console (/?screen=license → Apply). No reinstall, takes effect immediately.
The license verifies offline (signed), and updates can be applied offline (./update.sh vX.Y.Z with a pre-downloaded bundle). Ask us for a long-dated offline license: support@aisite.co.il.
Run docker compose logs -f console from the install/ folder and read the error — or paste it into the AI prompt above and let your assistant fix it. Ports 80/443 already taken by another web server is the most common hiccup — free them or use a different host. Once installed, bugs go straight to us from the console: License → Report a problem.