
Compatibility Matrix

This page documents version compatibility between the self-hosted Governance Gateway and TruthVouch cloud services, system requirements, and supported architectures.

Gateway and SaaS Compatibility

The self-hosted gateway communicates with TruthVouch cloud for configuration sync, policy updates, and optional audit telemetry. Each gateway version requires a minimum SaaS API version.

| Gateway Version | Min SaaS API Version | Sync Protocol | SDK Compatibility |
|---|---|---|---|
| 1.0.x | v1 | v1 | Python SDK 1.0+, TypeScript SDK 1.0+, .NET SDK 1.0+ |

Notes:

  • The sync agent negotiates protocol versions with the cloud API automatically. If your gateway version is too old for the current cloud API, the sync agent logs a clear error with the required minimum version.
  • SDK compatibility refers to the TruthVouch client SDKs used by your application to call the gateway. SDKs are backward-compatible within a major version.

System Requirements

Hardware

| Component | Minimum | Recommended | Notes |
|---|---|---|---|
| CPU | 4 cores | 8 cores | AI engine benefits from additional cores for NLI inference |
| RAM | 8 GB | 16 GB | The AI engine loads NLI and embedding models into memory |
| Disk | 20 GB | 50 GB | Includes database storage, Redis cache, and container images |

Software

| Dependency | Minimum Version | Recommended |
|---|---|---|
| Docker Engine | 24+ | Latest stable |
| Docker Compose | v2.0+ | Latest stable |

The stack provisions its own PostgreSQL 16 and Redis 7 containers — you do not need to install these separately unless you prefer to use external instances.

Supported Architectures

All TruthVouch container images are built as multi-architecture images supporting:

| Architecture | Platform | Status |
|---|---|---|
| linux/amd64 | x86_64 servers, AWS EC2 (Intel/AMD), GCP, Azure | Supported |
| linux/arm64 | AWS Graviton, Apple Silicon (via Docker Desktop), ARM servers | Supported |

Docker automatically pulls the correct architecture for your host. No configuration is needed.

Network Requirements

Outbound Connectivity

The self-hosted stack requires outbound HTTPS access to the following endpoints:

| Destination | Port | Purpose | Required? |
|---|---|---|---|
| api.truthvouch.com | 443 (HTTPS) | Sync agent — pulls config, policies, JWKS keys | Yes |
| OpenAI API (api.openai.com) | 443 (HTTPS) | AI engine — embedding generation, NLI inference | Yes |
| ghcr.io | 443 (HTTPS) | Pull container images during install/upgrade | During install/upgrade only |

If you use a different LLM provider (e.g., Azure OpenAI), substitute the OpenAI endpoint with your provider’s API endpoint.

Internal Ports

The following ports are used for inter-container communication within the Docker network. You only need to expose them to the host if your application connects from outside the Docker network:

| Port | Service | Protocol | Expose to Host? |
|---|---|---|---|
| 50052 | Governance Gateway (gRPC) | gRPC/HTTP2 | Yes — your application calls this |
| 8090 | Governance Gateway (REST/health) | HTTP | Optional — for health monitoring |
| 5010 | Gateway API | HTTP | Optional — for knowledge base management |
| 8091 | Sync Agent (health) | HTTP | Optional — for health monitoring |
| 50051 | AI Engine (gRPC) | gRPC/HTTP2 | No — internal only |
| 5432 | PostgreSQL | TCP | No — internal only (unless using external DB tools) |
| 6379 | Redis | TCP | No — internal only |
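
An added example, not part of the TruthVouch documentation or tooling: a check that compares published container ports against the Internal Ports table above. It assumes input in the form printed by `docker ps --format '{{.Ports}}'` and that each service is identified by its container-side port; the sample lines and the VIOLATION/REVIEW levels are constructed for illustration.

```python
import re

# Exposure policy copied from the "Internal Ports" table on this page.
POLICY = {
    50052: ("Governance Gateway (gRPC)", "yes"),
    8090: ("Governance Gateway (REST/health)", "optional"),
    5010: ("Gateway API", "optional"),
    8091: ("Sync Agent (health)", "optional"),
    50051: ("AI Engine (gRPC)", "no"),
    5432: ("PostgreSQL", "no"),
    6379: ("Redis", "no"),
}
# A published mapping such as "0.0.0.0:5432->5432/tcp" or "[::]:5432->5432/tcp".
# Entries without "->" (e.g. "6379/tcp") are not published and never match.
MAPPING = re.compile(r"^(?P<host>.+):(?P<hport>\d+)->(?P<cport>\d+)/\w+$")
WILDCARD = {"0.0.0.0", "::", "[::]"}

def is_loopback(host):
    return host.startswith("127.") or host in {"::1", "[::1]"}

def audit(ports_field):
    """Return sorted (level, service, binding) findings for one Ports string."""
    findings = set()
    for part in ports_field.split(","):
        m = MAPPING.match(part.strip())
        if not m:
            continue
        host, cport = m["host"], int(m["cport"])
        # Assumption: services are identified by their container-side port.
        service, expose = POLICY.get(cport, (None, None))
        binding = f"{host}:{m['hport']}"
        if expose == "no" and not is_loopback(host):
            findings.add(("VIOLATION", service, binding))
        elif expose == "no" or (expose == "optional" and host in WILDCARD):
            findings.add(("REVIEW", service, binding))
    return sorted(findings)

# Constructed sample lines in the style of `docker ps --format '{{.Ports}}'`.
SAMPLE = [
    "0.0.0.0:50052->50052/tcp, [::]:50052->50052/tcp",
    "0.0.0.0:5432->5432/tcp",
    "127.0.0.1:8090->8090/tcp, 6379/tcp",
    "0.0.0.0:8091->8091/tcp, 127.0.0.1:15432->5432/tcp",
]

if __name__ == "__main__":
    for line in SAMPLE:
        for level, service, binding in audit(line):
            print(f"{level:9} {service} published on {binding}")
```

An internal-only port bound to loopback is reported as REVIEW rather than VIOLATION because the table allows PostgreSQL access for external DB tools.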

Firewall Rules

If your infrastructure uses egress filtering, allow outbound HTTPS (port 443) to:

  • api.truthvouch.com
  • Your LLM provider’s API endpoint
  • ghcr.io and *.githubusercontent.com (for image pulls)

No inbound ports need to be open to the public internet. The gateway only needs to be reachable by your internal applications.

Resource Scaling Guidelines

The default configuration handles moderate traffic. For higher throughput, consider these adjustments:

| Scenario | CPU | RAM | Disk | Notes |
|---|---|---|---|---|
| Low traffic (<100 req/min) | 4 cores | 8 GB | 20 GB | Default configuration |
| Medium traffic (100–1,000 req/min) | 8 cores | 16 GB | 50 GB | Increase GATEWAY_WORKERS in .env |
| High traffic (>1,000 req/min) | 16+ cores | 32+ GB | 100+ GB | Consider Kubernetes deployment with horizontal scaling |

Database disk usage depends on audit retention settings. At the default 90-day retention (AUDIT_RETENTION_DAYS=90), expect approximately 1 GB of database growth per 1 million scanned requests.
