Hanzo

Hanzo PaaS

The platform.hanzo.ai control plane — deploy and operate applications, containers, and custom domains across your clusters, with IAM-native multi-org access.

Hanzo PaaS

API reference · Hanzo Platform API → — every endpoint, generated from the OpenAPI spec.

Hanzo PaaS (platform.hanzo.ai) is the control plane for shipping software on Hanzo infrastructure. You register an application, point it at a Docker image or Git repo, attach a domain, and the platform builds, deploys, and operates it on your clusters — with deployment history, rolling updates, and drift detection. Authentication is delegated to Hanzo IAM with per-organization isolation.

Studiohttps://platform.hanzo.ai
Canonical APIhttps://platform.hanzo.ai/v1
Build pipeline APIhttps://platform.hanzo.ai/api (tRPC + OpenAPI)
AuthHanzo IAM (interactive) · API key / service token (machine)
Sourcegithub.com/hanzoai/platform

The model

Hanzo PaaS organizes work into a simple hierarchy:

organization
  └── project
        └── environment            (e.g. production, staging)
              ├── application       (a Docker image or Git source → one workload)
              └── compose           (a multi-service docker-compose / stack unit)
ObjectWhat it is
projectA grouping of related services, owned by an organization
environmentAn isolated slice of a project (production, staging, preview)
applicationA single deployable unit. Its appName is the name of the live workload it drives. sourceType is one of docker, git, github, gitlab, bitbucket, gitea, or drop; deployTarget is local, cloud, or k8s
deploymentOne build/deploy run, with status and start/finish timestamps
domainA hostname mapped to an application or compose service, with automatic TLS

State is stored in Hanzo Base (embedded SQLite, replicated to object storage) — there is no external database to run.

Authentication

Two credential types, both retrieved from Hanzo KMS — never hard-coded:

CredentialHeaderUse
API keyx-api-key: <key>Machine access to the build-pipeline API (/api/*). Org-scoped; issued under Settings → API Keys
Service tokenAuthorization: Bearer <token>The canonical /v1 container surface (redeploy, observe)
IAM tokenAuthorization: Bearer <iam-jwt>Interactive / user access, via Hanzo IAM SSO

Deploy

From the Studio

  1. Sign in at platform.hanzo.ai with your Hanzo IAM account.
  2. Create a project and an environment.
  3. Add an application — choose a Docker image or connect a Git repository.
  4. Attach a domain and deploy.

Redeploy a running container (canonical /v1)

The canonical, machine-driven redeploy performs a zero-downtime rolling restart of the live workload — it re-pulls the image and recreates pods. It takes a service token and no body:

# Service token comes from KMS — never inline a real value
TOKEN=$(curl -sS -X POST https://kms.hanzo.ai/v1/kms/auth/login \
  -H 'Content-Type: application/json' \
  -d "{\"clientId\":\"$KMS_CLIENT_ID\",\"clientSecret\":\"$KMS_CLIENT_SECRET\"}" | jq -r .accessToken)
PAAS_TOKEN=$(curl -sS "https://kms.hanzo.ai/v1/kms/orgs/hanzo/secrets/paas/SERVICE_TOKEN?env=production" \
  -H "Authorization: Bearer $TOKEN" | jq -r .secret.value)

curl -fsS -X POST \
  "https://platform.hanzo.ai/v1/org/$ORG_ID/project/$PROJECT_ID/env/$ENV_ID/container/$APP_ID/redeploy" \
  -H "Authorization: Bearer $PAAS_TOKEN"
# → {"ok":true}

Build and deploy (pipeline /api)

To register a new app and run a build through the deployment pipeline, use the OpenAPI surface with an API key. Procedures are <router>.<procedure>:

# 1. Register the application (does not deploy)
curl -fsS -X POST https://platform.hanzo.ai/api/application.create \
  -H "x-api-key: $PLATFORM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "web", "environmentId": "'$ENV_ID'" }'

# 2. Attach a Docker image source, then deploy
curl -fsS -X POST https://platform.hanzo.ai/api/application.deploy \
  -H "x-api-key: $PLATFORM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "applicationId": "'$APP_ID'" }'

# Rebuild an existing application
curl -fsS -X POST https://platform.hanzo.ai/api/application.redeploy \
  -H "x-api-key: $PLATFORM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "applicationId": "'$APP_ID'", "title": "ship v1.3.0" }'

application.deploy and application.redeploy enqueue a build job; application.start, application.stop, and application.reload manage the running workload. See the Containers API for the full procedure set.

Observe & drift

The platform continuously reconciles three views of every app and computes drift:

TagMeaning
declaredThe version your operator/manifest declares
runningThe image actually live in the cluster
latestThe newest released version available
# List apps with drift, scoped to an org
curl -fsS "https://platform.hanzo.ai/v1/apps?org=hanzo&drift=true" \
  -H "Authorization: Bearer $PLATFORM_SERVICE_TOKEN"
{
  "apps": [
    { "org": "hanzo", "app": "docs", "env": "production",
      "declared_tag": "v1.4.0", "running_tag": "v1.3.0", "latest_tag": "v1.4.0",
      "health": "yellow", "drift": ["un-rolled"] }
  ],
  "summary": { "total": 1, "byDrift": { "un-rolled": 1 } }
}

Drift is never stored — it is recomputed from declared/running/latest each time. POST /v1/apps/sync refreshes the observed columns from the cluster and release feeds.

Custom domains & TLS

Attach a hostname to an application; TLS is provisioned automatically (Let's Encrypt) and a DNS record is created:

curl -fsS -X POST https://platform.hanzo.ai/api/domain.create \
  -H "x-api-key: $PLATFORM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "applicationId": "'$APP_ID'",
    "host": "app.example.com",
    "https": true,
    "certificateType": "letsencrypt"
  }'

Point your DNS at the platform ingress IP shown on the project's Domains tab.

Self-hosting

git clone https://github.com/hanzoai/platform
cd platform
cp .env.example .env   # set IAM endpoint, service token, etc.
docker compose up -d

The platform runs as a Next.js application with an embedded SQLite database; for production it deploys to a cluster via the operator. It authenticates against Hanzo IAM using the hanzo-platform application.

API Reference

The /v1 control surface and the /api build pipeline

API keys, service tokens, and IAM tokens

Create, deploy, redeploy, and operate applications

Register and manage clusters and node pools

Identity and access management with multi-org SSO

Secrets and service tokens for deployments

The embedded data store behind the control plane

Object storage for build artifacts and backups

How is this guide?

Last updated on

On this page