⚡ self-hosted · no-KYC · crypto · Tor-native

Deploy any app to your own VPS — by AI, by CLI, or by API.

Impreza Host is managed infrastructure for the apps you already trust. Install catalog apps (WordPress, PrestaShop, n8n, Nextcloud, Vaultwarden, Matrix, Gitea, SearXNG, …) with one click, or ship your own code as a Docker image, a Dockerfile, or a git repository (public or private). Every deployment gets automatic HTTPS via Let’s Encrypt and an optional .onion mirror via Tor.

🤖 I’m using an AI tool Claude Code, Cursor, Codex, Continue, Zed — install impreza-mcp + talk normally. ⌨ I prefer the terminal impreza deploy packages your cwd + ships it in one command. 🛍 Show me the catalog Browse and 1-click install pre-packaged apps from the My Apps panel.

What is Impreza Host #

Impreza Host runs your apps on dedicated VPSes you own — not shared multi-tenant hosting and not opaque managed-cloud. You get:

A real VPS with root access. Use it for the apps Impreza deploys + anything else.
A daemon (the agent) we install on your VPS that takes app-deploy commands from the control plane.
A REST API + CLI + MCP server for issuing those commands from your laptop, your CI, or your favorite AI.
Automatic HTTPS via Let’s Encrypt + optional Tor v3 hidden services for any deployment.
No KYC, crypto payment accepted, decentralized infrastructure across every continent we can reach — offshore and non-offshore jurisdictions side by side.

Quickstart (60 seconds) #

Path A — From an AI tool (Claude Code, Cursor, Codex, Continue, Zed)

Generate an API key + secret in the Impreza clientarea. Whitelist your laptop’s public IP on the key.

Get the MCP config snippet for your AI tool:

npx -y impreza-mcp setup --tool claude-code
# or: cursor | continue | zed | codex-cli

Paste the printed JSON into your AI tool’s MCP config, fill in IMPREZA_API_KEY and IMPREZA_API_SECRET, restart the tool. Then in chat:

You: "Deploy this project to my Impreza VPS, expose via .onion."
AI: → calls impreza_deploy_custom → tarballs cwd → uploads →
       creates a deployment → prints the URL.

Path B — From the terminal

# One-time setup
npm i -g impreza-mcp     # or use directly via npx
# (the CLI ships as a single static binary — see GitHub Releases of impreza-devkit)
impreza login            # prompts for API key + secret, verifies against /v1/account

# Per-project
cd ~/my-app              # any directory with a Dockerfile
impreza deploy --agent agt_xxxxxxxxxxxx --follow
# → Packaging → Uploading → Deploying → ✓ Deployed at https://my-app-3f7c9a.imprezaapps.com

Don’t have an agent yet? Three steps in order: Get a VPS → Install the agent (10-min token from My Apps → + Add another server) → Generate API keys + whitelist your IPs. ~5 minutes total.

Got “no servers on your account” from the AI? It means you have a VPS but the agent isn’t installed yet. Open My Apps, click + Add another server, copy the curl one-liner, run it on the VPS within 10 minutes (full flow here). The token expires after 10 min — regenerate if you miss the window.

Concepts #

Term	Means
VPS / server	A virtual machine you own (rented from Impreza, or your own external box). Has a public IP + root access.
Agent	A small Go daemon installed on the VPS. Polls the Impreza control plane for deploy commands + reports back. ID format `agt_xxxxxxxxxxxx`.
Catalog	A curated set of apps we’ve packaged + verified — WordPress, PrestaShop, n8n, OpenClaw, Vaultwarden, Nextcloud, Matrix, Gitea, SearXNG, Memos, Uptime Kuma, Activepieces, Jellyfin, PhotoPrism, MinIO, Mattermost, Ollama, Open WebUI, RustDesk, …
Network mode	How a deployment is reached. `http` (default) → URL with HTTPS via Caddy + Let’s Encrypt; this is every app except the ones in the next two modes. `host_ports` → raw TCP/UDP on fixed ports (RustDesk, future game/VPN/DNS); the deployment carries `connection_info: {ip, ports, public_key}` and clients connect to `IP:port`. `hybrid` → both at once (raw protocol ports AND an HTTP admin UI on a subdomain).
Custom deploy	An app that’s not in the catalog — your own code, an arbitrary public image, or a manifest you wrote.
Deployment	One running instance of an app on one agent. ID format `dpl_xxxxxxxxxxxx`. Tracks its container(s), routes, status.
Source mode	How a custom deploy gets its code: `image` (public registry URL), `dockerfile` (local Dockerfile uploaded as a tarball, OR a git URL — public or private), or `manifest` (full docker-compose YAML).
Route / domain	The public hostname the app responds on. Auto-allocated under `imprezaapps.com` if you don’t bring your own (shared namespace — names are first-come-first-served, released on uninstall).
Onion / .onion	Optional Tor v3 hidden service published alongside any deployment. Set `onion: true`.

1. Get a server #

Impreza apps need a server to run on. Three ways to get one:

Buy a VPS from Impreza

Provisioned in ~3 minutes via the Proxmox panel. Multiple continents available — pick offshore or non-offshore based on your needs. See plans →

Buy a dedicated server from Impreza

Bare-metal hardware in our datacenters. Provisioning is manual (24–48h while we rack the box). Our team installs the Impreza agent on your behalf — when the server arrives in your client area, it’s ready to deploy to from My Apps. Dedicated servers → · Offshore dedicated →

Bring your own (BYO)

Already have a server elsewhere? Any Debian / Ubuntu / RHEL / Alpine works. Install the agent (next section) and we treat it like any other.

At checkout: pick what to install

When you order a VPS or a dedicated server from Impreza, the cart shows a tile picker. Pick whichever matches your intent — all three options install the Impreza agent; the difference is what (if anything) gets installed alongside it:

Impreza Agent (recommended for power users): just the agent. Use this if you plan to deploy your own apps later — your own Docker images, git repos, manifests, or anything from the catalog via the panel / CLI / API.
Agent + MCP for AI tools (recommended for AI-first workflows): same as above, but the post-provision email includes a 3-step MCP quickstart so Claude / Cursor / Codex / Continue / Zed can deploy directly to your server via tool calls.
One of the catalog apps (WordPress, PrestaShop, n8n, Nextcloud, OpenClaw, Vaultwarden, Gitea, RustDesk, …): agent plus that specific app, auto-installed. HTTP apps land at a free imprezaapps.com subdomain with HTTPS; non-HTTP apps like RustDesk (self-hosted remote desktop) land at IP:port with the connection info (including the auto-captured public key) shown on the My Apps card. Fastest path if you know exactly which app you want.
No app: bare server, agent not installed. You can install it later from My Apps → click the Custom App tile (which only appears when you have no agent yet).

For dedicated servers the same picker shows the same options; the only difference is timing — our team installs whatever you picked manually after the hardware is racked, then the agent shows up in your My Apps panel as if it were a VPS.

2. Install the agent #

Every Impreza deployment runs on an agent — a small daemon installed on the VPS that takes commands from the control plane and runs them locally via docker compose. Without an agent, nothing can be installed — the AI, the CLI, and the REST API will all return “no server found on this account”.

When do I need this?

You bought a VPS from Impreza and did not opt into auto-install during checkout.
You brought your own server from another provider (BYO).
You reinstalled an Impreza VPS and the previous agent was wiped.

If you bought a VPS from Impreza and selected auto-install, the agent is already on the VPS by the time you reach the panel — skip to step 3 (API keys).

The 4-step install flow

Sign in to portal.imprezahost.com and open My Apps.
Click + Add another server. The panel generates a one-time bootstrap token (valid for 10 minutes) and prints a one-liner that looks like this:
```
curl -fsSL https://raw.githubusercontent.com/imprezahost/agent-public/main/install.sh \
  | IMPREZA_BOOTSTRAP=<token-from-panel> sh
```
Run that command on the VPS as root (or via sudo). Two paths:
- You do it: SSH into the VPS, paste, hit enter.
- The AI does it: grant the AI assistant SSH access (give it the hostname / IP / port / user / credentials) and paste the one-liner into the chat. The AI runs it on your behalf.
Within ~10 seconds the agent appears in My Apps with status: online. You’re ready to deploy.

The bootstrap token expires in 10 minutes. If you can’t get to the VPS shell in that window, the curl command will fail with BOOTSTRAP_EXPIRED. Just click + Add another server again to generate a fresh one.

What the install script does on your VPS:

Detects OS + architecture (amd64 / arm64).
Installs Docker engine if missing (the agent uses docker compose for every deployment).
Installs git if missing (used for git-URL deploys).
Downloads the agent binary to /usr/local/bin/impreza-agent.
Installs the systemd unit + hardening (ProtectHome=yes, NoNewPrivileges, …).
Consumes the bootstrap token, receives the agent’s permanent credentials, persists them to /etc/impreza-agent/credentials.toml (mode 0600).
Starts the impreza-agent.service systemd unit.

3. Generate API keys (+ IP whitelist) #

The AI assistant, the CLI, and any custom integration all authenticate to Impreza with an API key + secret. The agent uses a different credential issued at bootstrap (above) — these steps are for customer-realm calls (the ones your laptop, your AI, your CI make).

Generate the key

Sign in to portal.imprezahost.com and open Impreza API.
Type a label (something like laptop, ci, or claude) and click Generate New Key.
Copy the secret immediately. The full secret is shown once — if you close the modal you can’t retrieve it again, you’ll have to delete + recreate. The imp_… key prefix stays visible.

Whitelist the IPs that will call the API

Required. Without this the API rejects every call with 403 IP_NOT_WHITELISTED. From the Impreza API page, open the IP Whitelist tab and add:

Your laptop’s public IP — needed if you’ll run the impreza CLI locally, or the impreza-mcp MCP server inside Claude Desktop / Cursor / Continue / Zed (those tools spawn the MCP server on your machine, not on your VPS).
Your VPS’s public IP — needed if you’ll curl the API from the VPS itself, or run anything API-calling there (an Impreza CLI on the server, a CI runner, …). You don’t need this for the agent itself — the agent has its own credential.
Your AI provider’s outbound IP (rare) — only when the AI invokes the API directly from its own infrastructure rather than via an MCP server running on your machine. Most modern AI tools (Claude Code, Cursor, Codex CLI) use the local-MCP path, so this row is usually not needed.

Quick check: curl https://api.ipify.org from any machine prints the public IP that machine uses for outbound traffic — paste that into the whitelist row.

Why per-IP whitelist (and not just per-key)?

Two layers of defense. A leaked API secret alone doesn’t let an attacker call the API — they also need to be sending requests from an IP you explicitly added. Pair that with rotation (generate a fresh key in seconds + delete the old one) and a compromised credential is recoverable without losing data.

4. Deploy apps #

Four ways to get code running:

Catalog (1-click)

Browse the curated app catalog in the My Apps panel and click Install. Pick a server, pick a domain (or use a free imprezaapps.com subdomain), confirm. Done in ~30 seconds.

Same operation via API:

curl -X POST https://api.imprezahost.com/v1/platform/deployments \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{
    "app_name": "vaultwarden",
    "agent_id": "agt_xxxxxxxxxxxx",
    "domain": "vault.example.com",
    "onion": true,
    "vars": {"signups_allowed": "true"}
  }'

Deploy the same app multiple times on one server — Impreza assigns each instance its own host port automatically, so they run side by side without conflict. (Fixed-protocol apps like RustDesk are the exception — one per server.)

Public Docker image

Run any image from a public registry (Docker Hub, ghcr.io public, quay.io, …):

curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-nginx",
    "agent_id": "agt_xxxxxxxxxxxx",
    "image": "nginx:alpine",
    "target_port": 80,
    "domain": "static.example.com",
    "cpus": 0.5,
    "memory_mb": 256
  }'

Local Dockerfile (upload from your machine)

For code that lives on your laptop. The CLI tars the project directory, uploads it, and asks the agent to docker build it locally on your VPS:

cd ~/my-app                    # directory with a Dockerfile
impreza deploy \
  --agent agt_xxxxxxxxxxxx \
  --name my-app \
  --cpus 1.0 --memory-mb 512 \
  --follow

Same operation via API (two-step: upload context, then deploy):

# 1. Upload the project as a gzip tarball
tar czf - . | curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom/contexts \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/gzip" \
  --data-binary @-
# → returns {context_id, sha256, expires_at}

# 2. Reference that context_id in a deploy
curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-app",
    "agent_id": "agt_xxxxxxxxxxxx",
    "context_id": "ctx_xxxxxxxxxxxx",
    "dockerfile_path": "Dockerfile",
    "target_port": 8080,
    "cpus": 1.0,
    "memory_mb": 512
  }'

Git repository (public or private)

Point at a git URL — the agent does a shallow clone (git clone --depth=1 --branch=<ref>) and builds the Dockerfile from the cloned tree. No local upload needed. Public repos need no auth; for private repos set git_auth_method (see the note below):

curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-app",
    "agent_id": "agt_xxxxxxxxxxxx",
    "git_url": "https://github.com/your-user/your-repo",
    "git_ref": "main",
    "dockerfile_path": "Dockerfile",
    "target_port": 8080,
    "cpus": 1.0,
    "memory_mb": 512
  }'

Private repositories are supported — set git_auth_method:

deploy_key — use an SSH URL (git@host:owner/repo.git). The create response returns a generated git_auth.public_key; add it to your repository as a read-only Deploy Key (GitHub / GitLab / Gitea) or Access Key (Bitbucket), and the agent clones over SSH. Works with any host that supports SSH deploy keys — GitHub, GitLab, Bitbucket, Gitea or self-hosted.
pat — keep the https URL and pass git_pat (a repo-scoped read token: a GitHub fine-grained PAT or a GitLab access token). The agent clones over HTTPS. Supported for GitHub and GitLab; for Bitbucket, use a deploy key instead.

The credential is encrypted at rest and never returned again. Public repos on any host need no auth (git_auth_method defaults to none).

Auto-deploy on git push

Once a deployment is created with git_url, you can connect its repo’s push webhook so every commit to the watched branch redeploys the app automatically — no extra command, no polling. It works with any provider (GitHub, GitLab, Bitbucket, Gitea, self-hosted, even a CI job) against a single per-deployment secret. Enable it from the My Apps panel (Advanced view → 🔗 Connect git for auto-deploy), an AI assistant (impreza_git_webhook_connect / _status / _disconnect), or the REST API.

GitHub — one-click. Paste a Fine-grained GitHub PAT and we install the webhook for you:

curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom/dpl_xxxxxxxxxxxx/git-webhook/connect \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{"github_pat": "github_pat_..."}'

GitLab, Bitbucket, Gitea, self-hosted, CI — manual. Connect with no token; we return a payload_url and a webhook_token. Add a push webhook in your repo to that URL, sending the token as the GitLab Secret token, or as the X-Impreza-Token header / ?token=… query param for everything else:

curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom/dpl_xxxxxxxxxxxx/git-webhook/connect \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" -d '{}'
# → { "payload_url": "https://api.imprezahost.com/v1/webhooks/git/dpl_xxxxxxxxxxxx",
#     "webhook_token": "…" }   ← add both to your provider's webhook settings

Generate the PAT at github.com/settings/personal-access-tokens/new with scope Repository → Webhooks: Read and write on the target repo (and nothing else). We validate the token, install the webhook, then discard it — we only keep the webhook id (to delete later) and a fresh per-deployment HMAC secret (to verify incoming push payloads). Pushes get redeployed via the same smart-replace path used by every redeploy: re-clone at the new HEAD, rebuild, restart in place.

Disconnect works the same way — with a PAT supplied we also delete the hook from your repo on GitHub’s side; without it, we only flip our local switch and pushes 200-noop on our receiver. GitHub eventually marks the hook as failing in its UI either way.

AI tools (MCP) #

impreza-mcp is the Model Context Protocol server that lets AI tools call Impreza Host directly — no copy-pasting URLs, no leaving the chat. Loaded once into your AI tool, the AI gains 13 tools it can call autonomously:

Tool	Does
`impreza_list_servers`	List the customer’s VPSes + agents
`impreza_list_apps`	Browse the catalog
`impreza_list_deployments`	What’s currently running
`impreza_deploy_custom`	Deploy code from cwd (image / dockerfile / manifest)
`impreza_deploy_catalog_app`	Install a catalog app
`impreza_uninstall_deployment`	Tear down a deployment
`impreza_restart_deployment`	Restart a deployment’s containers
`impreza_get_logs`	Tail the last N lines of container logs
`impreza_change_domain`	Re-route a running deployment to a new hostname
`impreza_add_onion`	Provision a Tor mirror for an existing deployment
`impreza_git_webhook_status`	Inspect the auto-deploy connection of a git-backed deployment
`impreza_git_webhook_connect`	Install a GitHub push webhook so every commit auto-redeploys
`impreza_git_webhook_disconnect`	Disable auto-deploy (optionally also delete the hook on GitHub)

Setup (one command)

npx -y impreza-mcp setup --tool claude-code
# also supported: cursor | continue | zed | codex-cli

The wizard prints the ready-to-paste JSON config block + the exact file path for the target tool (e.g. ~/Library/Application Support/Claude/claude_desktop_config.json on macOS). Paste, fill in IMPREZA_API_KEY + IMPREZA_API_SECRET, restart the AI tool.

Manual config (Claude Code shown — same shape for Cursor and Codex CLI)

{
  "mcpServers": {
    "impreza": {
      "command": "npx",
      "args": ["-y", "impreza-mcp"],
      "env": {
        "IMPREZA_API_KEY": "imp_...",
        "IMPREZA_API_SECRET": "..."
      }
    }
  }
}

Source: github.com/imprezahost/impreza-mcp · npm: impreza-mcp

CLI `impreza` #

Single static binary in Go. Mac (amd64/arm64), Linux (amd64/arm64), Windows (amd64).

# Setup (one-time)
impreza login

# Deploy your project (Dockerfile in cwd)
impreza deploy --agent agt_xxxxxxxxxxxx --follow

# Re-deploy with the same name (uninstalls old + creates new)
impreza deploy --agent agt_xxxxxxxxxxxx --name my-app --follow --force

# Browse + manage
impreza platform servers list
impreza platform apps list
impreza platform deployments list
impreza platform deployments show dpl_xxxxxxxxxxxx
impreza platform deployments logs dpl_xxxxxxxxxxxx
impreza platform deploy vaultwarden --agent agt_... --domain vault.example.com

# Multiple accounts? Named contexts.
impreza context create work --key imp_... --secret ...
impreza context use work

Source: github.com/imprezahost/impreza-devkit (cli-go/). Releases publish prebuilt binaries.

REST API #

Every Impreza Host operation has a REST endpoint. Use it directly with curl, the SDK Go, or the official Python impreza-sdk.

Base URL: https://api.imprezahost.com
Auth: X-API-Key + X-API-Secret headers (rotate via clientarea → API keys)
IP whitelist: every key has an allow-list; whitelist the caller’s public IP before use
Envelope: {success, data, error, meta: {request_id, timestamp}}
Rate limits: 60 req/min/key default — raise per-key in clientarea

Full reference: api.html (interactive Swagger UI over the OpenAPI 3.1 spec) · machine-readable: openapi.yaml

Endpoint surface (high-level)

Path prefix	What it covers
`/v1/platform/servers`	Managed servers + agent bootstrap tokens
`/v1/platform/apps`	Curated app catalog
`/v1/platform/deployments`	Catalog deployments (create, list, show, uninstall, restart, logs, change-domain, add-onion)
`/v1/platform/deployments/custom`	Custom deployments (image / dockerfile / git / manifest) + context upload
`/v1/agent/*`	Used by the agent daemon — bootstrap, poll, report, deploy-result, logs, DNS-01 challenge proxy
`/v1/account, /v1/domains, /v1/email, /v1/vps, /v1/dedicated, /v1/orders, /v1/invoices, /v1/webhooks`	The rest of the customer surface — managing the products you buy from Impreza

SDK Go #

The official Go SDK — used by the CLI + the agent + the MCP server. Same source repo as the CLI: github.com/imprezahost/impreza-devkit (sdk-go/).

import sdkclient "github.com/imprezahost/impreza-devkit/sdk-go/client"

c, _ := sdkclient.New(sdkclient.Context{
    Key: "imp_...", Secret: "...",
})
servers, _ := c.PlatformListServers(context.Background())
for _, s := range servers.Servers {
    fmt.Println(s.AgentID, s.Hostname, s.Status)
}

A Python SDK (impreza-sdk) exists with the same surface — see pypi.org/project/impreza-sdk.

Tor (.onion) #

Every deployment can publish a Tor v3 hidden service alongside its clearnet URL — just pass onion: true. The agent runs a Tor sidecar container, provisions a fresh ed25519 keypair (persists it under the deployment’s state dir), and emits the .onion address back via the deploy result.

Pure-onion deploys (no clearnet) are supported — set onion: true and omit domain. The agent will back-fill DOMAIN + DOMAIN_URL in the container env with the published .onion so apps that need to know their own URL get the right value.

Authentication #

Customer ↔ API: X-API-Key (imp_…) + X-API-Secret headers. Generate in clientarea → API Keys. Whitelist your IP.
Agent ↔ API: X-Agent-Id (agt_…) + X-Agent-Secret headers, issued once at bootstrap and persisted to /etc/impreza-agent/credentials.toml.

Limits + abuse #

Cgroups: every custom deploy gets --cpus + --memory applied at container start. Defaults are 1 CPU / 512 MB if you don’t specify. Override via cpus + memory_mb in the deploy body, clamped against the VPS’s reported memory.
Build context size: tarball uploads cap at 100 MB per context. Pack a leaner build context (use a .dockerignore on your end) — the CLI bakes in the usual exclusions (.git, node_modules, __pycache__, …).
API rate limit: 60 req/min/key default. Raise per-key in clientarea.
Trust model: we trust the customer — the VPS is yours, the agent runs your code, cgroup ceilings prevent runaway containers. We do not currently scan images or Dockerfiles.

Open source #

Repository	What it is	License
impreza-devkit	SDK Go + CLI + agent source + Caddy DNS provider	—
impreza-mcp	MCP server (Node TypeScript) — npm: `impreza-mcp`	MIT
agent-public	Public agent installer + prebuilt binaries (amd64 / arm64)	—

Help #

Clientarea — billing, services, API keys, app management
support@imprezahost.com — support
imprezahost.com — main site

For AI tools: a structured index at /llms.txt and a single-file dump of all docs at /llms-full.txt — paste either into your AI’s context to brief it on the whole platform in one shot.