⚡ self-hosted · no-KYC · crypto · Tor-native

Deploy any app to your own VPS — by AI, by CLI, or by API.

Impreza Host is managed infrastructure for the apps you already trust. Install catalog apps (Vaultwarden, n8n, Nextcloud, Matrix, SearXNG, Gitea, …) with one click, or ship your own code as a Docker image, a Dockerfile, or a public git repository. Every deployment gets automatic HTTPS via Let’s Encrypt and an optional .onion mirror via Tor.

🤖 I’m using an AI tool Claude Code, Cursor, Codex, Continue, Zed — install impreza-mcp + talk normally. ⌨ I prefer the terminal impreza deploy packages your cwd + ships it in one command. 🛍 Show me the catalog Browse and 1-click install pre-packaged apps from the My Apps panel.

What is Impreza Host #

Impreza Host runs your apps on dedicated VPSes you own — not shared multi-tenant hosting and not opaque managed-cloud. You get:

A real VPS with root access. Use it for the apps Impreza deploys + anything else.
A daemon (the agent) we install on your VPS that takes app-deploy commands from the control plane.
A REST API + CLI + MCP server for issuing those commands from your laptop, your CI, or your favorite AI.
Automatic HTTPS via Let’s Encrypt + optional Tor v3 hidden services for any deployment.
No KYC, crypto payment accepted, decentralized infrastructure across every continent we can reach — offshore and non-offshore jurisdictions side by side.

Quickstart (60 seconds) #

Path A — From an AI tool (Claude Code, Cursor, Codex, Continue, Zed)

Generate an API key + secret in the Impreza clientarea. Whitelist your laptop’s public IP on the key.

Get the MCP config snippet for your AI tool:

npx -y impreza-mcp setup --tool claude-code
# or: cursor | continue | zed | codex-cli

Paste the printed JSON into your AI tool’s MCP config, fill in IMPREZA_API_KEY and IMPREZA_API_SECRET, restart the tool. Then in chat:

You: "Deploy this project to my Impreza VPS, expose via .onion."
AI: → calls impreza_deploy_custom → tarballs cwd → uploads →
       creates a deployment → prints the URL.

Path B — From the terminal

# One-time setup
npm i -g impreza-mcp     # or use directly via npx
# (the CLI ships as a single static binary — see GitHub Releases of impreza-devkit)
impreza login            # prompts for API key + secret, verifies against /v1/account

# Per-project
cd ~/my-app              # any directory with a Dockerfile
impreza deploy --agent agt_xxxxxxxxxxxx --follow
# → Packaging → Uploading → Deploying → ✓ Deployed at https://my-app-3f7c9a.imprezaapps.com

Don’t have an agent yet? Three steps in order: Get a VPS → Install the agent (10-min token from My Apps → + Add another server) → Generate API keys + whitelist your IPs. ~5 minutes total.

Got “no servers on your account” from the AI? It means you have a VPS but the agent isn’t installed yet. Open My Apps, click + Add another server, copy the curl one-liner, run it on the VPS within 10 minutes (full flow here). The token expires after 10 min — regenerate if you miss the window.

Concepts #

Term	Means
VPS / server	A virtual machine you own (rented from Impreza, or your own external box). Has a public IP + root access.
Agent	A small Go daemon installed on the VPS. Polls the Impreza control plane for deploy commands + reports back. ID format `agt_xxxxxxxxxxxx`.
Catalog	A curated set of apps we’ve packaged + verified — Vaultwarden, n8n, Nextcloud, Matrix, Gitea, SearXNG, Memos, Uptime Kuma, OpenClaw, Activepieces, …
Custom deploy	An app that’s not in the catalog — your own code, an arbitrary public image, or a manifest you wrote.
Deployment	One running instance of an app on one agent. ID format `dpl_xxxxxxxxxxxx`. Tracks its container(s), routes, status.
Source mode	How a custom deploy gets its code: `image` (public registry URL), `dockerfile` (local Dockerfile uploaded as a tarball, OR public git URL), or `manifest` (full docker-compose YAML).
Route / domain	The public hostname the app responds on. Auto-allocated under `imprezaapps.com` if you don’t bring your own (shared namespace — names are first-come-first-served, released on uninstall).
Onion / .onion	Optional Tor v3 hidden service published alongside any deployment. Set `onion: true`.

1. Get a VPS #

Impreza apps need a server to run on. Three ways to get one:

Buy a VPS from Impreza

Provisioned in ~3 minutes via the Proxmox panel. Multiple continents available — pick offshore or non-offshore based on your needs. See plans →

Bring your own (BYO)

Already have a server elsewhere? Any Debian / Ubuntu / RHEL / Alpine works. Install the agent (next section) and we treat it like any other.

2. Install the agent #

Every Impreza deployment runs on an agent — a small daemon installed on the VPS that takes commands from the control plane and runs them locally via docker compose. Without an agent, nothing can be installed — the AI, the CLI, and the REST API will all return “no server found on this account”.

When do I need this?

You bought a VPS from Impreza and did not opt into auto-install during checkout.
You brought your own server from another provider (BYO).
You reinstalled an Impreza VPS and the previous agent was wiped.

If you bought a VPS from Impreza and selected auto-install, the agent is already on the VPS by the time you reach the panel — skip to step 3 (API keys).

The 4-step install flow

Sign in to portal.imprezahost.com and open My Apps.
Click + Add another server. The panel generates a one-time bootstrap token (valid for 10 minutes) and prints a one-liner that looks like this:
```
curl -fsSL https://raw.githubusercontent.com/imprezahost/agent-public/main/install.sh \
  | IMPREZA_BOOTSTRAP=<token-from-panel> sh
```
Run that command on the VPS as root (or via sudo). Two paths:
- You do it: SSH into the VPS, paste, hit enter.
- The AI does it: grant the AI assistant SSH access (give it the hostname / IP / port / user / credentials) and paste the one-liner into the chat. The AI runs it on your behalf.
Within ~10 seconds the agent appears in My Apps with status: online. You’re ready to deploy.

The bootstrap token expires in 10 minutes. If you can’t get to the VPS shell in that window, the curl command will fail with BOOTSTRAP_EXPIRED. Just click + Add another server again to generate a fresh one.

What the install script does on your VPS:

Detects OS + architecture (amd64 / arm64).
Installs Docker engine if missing (the agent uses docker compose for every deployment).
Installs git if missing (used for git-URL deploys).
Downloads the agent binary to /usr/local/bin/impreza-agent.
Installs the systemd unit + hardening (ProtectHome=yes, NoNewPrivileges, …).
Consumes the bootstrap token, receives the agent’s permanent credentials, persists them to /etc/impreza-agent/credentials.toml (mode 0600).
Starts the impreza-agent.service systemd unit.

3. Generate API keys (+ IP whitelist) #

The AI assistant, the CLI, and any custom integration all authenticate to Impreza with an API key + secret. The agent uses a different credential issued at bootstrap (above) — these steps are for customer-realm calls (the ones your laptop, your AI, your CI make).

Generate the key

Sign in to portal.imprezahost.com and open Impreza API.
Type a label (something like laptop, ci, or claude) and click Generate New Key.
Copy the secret immediately. The full secret is shown once — if you close the modal you can’t retrieve it again, you’ll have to delete + recreate. The imp_… key prefix stays visible.

Whitelist the IPs that will call the API

Required. Without this the API rejects every call with 403 IP_NOT_WHITELISTED. From the Impreza API page, open the IP Whitelist tab and add:

Your laptop’s public IP — needed if you’ll run the impreza CLI locally, or the impreza-mcp MCP server inside Claude Desktop / Cursor / Continue / Zed (those tools spawn the MCP server on your machine, not on your VPS).
Your VPS’s public IP — needed if you’ll curl the API from the VPS itself, or run anything API-calling there (an Impreza CLI on the server, a CI runner, …). You don’t need this for the agent itself — the agent has its own credential.
Your AI provider’s outbound IP (rare) — only when the AI invokes the API directly from its own infrastructure rather than via an MCP server running on your machine. Most modern AI tools (Claude Code, Cursor, Codex CLI) use the local-MCP path, so this row is usually not needed.

Quick check: curl https://api.ipify.org from any machine prints the public IP that machine uses for outbound traffic — paste that into the whitelist row.

Why per-IP whitelist (and not just per-key)?

Two layers of defense. A leaked API secret alone doesn’t let an attacker call the API — they also need to be sending requests from an IP you explicitly added. Pair that with rotation (generate a fresh key in seconds + delete the old one) and a compromised credential is recoverable without losing data.

4. Deploy apps #

Four ways to get code running:

Catalog (1-click)

Browse the curated app catalog in the My Apps panel and click Install. Pick a server, pick a domain (or use a free imprezaapps.com subdomain), confirm. Done in ~30 seconds.

Same operation via API:

curl -X POST https://api.imprezahost.com/v1/platform/deployments \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{
    "app_name": "vaultwarden",
    "agent_id": "agt_xxxxxxxxxxxx",
    "domain": "vault.example.com",
    "onion": true,
    "vars": {"signups_allowed": "true"}
  }'

Public Docker image

Run any image from a public registry (Docker Hub, ghcr.io public, quay.io, …):

curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-nginx",
    "agent_id": "agt_xxxxxxxxxxxx",
    "image": "nginx:alpine",
    "target_port": 80,
    "domain": "static.example.com",
    "cpus": 0.5,
    "memory_mb": 256
  }'

Local Dockerfile (upload from your machine)

For code that lives on your laptop. The CLI tars the project directory, uploads it, and asks the agent to docker build it locally on your VPS:

cd ~/my-app                    # directory with a Dockerfile
impreza deploy \
  --agent agt_xxxxxxxxxxxx \
  --name my-app \
  --cpus 1.0 --memory-mb 512 \
  --follow

Same operation via API (two-step: upload context, then deploy):

# 1. Upload the project as a gzip tarball
tar czf - . | curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom/contexts \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/gzip" \
  --data-binary @-
# → returns {context_id, sha256, expires_at}

# 2. Reference that context_id in a deploy
curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-app",
    "agent_id": "agt_xxxxxxxxxxxx",
    "context_id": "ctx_xxxxxxxxxxxx",
    "dockerfile_path": "Dockerfile",
    "target_port": 8080,
    "cpus": 1.0,
    "memory_mb": 512
  }'

Public git repository

Point at a public https git URL — the agent does a shallow clone (git clone --depth=1 --branch=<ref>) and builds the Dockerfile from the cloned tree. No local upload needed:

curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-app",
    "agent_id": "agt_xxxxxxxxxxxx",
    "git_url": "https://github.com/your-user/your-repo",
    "git_ref": "main",
    "dockerfile_path": "Dockerfile",
    "target_port": 8080,
    "cpus": 1.0,
    "memory_mb": 512
  }'

Public repositories only in this version. Private repos (deploy keys / OAuth tokens) are on the roadmap — for now, either make the repo public or upload via the local-Dockerfile path above.

Auto-deploy on git push

Once a deployment is created with git_url, you can connect its repo’s push webhook so every commit to the watched branch redeploys the app automatically — no extra command, no polling. Three ways to enable it:

From the My Apps panel (Advanced view): expand 🔗 Connect GitHub for auto-deploy on the deployment card, paste a Fine-grained GitHub PAT, confirm. Done.
From an AI assistant: the MCP tools impreza_git_webhook_connect, impreza_git_webhook_status, and impreza_git_webhook_disconnect cover the full lifecycle.

From the REST API:

curl -X POST https://api.imprezahost.com/v1/platform/deployments/custom/dpl_xxxxxxxxxxxx/git-webhook/connect \
  -H "X-API-Key: imp_..." -H "X-API-Secret: ..." \
  -H "Content-Type: application/json" \
  -d '{"github_pat": "github_pat_..."}'

Generate the PAT at github.com/settings/personal-access-tokens/new with scope Repository → Webhooks: Read and write on the target repo (and nothing else). We validate the token, install the webhook, then discard it — we only keep the webhook id (to delete later) and a fresh per-deployment HMAC secret (to verify incoming push payloads). Pushes get redeployed via the same smart-replace path used by every redeploy: re-clone at the new HEAD, rebuild, restart in place.

Disconnect works the same way — with a PAT supplied we also delete the hook from your repo on GitHub’s side; without it, we only flip our local switch and pushes 200-noop on our receiver. GitHub eventually marks the hook as failing in its UI either way.

AI tools (MCP) #

impreza-mcp is the Model Context Protocol server that lets AI tools call Impreza Host directly — no copy-pasting URLs, no leaving the chat. Loaded once into your AI tool, the AI gains 13 tools it can call autonomously:

Tool	Does
`impreza_list_servers`	List the customer’s VPSes + agents
`impreza_list_apps`	Browse the catalog
`impreza_list_deployments`	What’s currently running
`impreza_deploy_custom`	Deploy code from cwd (image / dockerfile / manifest)
`impreza_deploy_catalog_app`	Install a catalog app
`impreza_uninstall_deployment`	Tear down a deployment
`impreza_restart_deployment`	Restart a deployment’s containers
`impreza_get_logs`	Tail the last N lines of container logs
`impreza_change_domain`	Re-route a running deployment to a new hostname
`impreza_add_onion`	Provision a Tor mirror for an existing deployment
`impreza_git_webhook_status`	Inspect the auto-deploy connection of a git-backed deployment
`impreza_git_webhook_connect`	Install a GitHub push webhook so every commit auto-redeploys
`impreza_git_webhook_disconnect`	Disable auto-deploy (optionally also delete the hook on GitHub)

Setup (one command)

npx -y impreza-mcp setup --tool claude-code
# also supported: cursor | continue | zed | codex-cli

The wizard prints the ready-to-paste JSON config block + the exact file path for the target tool (e.g. ~/Library/Application Support/Claude/claude_desktop_config.json on macOS). Paste, fill in IMPREZA_API_KEY + IMPREZA_API_SECRET, restart the AI tool.

Manual config (Claude Code shown — same shape for Cursor and Codex CLI)

{
  "mcpServers": {
    "impreza": {
      "command": "npx",
      "args": ["-y", "impreza-mcp"],
      "env": {
        "IMPREZA_API_KEY": "imp_...",
        "IMPREZA_API_SECRET": "..."
      }
    }
  }
}

Source: github.com/imprezahost/impreza-mcp · npm: impreza-mcp

CLI `impreza` #

Single static binary in Go. Mac (amd64/arm64), Linux (amd64/arm64), Windows (amd64).

# Setup (one-time)
impreza login

# Deploy your project (Dockerfile in cwd)
impreza deploy --agent agt_xxxxxxxxxxxx --follow

# Re-deploy with the same name (uninstalls old + creates new)
impreza deploy --agent agt_xxxxxxxxxxxx --name my-app --follow --force

# Browse + manage
impreza platform servers list
impreza platform apps list
impreza platform deployments list
impreza platform deployments show dpl_xxxxxxxxxxxx
impreza platform deployments logs dpl_xxxxxxxxxxxx
impreza platform deploy vaultwarden --agent agt_... --domain vault.example.com

# Multiple accounts? Named contexts.
impreza context create work --key imp_... --secret ...
impreza context use work

Source: github.com/imprezahost/impreza-devkit (cli-go/). Releases publish prebuilt binaries.

REST API #

Every Impreza Host operation has a REST endpoint. Use it directly with curl, the SDK Go, or the official Python impreza-sdk.

Base URL: https://api.imprezahost.com
Auth: X-API-Key + X-API-Secret headers (rotate via clientarea → API keys)
IP whitelist: every key has an allow-list; whitelist the caller’s public IP before use
Envelope: {success, data, error, meta: {request_id, timestamp}}
Rate limits: 60 req/min/key default — raise per-key in clientarea

Full reference: api.html (interactive Swagger UI over the OpenAPI 3.1 spec) · machine-readable: openapi.yaml

Endpoint surface (high-level)

Path prefix	What it covers
`/v1/platform/servers`	Managed servers + agent bootstrap tokens
`/v1/platform/apps`	Curated app catalog
`/v1/platform/deployments`	Catalog deployments (create, list, show, uninstall, restart, logs, change-domain, add-onion)
`/v1/platform/deployments/custom`	Custom deployments (image / dockerfile / git / manifest) + context upload
`/v1/agent/*`	Used by the agent daemon — bootstrap, poll, report, deploy-result, logs, DNS-01 challenge proxy
`/v1/account, /v1/domains, /v1/email, /v1/vps, /v1/dedicated, /v1/orders, /v1/invoices, /v1/webhooks`	The rest of the customer surface — managing the products you buy from Impreza

SDK Go #

The official Go SDK — used by the CLI + the agent + the MCP server. Same source repo as the CLI: github.com/imprezahost/impreza-devkit (sdk-go/).

import sdkclient "github.com/imprezahost/impreza-devkit/sdk-go/client"

c, _ := sdkclient.New(sdkclient.Context{
    Key: "imp_...", Secret: "...",
})
servers, _ := c.PlatformListServers(context.Background())
for _, s := range servers.Servers {
    fmt.Println(s.AgentID, s.Hostname, s.Status)
}

A Python SDK (impreza-sdk) exists with the same surface — see pypi.org/project/impreza-sdk.

Tor (.onion) #

Every deployment can publish a Tor v3 hidden service alongside its clearnet URL — just pass onion: true. The agent runs a Tor sidecar container, provisions a fresh ed25519 keypair (persists it under the deployment’s state dir), and emits the .onion address back via the deploy result.

Pure-onion deploys (no clearnet) are supported — set onion: true and omit domain. The agent will back-fill DOMAIN + DOMAIN_URL in the container env with the published .onion so apps that need to know their own URL get the right value.

Authentication #

Customer ↔ API: X-API-Key (imp_…) + X-API-Secret headers. Generate in clientarea → API Keys. Whitelist your IP.
Agent ↔ API: X-Agent-Id (agt_…) + X-Agent-Secret headers, issued once at bootstrap and persisted to /etc/impreza-agent/credentials.toml.

Limits + abuse #

Cgroups: every custom deploy gets --cpus + --memory applied at container start. Defaults are 1 CPU / 512 MB if you don’t specify. Override via cpus + memory_mb in the deploy body, clamped against the VPS’s reported memory.
Build context size: tarball uploads cap at 100 MB per context. Pack a leaner build context (use a .dockerignore on your end) — the CLI bakes in the usual exclusions (.git, node_modules, __pycache__, …).
API rate limit: 60 req/min/key default. Raise per-key in clientarea.
Trust model: we trust the customer — the VPS is yours, the agent runs your code, cgroup ceilings prevent runaway containers. We do not currently scan images or Dockerfiles.

Open source #

Repository	What it is	License
impreza-devkit	SDK Go + CLI + agent source + Caddy DNS provider	—
impreza-mcp	MCP server (Node TypeScript) — npm: `impreza-mcp`	MIT
agent-public	Public agent installer + prebuilt binaries (amd64 / arm64)	—

Help #

Clientarea — billing, services, API keys, app management
support@imprezahost.com — support
imprezahost.com — main site

For AI tools: a structured index at /llms.txt and a single-file dump of all docs at /llms-full.txt — paste either into your AI’s context to brief it on the whole platform in one shot.