Before deploying PocketBase to production, you need to configure several settings and follow best practices to ensure security, reliability, and performance.

Pre-deployment checklist

1. Enable encryption

Set an encryption key to protect sensitive settings like SMTP passwords and S3 secrets.
export PB_ENCRYPTION_KEY="your-random-32-character-key"
Generate a secure key:
openssl rand -hex 16
Store this encryption key securely. If you lose it, you won’t be able to decrypt your settings.
2. Configure HTTPS

Never run PocketBase in production without HTTPS. Use a reverse proxy like nginx or Caddy to handle SSL/TLS termination. PocketBase also has built-in autocert support:
./pocketbase serve --https="example.com:443"
This automatically obtains and renews Let’s Encrypt certificates.
3. Set up automated backups

Configure automatic backups using the cron expression in your settings:
{
  "backups": {
    "cron": "0 2 * * *",
    "cronMaxKeep": 7
  }
}
This runs backups daily at 2 AM and keeps the last 7 backups. See the backups documentation for more details.
4. Configure trusted proxy

If running behind a reverse proxy, configure the trusted proxy settings to correctly identify client IPs:
{
  "trustedProxy": {
    "headers": ["X-Forwarded-For", "X-Real-IP"],
    "ips": ["127.0.0.1", "192.168.1.0/24"]
  }
}
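The reason the ips list must contain only your own proxies is that a forwarding header is trustworthy only when the TCP peer that sent it is one of them; anyone else can put an arbitrary value in X-Forwarded-For. The following is an added illustration (not PocketBase's own code) of how a proxy-aware server resolves the client address from a config shaped like the block above; TRUSTED_PROXY and the addresses used are constructed for the example.

```python
import ipaddress

# Constructed config mirroring the trustedProxy block above (example, not PocketBase code)
TRUSTED_PROXY = {
    "headers": ["X-Forwarded-For", "X-Real-IP"],
    "ips": ["127.0.0.1", "192.168.1.0/24"],
}

def is_trusted_proxy(ip, trusted):
    """True if ip falls inside any trusted address or CIDR range; False for garbage."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted)

def client_ip(remote_addr, headers, cfg=TRUSTED_PROXY):
    """Resolve the real client address the way a proxy-aware server should.

    Forwarding headers are honoured only when the TCP peer (remote_addr) is a
    trusted proxy; a client connecting directly cannot spoof its address by
    sending X-Forwarded-For. For a comma-separated chain, walk from the right
    (the hop appended by the nearest proxy) and return the first address that
    is not itself a trusted proxy, so only proxy-appended hops are believed.
    """
    if not is_trusted_proxy(remote_addr, cfg["ips"]):
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in cfg["headers"]:
        raw = lowered.get(name.lower(), "")
        hops = [h.strip() for h in raw.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                continue  # malformed entry (not an IP); skip it
            if not is_trusted_proxy(hop, cfg["ips"]):
                return hop
    return remote_addr  # every hop was a trusted proxy; fall back to the peer
```

If a rate-limit rule keyed on client IP is misconfigured so that untrusted peers' headers are believed, one client can exhaust other users' quota or evade its own, so test this resolution against your proxy layout before enabling rate limits.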
5. Enable rate limiting

Configure rate limits to protect against abuse:
{
  "rateLimits": {
    "enabled": true,
    "rules": [
      {
        "label": "auth:signin",
        "maxRequests": 10,
        "duration": 60
      }
    ]
  }
}
6. Set up monitoring

Enable request logging to monitor your application:
{
  "logs": {
    "maxDays": 7,
    "minLevel": "info"
  }
}
Logs are stored in pb_data/logs.db.

Security considerations

Change default admin credentials

After first deployment, immediately:
  1. Log in to the admin UI at /_/
  2. Create a new superuser account
  3. Delete or disable the default account

Restrict API access

Use collection rules to control data access:
// List rule - only authenticated users
@request.auth.id != ""

// View rule - owner only
@request.auth.id = id

// Create rule - authenticated users with email verification
@request.auth.id != "" && @request.auth.verified = true

Secure file uploads

Configure file upload restrictions:
{
  "maxSize": 5242880,
  "mimeTypes": ["image/jpeg", "image/png", "image/gif"],
  "thumbs": ["100x100"]
}

Environment-specific settings

Never commit sensitive values to version control. Use environment variables:
# .env file (add to .gitignore)
export PB_ENCRYPTION_KEY="..."
export SMTP_PASSWORD="..."
export S3_SECRET="..."

Performance optimization

Database optimization

PocketBase uses SQLite with WAL (Write-Ahead Logging) mode enabled by default for better concurrency. For high-traffic applications:
  1. Ensure adequate disk I/O: Use SSDs for better performance
  2. Monitor database size: Large databases (>100GB) may benefit from external storage solutions
  3. Use indexes: Add indexes to frequently queried fields

File storage

For production applications with many file uploads, consider using S3-compatible storage:
{
  "s3": {
    "enabled": true,
    "bucket": "my-app-files",
    "region": "us-east-1",
    "endpoint": "s3.amazonaws.com",
    "accessKey": "...",
    "secret": "...",
    "forcePathStyle": false
  }
}
When using S3 for collection files, backups don’t include S3 files. You must back up S3 separately using your cloud provider’s backup tools.

Connection limits

PocketBase handles concurrent connections efficiently. For very high traffic:
  1. Use a reverse proxy with connection pooling
  2. Deploy multiple PocketBase instances behind a load balancer (read-only replicas)
  3. Use CDN for static assets

Scaling strategies

Vertical scaling

PocketBase scales well vertically:
  • Small apps: 1 CPU, 512MB RAM
  • Medium apps: 2 CPUs, 2GB RAM
  • Large apps: 4+ CPUs, 4GB+ RAM

Horizontal scaling

For read-heavy workloads, you can set up read replicas:
  1. Run a primary PocketBase instance for writes
  2. Replicate the database to read-only instances
  3. Route read traffic to replicas
PocketBase doesn’t have built-in cluster support. Horizontal scaling requires custom replication setup.

Monitoring and maintenance

Health checks

Poll the built-in health endpoint from your monitoring system or container health check; the -f flag makes curl exit non-zero on an HTTP error status:
curl -f http://localhost:8090/api/health || exit 1

Log monitoring

Query logs programmatically with the JavaScript SDK (the logs API requires a superuser session):
import PocketBase from 'pocketbase';

const pb = new PocketBase('https://example.com');

// first page of 50 entries, newest first
const logs = await pb.logs.getList(1, 50, {
  filter: 'level >= 400',
  sort: '-created'
});

Backup verification

Regularly test backup restoration:
  1. Download a recent backup
  2. Restore to a test environment
  3. Verify data integrity
  4. Test critical functionality

Update strategy

1. Review changelog

Check the PocketBase release notes for breaking changes.
2. Test in staging

Deploy the new version to a staging environment first.
3. Create backup

Always create a backup before updating.
./pocketbase backup
4. Update binary

Replace the PocketBase executable with the new version.
wget https://github.com/pocketbase/pocketbase/releases/download/v0.x.x/pocketbase_0.x.x_linux_amd64.zip
unzip pocketbase_0.x.x_linux_amd64.zip
chmod +x pocketbase
5. Run migrations

PocketBase automatically runs migrations on startup.
./pocketbase serve
6. Verify deployment

Test critical functionality after the update.

Disaster recovery

Backup strategy

Implement a 3-2-1 backup strategy:
  • 3 copies of your data
  • 2 different storage media
  • 1 off-site backup
Example:
  1. Live data in pb_data
  2. Local backups in pb_data/backups
  3. Remote backups in S3
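A backup you have never opened is not a backup. As an added example (not part of the PocketBase docs or code base) covering both the "Backup verification" steps and the off-site copy in the 3-2-1 strategy, the script below opens a backup archive, CRC-checks every member, extracts data.db and runs SQLite's integrity_check on it, confirms the _collections table is present, and returns a SHA-256 to record beside the remote copy. It assumes the archive is a zip of pb_data with data.db at its root; build_sample_backup creates a constructed archive for trying it out.

```python
import hashlib
import sqlite3
import tempfile
import zipfile
from pathlib import Path

def verify_backup(archive):
    """Check a backup zip: readable, member CRCs intact, data.db present and
    passing SQLite's integrity_check. Returns (ok, sha256, problems)."""
    if not zipfile.is_zipfile(archive):
        return False, None, ["not a readable zip archive"]
    problems = []
    with zipfile.ZipFile(archive) as zf:
        bad = zf.testzip()  # CRC-checks every member
        if bad is not None:
            problems.append("corrupt member: %s" % bad)
        if "data.db" not in zf.namelist():
            problems.append("data.db missing from archive")
        else:
            with tempfile.TemporaryDirectory() as tmp:
                con = sqlite3.connect(zf.extract("data.db", tmp))
                try:
                    if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                        problems.append("data.db fails integrity_check")
                    # PocketBase keeps collection definitions in _collections
                    if not con.execute("SELECT 1 FROM sqlite_master "
                                       "WHERE name='_collections'").fetchone():
                        problems.append("data.db has no _collections table")
                finally:
                    con.close()
    # Streamed digest, recorded beside each off-site copy so it can be re-checked
    h = hashlib.sha256()
    with open(archive, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return not problems, h.hexdigest(), problems

def build_sample_backup(with_db=True):
    """Constructed sample archive for exercising verify_backup (not a real backup)."""
    tmp = Path(tempfile.mkdtemp())
    archive = tmp / "pb_backup_sample.zip"
    with zipfile.ZipFile(archive, "w") as zf:
        if with_db:
            con = sqlite3.connect(tmp / "data.db")
            con.execute("CREATE TABLE _collections (id TEXT PRIMARY KEY, name TEXT)")
            con.commit()
            con.close()
            zf.write(tmp / "data.db", "data.db")
    return str(archive)
```

Run verify_backup against the newest file in pb_data/backups before the off-site copy is made, and again against the remote copy, comparing the two digests; a mismatch or any non-empty problems list should alert rather than silently rotate.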

Recovery procedures

Document and test your recovery procedures:
# 1. Stop PocketBase
sudo systemctl stop pocketbase

# 2. Backup current state (if corrupted)
mv pb_data pb_data.corrupted

# 3. Restore from backup
./pocketbase backup restore backup_name.zip

# 4. Restart PocketBase
sudo systemctl start pocketbase
The restore operation requires a Unix-based system (Linux or macOS). It’s not supported on Windows.

Next steps

Backups

Learn how to configure and manage backups

Migrations

Understand the migration system for schema changes