The journey end-to-end
{subdomain}.engine.openlegion.ai runs the full OpenLegion engine — the same software available to self-hosted users.
1. Sign up
Sign in at app.openlegion.ai/signin with Google, GitHub, or Discord (whichever your operator has enabled). There is no email / password option, no magic link, no anonymous mode. The first OAuth callback creates your account; subsequent sign-ins reuse it. Sessions use a stateless JWT strategy — there is no server-side session revocation.2. Pick a plan
Four self-serve tiers are available; Enterprise is contact-sales only.| Plan | Monthly | Yearly | Agents | Browsers | Projects |
|---|---|---|---|---|---|
| Basic | $19/mo | $170/yr | 1 | 1 | 0 |
| Growth | $59/mo | $530/yr | 5 | 5 | 2 |
| Pro | $149/mo | $1,340/yr | 15 | 10 | 5 |
| Pro Max | $279/mo | $2,510/yr | 30 | 30 | 10 |
No free trial. Your card is charged at checkout. Payments are processed by Polar (the checkout, webhooks, and billing portal are Polar-hosted). For higher limits, dedicated infra, or a custom contract, email admin@openlegion.ai.
3. Choose a subdomain
After checkout you land on the setup wizard. Pick a subdomain — this becomes your permanent fleet URL:api, admin, dashboard, app, auth, www, etc.) are blocked. The page live-checks availability as you type (500ms debounce). Subdomains held by deprovisioned or failed instances are released back into the pool.
4. Provisioning
Your dedicated server is being set up. The setup page polls every 10s and shows live progress through four stages:- Creating your dedicated server — a Hetzner Cloud VPS is provisioned. ARM is preferred (cax11/cax21/cax31/cax41) with x86 fallback (cpx21/cpx31/ccx23/ccx43). Provisioner tries the fallback chain up to 3 times with 30s / 120s / 300s backoff.
- Installing OpenLegion — cloud-init installs the ufw firewall, hardens SSH, installs Docker (GPG-verified), Caddy (auto-SSL via Let’s Encrypt), and a tiny Python auth-gate sidecar on
127.0.0.1:9401. The engine repo is cloned and the systemdopenlegionservice is enabled (but not yet started). - Configuring your instance — your selected LLM API keys (11 allowlisted providers, 256-char per value) are written, the auth-gate’s access token is provisioned, and the engine starts.
- Go live — DNS (Cloudflare A record, TTL 60s,
dns_only=True) propagates, Caddy issues your TLS cert, and the engine becomes reachable on your subdomain.
running the app polls /api/instance/ready for up to 5 minutes waiting for the public URL.
Every configured managed instance is provisioned with OpenLegion’s credit-backed proxy as the default model (openlegion/openai/gpt-5.4). You don’t need to bring your own API key to start chatting; BYOK keys you supply at configure time overlay on top of the credit proxy.
If provisioning fails
The setup wizard renders an error card with a Retry button. Three failure modes:failed(generic) — full VPS cleanup, retry runs from scratchbootstrap_failed— SSH never came up or cloud-init failed — VPS is cleaned upconfiguration_failed— VPS is healthy but the configure step failed — the VPS is kept and retry just re-runs/configure
queued / provisioning / bootstrapping → failed; >10 min in configuring → configuration_failed; >45 min in deprovisioning → deprovisioned.
5. Open Dashboard (SSO into the engine)
Once your instance isrunning, the app dashboard surfaces an Open Dashboard button. This is the only way to enter the engine from the app — direct navigation to your subdomain requires an active engine session.
Click it and:
- The app calls
/api/auth/engine-login?subdomain=...(rate-limited 10/60s). - The app decrypts your stored access token (AES-256-GCM) and signs a short-lived token:
{expiry}.HMAC-SHA256(raw_token, "{subdomain}:{expiry}")with a 5-minute TTL. - Your browser is 302-redirected to
https://{subdomain}.engine.openlegion.ai/__auth/callback?token=.... - The auth-gate sidecar (running on the VPS, separate from the engine) verifies the HMAC, enforces TTL, rejects replays, and sets an
ol_sessioncookie (HttpOnly, Secure, SameSite=Lax, 24h max-age). - You’re redirected to your engine root.
forward_auth checking that cookie. The cookie auto-renews if its remaining life is below half the max age.
6. The engine dashboard
You land on the engine SPA at{subdomain}.engine.openlegion.ai. Four top-nav tabs:
| Tab | What you do here |
|---|---|
| Chat | Multi-agent chat. Your primary conversation surface. |
| Work | Kanban (Pending / Working / Blocked / Done), “Needs You” panel, activity feed with pinned blockers, recently delivered previews. |
| Team | Agent grid. Inspect, edit, and manage individual agents. |
| Settings | 11 sub-tabs: Activity, Costs, Automation, Integrations, API Keys, Wallet, Network, Storage, Operator, Browser, Settings. |
/ws/events WebSocket (50 event types, 500-event ring buffer).
What you get with every plan
- Dedicated single-tenant VPS — one VPS per subscription. No shared engine processes between users.
- Custom subdomain —
{your-name}.engine.openlegion.ai - Container-isolated agent execution — each agent in its own Docker container with private memory, tools, schedule, and budget
- OpenLegion-managed LLM credits — every instance ships with the credit-backed
openlegion/openai/gpt-5.4default model. BYOK keys overlay on top to add more providers. - 100+ LLM providers via LiteLLM
- Multi-channel support — Telegram, Discord, Slack, WhatsApp, and Webhook
- Real-time monitoring dashboard with cost tracking and budgets
- Browser automation — plan-dependent concurrent browsers (1, 5, 10, or 30)
- Automatic health monitoring — provisioner pings every 5 minutes and auto-restarts unhealthy instances up to 3 times
Self-hosting vs managed
| Managed Hosting | Self-Hosted | |
|---|---|---|
| Setup | Sign up and go live in ~5-12 minutes | Clone repo, install dependencies, configure |
| Infrastructure | Hetzner Cloud VPS provisioned + maintained by us | You manage the server |
| Updates | Pushed by the OpenLegion team; no user action required | You pull and restart |
| Monitoring | Built-in health checks + auto-recovery | You set up monitoring |
| LLM credits | OpenLegion credit proxy included; BYOK overlays | BYOK only |
| Cost | 279/mo + your LLM API costs (or use managed credits) | Your VPS + LLM API costs |
| Control | Full engine via SSO; some operations user-gated (see below) | Full source + filesystem access |
What the app dashboard does NOT do
The app atapp.openlegion.ai is intentionally narrow. It handles signup, billing, provisioning, and SSO — it does not offer:
- User-initiated pause / resume (pause happens automatically after 3 days past-due)
- Region picker (server location chosen by provisioner fallback chain)
- “Rotate access token” UI
- Re-configure-API-keys UI (configure is fire-once; change keys from the engine’s Settings → API Keys tab)
- Multi-instance support (one VPS per subscription)
- Log streaming or per-agent metrics dashboards
Billing problems
If a payment fails, your subscription enters past_due and a banner appears on the app dashboard. You keep service for a 3-day grace period to update your payment method. After 3 days the instance is paused (systemctl stop); after 14 days without payment the VPS is permanently deprovisioned (and all data with it). See Plans & Billing for details.
Get Started
Sign up and launch your fleet in roughly 5-12 minutes.
