Skillibary

Self-hosting

You can run your own Skillibary instance in about an hour. The stack is Supabase (Postgres + pgvector + auth) and Vercel (Next.js web app). The MCP server is optional and runs anywhere Node does.

This page covers the moving parts. For the exact command-by-command walkthrough, see docs/DEPLOY.md in the repo, which is kept in sync with the source.

Prerequisites

  • Node.js 18 or newer, pnpm 9+
  • A Supabase project (the free tier works to start)
  • A Vercel account (free tier is fine)
  • A GitHub OAuth app for user login
  • API keys: Anthropic (verification) and Voyage AI (embeddings)

Apply migrations in order

Paste each migration into the Supabase SQL editor and run it. Order matters: the auth policies in 002 reference tables created in 001, and 003 assumes the schema is in place.

migrations/001_init.sql      # tables, pgvector, match_skills RPC
migrations/002_auth.sql      # RLS policies for GitHub OAuth users
migrations/003_perf_indexes.sql  # indexes + atomic use-count RPC

Configure environment variables

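Six values live in web/.env.local for local development and in Vercel project settings for production. Next.js exposes only the two NEXT_PUBLIC_ variables to the browser; the other four are server-side secrets, and the Supabase service_role key bypasses row-level security, so it must never get a NEXT_PUBLIC_ prefix: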

.env.local
NEXT_PUBLIC_SUPABASE_URL=https://<ref>.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=<anon key>
SUPABASE_SERVICE_KEY=<service_role>
ANTHROPIC_API_KEY=sk-ant-...
VOYAGE_API_KEY=pa-...
ADMIN_SECRET=<long random string>

ADMIN_SECRET is the password for the moderator panel at /admin. Generate one:

bash
openssl rand -hex 32

The web app never ships the secret to the browser. It is used to sign a short-lived HMAC token that the cookie carries; the secret itself stays server-side.
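
The pattern described above, as an added Node.js example (not Skillibary's own code): a login check against ADMIN_SECRET followed by an HMAC-signed token with an expiry. The token layout, the 15-minute lifetime, the cookie name admin_session and all function names are assumptions made for illustration.

```javascript
// Added example: HMAC-signed, short-lived admin token (assumed format, not the project's).
const crypto = require("crypto");

const TTL_SECONDS = 15 * 60; // assumed lifetime; the page only says "short-lived"

// HMAC-SHA256 over the payload, keyed with ADMIN_SECRET, base64url-encoded.
function sign(payload, secret) {
  return crypto.createHmac("sha256", secret).update(payload).digest("base64url");
}

// Constant-time comparison of the submitted password against ADMIN_SECRET.
// Hashing both sides first gives timingSafeEqual equal-length inputs.
function checkPassword(submitted, secret) {
  const a = crypto.createHash("sha256").update(submitted).digest();
  const b = crypto.createHash("sha256").update(secret).digest();
  return crypto.timingSafeEqual(a, b);
}

// Token = "<expiry unix seconds>.<signature>". Only the expiry and the MAC
// leave the server; the secret is never part of the cookie value.
function issueToken(secret, nowSec = Math.floor(Date.now() / 1000)) {
  const exp = String(nowSec + TTL_SECONDS);
  return `${exp}.${sign(exp, secret)}`;
}

// Recompute the MAC over the claimed expiry and compare before trusting it.
function verifyToken(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof token !== "string") return false;
  const parts = token.split(".");
  if (parts.length !== 2 || !/^\d{1,12}$/.test(parts[0])) return false;
  const got = Buffer.from(parts[1]);
  const want = Buffer.from(sign(parts[0], secret));
  // timingSafeEqual throws on length mismatch, so check length first.
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return false;
  return Number(parts[0]) > nowSec; // expiry is checked only after the MAC
}

// Cookie attributes that keep the token away from page scripts and plain HTTP.
function adminCookie(token) {
  return `admin_session=${token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${TTL_SECONDS}`;
}
```

Because the token is stateless, rotating ADMIN_SECRET is what invalidates every outstanding admin cookie at once.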

Connect GitHub OAuth

In Supabase, Authentication → Providers → GitHub, paste your OAuth app's client id and secret. On the GitHub side, the callback URL is:

https://<project-ref>.supabase.co/auth/v1/callback

After the first Vercel deploy, also add your production domain to Authentication → URL Configuration → Site URL and to the allowed redirect list. Without that, OAuth callbacks fail with a "redirect not allowed" error.

Health checks

After deploying, sanity-check the pieces:

  • GET / returns the landing page
  • POST /api/admin/login with the secret returns { ok: true }
  • GET /api/skills/by-name/<name> returns 404 until your first verified skill exists, then 200 with the body
  • /skills/<id> renders for verified skills, 404s for pending or rejected ones

The MCP server

If you want clients to be able to install your registry via npx skillibary-mcp with their own credentials, the MCP server in src/ needs no changes. Build it, run npm publish with a name you control, and document the config in your own copy of "Install in your agent".