Self-Hosted Enterprise Gateway
The ThinkReview Enterprise Gateway runs AI code review and conversational review inside your network. Your source code, git credentials, and LLM traffic stay on your infrastructure. ThinkReview cloud handles licensing and review-engine bundle delivery only — not your patches or repo data.
Teams subscription required
Self-hosted Enterprise Gateway is available on the Teams plan only — it is not included on Free, Lite, or Professional plans.
After your Teams account is provisioned for enterprise gateway, you receive a license key and tenant ID to deploy. The full deploy wizard (copy-paste Docker Compose, .env, and Azure CLI) lives in the ThinkReview webapp → Enterprise Gateway portal.
Want to try it first? Contact support or email support@thinkreview.dev to request a Teams trial with Enterprise Gateway access.
What stays where
| Data | Location |
|---|---|
| Pull request diffs, git tool results | Your gateway + your LLM |
| LLM API key, git PAT | Your gateway (env vars or local secrets file) |
| Review prompts & tool engine bundles | Downloaded from ThinkReview cloud at startup (signed) |
| User accounts, billing, agents | ThinkReview cloud |
/reviewPatchCode_1_1, /getConversationalReview_1_1).
Prerequisites
- Teams subscription (contact support to request a trial if you are not on Teams yet).
- Enterprise onboarding — license key + tenant ID from ThinkReview after your tenant is provisioned.
- A host that can run Docker or Azure Container Apps.
- Network egress to https://us-central1-thinkgpt.cloudfunctions.net (license activation, heartbeat, bundle download).
- An OpenAI-compatible LLM endpoint and API key.
Step 1 — Deploy the gateway image
ThinkReview publishes the gateway image to Azure Container Registry (anonymous pull — no login required):
thinkreviewgateway.azurecr.io/gateway:latest
Pin a version tag (e.g. :1.0.3) for controlled upgrades. The image is linux/amd64; on Apple Silicon Macs add --platform linux/amd64 when pulling or running.
Option A — Docker Compose (recommended for VMs)
~/thinkreview-gateway).
docker-compose.yml and .env — copy the blocks from the Enterprise Gateway portal, or use the template below.
.env (see Minimum environment variables).
bash
docker compose up -d
bash
curl http://localhost:8443/health
Expect "status":"ok" and "engineReady":true.
Docker Compose volumes: The default compose file mounts persistent volumes for downloaded bundles and for secrets written by webapp Apply. This survives container restarts on the same Docker host.
Option B — Azure Container Apps
Minimum deploy needs only license + tenant at setup. Example:
bash
az containerapp create \
  -n thinkreview-gateway \
  -g YOUR_RESOURCE_GROUP \
  --environment YOUR_CONTAINERAPPS_ENV \
  --image thinkreviewgateway.azurecr.io/gateway:latest \
  --target-port 8080 \
  --ingress external \
  --min-replicas 1 \
  --cpu 1 --memory 2Gi \
  --secrets license-key="YOUR_LICENSE_KEY" \
  --env-vars \
    THINKREVIEW_TENANT_ID="YOUR_TENANT_ID" \
    THINKREVIEW_LICENSE_KEY=secretref:license-key \
    THINKREVIEW_LICENSE_URL="https://us-central1-thinkgpt.cloudfunctions.net" \
    NODE_ENV=production \
    PORT=8080 \
    BUNDLE_CACHE_DIR=/var/thinkreview/bundles
Verify: curl https://
For ARM template and portal-based deploy, use the Azure tab in the Enterprise Gateway portal.
Minimum environment variables
These two are required before the gateway can activate its license and download review bundles:
| Variable | Description |
|---|---|
| THINKREVIEW_LICENSE_KEY | From your ThinkReview onboarding email |
| THINKREVIEW_TENANT_ID | Your enterprise tenant id (e.g. acme-corp) |
Step 2 — Configure LLM and git (webapp)
- Gateway URL — public URL of your gateway (e.g. https://thinkreview-gateway.yourcompany.internal:8443 or your Azure Container Apps URL).
- LLM — base URL, API style, model, timeout, and API key.
- Git (optional) — platform, base URL, and PAT for tool calling.
After apply, /health should show remoteConfigLoaded: true and secretsConfigured.llm: true (when the API key was applied).
LLM API styles
| LLM_API_STYLE | Use for | Auth |
|---|---|---|
| azure-openai | Azure OpenAI, Azure AI Foundry | api-key header |
| openai | OpenAI, OpenRouter, vLLM, LiteLLM | Bearer token |
| ollama | Local Ollama | Bearer (if set) |
Azure OpenAI example:
LLM_BASE_URL=https://YOUR-RESOURCE.openai.azure.com/openai/deployments/YOUR-DEPLOYMENT
LLM_API_STYLE=azure-openai
LLM_MODEL=gpt-4o
OpenRouter example:
LLM_BASE_URL=https://openrouter.ai/api/v1
LLM_API_STYLE=openai
LLM_MODEL=anthropic/claude-sonnet-4
Step 3 — Configure the browser extension
- Local Docker: http://localhost:8443
- Azure: https://thinkreview-gateway..azurecontainerapps.io
- On-prem: https://thinkreview-gateway.yourcompany.internal:8443
/health and report the gateway is ready.
Review and conversational calls go to your gateway. User sign-in, billing, and agents still use ThinkReview cloud.
Optional environment variables
Configure via .env, Container App env vars, or webapp Gateway settings (non-secret fields). Secrets (LLM_API_KEY, GIT_PAT) are never stored in ThinkReview cloud remote config — only on the gateway.
| Variable | Purpose |
|---|---|
| LLM_BASE_URL | LLM endpoint |
| LLM_API_KEY | LLM API key (persist as env/secret on Azure) |
| LLM_API_STYLE | openai, azure-openai, or ollama |
| LLM_MODEL | Model or deployment name |
| LLM_TIMEOUT_MS | Request timeout (e.g. 540000 for slow Azure models) |
| MAX_PATCH_SIZE | Max diff size sent to the LLM |
| GIT_PAT | Git personal access token |
| GIT_PLATFORM | github, gitlab, bitbucket, azureDevOps |
| GIT_BASE_URL | Self-hosted git / Azure DevOps collection URL |
| GATEWAY_AUTH_MODE | none (default) or extension |
| EXTENSION_AUTH_TOKEN_PEPPER | Required when GATEWAY_AUTH_MODE=extension |
| GATEWAY_CONFIG_MODE | merge (default), env, or remote |
| LICENSE_HEARTBEAT_INTERVAL_MS | Bundle/config refresh interval (default 6 hours) |
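A pre-deploy check for the variables in the two tables above, added here as an example and not part of ThinkReview's tooling. The function names and the reading of GATEWAY_AUTH_MODE=none as "callers are not authenticated" are assumptions of this example.

```python
REQUIRED = ("THINKREVIEW_LICENSE_KEY", "THINKREVIEW_TENANT_ID")
ENUMS = {  # allowed values as listed on this page
    "LLM_API_STYLE": {"openai", "azure-openai", "ollama"},
    "GIT_PLATFORM": {"github", "gitlab", "bitbucket", "azureDevOps"},
    "GATEWAY_AUTH_MODE": {"none", "extension"},
    "GATEWAY_CONFIG_MODE": {"merge", "env", "remote"},
}

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip surrounding quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def lint_env(text):
    """Return findings in check order; an empty list means nothing was flagged."""
    env, findings = parse_env(text), []
    for name in REQUIRED:
        if not env.get(name):
            findings.append(f"{name}: required but missing or empty")
    for name, allowed in ENUMS.items():
        if name in env and env[name] not in allowed:
            findings.append(f"{name}: {env[name]!r} is not one of {sorted(allowed)}")
    mode = env.get("GATEWAY_AUTH_MODE", "none")  # the page gives none as the default
    if mode == "extension" and not env.get("EXTENSION_AUTH_TOKEN_PEPPER"):
        findings.append("EXTENSION_AUTH_TOKEN_PEPPER: required when GATEWAY_AUTH_MODE=extension")
    if mode == "none":
        # Assumption of this example: in mode none the gateway does not authenticate callers.
        findings.append("GATEWAY_AUTH_MODE: none, so restrict who can reach the gateway at the network layer")
    return findings

# Constructed sample .env; every value is a placeholder.
SAMPLE_ENV = """\
THINKREVIEW_TENANT_ID=acme-corp
THINKREVIEW_LICENSE_KEY=
LLM_API_STYLE=azure
GATEWAY_AUTH_MODE=extension
LLM_TIMEOUT_MS=540000
"""

if __name__ == "__main__":
    print("\n".join(lint_env(SAMPLE_ENV)))
```

Run it against the .env before `docker compose up -d`; the sample yields three findings (empty license key, invalid API style, missing pepper).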
bash
curl https://YOUR-GATEWAY-URL/health
Useful fields in the response:
| Field | Meaning |
|---|---|
| engineReady | Gateway can serve reviews |
| secretsConfigured.llm | LLM API key is present |
| configVersion | Remote config version from webapp |
| effectiveConfig.llm | Active LLM settings (no API key exposed) |
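A monitoring-side reading of these fields, added here as an example and not part of ThinkReview's tooling: it maps a /health body to the causes listed under Troubleshooting on this page and checks that effectiveConfig carries no credential-like value. The nesting of secretsConfigured and effectiveConfig, the key names inside effectiveConfig.llm, and the suffix heuristic are assumptions of this example.

```python
import json

# Key-name suffixes that suggest a credential (heuristic chosen for this example).
SECRET_SUFFIXES = ("key", "token", "secret", "password", "pat")

def find_secret_fields(obj, path):
    """List dotted paths whose key name looks like a credential and holds a string."""
    hits = []
    if isinstance(obj, dict):
        for name, value in obj.items():
            here = f"{path}.{name}"
            if isinstance(value, str) and value and name.lower().endswith(SECRET_SUFFIXES):
                hits.append(here)
            hits.extend(find_secret_fields(value, here))
    return hits

def triage_health(body, expect_git=False):
    """Map a /health JSON body to the causes this page's Troubleshooting lists."""
    health = json.loads(body)
    secrets = health.get("secretsConfigured") or {}
    findings = []
    if not health.get("engineReady"):
        findings.append("engineReady is false: check THINKREVIEW_LICENSE_KEY, "
                        "THINKREVIEW_TENANT_ID and egress to the license URL")
    if not health.get("remoteConfigLoaded"):
        findings.append("remoteConfigLoaded is false: apply Gateway settings from the webapp")
    if not secrets.get("llm"):
        findings.append("secretsConfigured.llm is false: LLM API key missing; on Azure "
                        "set minReplicas to 1 and persist LLM_API_KEY as a secret")
    if expect_git and not secrets.get("git"):
        findings.append("secretsConfigured.git is false: set GIT_PAT for git tools")
    for hit in find_secret_fields(health.get("effectiveConfig") or {}, "effectiveConfig"):
        findings.append(f"{hit}: credential-like value present in /health output")
    return findings

# Constructed response; names under effectiveConfig.llm are assumed, not documented.
SAMPLE_HEALTH = json.dumps({
    "status": "ok", "engineReady": True, "remoteConfigLoaded": True,
    "secretsConfigured": {"llm": False, "git": False}, "configVersion": 3,
    "effectiveConfig": {"llm": {"apiStyle": "azure-openai", "model": "gpt-4o"}},
})

if __name__ == "__main__":
    print("\n".join(triage_health(SAMPLE_HEALTH)))
```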
docker compose pull && docker compose up -d, or az containerapp update --image .... Restarting alone does not pull a new image.
Troubleshooting
LLM HTTP 401 after it was working
If reviews fail with:
LLM HTTP 401: Access denied due to invalid subscription key or wrong API endpoint
and /health shows secretsConfigured.llm: false, the gateway has lost its API key. Common causes:
minReplicas is 0, the container sleeps when idle. Webapp Apply writes the key to ephemeral disk (/var/thinkreview/secrets.json), which is wiped on cold start. Fix:
- Set minReplicas: 1, and
- Persist LLM_API_KEY as a Container App secret referenced by env var (recommended), or re-apply from Gateway settings after each cold start.
bash
az containerapp secret set \
  --name thinkreview-gateway \
  --resource-group YOUR_RESOURCE_GROUP \
  --secrets llm-api-key="YOUR_LLM_API_KEY"

az containerapp update \
  --name thinkreview-gateway \
  --resource-group YOUR_RESOURCE_GROUP \
  --set-env-vars LLM_API_KEY=secretref:llm-api-key LLM_API_STYLE=azure-openai
LLM_BASE_URL and LLM_API_STYLE=azure-openai match your Azure resource region and deployment URL.
/health shows engineReady: false
THINKREVIEW_LICENSE_KEY and THINKREVIEW_TENANT_ID are set.
us-central1-thinkgpt.cloudfunctions.net is allowed.
Extension cannot reach gateway
http://localhost:8443 only on the same machine as the browser.
GATEWAY_AUTH_MODE=extension, the extension must send a valid auth token and EXTENSION_AUTH_TOKEN_PEPPER must be set on the gateway.
Git tools not fetching repo context
GIT_PAT with read access to code (and PRs where required).
GIT_PLATFORM and GIT_BASE_URL for self-hosted git or Azure DevOps Server.
/health shows secretsConfigured.git: true.
Related docs
For deployment copy-paste blocks (Compose, .env, Azure CLI, ARM template), use the Enterprise Gateway portal in the webapp.