Self-Hosted Enterprise Gateway

The ThinkReview Enterprise Gateway runs AI code review and conversational review inside your network. Your source code, git credentials, and LLM traffic stay on your infrastructure. ThinkReview cloud handles licensing and review-engine bundle delivery only — not your patches or repo data.

Teams subscription required

Self-hosted Enterprise Gateway is available on the Teams plan only — it is not included on Free, Lite, or Professional plans.

After your Teams account is provisioned for enterprise gateway, you receive a license key and tenant ID to deploy. The full deploy wizard (copy-paste Docker Compose, .env, and Azure CLI) lives in the ThinkReview webapp → Enterprise Gateway portal.

Want to try it first? Contact support or email support@thinkreview.dev to request a Teams trial with Enterprise Gateway access.

## What stays where

| Data | Location |
|---|---|
| Pull request diffs, git tool results | Your gateway + your LLM |
| LLM API key, git PAT | Your gateway (env vars or local secrets file) |
| Review prompts & tool engine bundles | Downloaded from ThinkReview cloud at startup (signed) |
| User accounts, billing, agents | ThinkReview cloud |

## Architecture (high level)

  • Gateway container — HTTP server that exposes the same review endpoints as ThinkReview cloud (/reviewPatchCode_1_1, /getConversationalReview_1_1).

  • Your LLM — OpenAI-compatible endpoint (Azure OpenAI, OpenAI, OpenRouter, Ollama, etc.).

  • Optional git PAT — Enables repo-context tool calling during reviews (diff-only reviews work without it).

  • Browser extension — Routes review traffic to your gateway URL when configured.

## Prerequisites

  • Teams subscription (contact support to request a trial if you are not on Teams yet).

  • Enterprise onboarding — license key + tenant ID from ThinkReview after your tenant is provisioned.

  • A host that can run Docker or Azure Container Apps.

  • Network egress to https://us-central1-thinkgpt.cloudfunctions.net (license activation, heartbeat, bundle download).

  • An OpenAI-compatible LLM endpoint and API key.

## Step 1 — Deploy the gateway image

ThinkReview publishes the gateway image to Azure Container Registry (anonymous pull — no login required):

```
thinkreviewgateway.azurecr.io/gateway:latest
```

Pin a version tag (e.g. :1.0.3) for controlled upgrades. The image is linux/amd64; on Apple Silicon Macs add --platform linux/amd64 when pulling or running.

### Option A — Docker Compose (recommended for VMs)

  • Create a folder (e.g. ~/thinkreview-gateway).

  • Add docker-compose.yml and .env — copy the blocks from the Enterprise Gateway portal, or use the template below.

  • Set the two required variables in .env (see Minimum environment variables).

  • Start:

    ```bash
    docker compose up -d
    ```

  • Verify:

    ```bash
    curl http://localhost:8443/health
    ```

    Expect "status":"ok" and "engineReady":true.

Docker Compose volumes: The default compose file mounts persistent volumes for downloaded bundles and for secrets written by webapp Apply. This survives container restarts on the same Docker host.

### Option B — Azure Container Apps

Minimum deploy needs only license + tenant at setup. Example:

```bash
# Fill in the empty license-key and THINKREVIEW_TENANT_ID values before running.
az containerapp create \
  -n thinkreview-gateway \
  -g YOUR_RESOURCE_GROUP \
  --environment YOUR_CONTAINERAPPS_ENV \
  --image thinkreviewgateway.azurecr.io/gateway:latest \
  --target-port 8080 \
  --ingress external \
  --min-replicas 1 \
  --cpu 1 --memory 2Gi \
  --secrets license-key="" \
  --env-vars \
    THINKREVIEW_TENANT_ID="" \
    THINKREVIEW_LICENSE_KEY=secretref:license-key \
    THINKREVIEW_LICENSE_URL="https://us-central1-thinkgpt.cloudfunctions.net" \
    NODE_ENV=production \
    PORT=8080 \
    BUNDLE_CACHE_DIR=/var/thinkreview/bundles
```

Verify: curl https://.azurecontainerapps.io/health

For ARM template and portal-based deploy, use the Azure tab in the Enterprise Gateway portal.

## Minimum environment variables

These two are required before the gateway can activate its license and download review bundles:

| Variable | Description |
|---|---|
| THINKREVIEW_LICENSE_KEY | From your ThinkReview onboarding email |
| THINKREVIEW_TENANT_ID | Your enterprise tenant id (e.g. acme-corp) |

Everything else — LLM URL, model, API key, git PAT, sampling parameters — can be configured after deploy via the webapp (recommended) or as optional environment variables.

## Step 2 — Configure LLM and git (webapp)

  • Sign in to the ThinkReview webapp with your Teams account.

  • Open Enterprise Gateway → Gateway settings.

  • Set:
    - Gateway URL — public URL of your gateway (e.g. https://thinkreview-gateway.yourcompany.internal:8443 or your Azure Container Apps URL).
    - LLM — base URL, API style, model, timeout, and API key.
    - Git (optional) — platform, base URL, and PAT for tool calling.

  • Click Save (stores config in ThinkReview cloud).

  • Click Apply to gateway (pushes settings to the running gateway).

After apply, /health should show remoteConfigLoaded: true and secretsConfigured.llm: true (when the API key was applied).

### LLM API styles

| LLM_API_STYLE | Use for | Auth |
|---|---|---|
| azure-openai | Azure OpenAI, Azure AI Foundry | api-key header |
| openai | OpenAI, OpenRouter, vLLM, LiteLLM | Bearer token |
| ollama | Local Ollama | Bearer (if set) |

Azure OpenAI example:

```
LLM_BASE_URL=https://YOUR-RESOURCE.openai.azure.com/openai/deployments/YOUR-DEPLOYMENT
LLM_API_STYLE=azure-openai
LLM_MODEL=gpt-4o
```

OpenRouter example:

```
LLM_BASE_URL=https://openrouter.ai/api/v1
LLM_API_STYLE=openai
LLM_MODEL=anthropic/claude-sonnet-4
```

## Step 3 — Configure the browser extension

  • Open the ThinkReview extension popup.

  • Go to Enterprise Gateway (or Gateway settings).

  • Set Gateway URL to your gateway base URL (no trailing slash), e.g.:
    - Local Docker: http://localhost:8443
    - Azure: https://thinkreview-gateway..azurecontainerapps.io
    - On-prem: https://thinkreview-gateway.yourcompany.internal:8443

  • Use Test connection — it should reach /health and report the gateway is ready.

  • Run a review on a pull request or merge request as usual.

Review and conversational calls go to your gateway. User sign-in, billing, and agents still use ThinkReview cloud.

## Optional environment variables

Configure via .env, Container App env vars, or webapp Gateway settings (non-secret fields). Secrets (LLM_API_KEY, GIT_PAT) are never stored in ThinkReview cloud remote config — only on the gateway.

| Variable | Purpose |
|---|---|
| LLM_BASE_URL | LLM endpoint |
| LLM_API_KEY | LLM API key (persist as env/secret on Azure) |
| LLM_API_STYLE | openai, azure-openai, or ollama |
| LLM_MODEL | Model or deployment name |
| LLM_TIMEOUT_MS | Request timeout (e.g. 540000 for slow Azure models) |
| MAX_PATCH_SIZE | Max diff size sent to the LLM |
| GIT_PAT | Git personal access token |
| GIT_PLATFORM | github, gitlab, bitbucket, azureDevOps |
| GIT_BASE_URL | Self-hosted git / Azure DevOps collection URL |
| GATEWAY_AUTH_MODE | none (default) or extension |
| EXTENSION_AUTH_TOKEN_PEPPER | Required when GATEWAY_AUTH_MODE=extension |
| GATEWAY_CONFIG_MODE | merge (default), env, or remote |
| LICENSE_HEARTBEAT_INTERVAL_MS | Bundle/config refresh interval (default 6 hours) |

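
A pre-deploy check for the variables listed above and the tag-pinning advice from Step 1, added here as an example and not ThinkReview tooling. The allowed values come from this page; the sample .env and the rule that the _MS variables are positive integers are assumptions.

```python
# Constructed .env content; every value is a placeholder.
SAMPLE_ENV = """\
# gateway settings
THINKREVIEW_LICENSE_KEY="constructed-license"
THINKREVIEW_TENANT_ID=acme-corp
LLM_API_STYLE=azure
LLM_TIMEOUT_MS=9min
GATEWAY_AUTH_MODE=extension
"""

REQUIRED = ("THINKREVIEW_LICENSE_KEY", "THINKREVIEW_TENANT_ID")
ALLOWED = {  # value sets as listed in the variable table on this page
    "LLM_API_STYLE": {"openai", "azure-openai", "ollama"},
    "GIT_PLATFORM": {"github", "gitlab", "bitbucket", "azureDevOps"},
    "GATEWAY_AUTH_MODE": {"none", "extension"},
    "GATEWAY_CONFIG_MODE": {"merge", "env", "remote"},
}
NUMERIC = ("LLM_TIMEOUT_MS", "LICENSE_HEARTBEAT_INTERVAL_MS")  # assumed integers


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments; strip quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env


def lint(env, image):
    """Return a list of problems in a gateway env mapping and image reference."""
    problems = [f"{n} is required" for n in REQUIRED if not env.get(n)]
    for name, allowed in ALLOWED.items():
        if name in env and env[name] not in allowed:
            problems.append(f"{name}={env[name]} not in {sorted(allowed)}")
    problems += [f"{n} must be a positive integer" for n in NUMERIC
                 if n in env and not (env[n].isdecimal() and int(env[n]) > 0)]
    if env.get("GATEWAY_AUTH_MODE") == "extension" \
            and not env.get("EXTENSION_AUTH_TOKEN_PEPPER"):
        problems.append("EXTENSION_AUTH_TOKEN_PEPPER is required for extension auth")
    if image.rsplit("/", 1)[-1].partition(":")[2] in ("", "latest"):
        problems.append("image tag is not pinned to a version")
    return problems


if __name__ == "__main__":
    for problem in lint(parse_env(SAMPLE_ENV), "thinkreviewgateway.azurecr.io/gateway:latest"):
        print(problem)
```
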
## Health check

```bash
curl https://YOUR-GATEWAY-URL/health
```

Useful fields in the response:

| Field | Meaning |
|---|---|
| engineReady | Gateway can serve reviews |
| secretsConfigured.llm | LLM API key is present |
| configVersion | Remote config version from webapp |
| effectiveConfig.llm | Active LLM settings (no API key exposed) |

## Updates and heartbeat

  • The gateway heartbeat (default every 6 hours) refreshes remote config and review-engine bundles from ThinkReview cloud.

  • Heartbeat does not send or reset your LLM API key.

  • To upgrade the gateway image, redeploy with a new tag — docker compose pull && docker compose up -d, or az containerapp update --image .... Restarting alone does not pull a new image.

## Troubleshooting

### LLM HTTP 401 after it was working

If reviews fail with:

```
LLM HTTP 401: Access denied due to invalid subscription key or wrong API endpoint
```

and /health shows secretsConfigured.llm: false, the gateway has lost its API key. Common causes:

  • Azure Container Apps scale-to-zero — If minReplicas is 0, the container sleeps when idle. Webapp Apply writes the key to ephemeral disk (/var/thinkreview/secrets.json), which is wiped on cold start. Fix:
    - Set minReplicas: 1, and
    - Persist LLM_API_KEY as a Container App secret referenced by env var (recommended), or re-apply from Gateway settings after each cold start.

    ```bash
    # Put the LLM API key between the empty quotes before running.
    az containerapp secret set \
      --name thinkreview-gateway \
      --resource-group YOUR_RESOURCE_GROUP \
      --secrets llm-api-key=""

    az containerapp update \
      --name thinkreview-gateway \
      --resource-group YOUR_RESOURCE_GROUP \
      --set-env-vars LLM_API_KEY=secretref:llm-api-key LLM_API_STYLE=azure-openai
    ```

  • Wrong Azure endpoint — Confirm LLM_BASE_URL and LLM_API_STYLE=azure-openai match your Azure resource region and deployment URL.

  • Expired or rotated key — Update the key in Gateway settings → Apply, or update the Container App secret.

### /health shows engineReady: false

  • Check THINKREVIEW_LICENSE_KEY and THINKREVIEW_TENANT_ID are set.

  • Ensure outbound HTTPS to us-central1-thinkgpt.cloudfunctions.net is allowed.

  • Check container logs for license activation or bundle download errors.

### Extension cannot reach gateway

  • Confirm the gateway URL is reachable from the browser (HTTPS, valid certificate for production).

  • For local Docker, use http://localhost:8443 only on the same machine as the browser.

  • If GATEWAY_AUTH_MODE=extension, the extension must send a valid auth token and EXTENSION_AUTH_TOKEN_PEPPER must be set on the gateway.

### Git tools not fetching repo context

  • Set GIT_PAT with read access to code (and PRs where required).

  • Set GIT_PLATFORM and GIT_BASE_URL for self-hosted git or Azure DevOps Server.

  • Apply settings from the webapp or set env vars, then verify /health shows secretsConfigured.git: true.

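
A triage helper that maps the /health fields to the troubleshooting steps above, added here as an example and not part of ThinkReview's code. The nested JSON layout, the sample response and the secret-name heuristic are assumptions.

```python
import json

# Constructed /health response. Nesting follows the dotted field names on this
# page; the exact layout and values are assumptions, not captured output.
SAMPLE = json.loads("""{
  "status": "ok", "engineReady": true, "remoteConfigLoaded": true, "configVersion": 7,
  "secretsConfigured": {"llm": false, "git": false},
  "effectiveConfig": {"llm": {"baseUrl": "https://llm.example.invalid/v1",
                              "apiStyle": "azure-openai", "model": "gpt-4o"}}
}""")

# Heuristic name suffixes for values that should never appear in /health.
SECRET_SUFFIXES = ("key", "pat", "token", "secret", "password")


def leaked_fields(node, path="effectiveConfig"):
    """List non-empty fields under effectiveConfig whose name looks secret."""
    hits = []
    if isinstance(node, dict):
        for name, value in node.items():
            here = f"{path}.{name}"
            if name.lower().endswith(SECRET_SUFFIXES) and value:
                hits.append(here)
            hits.extend(leaked_fields(value, here))
    return hits


def triage(health):
    """Map /health fields to (field, next step) pairs from the guidance above."""
    secrets = health.get("secretsConfigured") or {}
    checks = [
        ("engineReady", health.get("engineReady"),
         "check license key, tenant ID, outbound HTTPS and container logs"),
        ("remoteConfigLoaded", health.get("remoteConfigLoaded"),
         "run Apply to gateway from Gateway settings"),
        ("secretsConfigured.llm", secrets.get("llm"),
         "LLM key missing: persist LLM_API_KEY as a secret or re-apply"),
        ("secretsConfigured.git", secrets.get("git"),
         "no git PAT: reviews are diff-only until GIT_PAT is applied"),
    ]
    findings = [(field, step) for field, value, step in checks if value is not True]
    findings += [(p, "secret-like field present in /health output")
                 for p in leaked_fields(health.get("effectiveConfig") or {})]
    return findings


if __name__ == "__main__":
    for field, step in triage(SAMPLE):
        print(f"{field}: {step}")
```
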
## Related docs

  • Azure DevOps On-Premise — PAT and collection URL for on-prem ADO

  • GitHub Enterprise Server — custom GHES domains

  • Troubleshooting — extension and platform issues

For deployment copy-paste blocks (Compose, .env, Azure CLI, ARM template), use the Enterprise Gateway portal in the webapp.