Skip to main content
OSSAlt

How to Self-Host Papermark in 2026

·OSSAlt Team
papermarkdocsendself-hosteddocument-sharinganalytics
Share:

Papermark has quietly become the default open source answer to DocSend. It hit 8.1K+ stars on GitHub, ships under AGPL-3.0, and is still actively pushed to main as of today. If you send pitch decks, investor updates, or sales collateral and want control over links, analytics, and retention, self-hosting Papermark is the most defensible path.

This guide walks through a realistic production setup, plus the gotchas you hit once real recipients start opening your documents.

Why Papermark is worth self-hosting

Papermark handles the core DocSend workflow: upload a PDF or deck, generate a secure link, require email capture, watermark downloads, and track page-by-page viewing. Running it yourself gives you:

  • Full ownership of who viewed what, without a SaaS vendor holding the analytics.
  • Custom domains for every link (useful for deal rooms and due diligence).
  • Predictable cost: one small server plus object storage, regardless of view volume.
  • Compliance-friendly deployment inside your VPC if that matters to legal.

The trade-off is the usual AGPL reality: if you wrap Papermark inside a hosted product you resell, read the license carefully.

Who should and should not self-host it

Self-hosting fits well if you have:

  • A VC, legal, sales, or finance team that sends confidential documents weekly.
  • An internal ops person who is comfortable with Docker and Postgres basics.
  • A reason to keep analytics out of a third-party SaaS.

Skip it if you only send a handful of decks a year, or if your team has no one who can handle a failed migration at 9pm. Papermark's hosted plan is reasonable for light users.

Architecture and required services

Papermark is a Next.js app backed by:

  • PostgreSQL via Prisma for metadata, views, and links.
  • Object storage (S3-compatible) for documents and rendered previews.
  • A background worker for PDF processing and thumbnail generation.
  • Optional Redis if you enable queued jobs or rate limiting at scale.

A single small VPS (2 vCPU, 4GB RAM) is enough for most teams. For storage, use S3, Cloudflare R2, Backblaze B2, or self-hosted MinIO.

Docker Compose example

A minimal production-shaped Compose stack looks like this:

services:
  papermark:
    image: ghcr.io/mfts/papermark:latest
    env_file: .env.papermark
    ports:
      - "3000:3000"
    depends_on:
      - postgres
    restart: unless-stopped

  postgres:
    image: postgres:16
    environment:
      POSTGRES_USER: papermark
      POSTGRES_PASSWORD: changeme
      POSTGRES_DB: papermark
    volumes:
      - pg-data:/var/lib/postgresql/data
    restart: unless-stopped

volumes:
  pg-data:

Put this behind a reverse proxy (Caddy or Traefik) and terminate TLS there.

Environment variables and storage options

The variables that matter most in production:

  • DATABASE_URL pointing at your Postgres instance.
  • NEXTAUTH_SECRET and NEXTAUTH_URL for auth.
  • NEXT_PUBLIC_BASE_URL matching your public domain.
  • STORAGE_* or the S3-compatible keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_S3_BUCKET, custom endpoint for R2/MinIO).
  • Email provider keys (Resend, Postmark, or SMTP) for link notifications and magic-link login.

Rule of thumb: never use local disk for documents in production. Switch to S3/R2 from day one so your container is stateless and rebuilds are safe.

Reverse proxy and custom domain setup

Put Papermark behind Caddy or Traefik so you get automatic TLS. Two domains are typical:

  • app.yourcompany.com for the Papermark dashboard.
  • docs.yourcompany.com (or a client-facing domain) for the viewer links.

Make sure NEXT_PUBLIC_BASE_URL matches the viewer domain, otherwise tracking pixels and webhooks can end up pointed at the wrong host.

Operations: backups, analytics, upgrades

A few rules that save pain later:

  • Backups: snapshot Postgres daily (pg_dump to S3) and version your object storage bucket. Analytics lives in Postgres, documents live in storage; you need both.
  • Analytics caveats: view tracking depends on recipients loading tracking pixels and JavaScript. Hardened email clients and corporate proxies can suppress events, so treat the numbers as directional, not forensic.
  • Upgrades: pin image tags, read release notes for Prisma migrations, and always back up before docker compose pull.
  • Secrets: rotate NEXTAUTH_SECRET only when you're ready to invalidate sessions.

For the broader operational baseline, pair this with the self-hosting security checklist and the self-hosting backup guide.

Common issues and final recommendation

The problems that show up most often:

  • PDFs upload but previews fail: usually a storage permissions or CORS issue on the bucket.
  • Magic link emails never arrive: SPF/DKIM not configured on your sending domain.
  • View events look inflated: preview bots and link scanners hit the viewer before the recipient. Filter by unique viewer or confirmed email when reporting.
  • Slow deck loads: enable a CDN in front of the storage bucket.

If you send confidential documents regularly and can commit to basic Postgres hygiene, Papermark is the cleanest open source DocSend replacement you can run today. Start with a small VPS, S3-compatible storage, and one custom domain, then harden from there. For alternatives if Papermark doesn't fit, see our open source DocSend alternatives roundup.

Explore this tool

Find papermarkalternatives on OSSAlt →

The SaaS-to-Self-Hosted Migration Guide (Free PDF)

Step-by-step: infrastructure setup, data migration, backups, and security for 15+ common SaaS replacements. Used by 300+ developers.

Join 300+ self-hosters. Unsubscribe in one click.