PocketBase for Startups: Why We Chose It for Exponanta
Your backend shouldn't cost $500/month before you have a single paying customer. PocketBase is a complete backend in one binary file — authentication, database, file storage, real-time, and admin UI included. Here's why we use it at Exponanta and exactly how to set it up in production.
Why PocketBase is a great fit for startups
Early-stage startups face a brutal infrastructure dilemma. Firebase is expensive at scale and creates vendor lock-in. Supabase is excellent but complex to self-host. Building your own backend from scratch takes months. And managed services like AWS Amplify or Heroku erode your runway before you've validated anything.
PocketBase sits in a different category entirely. It's a single executable file — no Docker, no Kubernetes, no external dependencies. You drop it on a $6/month server and you have a production-grade backend running in under 10 minutes.
No Node.js runtime, no database server, no Redis, no message queue. One binary, one folder. Copy it to any Linux server and it runs. This means your deployment story is rsync and systemctl start.
SQLite handles thousands of requests per second on a single-core VPS. You won't need Postgres until you're well past product-market fit. And when you do, PocketBase's architecture makes migration straightforward.
Email/password auth, OAuth2, JWT tokens, file uploads with S3-compatible storage, real-time subscriptions via SSE — all built in. You're not stitching together five services from day one.
The built-in dashboard lets non-technical co-founders manage data, configure collections, and see logs without touching the terminal. This matters more than most engineers expect.
A DigitalOcean Basic droplet at $6/month runs PocketBase comfortably for hundreds of concurrent users. Compare that to a typical Firebase bill at the same traffic, or the cost of a managed Postgres instance plus auth service plus storage.
MIT licensed. Your data lives in a SQLite file you own completely. If PocketBase disappears tomorrow, you have your data and a standard database format. No export fees, no migration hell.
"Exponanta runs its entire backend on PocketBase — user auth, participant directories, event data, and scheduling — on a single $6/month droplet. We went from zero to production HTTPS in under an hour."
— Exponanta engineering team, March 2026
Production setup: step by step
The following is exactly how Exponanta deployed PocketBase to production at pb.exponanta.com. This runs on Ubuntu 24.04 LTS on a DigitalOcean Basic droplet ($6/month). Every command is copy-pasteable.
Provision a server
Create a new Ubuntu 24.04 LTS droplet on DigitalOcean (or any VPS provider). During setup, add your SSH public key so you can connect without a password.
Get your public key on Windows:
type $env:USERPROFILE\.ssh\id_ed25519.pub
If you don't have an SSH key yet, generate one first:
ssh-keygen -t ed25519 -C "you@example.com"
Once the droplet is running, connect via the DigitalOcean browser console or SSH. Update the system first:
apt update && apt upgrade -y
Download and install PocketBase
PocketBase needs only unzip and curl. That's it.
apt install -y unzip curl
mkdir -p /root/pb/pb_migrations /root/pb/pb_hooks
cd /root/pb
curl -L https://github.com/pocketbase/pocketbase/releases/download/v0.26.6/pocketbase_0.26.6_linux_amd64.zip \
-o pocketbase.zip
unzip pocketbase.zip
rm pocketbase.zip
chmod +x pocketbase
Check the PocketBase releases page for the latest version and update the URL accordingly.
Create a systemd service
Running PocketBase as a systemd service means it starts automatically on boot, restarts on crash, and runs in the background without you needing to stay connected.
cat > /lib/systemd/system/pocketbase.service << 'EOF'
[Unit]
Description=pocketbase
[Service]
Type=simple
User=root
Group=root
LimitNOFILE=4096
Restart=always
RestartSec=5s
StandardOutput=append:/root/pb/std.log
StandardError=append:/root/pb/std.log
WorkingDirectory=/root/pb
ExecStart=/root/pb/pocketbase serve --http=0.0.0.0:8090
[Install]
WantedBy=multi-user.target
EOF
Enable and start the service:
systemctl enable pocketbase.service
systemctl start pocketbase
systemctl status pocketbase
You should see Active: active (running). PocketBase is now live on port 8090.
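The unit above can be checked against the reverse-proxy design used later in this guide. This is an added example, not part of the original article: the function reads a unit file on stdin and flags root execution, a listener not bound to loopback, and missing sandboxing directives. The `pocketbase` account and `/opt/pocketbase` path in the hardened sample are assumptions.

```bash
# Added example, not from the article: audit a PocketBase unit file (stdin) for
# root execution, a non-loopback listener, and missing sandboxing directives.
audit_unit() {
  unit=$(cat)
  # systemd uses the last assignment of a key, so take the final match.
  get() { printf '%s\n' "$unit" | sed -n "s/^$1=//p" | tail -n 1; }
  user=$(get User)
  if [ -z "$user" ] || [ "$user" = "root" ]; then
    echo "FAIL User=${user:-unset}: service runs with full root privileges"
  fi
  # Host part of --http=HOST:PORT from ExecStart; empty when the flag is absent.
  bind=$(get ExecStart | sed -n 's/.*--http=\([^ ]*\):[0-9][0-9]*.*/\1/p')
  case "$bind" in
    ""|127.0.0.1|localhost|"[::1]") ;;  # no flag: serve defaults to 127.0.0.1:8090
    *) echo "FAIL --http=$bind: listener is not restricted to loopback" ;;
  esac
  for key in NoNewPrivileges ProtectSystem PrivateTmp; do
    [ -n "$(get "$key")" ] || echo "WARN $key not set"
  done
}

# Constructed input: the relevant [Service] lines of the unit shown in the article.
unit_from_article() {
  cat <<'EOF'
[Service]
User=root
WorkingDirectory=/root/pb
ExecStart=/root/pb/pocketbase serve --http=0.0.0.0:8090
EOF
}

# Constructed input: hardened variant; the "pocketbase" account and the
# /opt/pocketbase directory are assumptions, not values from the article.
unit_hardened() {
  cat <<'EOF'
[Service]
User=pocketbase
WorkingDirectory=/opt/pocketbase
ExecStart=/opt/pocketbase/pocketbase serve --http=127.0.0.1:8090
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/opt/pocketbase
EOF
}

unit_from_article | audit_unit
unit_hardened | audit_unit
```

To audit the installed unit, run `audit_unit < /lib/systemd/system/pocketbase.service`.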
Create your superuser account
/root/pb/pocketbase superuser create your@email.com yourpassword
Set up NGINX as a reverse proxy
PocketBase runs on port 8090 internally. NGINX sits in front of it on port 80 (and later 443 for HTTPS), handling SSL termination and giving you a clean URL.
apt install -y nginx
cat > /etc/nginx/sites-available/pocketbase << 'EOF'
server {
    listen 80;
    server_name pb.yourdomain.com;
    client_max_body_size 10M;
    location / {
        proxy_set_header Connection '';
        proxy_http_version 1.1;
        proxy_read_timeout 360s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8090;
    }
}
EOF
ln -s /etc/nginx/sites-available/pocketbase /etc/nginx/sites-enabled/
rm /etc/nginx/sites-enabled/default
nginx -t
systemctl restart nginx
ufw allow 80
ufw allow 22
ufw enable
Point your domain and enable HTTPS
Add an A record in your DNS provider pointing your subdomain to the server IP:
| Type | Name | Value | TTL |
|---|---|---|---|
| A | pb | YOUR_SERVER_IP | 3600 |
Once DNS propagates (verify with ping pb.yourdomain.com), install Certbot and get a free Let's Encrypt certificate:
apt install -y certbot python3-certbot-nginx
certbot --nginx -d pb.yourdomain.com
Certbot will ask for your email, accept terms, then automatically configure NGINX for HTTPS and set up auto-renewal.
ufw allow 443
Your PocketBase admin UI is now at https://pb.yourdomain.com/_/
Configure transactional email with Mailgun
PocketBase sends emails for verification, password reset, and auth alerts. By default it uses the server's sendmail — which will be marked as spam by every major mail provider. Set up Mailgun SMTP instead.
DigitalOcean blocks outbound SMTP on ports 25, 465, and 587 on new accounts to prevent spam. The workaround is port 2525 — Mailgun supports it and DigitalOcean doesn't block it. This took us an hour to figure out.
In the PocketBase dashboard, go to Settings → Mail settings and fill in:
| Field | Value |
|---|---|
| Sender name | Your App Name |
| Sender address | noreply@yourdomain.com |
| SMTP host | smtp.mailgun.org |
| Port | 2525 |
| Username | Your Mailgun SMTP username |
| Password | Your Mailgun SMTP password |
| TLS | Auto (StartTLS) |
Click Send test email to verify delivery before going live.
Enable rate limiting
Go to Settings → Application and enable rate limiting. The defaults are sensible and protect against brute-force auth attacks immediately:
| Rule | Max requests | Interval | Protects against |
|---|---|---|---|
| *:auth | 2 | 3s | Brute force login |
| *:create | 20 | 5s | Spam signups |
| /api/batch | 3 | 1s | Batch API abuse |
| /api/ | 300 | 10s | General scraping |
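To see whether the `*:auth` limit is actually being hit, the function below (an added example, not part of the original article) summarizes login attempts per client from NGINX access log lines. It assumes NGINX's default `combined` log format and that PocketBase answers a failed login with 400 and a rate-limited one with 429; the sample log lines are constructed.

```bash
# Added example, not from the article: summarize login attempts per client from
# NGINX "combined" access log lines on stdin. Assumes PocketBase answers a failed
# auth-with-password with 400 and a rate-limited one with 429.
# Output: "ip attempts rejected limited" for clients with >= MIN rejected logins.
auth_offenders() {
  awk -v min="$1" '
    $7 ~ "^/api/collections/[^/]+/auth-with-password" {
      attempts[$1]++
      if ($9 == 400 || $9 == 429) rejected[$1]++
      if ($9 == 429) limited[$1]++
    }
    END {
      for (ip in attempts)
        if (rejected[ip] + 0 >= min + 0)
          printf "%s %d %d %d\n", ip, attempts[ip], rejected[ip], limited[ip]
    }' | sort
}

# Constructed sample log (documentation IP ranges, made-up timestamps).
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Mar/2026:09:00:00 +0000] "POST /api/collections/users/auth-with-password HTTP/1.1" 400 87 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:00:01 +0000] "POST /api/collections/users/auth-with-password HTTP/1.1" 400 87 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:00:01 +0000] "POST /api/collections/users/auth-with-password HTTP/1.1" 429 64 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:00:02 +0000] "POST /api/collections/users/auth-with-password HTTP/1.1" 429 64 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:00:02 +0000] "POST /api/collections/users/auth-with-password HTTP/1.1" 429 64 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:00:03 +0000] "GET /api/collections/posts/records HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.20 - - [10/Mar/2026:09:00:05 +0000] "POST /api/collections/users/auth-with-password HTTP/1.1" 400 87 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2026:09:01:00 +0000] "POST /api/collections/users/auth-with-password HTTP/1.1" 200 940 "-" "Mozilla/5.0"
EOF
}

sample_log | auth_offenders 3
```

On the server, run `auth_offenders 10 < /var/log/nginx/access.log`; a client with many rejected logins but no 429 responses suggests rate limiting is not enabled.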
Day-to-day commands
Once running, you rarely need to touch the server. These are the commands you'll use:
# Check if PocketBase is running
systemctl status pocketbase
# Restart after config changes
systemctl restart pocketbase
# Watch live logs
tail -f /root/pb/std.log
# Restart NGINX
systemctl restart nginx
The 3 things that will trip you up
We hit all three of these. Save yourself the time.
If you initially set up NGINX with your server IP in server_name and then try to run Certbot, it will issue the certificate but fail to install it. Make sure server_name is your actual domain name before running Certbot. Fix: sed -i 's/server_name YOUR_IP;/server_name pb.yourdomain.com;/' /etc/nginx/sites-available/pocketbase then certbot install --cert-name pb.yourdomain.com --nginx.
Ports 25, 465, and 587 are blocked by default on all new DigitalOcean accounts. DO will not unblock them for new accounts. The solution is Mailgun's alternative port 2525, which works identically to 587 with STARTTLS. No ticket needed, no waiting — just change the port.
VS Code's Remote SSH extension drops connections, corrupts its own server process, and can leave your droplet in a state where SSH itself stops responding. For server administration, use the DigitalOcean browser console directly — it always works, requires no local configuration, and doesn't add a fragile layer between you and the server.
What you get at the end
https://pb.yourdomain.com/_/
For Exponanta, PocketBase handles everything from participant auth to the event scheduling data powering our Demo Day 1:1 dashboard. It's not a toy — it's a serious backend that scales far beyond where most startups need it, at a cost that preserves runway for what actually matters.