Boot Urbit for the first time and you land in a dojo prompt with a name like ~mastec-litzod, watching messages roll in about "neighbors" joining your network. It feels like you accidentally started something much bigger than a dev server. That feeling is not wrong. You did.
The confusion starts immediately because Urbit doesn't map to anything you already know. It's not a framework, not a database, not a cloud provider. It's a personal computer that runs inside your computer, with its own OS, filesystem, language, and network identity. The dojo prompt is the terminal into that machine. You're inside it now.
What You Actually Booted
That ./urbit -c mycomet command didn't just start a process. It created a deterministic computing environment with a full stack: Arvo as the OS kernel, Clay as the filesystem, Eyre as the HTTP server, and Ames as the peer-to-peer networking layer. Your comet name is your identity on a live network. Those "neighbor" messages are real ships on the Urbit network noticing you come online.
Hoon, the language you'd use to write apps, uses prefix notation. Instead of 2 + 3 you write (add 2 3). Instead of a string returning a greeting, the dojo just echoes the value back, because it's a REPL, not a chatbot. This trips everyone up in the first ten minutes.
Gall is the app framework. A Gall agent is a state machine that handles pokes (writes), peeks (reads), and subscriptions. Every Urbit app is one of these. The learning curve to writing a real one is steep, but the model is consistent once it clicks.
The Two Ways to Build on Urbit
You can go deep and write native Hoon agents, or you can treat Urbit as a backend and talk to it over HTTP from whatever stack you already know. The second path is dramatically underrated for POC work. Urbit exposes an HTTP API through Eyre, and the @urbit/http-api JS library wraps it cleanly. Your React app pokes and peeks the ship, and the ship stores state. You never touch Hoon.
const api = new Urbit('http://your-ship:8080', 'your-code');
await api.poke({ app: 'your-agent', mark: 'noun', json: data });
const result = await api.scry({ app: 'your-agent', path: '/data' });The native path is the right one if Urbit's networking or identity model is core to your product. The HTTP path is the right one if you want persistent user-owned state and don't want to spend three weeks on Hoon before writing a single feature.
The Privacy Argument, and Where It Actually Holds
Here's where most people get confused, because Urbit's marketing leans on "privacy" in a way that doesn't mean what you think it means.
If you host a user's Urbit ship on Red Horizon, on AWS, on DigitalOcean, or anywhere else, you still have administrative access to that ship. The data is architecturally isolated — each user gets their own pier, their own state, their own environment. But you can walk in. Red Horizon can walk in. The cloud provider can walk in. Nothing in Urbit's design prevents that.
The architecture makes data separation the default. It doesn't make unauthorized access impossible.
The isolation is real and valuable. Running a traditional multi-tenant app means one misconfigured query can leak User A's data to User B. With separate ships, that class of bug doesn't exist architecturally. But this is a different claim than "nobody can access your data." One is a structural guarantee. The other is a contractual and legal question, same as it always was.
If you want true technical prevention of data access, the answer is end-to-end encryption where you hold no keys. Signal does this. ProtonMail does this. Urbit does not do this out of the box. The data on a ship you host is readable by you. Full stop.
The Censorship Resistance Argument, and Where It Breaks
Censorship resistance is the stronger claim, and it also has a gap most people don't ask about.
If a user runs their ship on a VPS, the VPS provider can terminate the instance. If they run it on AWS, AWS can shut it down. If they run it on Red Horizon, Red Horizon can pull the plug. The censorship chain doesn't disappear. It just gets different names in each link.
If you're enjoying this post, consider subscribing to get future articles delivered straight to your inbox.
SubscribeThe only setup where censorship resistance is real is a user running their own ship on hardware they physically own, in their home, on their own connection. Even then, the ISP can block traffic. A government can knock on their door. Urbit has a company called Native Planet selling purpose-built home servers for exactly this use case. Plug it in, your ship runs on your hardware, nobody touches it.
Today's world:
Your data → Google's servers
Your identity → Facebook's servers
Your compute → Amazon's servers
Urbit's vision:
Your data → box in your home
Your identity → Ethereum (you own the keys)
Your compute → box in your homeThe vision is coherent. The adoption path is brutal. Most users will host on a VPS because managing home server infrastructure is not something most people will do. And the moment they do that, the censorship resistance argument partially collapses back into trust and contracts.
What Urbit Actually Solves
Strip away the marketing and three things stand up.
First, identity ownership. Your Urbit planet is an NFT on Ethereum's Azimuth contract. Twitter can deplatform you. Facebook can delete your account. Nobody can take your Urbit identity because you hold the keys on chain. For anyone building social or community products where deplatforming is a real threat, this is a genuine differentiator.
Second, permissionless distribution. You publish your app from your ship. Users install it on their ship. There's no app store that can reject you, no AWS terms of service that can kill your product, no platform that can revoke access. Once the code is out, it's out.
Third, the cost model at true scale. If every user runs their own ship, your infrastructure costs are nearly flat no matter how many users you have. You're not paying for their compute. They are. This is the model that makes Tlon and Red Horizon viable businesses: they charge users for hosting ships, and their own server costs don't scale linearly with users the way traditional backends do.
When Urbit Makes Sense for a POC
The common mistake is reaching for Urbit because you want "privacy" and someone told you Urbit is private. If what you actually need is row-level security and encrypted storage, Supabase gets you there in an afternoon. Urbit is not the right answer to that problem.
Urbit makes sense when one of these is true: the censorship resistance of user-owned ships is core to your product's value proposition, your target users are the kind who will actually self-host (which means they're in a regulated industry, a privacy-conscious niche, or they've been burned by deplatforming), or you're building a P2P product where the "no central server" architecture genuinely changes what's possible.
For a practical POC the right path is usually: run one ship on a cheap VPS (Hetzner's CX11 at four euros a month is fine), build your app logic as a Gall agent or use the HTTP API from a frontend you already know, and validate whether your users care about the sovereignty story before investing in the full decentralized architecture. When you're ready to go deeper, port the ship to a home server. Changing the URL in your config is all it takes.
Urbit is building infrastructure for a user who is just starting to exist at scale: someone who has learned, through repeated experience, that free platforms extract more than they give. That user is growing. The ecosystem is not production-ready for most enterprises today, but the direction is right, and the primitives are genuinely novel.
The next question worth asking is not "how do I make Urbit more private" but "what does it mean to build software when the user owns the runtime." That question changes the architecture of everything.