/app_data/userConfig.json.
Create the admin account
Preseed credentials on first boot. The password must contain at least six characters; use a substantially longer password for any shared or remote deployment..env file for Compose:
How each interface authenticates
REST API example
MCP token example
access_token as Authorization: Bearer YOUR_ACCESS_TOKEN on MCP requests.
Rotate credentials
Set the new username and password together withAUTH_OVERRIDE_FROM_ENV=true, replace the container, and then remove the override setting.
Recover access
For one boot, start the instance withRESET_AUTH=true. Then stop the instance, unset the variable, and start it again with new credentials.
./app_data/userConfig.json, then remove AUTH_USERNAME, AUTH_PASSWORD_HASH, and AUTH_SECRET_KEY from that file before restarting. Prefer RESET_AUTH when possible.
Production safeguards
- Terminate HTTPS at a reverse proxy or load balancer.
- Keep the instance off the public internet unless remote access is required.
- Store passwords in a secret manager rather than command history.
- Limit filesystem access to
/app_dataand its backups. - Rotate credentials after suspected exposure.
- Issue a new MCP token after credential rotation.
Connect an MCP client
Obtain a bearer token and configure compatible local or remote MCP clients.