Skip to main content
Presenton uses one admin account per self-hosted instance. The stored password is hashed, and authentication state is kept in /app_data/userConfig.json.

Create the admin account

Preseed credentials on first boot. The password must contain at least six characters; use a substantially longer password for any shared or remote deployment.
Or place them in a protected .env file for Compose:
If an account already exists, the startup values are ignored unless you explicitly enable credential override.

How each interface authenticates

REST API example

MCP token example

Use the returned access_token as Authorization: Bearer YOUR_ACCESS_TOKEN on MCP requests.

Rotate credentials

Set the new username and password together with AUTH_OVERRIDE_FROM_ENV=true, replace the container, and then remove the override setting.
Credential override rotates the session signing secret and invalidates existing browser sessions and MCP bearer tokens. Remove AUTH_OVERRIDE_FROM_ENV after the one-time rotation so every restart does not rotate sessions again.

Recover access

For one boot, start the instance with RESET_AUTH=true. Then stop the instance, unset the variable, and start it again with new credentials.
As a manual recovery path, stop Presenton, back up ./app_data/userConfig.json, then remove AUTH_USERNAME, AUTH_PASSWORD_HASH, and AUTH_SECRET_KEY from that file before restarting. Prefer RESET_AUTH when possible.

Production safeguards

  • Terminate HTTPS at a reverse proxy or load balancer.
  • Keep the instance off the public internet unless remote access is required.
  • Store passwords in a secret manager rather than command history.
  • Limit filesystem access to /app_data and its backups.
  • Rotate credentials after suspected exposure.
  • Issue a new MCP token after credential rotation.

Connect an MCP client

Obtain a bearer token and configure compatible local or remote MCP clients.