> ## Documentation Index
> Fetch the complete documentation index at: https://docs.presenton.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Configure the single admin account and protect the browser, REST API, and MCP server.

Presenton uses one admin account per self-hosted instance. The stored password is hashed, and authentication state is kept in `/app_data/userConfig.json`.

## Create the admin account

Preseed credentials on first boot. The password must contain at least six characters; use a substantially longer password for any shared or remote deployment.

```bash theme={null}
docker run -it --name presenton \
  --publish 5001:80 \
  --env AUTH_USERNAME=admin \
  --env AUTH_PASSWORD=replace-with-a-long-password \
  --volume "./app_data:/app_data" \
  ghcr.io/presenton/presenton:v0.9.0-beta
```

Or place them in a protected `.env` file for Compose:

```dotenv theme={null}
AUTH_USERNAME=admin
AUTH_PASSWORD=replace-with-a-long-password
```

If an account already exists, the startup values are ignored unless you explicitly enable credential override.

## How each interface authenticates

| Interface        | Authentication                                          |
| ---------------- | ------------------------------------------------------- |
| Browser UI       | Admin sign-in session                                   |
| `/api/v1/*`      | HTTP Basic with the admin username and password         |
| `/api/v1/auth/*` | Authentication endpoints are exempt from API Basic auth |
| `/mcp`           | Bearer session token when authentication is configured  |

### REST API example

```bash theme={null}
curl --request GET \
  --url http://localhost:5001/api/v1/ppt/presentation/all \
  --user "$PRESENTON_USERNAME:$PRESENTON_PASSWORD"
```

### MCP token example

```bash theme={null}
curl --request POST \
  --url http://localhost:5001/api/v1/auth/login \
  --header 'Content-Type: application/json' \
  --data '{"username":"admin","password":"YOUR_PASSWORD"}'
```

Use the returned `access_token` as `Authorization: Bearer YOUR_ACCESS_TOKEN` on MCP requests.

## Rotate credentials

Set the new username and password together with `AUTH_OVERRIDE_FROM_ENV=true`, replace the container, and then remove the override setting.

```bash theme={null}
docker stop presenton
docker rm presenton

docker run -it --name presenton \
  --publish 5001:80 \
  --env AUTH_USERNAME=admin \
  --env AUTH_PASSWORD=replace-with-a-new-long-password \
  --env AUTH_OVERRIDE_FROM_ENV=true \
  --volume "./app_data:/app_data" \
  ghcr.io/presenton/presenton:v0.9.0-beta
```

<Warning>
  Credential override rotates the session signing secret and invalidates existing browser sessions and MCP bearer tokens. Remove `AUTH_OVERRIDE_FROM_ENV` after the one-time rotation so every restart does not rotate sessions again.
</Warning>

## Recover access

For one boot, start the instance with `RESET_AUTH=true`. Then stop the instance, unset the variable, and start it again with new credentials.

```bash theme={null}
docker stop presenton
docker rm presenton

docker run -it --name presenton \
  --publish 5001:80 \
  --env RESET_AUTH=true \
  --volume "./app_data:/app_data" \
  ghcr.io/presenton/presenton:v0.9.0-beta
```

As a manual recovery path, stop Presenton, back up `./app_data/userConfig.json`, then remove `AUTH_USERNAME`, `AUTH_PASSWORD_HASH`, and `AUTH_SECRET_KEY` from that file before restarting. Prefer `RESET_AUTH` when possible.

## Production safeguards

* Terminate HTTPS at a reverse proxy or load balancer.
* Keep the instance off the public internet unless remote access is required.
* Store passwords in a secret manager rather than command history.
* Limit filesystem access to `/app_data` and its backups.
* Rotate credentials after suspected exposure.
* Issue a new MCP token after credential rotation.

<Card title="Connect an MCP client" icon="plug" href="/open-source/v0.9.0-beta/tutorials/connect-mcp">
  Obtain a bearer token and configure compatible local or remote MCP clients.
</Card>
