Local users
Local username and password. Use `password` (plaintext or bcrypt; plaintext hashed on first run).
Social Authentication
Use Google or GitHub as OAuth providers.
Authentication
Filetree supports Google OAuth, GitHub OAuth, and local username/password. Protected routes require a valid JWT.
Local users
Local auth uses a username and password stored in the config file. No OAuth or external provider is required. Filetree stores the password as a bcrypt hash. On success, a JWT is issued and the frontend stores it for subsequent requests.
Both `default_admin` and `local_users` use a single `password` field. Use plaintext (e.g. `changeme`); on first startup, Filetree hashes it and replaces it in place. You can also provide a bcrypt hash (e.g. from `htpasswd -nbB user pass`).
```yaml
auth:
  jwt_secret: your-secret-here
  local_auth_enabled: true
  oauth_redirect_url: ""
users:
  default_admin:
    username: admin
    password: changeme
  local_users:
    - username: heapoftrash
      password: changeme
      is_admin: false
```

```json
{
  "auth": {
    "jwt_secret": "your-secret-here",
    "local_auth_enabled": true,
    "oauth_redirect_url": ""
  },
  "users": {
    "default_admin": {
      "username": "admin",
      "password": "changeme"
    },
    "local_users": [
      {
        "username": "heapoftrash",
        "password": "changeme",
        "is_admin": false
      }
    ]
  }
}
```
Google OAuth
Set up Google as an OAuth provider.
```yaml
auth:
  jwt_secret: your-secret-here
  oauth_redirect_url: https://your-domain.com/api/auth/google/callback
  providers:
    google:
      enabled: true
      client_id: xxx.apps.googleusercontent.com
      client_secret: xxx
users:
  oauth_admin_emails: [admin@example.com]
```

```json
{
  "auth": {
    "jwt_secret": "your-secret-here",
    "oauth_redirect_url": "https://your-domain.com/api/auth/google/callback",
    "providers": {
      "google": {
        "enabled": true,
        "client_id": "xxx.apps.googleusercontent.com",
        "client_secret": "xxx"
      }
    }
  },
  "users": {
    "oauth_admin_emails": [
      "admin@example.com"
    ]
  }
}
```
GitHub OAuth
Set up GitHub as an OAuth provider.
```yaml
auth:
  jwt_secret: your-secret-here
  oauth_redirect_url: https://your-domain.com/api/auth/github/callback
  providers:
    github:
      enabled: true
      client_id: xxx
      client_secret: xxx
users:
  oauth_admin_emails: [admin@example.com]
```

```json
{
  "auth": {
    "jwt_secret": "your-secret-here",
    "oauth_redirect_url": "https://your-domain.com/api/auth/github/callback",
    "providers": {
      "github": {
        "enabled": true,
        "client_id": "xxx",
        "client_secret": "xxx"
      }
    }
  },
  "users": {
    "oauth_admin_emails": [
      "admin@example.com"
    ]
  }
}
```
Config snippet
An example config with all authentication methods enabled:
```yaml
auth:
  jwt_secret: your-secret-here
  oauth_redirect_url: https://your-domain.com/api/auth/google/callback
  local_auth_enabled: true
  providers:
    google:
      enabled: true
      client_id: xxx.apps.googleusercontent.com
      client_secret: xxx
    github:
      enabled: true
      client_id: xxx
      client_secret: xxx
users:
  oauth_admin_emails: [admin@example.com]
  local_users:
    - username: bob
      password: changeme # plaintext hashed on first run, or use bcrypt hash
      is_admin: false
  default_admin:
    username: admin
    password: changeme
```

```json
{
  "auth": {
    "jwt_secret": "your-secret-here",
    "oauth_redirect_url": "https://your-domain.com/api/auth/google/callback",
    "local_auth_enabled": true,
    "providers": {
      "google": {
        "enabled": true,
        "client_id": "xxx.apps.googleusercontent.com",
        "client_secret": "xxx"
      },
      "github": {
        "enabled": true,
        "client_id": "xxx",
        "client_secret": "xxx"
      }
    }
  },
  "users": {
    "oauth_admin_emails": [
      "admin@example.com"
    ],
    "local_users": [
      {
        "username": "bob",
        "password": "changeme",
        "is_admin": false
      }
    ],
    "default_admin": {
      "username": "admin",
      "password": "changeme"
    }
  }
}
```
Password bootstrap
default_admin and local_users use a single password field. Plaintext is hashed on first startup and replaced in-place. You can also provide a bcrypt hash directly.
OAuth admins
oauth_admin_emails applies only to OAuth users (Google/GitHub). For local users, set is_admin: true per user in local_users.
OAuth allowlist
oauth_allowed_emails lists non-admin OAuth users who may sign in. The allowlist is oauth_admin_emails ∪ oauth_allowed_emails. If OAuth is enabled and both are empty, OAuth sign-in is blocked unless oauth_allow_all_users is true (open sign-in; trusted environments only).
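A pre-deployment check for the "Password bootstrap" and "OAuth allowlist" notes above, written as an added example (not Filetree's own code). It takes the JSON form of the config as a parsed dict and reports placeholder JWT secrets, passwords not yet replaced by a bcrypt hash, and the two allowlist edge cases. The `audit` function, the length threshold and the sample config are assumptions made for the example.

```python
import re

# bcrypt hash layout: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt + digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
PLACEHOLDER_SECRETS = {"", "your-secret-here"}
MIN_SECRET_LEN = 32  # assumption: threshold chosen for this example

def audit(cfg):
    """Return findings for a parsed Filetree config (hypothetical helper)."""
    findings = []
    auth, users = cfg.get("auth") or {}, cfg.get("users") or {}

    secret = auth.get("jwt_secret") or ""
    if secret in PLACEHOLDER_SECRETS:
        findings.append("auth.jwt_secret: placeholder or empty")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append("auth.jwt_secret: shorter than %d characters" % MIN_SECRET_LEN)

    # After the first startup every local account should hold a bcrypt hash.
    accounts = [("users.default_admin", users.get("default_admin"))]
    accounts += [("users.local_users[%d]" % i, u)
                 for i, u in enumerate(users.get("local_users") or [])]
    for path, acct in accounts:
        if acct and not BCRYPT_RE.match(str(acct.get("password") or "")):
            findings.append("%s.password: not a bcrypt hash" % path)

    # Allowlist rule from the page: union of admin and allowed e-mail lists.
    oauth_on = any(p.get("enabled") for p in (auth.get("providers") or {}).values())
    allowlist = set(users.get("oauth_admin_emails") or []) | set(
        users.get("oauth_allowed_emails") or [])
    if users.get("oauth_allow_all_users"):
        findings.append("users.oauth_allow_all_users: open OAuth sign-in")
    elif oauth_on and not allowlist:
        findings.append("users: OAuth enabled, allowlist empty, sign-in blocked")
    return findings

# Constructed sample: bob's password is a format-only dummy, not a real hash.
SAMPLE = {
    "auth": {"jwt_secret": "your-secret-here",
             "providers": {"github": {"enabled": True}}},
    "users": {"default_admin": {"username": "admin", "password": "changeme"},
              "local_users": [{"username": "bob", "password": "$2b$12$" + "a" * 53}]},
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Run it against the config after the first startup as well: any remaining "not a bcrypt hash" finding means that account's plaintext password is still on disk.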
OAuth redirect URL
- `oauth_redirect_url` must contain `https://your-domain.com/api/auth/`. Filetree replaces the path with `https://your-domain.com/api/auth/{provider}/callback`.
- `callback_url` can also be set explicitly for an OAuth provider.
| Config | Purpose |
|---|---|
| `auth.oauth_redirect_url` | Base callback URL; used to derive provider-specific URLs when provider `callback_url` is not set |
| `auth.providers.google.callback_url` | Optional; full callback URL for Google. If empty, derived from `oauth_redirect_url` |
| `auth.providers.github.callback_url` | Optional; full callback URL for GitHub. If empty, derived from `oauth_redirect_url` |
```yaml
# Provider callback URLs derived from oauth_redirect_url
auth:
  oauth_redirect_url: https://myapp.com/api/auth/google/callback
  providers:
    google:
      enabled: true
      client_id: xxx
      client_secret: xxx
    github:
      enabled: true
      client_id: xxx
      client_secret: xxx
```

```yaml
# callback_url set explicitly for each provider
auth:
  providers:
    google:
      enabled: true
      client_id: xxx
      client_secret: xxx
      callback_url: https://myapp.com/api/auth/google/callback
    github:
      enabled: true
      client_id: xxx
      client_secret: xxx
      callback_url: https://myapp.com/auth/github/callback
```
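The callback rule from the table above, as an added example (a model of the documented behaviour, not Filetree's own code). It resolves the URL each enabled provider will use, so it can be compared with what is registered in the Google and GitHub consoles. The function names, the localhost exception and the sample config are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1"}  # assumption: plain http tolerated for local dev

def effective_callbacks(auth):
    """Map each enabled provider to (callback URL or None, where it came from)."""
    base = urlsplit(auth.get("oauth_redirect_url") or "")
    out = {}
    for name, prov in (auth.get("providers") or {}).items():
        if not prov.get("enabled"):
            continue
        if prov.get("callback_url"):
            out[name] = (prov["callback_url"], "callback_url")
        elif base.scheme and base.netloc:
            # Keep scheme and host, replace the path as the page describes.
            path = "/api/auth/%s/callback" % name
            out[name] = (urlunsplit((base.scheme, base.netloc, path, "", "")), "derived")
        else:
            out[name] = (None, "unset")
    return out

def problems(auth):
    """Return misconfigurations that are visible from the config alone."""
    found = []
    base = auth.get("oauth_redirect_url") or ""
    if base and not urlsplit(base).path.startswith("/api/auth/"):
        found.append("oauth_redirect_url: path does not start with /api/auth/")
    for name, (url, source) in effective_callbacks(auth).items():
        if url is None:
            found.append("%s: no callback_url and no oauth_redirect_url" % name)
            continue
        parts = urlsplit(url)
        if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            found.append("%s: %s URL is not https" % (name, source))
    return found

# Constructed sample mirroring the page's derived-URL config.
SAMPLE_AUTH = {
    "oauth_redirect_url": "https://myapp.com/api/auth/google/callback",
    "providers": {
        "google": {"enabled": True, "client_id": "xxx", "client_secret": "xxx"},
        "github": {"enabled": True, "client_id": "xxx", "client_secret": "xxx"},
    },
}

if __name__ == "__main__":
    for name, (url, source) in effective_callbacks(SAMPLE_AUTH).items():
        print(name, source, url)
    print(problems(SAMPLE_AUTH))
```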