Setup

Copy config.example.yaml to config.yaml and set CONFIG_FILE=./config.yaml.

Local users

Enable local auth and add users:

auth:
  jwt_secret: change-me-in-production
  local_auth_enabled: true
  oauth_redirect_url: ""   # omit for local-only

users:
  default_admin:
    username: admin
    password: changeme   # hashed on first run
  local_users: []       # or add {username, password, is_admin} — password hashed on first run

| Variable | Purpose |
| --- | --- |
| JWT_SECRET | Secret for signing JWTs (required) |
| CONFIG_FILE | Path to config file |

export JWT_SECRET="your-long-random-secret"
export CONFIG_FILE=./config.yaml

OAuth (Google / GitHub)

auth:
  jwt_secret: change-me-in-production
  oauth_redirect_url: https://your-domain.com/api/auth/google/callback
  providers:
    google:
      enabled: true
      client_id: xxx.apps.googleusercontent.com
      client_secret: xxx
    github:
      enabled: true
      client_id: xxx
      client_secret: xxx

| Variable | Overrides | Purpose |
| --- | --- | --- |
| JWT_SECRET | auth.jwt_secret | Sign JWTs |
| OAUTH_REDIRECT_URL | auth.oauth_redirect_url | OAuth callback URL |
| GOOGLE_CLIENT_ID | auth.providers.google.client_id | Google client ID |
| GOOGLE_CLIENT_SECRET | auth.providers.google.client_secret | Google secret |
| GITHUB_CLIENT_ID | auth.providers.github.client_id | GitHub client ID |
| GITHUB_CLIENT_SECRET | auth.providers.github.client_secret | GitHub secret |

export JWT_SECRET="your-secret"
export OAUTH_REDIRECT_URL="https://your-domain.com/api/auth/google/callback"
export GOOGLE_CLIENT_ID="xxx.apps.googleusercontent.com"
export GOOGLE_CLIENT_SECRET="xxx"
export GITHUB_CLIENT_ID="xxx"
export GITHUB_CLIENT_SECRET="xxx"

Admin users

OAuth admins only

oauth_admin_emails applies only to OAuth users (Google/GitHub). For local users, use is_admin: true in local_users.

Who may sign in with OAuth

oauth_allowed_emails lists OAuth users who may sign in without admin rights. Together with oauth_admin_emails, it forms the OAuth allowlist. If OAuth is enabled and both lists are empty, no OAuth sign-in is allowed.

OAuth admins (by email):

users:
  oauth_admin_emails:
    - admin@example.com
    - other-admin@example.com
  oauth_allowed_emails:
    - user@example.com

Local admins (per-user):

users:
  local_users:
    - username: admin
      password: $2a$10$...
      is_admin: true

| Variable | Overrides | Purpose |
| --- | --- | --- |
| OAUTH_ADMIN_EMAILS | users.oauth_admin_emails | Comma-separated OAuth admin emails |
| OAUTH_ALLOWED_EMAILS | users.oauth_allowed_emails | Comma-separated OAuth non-admin allowed emails |
| OAUTH_ALLOW_ALL_USERS | users.oauth_allow_all_users | true/1/yes/on to allow any OAuth user to sign in |

export OAUTH_ADMIN_EMAILS="admin@example.com,other@example.com"
export OAUTH_ALLOWED_EMAILS="user@example.com"
# export OAUTH_ALLOW_ALL_USERS=true   # optional: open OAuth sign-in (trusted env only)

Local admins must use is_admin: true in config; no env override.
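
The OAuth allowlist rules above can be modelled as a small decision function. This is an added example, not the project's own code. The function names are hypothetical, and three behaviours are assumptions: emails are compared trimmed and lower-cased, a set environment variable replaces the config value outright, and admin emails stay admins when allow-all is on.

```python
import os

TRUTHY = {"true", "1", "yes", "on"}  # values documented for OAUTH_ALLOW_ALL_USERS

def _emails(values):
    # Assumption: addresses are compared trimmed and lower-cased.
    return {v.strip().lower() for v in values if v and v.strip()}

def effective_oauth_policy(users_cfg, env=None):
    """Combine the `users:` section with the environment overrides."""
    env = os.environ if env is None else env
    admins = _emails(users_cfg.get("oauth_admin_emails") or [])
    allowed = _emails(users_cfg.get("oauth_allowed_emails") or [])
    allow_all = bool(users_cfg.get("oauth_allow_all_users", False))
    # Assumption: a variable that is set replaces the config value outright.
    if "OAUTH_ADMIN_EMAILS" in env:
        admins = _emails(env["OAUTH_ADMIN_EMAILS"].split(","))
    if "OAUTH_ALLOWED_EMAILS" in env:
        allowed = _emails(env["OAUTH_ALLOWED_EMAILS"].split(","))
    if "OAUTH_ALLOW_ALL_USERS" in env:
        allow_all = env["OAUTH_ALLOW_ALL_USERS"].strip().lower() in TRUTHY
    return {"admins": admins, "allowed": allowed, "allow_all": allow_all}

def oauth_decision(email, policy):
    """Return (may_sign_in, is_admin) for an email asserted by Google/GitHub."""
    email = email.strip().lower()
    is_admin = email in policy["admins"]
    may_sign_in = is_admin or email in policy["allowed"] or policy["allow_all"]
    return may_sign_in, is_admin

def policy_warnings(policy):
    """Flag the two edge cases an operator should review before going live."""
    warnings = []
    if policy["allow_all"]:
        warnings.append("OAuth sign-in is open to any Google/GitHub account")
    elif not policy["admins"] and not policy["allowed"]:
        warnings.append("both lists are empty: no OAuth sign-in is allowed")
    return warnings

if __name__ == "__main__":
    cfg = {"oauth_admin_emails": ["admin@example.com"],   # constructed sample
           "oauth_allowed_emails": ["user@example.com"]}
    policy = effective_oauth_policy(cfg, env={"OAUTH_ALLOW_ALL_USERS": "no"})
    for who in ("admin@example.com", "user@example.com", "stranger@example.com"):
        print(who, oauth_decision(who, policy))
    print(policy_warnings(policy))
```
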

Frontend (CORS / dev)

frontend:
  url: http://localhost:5173   # dev; use https://your-domain.com in prod

| Variable | Overrides | Purpose |
| --- | --- | --- |
| FRONTEND_URL | frontend.url | Frontend base URL for CORS/OAuth |

export FRONTEND_URL="http://localhost:5173"

First run

  1. Open http://localhost:8080 (or http://localhost:5173 in development)
  2. If auth is enabled, you'll be redirected to /login
  3. Use the default admin (admin / changeme) or OAuth to sign in
  4. Admins can add users and manage auth from the Settings page