Secure auth
Sign in with Google OAuth, GitHub OAuth, or local username/password. All API routes require a valid JWT. You can enable one or more providers and manage local users in the admin UI.
Auth providers
| Provider | Description |
|---|---|
| Google OAuth | Sign in with a Google account. Requires OAuth 2.0 credentials from Google Cloud Console |
| GitHub OAuth | Sign in with a GitHub account. Requires an OAuth App from GitHub Developer Settings |
| Local | Username and password stored in config. Passwords are bcrypt-hashed |
You can enable multiple providers; users choose which one to use at login.
JWT sessions
- Token expiry — JWTs expire after 24 hours. The frontend stores the token and sends it with every API call.
- Storage — Tokens are kept in memory (or in localStorage, depending on the frontend implementation). There is no server-side session store, so a token stays valid until it expires; a token in localStorage is readable by any script running on the same origin.
- Usage — Send the token as `Authorization: Bearer <token>`, or as `?token=<token>` for GET requests (e.g. preview links). Prefer the header where you can: a query-string token is written to access logs and browser history and may leak through the Referer header.
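The token handling above, as an added example that is not the project's own code: a stdlib-only HS256 mint/verify pair with the 24-hour expiry, plus the request-side rule that the header form is accepted on any method while the `?token=` form is accepted only on GET. The signing secret, the claim names (`sub`, `admin`), and the `extract_token`/`authenticate` helpers are assumptions for illustration; the page does not state which algorithm or claims the real server uses.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL = 24 * 60 * 60  # 24-hour expiry, as stated on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(secret: bytes, sub: str, is_admin: bool, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT. The claim names here are an assumption of this example."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "admin": is_admin, "iat": now, "exp": now + TOKEN_TTL}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Return the payload of a valid, unexpired token; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError as exc:  # bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token must never choose it (blocks alg=none and
    # key-confusion tricks). Check this before touching the signature.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        raise ValueError("missing exp")
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def extract_token(method: str, headers: dict, url: str) -> Optional[str]:
    """Header form on any method; query-string form only on GET (preview links)."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip() or None
    if method.upper() == "GET":
        values = parse_qs(urlsplit(url).query).get("token")
        if values:
            return values[0]
    return None


def authenticate(secret: bytes, method: str, headers: dict, url: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Gate an API route: the token payload on success, None on any failure."""
    token = extract_token(method, headers, url)
    if token is None:
        return None
    try:
        return verify_jwt(secret, token, now)
    except ValueError:
        return None
```

`authenticate` deliberately collapses every failure (missing, malformed, expired, wrong key, wrong algorithm) into `None` so the route handler has a single deny path; the distinct `ValueError` messages are there for server-side logging, not for the client.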
OAuth allowlist
Only addresses in `oauth_admin_emails` ∪ `oauth_allowed_emails` can complete OAuth sign-in, unless `oauth_allow_all_users` is enabled.
- `oauth_admin_emails` grants admin access; `oauth_allowed_emails` grants regular access (the Settings UI remains admin-only).
- `oauth_allow_all_users` lets any OAuth user who presents an email sign in. Use it only in trusted environments: anyone able to create a Google or GitHub account can then reach the non-admin UI.
- If Google or GitHub is enabled but both lists are empty and allow-all is off, every OAuth sign-in is denied (use local auth or add at least one email). The server logs a warning at startup in that case.
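The allowlist rules above as a single decision function, added here as an example and not the project's code. It covers the cases a deployment gets wrong: admin list takes precedence over allow-all, an empty lists plus allow-all off denies everyone (and reproduces the startup warning), and allow-all still requires the provider to have supplied an email. The `OAuthConfig` class, the per-provider `*_enabled` flags, the `startup_check`/`oauth_decision` names and the case-insensitive email comparison are assumptions of this example.

```python
import logging
from dataclasses import dataclass, field
from typing import Optional, Set

log = logging.getLogger("auth")


@dataclass
class OAuthConfig:
    # Field names follow the config keys named on the page; the enabled
    # flags are an assumption of this example.
    google_enabled: bool = False
    github_enabled: bool = False
    oauth_admin_emails: Set[str] = field(default_factory=set)
    oauth_allowed_emails: Set[str] = field(default_factory=set)
    oauth_allow_all_users: bool = False

    def provider_enabled(self, provider: str) -> bool:
        return {"google": self.google_enabled, "github": self.github_enabled}.get(provider, False)


def _norm(emails: Set[str]) -> Set[str]:
    # Assumption: addresses are compared case-insensitively after trimming.
    return {e.strip().lower() for e in emails if e.strip()}


def startup_check(cfg: OAuthConfig) -> Optional[str]:
    """Return (and log) the warning for an OAuth provider nobody can use."""
    oauth_on = cfg.google_enabled or cfg.github_enabled
    nobody_listed = not _norm(cfg.oauth_admin_emails) and not _norm(cfg.oauth_allowed_emails)
    if oauth_on and nobody_listed and not cfg.oauth_allow_all_users:
        msg = ("OAuth provider enabled but oauth_admin_emails and oauth_allowed_emails "
               "are empty and oauth_allow_all_users is off: all OAuth sign-ins will be denied")
        log.warning(msg)
        return msg
    return None


def oauth_decision(cfg: OAuthConfig, provider: str, email: Optional[str]) -> Optional[str]:
    """Return 'admin', 'user', or None (sign-in denied) for an OAuth callback."""
    if not cfg.provider_enabled(provider):
        return None
    if not email or not email.strip():
        return None  # even allow-all needs an email to identify the user
    addr = email.strip().lower()
    if addr in _norm(cfg.oauth_admin_emails):
        return "admin"  # admin list wins regardless of allow-all
    if addr in _norm(cfg.oauth_allowed_emails):
        return "user"
    if cfg.oauth_allow_all_users:
        return "user"  # trusted environments only
    return None
```

Note that `oauth_allow_all_users` never grants admin: an address has to be in `oauth_admin_emails` for that, which is what keeps the Settings UI admin-only even on an open deployment.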
Admin access
Users listed in `oauth_admin_emails` (for OAuth) or with `is_admin: true` (for local users) can access the admin UI to manage auth providers and local users. A `default_admin` user can be bootstrapped on first run when no users exist.