Admin Password
By default, the Admin UI and Admin API are open — anyone who can reach port 8081 can view and modify your entire configuration. Setting an admin password adds authentication to all admin endpoints.
Enabling authentication
Add adminPassword to the server section of your config.yaml:
server:
host: 0.0.0.0
port: 8080
adminPort: 8081
adminPassword: ${MAGEC_ADMIN_PASSWORD}
Then set the environment variable before starting Magec:
export MAGEC_ADMIN_PASSWORD="your-strong-password"
magec --config config.yaml
When the password is set, every request to /api/ endpoints requires a Authorization: Bearer <password> header. The Admin UI handles this automatically — it shows a login screen on first load and sends the header on every subsequent request.
How it works
| Aspect | Detail |
|---|---|
| Header | Authorization: Bearer <password> on all /api/ requests |
| Comparison | Constant-time (crypto/subtle) — immune to timing attacks |
| Rate limiting | 5 failed attempts per minute per IP address |
| Static files | The Admin UI itself (HTML, CSS, JS) is always accessible — only API calls require auth |
| CORS preflight | OPTIONS requests bypass authentication |
| Auth check | GET /api/v1/admin/auth/check — returns 200 if the password is correct, 401 otherwise |
Login screen
When authentication is enabled, the Admin UI shows a password prompt before anything else:
- The password is stored in memory only — closing the browser tab requires re-authentication
- No cookies, no
localStorage, no session tokens - The UI calls
/api/v1/admin/auth/checkon load to determine if authentication is needed
Docker and Kubernetes
Pass the password as an environment variable — never hardcode it in config.yaml:
Docker Compose
services:
magec:
image: ghcr.io/achetronic/magec:latest
environment:
MAGEC_ADMIN_PASSWORD: "${MAGEC_ADMIN_PASSWORD}"
Kubernetes
env:
- name: MAGEC_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: magec-secrets
key: admin-password
What happens without a password
If adminPassword is not set (or is empty), the server starts normally with a warning in the logs:
WARN Admin API is unprotected — set adminPassword in config.yaml
All admin endpoints work without authentication. This is fine for local development but should never be used in production or anywhere the admin port is network-accessible.
Secrets encryption
The admin password also serves as the encryption key for Secrets. When a password is set, secret values are encrypted at rest using AES-256-GCM with a PBKDF2-derived key. Without a password, secrets are stored in plain text and a warning is logged.