Problem
The current admin authentication uses a session token derived from HMAC(internal_token, admin_password). The internal_token is regenerated on every gateway restart, so the derived admin_token is ephemeral — it cannot be used for stable programmatic access to the admin API.
To interact with admin endpoints (e.g. from scripts or CI), callers must first POST /admin/api/login with the password to obtain a session token, and that token becomes invalid after a restart.
Proposal
Add a separate, persistent admin API token for programmatic access to /admin/api/* endpoints:
- Configured via
server.admin_api_token in config.jsonc (supports ${ENV_VAR} substitution)
- Distinct from the web login password — the password protects the browser UI, the API token enables automation
- Passed via
X-Admin-Token header (same header, auth hook checks both the session token and the persistent token)
- Survives gateway restarts (stored in config, not derived at runtime)
- Optionally manageable from the Settings popup in the admin UI
Considerations
- Should the token be rotatable from the admin UI?
- Should there be multiple tokens with labels (like gateway API keys)?
- Rate limiting / audit logging for API token usage
Problem
The current admin authentication uses a session token derived from
HMAC(internal_token, admin_password). Theinternal_tokenis regenerated on every gateway restart, so the derivedadmin_tokenis ephemeral — it cannot be used for stable programmatic access to the admin API.To interact with admin endpoints (e.g. from scripts or CI), callers must first
POST /admin/api/loginwith the password to obtain a session token, and that token becomes invalid after a restart.Proposal
Add a separate, persistent admin API token for programmatic access to
/admin/api/*endpoints:server.admin_api_tokeninconfig.jsonc(supports${ENV_VAR}substitution)X-Admin-Tokenheader (same header, auth hook checks both the session token and the persistent token)Considerations