Authentication
Netleaf supports two modes: unauthenticated local mode for development, and bearer token auth for production.
Local mode
When LOCAL_MODE=true is set in apps/api/.env, all API key checks are skipped. Every request is treated as authenticated. Ideal for personal use on a private network.
# apps/api/.env
LOCAL_MODE=true
Warning: Never expose local mode to the public internet. Use API keys for any externally accessible deployment.
Enabling auth
Set LOCAL_MODE=false to require a valid API key on every request. The web dashboard requires sign-in via email/password by default. Google OAuth is optional — set AUTH_GOOGLE_ID and AUTH_GOOGLE_SECRET to enable it.
# apps/api/.env
LOCAL_MODE=false

# Restart after changing
docker compose restart api
API keys
Create keys from the dashboard at /dashboard/api-keys or via the management endpoint:
curl -X POST http://localhost:3000/v1/keys \
-H "Authorization: Bearer nl_existing_key" \
-H "Content-Type: application/json" \
-d '{"name": "production"}'

Note: The raw key (prefixed nl_) is shown only once at creation. Netleaf stores only the SHA-256 hash, so save the raw key somewhere safe immediately.
Using keys
Pass the key as a standard HTTP Bearer token on every request:
curl -X POST http://localhost:3000/v1/scrape \
-H "Authorization: Bearer nl_abc123..." \
-H "Content-Type: application/json" \
-d '{"url": "https://example.com"}'

Missing or invalid keys return 401 Unauthorized.
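The hash-only storage described under API keys and the 401 behaviour under Using keys, sketched as an added example (not Netleaf's own code). The in-memory store, the function names and the key length are assumptions; only the nl_ prefix, SHA-256, the Bearer scheme, the LOCAL_MODE bypass and the 401 response come from this page.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "nl_"  # prefix from the page; everything else here is assumed


def hash_key(raw_key: str) -> str:
    """SHA-256 hex digest: the only form of the key that is persisted."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def create_key(store: dict, name: str) -> str:
    """Generate a key, persist its hash, return the raw key exactly once."""
    raw_key = KEY_PREFIX + secrets.token_urlsafe(32)
    store[hash_key(raw_key)] = {"name": name}
    return raw_key  # not recoverable later: the store holds only the digest


def authenticate(store: dict, authorization, local_mode: bool = False):
    """Return (status, key_name) for an Authorization header value."""
    if local_mode:
        return 200, None  # LOCAL_MODE=true: all key checks are skipped
    if not authorization:
        return 401, None  # missing header
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token.startswith(KEY_PREFIX):
        return 401, None  # wrong scheme or malformed key
    candidate = hash_key(token)
    # Hash the presented key and compare digests; compare_digest avoids
    # leaking how many leading characters matched.
    for stored, meta in store.items():
        if hmac.compare_digest(stored, candidate):
            return 200, meta["name"]
    return 401, None  # unknown key
```

Because only digests are stored, a leaked key table does not hand out usable bearer tokens, and a lost raw key has to be replaced rather than looked up.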