Authentication

Netleaf supports two modes: unauthenticated local mode for development, and bearer token auth for production.

Local mode

When LOCAL_MODE=true is set in apps/api/.env, all API key checks are skipped and every request is treated as authenticated. This is ideal for personal use on a private network.

bash
# apps/api/.env
LOCAL_MODE=true

Warning: Never expose local mode to the public internet. Use API keys for any externally accessible deployment.

Enabling auth

Set LOCAL_MODE=false to require a valid API key on every request. The web dashboard requires sign-in via email/password by default. Google OAuth is optional — set AUTH_GOOGLE_ID and AUTH_GOOGLE_SECRET to enable it.

bash
# apps/api/.env
LOCAL_MODE=false

# Restart after changing
docker compose restart api

API keys

Create keys from the dashboard at /dashboard/api-keys or via the management endpoint:

bash
curl -X POST http://localhost:3000/v1/keys \
  -H "Authorization: Bearer nl_existing_key" \
  -H "Content-Type: application/json" \
  -d '{"name": "production"}'

Note: The raw key (prefixed nl_) is shown only once at creation. Netleaf stores only the SHA-256 hash, so save the raw key somewhere safe immediately.

Using keys

Pass the key as a standard HTTP Bearer token on every request:

bash
curl -X POST http://localhost:3000/v1/scrape \
  -H "Authorization: Bearer nl_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com"}'

Missing or invalid keys return 401 Unauthorized.
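
The hash-only storage and Bearer check described above, sketched as an added example (not Netleaf's own code). The in-memory dict store, the random key body and the function names `create_key` and `authenticate` are assumptions made for illustration; only the `nl_` prefix, the SHA-256 storage, the local-mode bypass and the 401 response come from this page.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "nl_"  # prefix documented on this page


def create_key(store: dict, name: str) -> str:
    """Return the raw key once; persist only its SHA-256 hex digest."""
    # The length and alphabet of the key body are assumptions for this sketch.
    raw = KEY_PREFIX + secrets.token_urlsafe(32)
    store[hashlib.sha256(raw.encode()).hexdigest()] = name
    return raw


def authenticate(store: dict, authorization, local_mode: bool = False):
    """Return (HTTP status, key name) for an Authorization header value."""
    if local_mode:
        # LOCAL_MODE=true: key checks are skipped entirely.
        return 200, None
    if not authorization:
        return 401, None
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token.startswith(KEY_PREFIX):
        return 401, None
    digest = hashlib.sha256(token.encode()).hexdigest()
    name = None
    for stored, label in store.items():
        # Constant-time comparison of the presented digest with each stored one.
        if hmac.compare_digest(stored, digest):
            name = label
    return (200, name) if name is not None else (401, None)


if __name__ == "__main__":
    db = {}  # constructed stand-in for the key table
    key = create_key(db, "production")
    print("raw key (shown once):", key)
    print("stored rows:", db)  # digests only; the raw key is not recoverable
    print(authenticate(db, f"Bearer {key}"))
    print(authenticate(db, "Bearer nl_not_a_real_key"))
```

Because the store holds only digests, a lost raw key cannot be read back and has to be replaced with a newly created one.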