Skip to content

Authentication

Fabricator includes a built-in single-operator login. It is enabled by default for both native and Docker installs.

On first boot, when no credential exists yet, Fabricator enters setup mode and redirects every dashboard route to /setup. Create the operator password there. Until setup completes, only the setup and auth-status endpoints are reachable.

The first password must be at least 8 characters. After setup, the browser session is logged in automatically.

Fabricator stores auth state in auth.json next to servers.json:

Install typePath
Native systemd/var/lib/fabricator/auth.json
Docker/data/auth.json

The file contains the hashed operator password and the session SECRET_KEY. Fabricator writes it with 0600 permissions where POSIX file modes are available.

Precedence is:

  • Password: FABRICATOR_AUTH_PASSWORD_HASH environment variable, then auth.json, then setup mode.
  • Session key: SECRET_KEY environment variable, then auth.json, then generated on first boot.

For automation, generate a password hash and place it in the environment before starting Fabricator.

Native install:

Terminal window
fabricator hash-password

Docker or source checkout:

Terminal window
python -m backend.auth hash

Then set:

FABRICATOR_AUTH_PASSWORD_HASH=<generated-hash>

When the password is env-managed, the dashboard cannot change it because the environment value always wins. Replace the env var and restart Fabricator to rotate it.

When the password is stored in auth.json, use Change password in the dashboard header. You must enter the current password.

If you are locked out, stop Fabricator, delete auth.json, and start it again. Fabricator returns to setup mode so you can create a new password. This resets only the login/session state; server data remains untouched.

Disable auth only if another trusted layer protects Fabricator, such as reverse-proxy SSO, VPN-only access, or a private firewall:

FABRICATOR_DISABLE_AUTH=1

For browser access through HTTPS, set the session cookie’s Secure flag:

FABRICATOR_SESSION_COOKIE_SECURE=1

Do this only when TLS is terminated in front of Fabricator; plain HTTP access will not receive Secure cookies.