Openinary uses Better Auth v1.5 with a SQLite backend. The API supports two authentication methods: session-based login for the web dashboard and API key authentication for programmatic access.
Database
All auth data is stored in a single SQLite file at /data/auth.db (configurable via DB_PATH).
On startup, scripts/secure-db.sh automatically sets the file permissions to 600 (owner read/write only).
| Table | Contents |
|---|---|
| user | Accounts — passwords bcrypt-hashed |
| session | Web sessions |
| apiKey | API keys — hashed before storage |
| account | OAuth providers |
| verification | Email/phone verification tokens |
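An added example, not part of Openinary's own code: a Python audit of the auth database that checks the 600 mode described above on the file at DB_PATH. As assumptions beyond the page, it also checks SQLite's -wal/-shm sidecar files and the parent directory, and runs SQLite's built-in PRAGMA integrity_check; the function name audit_auth_db is hypothetical.

```python
import os
import sqlite3
import stat
from pathlib import Path


def audit_auth_db(db_path=None):
    """Return a list of findings for the auth database; an empty list means clean."""
    db_path = db_path or os.environ.get("DB_PATH", "/data/auth.db")
    if not os.path.isfile(db_path):
        return [f"{db_path}: not found"]
    findings = []
    # Main file plus SQLite's WAL/shared-memory sidecars, which can hold the same rows.
    for path in (db_path, db_path + "-wal", db_path + "-shm"):
        if os.path.exists(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:  # any group/other permission bit is set
                findings.append(f"{path}: mode {mode:03o}, expected 600")
    # A world-writable directory lets other local users replace or delete the file.
    parent = Path(db_path).resolve().parent
    if stat.S_IMODE(parent.stat().st_mode) & 0o002:
        findings.append(f"{parent}: directory is world-writable")
    # Open read-only so the audit itself can never modify the database.
    try:
        con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
        try:
            rows = [r[0] for r in con.execute("PRAGMA integrity_check")]
        finally:
            con.close()
    except sqlite3.DatabaseError as exc:
        rows = [str(exc)]
    # SQLite reports a healthy database as the single row "ok".
    if rows != ["ok"]:
        findings.extend(f"{db_path}: integrity check: {r}" for r in rows)
    return findings


if __name__ == "__main__":
    problems = audit_auth_db()
    print("\n".join(problems) if problems else "auth database: ok")
    raise SystemExit(1 if problems else 0)
```

Run it as the user that owns the database file; a non-zero exit status makes it usable as a cron or container health check.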
API keys
Getting your first key
- Fullstack mode (default)
- API-only mode
- Visit /setup to create your admin account.
- Go to /api-keys in the dashboard to create your first key.
Using a key
Pass it in the Authorization header:
Best practices
- Store keys in environment variables, never in source code.
- Create a separate key per service or environment.
- Set an expiration when creating keys (expiresIn in seconds).
- Rotate keys regularly; disable unused ones promptly.
API routes and rate limiting
For the full list of routes and their auth requirements, see the API Reference. Rate limiting defaults and configuration options are also documented there.
Docker security
- Containers run as the node user (non-root) to limit blast radius.
- The /data volume should be mounted with appropriate host permissions.
Incident response
Compromised API key
Database integrity check
ok. If it reports errors, restore from your most recent backup and restart.
Additional resources
Better Auth
Official Better Auth documentation.
API Key Plugin
Better Auth API Key plugin reference.