openreader/docs-site/docs/configure/auth.md
Richard R 3a21f2a5f5 refactor(config): migrate compute and runtime env vars to new naming scheme
- Replace `OPENREADER_COMPUTE_MODE` and related variables with `COMPUTE_MODE`
- Replace `OPENREADER_*` PDF/Whisper model URLs with `PDF_LAYOUT_MODEL_BASE_URL` and `WHISPER_MODEL_BASE_URL`
- Remove legacy `NEXT_PUBLIC_*` runtime config seeds in favor of `RUNTIME_SEED_*`
- Update documentation, code, and environment references to match new variable names
- Remove deprecated `scripts/fetch-models.mjs` and related npm script
- Update runtime config SSR injection from `window.__OPENREADER_RUNTIME_CONFIG__` to `window.__RUNTIME_CONFIG__`
- Adjust Next.js config to use new compute mode env var and optimize output file tracing for ONNX dependencies

BREAKING CHANGE: Environment variable names for compute mode, model URLs, and runtime config seeding have changed. Update `.env` files and deployment configs to use `COMPUTE_MODE`, `PDF_LAYOUT_MODEL_BASE_URL`, `WHISPER_MODEL_BASE_URL`, and `RUNTIME_SEED_*` as appropriate. Legacy `OPENREADER_*` and `NEXT_PUBLIC_*` variables are no longer supported.
2026-05-19 13:27:07 -06:00

3.1 KiB

title
Auth

This page covers application-level configuration for provider access and authentication.

Auth behavior

  • Auth is enabled only when both BASE_URL and AUTH_SECRET are set.
  • Remove either value to disable auth.
  • Keep AUTH_TRUSTED_ORIGINS empty to trust only BASE_URL.
  • Anonymous auth sessions are disabled by default.
  • Set USE_ANONYMOUS_AUTH_SESSIONS=true to enable anonymous session flows.

Runtime modes

OpenReader effectively has three common runtime modes:

  • Auth disabled (BASE_URL or AUTH_SECRET unset): no admin panel. Shared providers can still exist via first-boot seeding (API_KEY/API_BASE), but you cannot manage them in-app.
  • Auth enabled, non-admin user: user account/session features are available, but no admin controls.
  • Auth enabled, admin user: full Settings → Admin access (shared providers + site features).

Admin role

When auth is enabled, you can designate one or more users as admins via the ADMIN_EMAILS env var:

ADMIN_EMAILS=alice@example.com,bob@example.com

Admins see a new Admin tab in Settings with two sub-tabs:

  • Shared TTS providers — server-managed TTS provider instances with encrypted keys, visible to all users.
  • Site features — runtime overrides for what were previously build-time public env flags (including account signup availability, default TTS provider, audiobook export, etc.).

Admin assignment is reconciled on every session resolution, so removing an email from ADMIN_EMAILS demotes the user on next login without a restart. See Admin Panel for the full reference.

Route behavior

  • / is a public landing/onboarding page and remains indexable.
  • /app is the protected app home (document list and uploader UI).
  • If auth is enabled and a valid session exists (including anonymous), visiting / redirects to /app.
  • Protected app routes continue to require auth; when anonymous sessions are disabled and no session exists, users are redirected to /signin.

Sync notes

Auth enabled

  • Settings and reading progress are saved to the server.
  • Updates are not instant push-based sync; they use normal client polling/refresh behavior.
  • If two devices change the same item around the same time, the newest update wins.

Auth disabled

  • Settings and reading progress stay local in the browser (Dexie/IndexedDB).
  • This avoids no-auth cross-browser conflicts, but there is no cross-device sync.

Claim modal note

  • You may still see old anonymous settings/progress available to claim from older deployments.