Authsome can run as a small shared internal service: one daemon, one vault, multiple developer machines pointed at it. This page covers when that shape is appropriate, how to configure it, and what is still missing before it should be treated as production-grade.
Documentation Index
Fetch the complete documentation index at: https://authsome.agentr.dev/docs/llms.txt
Use this file to discover all available pages before exploring further.
When hosted mode is appropriate
Approved only when all of these are true:
- The daemon lives on a trusted private network (VPC, VPN, overlay network, or a dedicated subnet).
- One shared vault for the team is acceptable. There is no per-user tenant isolation in v1.
- Operators understand that the network is the primary access-control boundary.
- The deployment is internal. Not internet-facing.
Configuration
Two environment variables drive hosted deployments, each set on a different side, plus a third that fixes where the daemon keeps its state.
| Variable | Set on | Value | Purpose |
|---|---|---|---|
| AUTHSOME_SERVER_BASE_URL | Daemon host | The canonical external URL the daemon advertises. | Browser-facing URLs and OAuth callbacks are built from this. |
| AUTHSOME_DAEMON_URL | Client (CLI, proxy) | Full URL of the hosted daemon. | Points the CLI at a non-local daemon and suppresses the auto-start of a local one. |
| AUTHSOME_HOME | Daemon host (usually) | Path to the shared ~/.authsome/ directory. | Must be on persistent disk. The vault, master key, providers, and audit log all live here. |
On the daemon host
Set AUTHSOME_SERVER_BASE_URL to the URL that clients and browsers will actually use to reach the daemon, and AUTHSOME_HOME to the persistent directory that holds the vault. Leave AUTHSOME_DAEMON_URL unset here.
On client machines
Set AUTHSOME_DAEMON_URL to the hosted daemon's URL (a non-local host). Client machines do not need AUTHSOME_SERVER_BASE_URL.
OAuth callback URL
For PKCE flows in hosted mode, the OAuth callback URL is the daemon-side base URL (AUTHSOME_SERVER_BASE_URL) with the /auth/callback/oauth path appended:
<AUTHSOME_SERVER_BASE_URL>/auth/callback/oauth
Register that URL with every OAuth provider. The local-mode default (http://127.0.0.1:7998/auth/callback/oauth) does not apply to hosted deployments: the provider would redirect the user's browser to its own loopback, never to the daemon.
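The two sides of the configuration above, and the callback URL derived from the daemon-side base URL, as an added example. This is not authsome's own tooling; the hostnames in the comments and test are placeholders, and the only facts it relies on are the three variable names and the /auth/callback/oauth path from this page.

```shell
#!/bin/sh
# Added example, not part of authsome: sanity-check hosted-mode environment
# variables on each side and derive the OAuth callback URL to register.

# Callback path from the page. The base URL is whatever AUTHSOME_SERVER_BASE_URL advertises.
AUTHSOME_CALLBACK_PATH="/auth/callback/oauth"

# Return 0 if the URL is an absolute http(s) URL whose host is not loopback.
# A loopback host is the local-mode default and is always wrong in hosted mode.
is_nonlocal_url() {
  url="$1"
  case "$url" in
    http://*|https://*) ;;
    *) return 1 ;;
  esac
  hostport="${url#*://}"       # drop the scheme
  hostport="${hostport%%/*}"   # drop any path
  case "$hostport" in
    127.*|localhost|localhost:*|0.0.0.0|0.0.0.0:*|"[::1]"|"[::1]":*) return 1 ;;
  esac
  return 0
}

# Print the callback URL every OAuth provider must be registered with.
# Trailing slashes on the base URL are removed so the path is not doubled.
oauth_callback_url() {
  base="$1"
  while [ "${base%/}" != "$base" ]; do base="${base%/}"; done
  printf '%s%s\n' "$base" "$AUTHSOME_CALLBACK_PATH"
}

# Daemon side: a non-loopback advertised URL and an existing AUTHSOME_HOME directory.
check_daemon_host_env() {
  if ! is_nonlocal_url "${AUTHSOME_SERVER_BASE_URL:-}"; then
    echo "AUTHSOME_SERVER_BASE_URL must be a non-loopback http(s) URL" >&2
    return 1
  fi
  if [ ! -d "${AUTHSOME_HOME:-}" ]; then
    echo "AUTHSOME_HOME must be an existing directory on persistent disk" >&2
    return 1
  fi
  return 0
}

# Client side: AUTHSOME_DAEMON_URL must point at the hosted daemon, otherwise the
# CLI falls back to auto-starting a local daemon and silently uses a local vault.
check_client_env() {
  if ! is_nonlocal_url "${AUTHSOME_DAEMON_URL:-}"; then
    echo "AUTHSOME_DAEMON_URL must point at the hosted daemon" >&2
    return 1
  fi
  return 0
}
```

Run `check_daemon_host_env` from the daemon's service environment and `check_client_env` on each developer machine before debugging anything else; a client that passes the check but still sees an empty vault is talking to a different daemon than the one whose AUTHSOME_HOME you expect.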
Trust model in hosted mode
Hosted mode widens the trust boundary from "the local machine" to "the private network the daemon sits on". Two consequences:
1. Filesystem access to the daemon host matters as much as network access. Anyone who can read both the encrypted SQLite store and master.key can decrypt the vault. Anyone who can SSH onto the daemon host, become the daemon user, and read both files has the equivalent of full credential access.
2. There is no per-user authentication inside authsome yet. Any client that can reach the daemon URL can call every route. Restrict ingress at the network layer:
- Place the daemon behind a private IP, VPN, or overlay network.
- Restrict ingress to known operator and client machines.
- Terminate TLS at a private reverse proxy if you need a stable HTTPS URL.
Operational checklist
| Check | Reason |
|---|---|
| AUTHSOME_HOME is on a persistent disk | The vault and master key must survive daemon restarts. |
| Snapshots or backups of AUTHSOME_HOME are configured | Disk loss = credential loss. Encrypted records cannot be recovered without master.key. |
| Backups treat master.key and store.db with the same care | Together they decrypt records. Same security posture as raw credentials. |
| The daemon is reachable only from approved CIDRs or VPN | Network is the access-control boundary. |
| OAuth callback URLs in every provider are updated | Local-mode callback URLs do not work in hosted mode. |
| The daemon user has minimal privileges | The daemon does not need to be root. |
| Logs are forwarded off-host | Audit events live in audit.log under AUTHSOME_HOME. |
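The filesystem half of the trust model and the first three checklist rows come down to one rule: store.db and master.key are a pair, and whoever can read both has the vault. The script below, added here as an example and not authsome's own tooling, audits the permissions on that pair under a given AUTHSOME_HOME and bundles the pair (plus audit.log, if present) into a single owner-only archive so that a backup never separates them. The file names are the ones this page lists; the expected modes (600 for the files, 700 for the directory) are a recommendation, not something the daemon enforces.

```shell
#!/bin/sh
# Added example, not part of authsome: audit the secret files under
# AUTHSOME_HOME and back them up as one unit.

# Octal permission bits of a path, e.g. 600. `stat -c` is GNU; `stat -f` is BSD/macOS.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if store.db and master.key both exist and are readable by the
# owner alone, and the directory itself is not traversable by other users.
# Any finding is printed to stderr; the function keeps going so one run lists them all.
audit_authsome_home() {
  home="$1"
  rc=0
  for f in store.db master.key; do
    p="$home/$f"
    if [ ! -f "$p" ]; then
      echo "missing: $p" >&2
      rc=1
      continue
    fi
    mode=$(file_mode "$p")
    case "$mode" in
      600|400) ;;
      *) echo "too permissive: $p is mode $mode, expected 600" >&2; rc=1 ;;
    esac
  done
  dmode=$(file_mode "$home")
  case "$dmode" in
    700) ;;
    *) echo "too permissive: $home is mode $dmode, expected 700" >&2; rc=1 ;;
  esac
  return $rc
}

# Bundle store.db and master.key (and audit.log when present) into one archive
# created with umask 077, so the backup has the same posture as the originals.
# Keeping them in one artifact stops master.key from being treated as "just a
# small file" and copied somewhere less protected than the store.
backup_authsome_home() {
  home="$1"
  out="$2"
  files="store.db master.key"
  if [ -f "$home/audit.log" ]; then files="$files audit.log"; fi
  # shellcheck disable=SC2086  # word splitting of $files is intended
  ( umask 077 && tar -C "$home" -cf "$out" $files ) || return 1
  chmod 600 "$out"
}
```

Run `audit_authsome_home "$AUTHSOME_HOME"` as the daemon user from a cron job or a deploy hook and alert on a non-zero exit. The archive `backup_authsome_home` writes is still plaintext key material as far as your backup system is concerned: encrypt it at rest and restrict who can restore it exactly as you would a file of raw credentials.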
What’s still missing
Hosted v1 deliberately keeps the trust model simple. Before hosted authsome should be treated as an internet-facing or multi-tenant service, the following must land:
- Real per-user authentication inside the daemon.
- Tenant separation between users sharing the same daemon.
- Persistent browser-session storage (today, sessions are in-memory and lost on restart).
- A built-in admin secret or bearer token gate.
- Browser-form session hardening (CSRF, replay protection).
What’s next
- The local daemon: the daemon's lifecycle and routes.
- Daemon trust boundary: what the v1 model protects against, and what it doesn't.
- Environment variables: every variable authsome reads, writes, or injects.
- Daemon issues: port conflicts, lost sessions, and restart behavior.