Permissions & Client Access

DockLog separates who can see a container from who can act on it. Both checks must pass before an action is allowed.

Visibility

Visibility is controlled by each user's allowed_containers patterns. Admins see every container. Staff members see only containers that match at least one of their assigned patterns.

Actions

In auth mode, every action requires both the server-side ALLOW_* flag and the matching can_* flag on the account in the database. This applies to every account, admins included, so a disabled ALLOW_* flag cannot be overridden per user. In no-auth mode only the ALLOW_* environment variables are consulted.
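The two-layer check described above, written out as a small illustration. This is added example code, not DockLog's implementation: the flag names (ALLOW_RESTART, can_restart), the glob syntax for allowed_containers patterns, and the choice that nothing is filtered when there is no authenticated user are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class ServerConfig:
    """Server-side settings: the auth mode and the ALLOW_* environment flags."""
    auth_enabled: bool
    allow: dict[str, bool]  # assumed key format, e.g. {"ALLOW_RESTART": True}


@dataclass
class User:
    """An account as the database would hold it. Field names follow the page;
    the can_* key format and the glob pattern syntax are assumptions."""
    username: str
    is_admin: bool
    allowed_containers: list[str]  # visibility patterns, matched as shell-style globs
    can: dict[str, bool]           # assumed key format, e.g. {"can_restart": True}


def can_see(user: User | None, container: str) -> bool:
    """Visibility layer: admins see everything, staff need a matching pattern.
    Assumption: with no authenticated user (no-auth mode) nothing is filtered."""
    if user is None or user.is_admin:
        return True
    return any(fnmatchcase(container, pattern) for pattern in user.allowed_containers)


def can_act(user: User | None, action: str, cfg: ServerConfig) -> bool:
    """Action layer: the server ALLOW_<ACTION> flag is required in both modes;
    auth mode additionally requires the account's can_<action> flag, admins included."""
    if not cfg.allow.get(f"ALLOW_{action.upper()}", False):
        return False
    if not cfg.auth_enabled:
        return True
    return user is not None and user.can.get(f"can_{action}", False)


def authorize(user: User | None, container: str, action: str, cfg: ServerConfig) -> bool:
    """Both layers must pass before an action on a container is allowed."""
    return can_see(user, container) and can_act(user, action, cfg)


if __name__ == "__main__":
    # Constructed sample data: restart enabled server-wide, stop disabled.
    cfg = ServerConfig(auth_enabled=True, allow={"ALLOW_RESTART": True, "ALLOW_STOP": False})
    admin = User("root", True, [], {"can_restart": True, "can_stop": True})
    staff = User("ops", False, ["web-*"], {"can_restart": True, "can_stop": True})
    print(authorize(admin, "db-1", "restart", cfg))   # True
    print(authorize(admin, "db-1", "stop", cfg))      # False: ALLOW_STOP off blocks admins too
    print(authorize(staff, "web-2", "restart", cfg))  # True
    print(authorize(staff, "db-1", "restart", cfg))   # False: db-1 is not visible to staff
```

Note the ordering inside authorize: an invisible container fails before the action flags are even consulted, so a staff member probing an action endpoint learns nothing about which actions are enabled for containers outside their patterns.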

Sessions & API access

Login returns an access token (valid for 24 hours) and a refresh token (valid for 30 days). Native clients can call POST /api/token/refresh with the refresh_token to obtain a fresh pair of both tokens without re-entering credentials; since both are rotated, store the newly issued refresh token in place of the old one.

Failed login attempts are rate-limited to 10 failures per IP address within a 15-minute window. The public GET /api/config endpoint returns the auth mode and the current ALLOW_* flags without a token, so anyone who can reach the server can learn which actions are enabled; treat that information as public.
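A limiter implementing the 10-failures-per-15-minutes rule, as an added example rather than DockLog's own code. It assumes a sliding window keyed by client IP and that the attempt after the tenth failure is the first one refused; the page states the numbers but not the window type or the exact cut-off, so both are assumptions here. The clock is passed in explicitly so the behaviour can be checked without waiting.

```python
from __future__ import annotations

from collections import defaultdict, deque


class LoginFailureLimiter:
    """Sliding-window limiter: once max_failures bad logins from one IP fall
    inside window_seconds, further attempts from that IP are refused until
    the oldest failure ages out. Window type and cut-off are assumptions."""

    def __init__(self, max_failures: int = 10, window_seconds: float = 15 * 60):
        self.max_failures = max_failures
        self.window = window_seconds
        # per-IP timestamps of recent failures, oldest first
        self._failures: dict[str, deque[float]] = defaultdict(deque)

    def _recent(self, ip: str, now: float) -> deque[float]:
        """Drop failures older than the window and return what remains."""
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, ip: str, now: float) -> bool:
        """Check this before verifying credentials; True means refuse the attempt."""
        return len(self._recent(ip, now)) >= self.max_failures

    def record_failure(self, ip: str, now: float) -> None:
        """Call after a credential check fails."""
        self._recent(ip, now).append(now)


def simulate() -> list[bool]:
    """Constructed scenario: ten failures in one second from one IP, then a probe
    from that IP, a probe from a different IP, and a probe once the window has
    passed. Returns the three is_blocked results: [True, False, False]."""
    lim = LoginFailureLimiter()
    t0 = 1_700_000_000.0
    for i in range(10):
        lim.record_failure("203.0.113.7", t0 + i * 0.1)
    return [
        lim.is_blocked("203.0.113.7", t0 + 1.0),          # eleventh attempt: refused
        lim.is_blocked("198.51.100.9", t0 + 1.0),         # other IP unaffected
        lim.is_blocked("203.0.113.7", t0 + 15 * 60 + 1),  # window elapsed: allowed again
    ]


if __name__ == "__main__":
    print(simulate())
```

Because the limit is per IP, clients behind one NAT or proxy share a bucket, and a deployment behind a reverse proxy must pass the real client address through or every user will be counted against the proxy's IP.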

WebSocket connections authenticate with either an Authorization: Bearer <token> header or, for browsers (whose WebSocket API cannot set custom request headers on the upgrade), the subprotocol form Sec-WebSocket-Protocol: docklog-auth, <token>.
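Server-side extraction of the token from an upgrade request, accepting both forms. This is an added example and not DockLog's code; the Authorization header taking precedence when both are present is an assumption. It also returns the subprotocol the server should select in its 101 response: a browser fails the handshake if it offered subprotocols and the server selects none, so the server must echo docklog-auth back (a WebSocket protocol requirement, not something the page states).

```python
from __future__ import annotations

DOCKLOG_SUBPROTOCOL = "docklog-auth"


def extract_ws_token(headers: dict[str, str]) -> tuple[str | None, str | None]:
    """Return (token, subprotocol_to_select) for a WebSocket upgrade request.

    Header names are matched case-insensitively. A Bearer Authorization header
    wins (assumption); otherwise "Sec-WebSocket-Protocol: docklog-auth, <token>"
    is parsed, and the caller must select "docklog-auth" in the 101 response.
    (None, None) means no credential was presented.
    """
    h = {name.lower(): value for name, value in headers.items()}

    scheme, _, credential = h.get("authorization", "").strip().partition(" ")
    if scheme.lower() == "bearer" and credential.strip():
        return credential.strip(), None

    # The header is a comma-separated list of offered subprotocols; the token
    # rides along as the entry after "docklog-auth".
    offered = [p.strip() for p in h.get("sec-websocket-protocol", "").split(",") if p.strip()]
    if DOCKLOG_SUBPROTOCOL in offered:
        i = offered.index(DOCKLOG_SUBPROTOCOL)
        if i + 1 < len(offered):
            return offered[i + 1], DOCKLOG_SUBPROTOCOL
    return None, None


if __name__ == "__main__":
    # Constructed upgrade headers (no real tokens).
    print(extract_ws_token({"Authorization": "Bearer tok.native.client"}))
    print(extract_ws_token({"Sec-WebSocket-Protocol": "docklog-auth, tok.browser.client"}))
    print(extract_ws_token({"Sec-WebSocket-Protocol": "docklog-auth"}))  # marker without token
```

The subprotocol carries the token in a request header just as Authorization does, so it has the same exposure: it travels in the clear unless the connection is TLS, and it may land in any proxy or access logs that record request headers.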
