docs: align gateway auth docs with config schema

William Valentin
2026-02-15 11:22:59 -08:00
parent e159476d31
commit 4e28ca7c8f
3 changed files with 28 additions and 9 deletions
+3 -3
@@ -115,7 +115,7 @@ Common close codes:
### Bearer Token Auth ### Bearer Token Auth
If `gateway.auth.token` is configured, all WebSocket connections must provide authentication: If `server.token` is configured, all WebSocket connections must provide authentication:
```javascript ```javascript
const ws = new WebSocket('ws://localhost:18800', { const ws = new WebSocket('ws://localhost:18800', {
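Review bot: The Bearer Token Auth sentence now names `server.token`, but nothing tells a reader who followed the earlier text and set `gateway.auth.token` that the key has moved. If the config loader ignores unknown keys (not visible in this diff), such a deployment would run with no token configured and accept unauthenticated WebSocket connections. Suggest one line after this sentence stating how the old `gateway.auth.*` names are handled (rejected at startup, silently ignored, or still accepted).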
@@ -127,7 +127,7 @@ const ws = new WebSocket('ws://localhost:18800', {
### Tailscale Identity ### Tailscale Identity
If `gateway.auth.trustTailscaleIdentity` is enabled, connections from Tailscale are trusted based on the `Tailscale-User-Login` header. If `server.tailscale_identity` is enabled, connections from Tailscale are trusted based on the `Tailscale-User-Login` header.
```javascript ```javascript
// Automatic when connecting via Tailscale // Automatic when connecting via Tailscale
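Review bot: The Tailscale Identity sentence says connections are trusted based on the `Tailscale-User-Login` header but does not say under what conditions the gateway honors that header. A request header is only as trustworthy as the hop that set it, so the docs should state the required topology next to `server.tailscale_identity`, for example that the gateway listens only on loopback behind the Tailscale proxy that injects the header, and that the header is ignored on any other path. The "Automatic when connecting via Tailscale" comment is the natural place for that caveat.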
@@ -136,7 +136,7 @@ If `gateway.auth.trustTailscaleIdentity` is enabled, connections from Tailscale
### HTTP Auth ### HTTP Auth
If `gateway.auth.applyToHttp` is `true` (default when token is set), HTTP requests also require bearer token: If `server.auth_http` is `true` (default: true), HTTP requests also require bearer token when `server.token` is set:
```javascript ```javascript
fetch('http://localhost:18800/api/health', { fetch('http://localhost:18800/api/health', {
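Review bot: The reworded HTTP Auth sentence puts the condition "when `server.token` is set" at the end, which leaves the other case implicit: with `server.auth_http: true` and no token, HTTP requests are presumably not authenticated at all. State that explicitly, since a reader can take "default: true" to mean the HTTP API is protected out of the box. Minor: "require bearer token" should read "require a bearer token".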
+20 -6
@@ -289,12 +289,11 @@ rm /tmp/anthropic_key.txt
```yaml ```yaml
# config/production.yaml # config/production.yaml
gateway: server:
enabled: true token: 'your-random-token-here' # Generate with: openssl rand -hex 32
auth: tailscale_identity: true
token: 'your-random-token-here' # Generate with: openssl rand -hex 32 auth_http: true
trustTailscaleIdentity: true lock: false
applyToHttp: true
``` ```
Generate a secure token: Generate a secure token:
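Review bot: The new `server:` block adds `lock: false`, which the commit title and the surrounding text do not explain and which had no counterpart in the old `gateway:` block. Keys in a production example tend to be copied verbatim, so either add an inline comment saying what `lock` controls and why `false` is the right production value, or drop the line. The removed `enabled: true` also has no stated replacement; say whether the gateway is now always on.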
@@ -302,6 +301,21 @@ Generate a secure token:
openssl rand -hex 32 openssl rand -hex 32
``` ```
#### Safe Defaults (Recommended)
These defaults align with `docs/security/SAFE_PERSONAL_AGENT.md`:
```yaml
pairing:
enabled: true
tools:
profile: messaging
sandbox:
enabled: true
```
#### Channel Whitelists #### Channel Whitelists
Restrict who can interact with Flynn: Restrict who can interact with Flynn:
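Review bot: The Safe Defaults section lists `pairing.enabled`, `tools.profile: messaging` and `sandbox.enabled` without saying what each one restricts or which file they belong in (the preceding block is labelled `# config/production.yaml`, this one is not). "Defaults" is also ambiguous: if these are the built-in values, say the snippet is shown for reference only; if they are not, say they must be set. One line per key plus the file comment would do, leaving the detail to `docs/security/SAFE_PERSONAL_AGENT.md`.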
+5
@@ -14,6 +14,11 @@
"date": "2026-02-15", "date": "2026-02-15",
"summary": "Added docs/architecture/GATEWAY_SESSIONS_AND_QUEUE.md to document how gateway connectionIds map to durable sessionIds, how per-session FIFO lane queueing works, and how agent.cancel behaves." "summary": "Added docs/architecture/GATEWAY_SESSIONS_AND_QUEUE.md to document how gateway connectionIds map to durable sessionIds, how per-session FIFO lane queueing works, and how agent.cancel behaves."
}, },
"docs-gateway-auth-config-keys": {
"status": "completed",
"date": "2026-02-15",
"summary": "Docs fix: updated docs/api/PROTOCOL.md and docs/deployment/PRODUCTION.md to use the current config schema keys for gateway auth (server.token/server.tailscale_identity/server.auth_http) and added a short safe-defaults snippet (pairing/tools.profile/sandbox)."
},
"openclaw-gap-roadmap": { "openclaw-gap-roadmap": {
"file": "2026-02-15-openclaw-gap-roadmap.md", "file": "2026-02-15-openclaw-gap-roadmap.md",
"status": "planned", "status": "planned",