Skip to main content

Admin authentication

Admin endpoints require a bearer token in the Authorization header.

Authorization: Bearer <api-key>

Scopesโ€‹

  • admin - full access
  • read_only - read-only access to admin endpoints

Primary credential: MASTER_KEYโ€‹

The primary admin credential is the MASTER_KEY. Run ferrogw init to generate one, then export it before starting the gateway:

export MASTER_KEY="ferro-..."   # generated by `ferrogw init`

Use the MASTER_KEY as the bearer token to access admin endpoints (full admin scope). From there you can issue scoped, persistent API keys via POST /admin/keys for admin or read_only access.

Deprecated: bootstrap keys

The legacy ADMIN_BOOTSTRAP_KEY / ADMIN_BOOTSTRAP_READ_ONLY_KEY env vars are deprecated and emit deprecation warnings at startup. They are honored only on first run while the API key store is empty and MASTER_KEY is unset:

export ADMIN_BOOTSTRAP_KEY=change-me
export ADMIN_BOOTSTRAP_READ_ONLY_KEY=change-me
export ADMIN_BOOTSTRAP_ENABLED=true

Use MASTER_KEY instead.