Openinary uses Better Auth v1.5 with a SQLite backend. The API supports two authentication methods: session-based login for the web dashboard and API key authentication for programmatic access.

Database

All auth data is stored in a single SQLite file at /data/auth.db (configurable via DB_PATH). On startup, scripts/secure-db.sh automatically sets the file permissions to 600 (owner read/write only).
Table          Contents
user           Accounts — passwords bcrypt-hashed
session        Web sessions
apiKey         API keys — hashed before storage
account        OAuth providers
verification   Email/phone verification tokens

API keys

Getting your first key

  1. Visit /setup to create your admin account.
  2. Go to /api-keys in the dashboard to create your first key.

Using a key

Pass it in the Authorization header:
curl -H "Authorization: Bearer sk_your_key_here" \
  http://localhost:3000/upload

Best practices

  • Store keys in environment variables, never in source code.
  • Create a separate key per service or environment.
  • Set an expiration when creating keys (expiresIn in seconds).
  • Rotate keys regularly; disable unused ones promptly.

API routes

Method   Route                       Auth
GET      /                           Public
GET      /health                     Public
GET      /t/*                        Public
GET      /download/*                 Public
GET      /authenticated/*            Public (signature-verified)
GET      /video-status/*             Public
GET      /video-status/*/size        Public
GET      /video-status/stats         Public
GET      /queue/events               Public
GET      /health/database            Protected
POST     /upload                     Protected
GET      /storage                    Protected
GET      /storage/*/metadata         Protected
DELETE   /storage/*                  Protected
DELETE   /invalidate/*               Protected
POST     /api-keys/create            Protected
GET      /api-keys/list              Protected
DELETE   /api-keys/:keyId            Protected
PATCH    /api-keys/:keyId            Protected
GET      /queue/stats                Protected
GET      /queue/jobs                 Protected
POST     /queue/jobs/:id/retry       Protected
POST     /queue/jobs/:id/cancel      Protected
DELETE   /queue/jobs/:id             Protected
GET      /queue/worker/stats         Protected

Protected routes require Authorization: Bearer <API_KEY>.

Rate limiting

Public routes (/t/*, /health, etc.) are rate-limited to 100 requests per 60-second window per IP by default. Adjust with PUBLIC_RATE_LIMIT_MAX and PUBLIC_RATE_LIMIT_WINDOW_MS.
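The snippet below is an added example of the per-IP fixed-window limiter this section describes (100 requests per 60 s by default, tuned through PUBLIC_RATE_LIMIT_MAX and PUBLIC_RATE_LIMIT_WINDOW_MS). It is not Openinary's own middleware; the function names, the bucket layout and the request shape are assumptions for this illustration. It goes one step beyond the paragraph by also encoding the public/protected split from the routes table above, so that only public GET routes are counted against the limit and everything else is left to the API key check.

```javascript
// Added example of the per-IP, fixed-window limiter applied to public routes.
// Not Openinary's code: function names, bucket layout and request shape are
// assumptions. The two env variable names and defaults are the documented ones.
const DEFAULT_MAX = 100;
const DEFAULT_WINDOW_MS = 60_000;

// Read the two documented variables, falling back to the defaults on
// anything that is not a positive integer.
function limiterConfig(env = process.env) {
  const parse = (value, fallback) => {
    const n = Number.parseInt(value ?? '', 10);
    return Number.isInteger(n) && n > 0 ? n : fallback;
  };
  return {
    max: parse(env.PUBLIC_RATE_LIMIT_MAX, DEFAULT_MAX),
    windowMs: parse(env.PUBLIC_RATE_LIMIT_WINDOW_MS, DEFAULT_WINDOW_MS),
  };
}

// Public GET routes from the "API routes" table. Exact paths and prefixes are
// kept apart so that /health stays public while /health/database stays
// protected, and /queue/events stays public while /queue/stats stays protected.
const PUBLIC_EXACT = new Set(['/', '/health', '/queue/events']);
const PUBLIC_PREFIXES = ['/t/', '/download/', '/authenticated/', '/video-status/'];

function isPublicRoute(method, path) {
  if (method !== 'GET') return false;
  if (PUBLIC_EXACT.has(path)) return true;
  return PUBLIC_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// One counter per client IP, reset once its window has elapsed.
function createPublicRateLimiter(config = limiterConfig()) {
  const buckets = new Map(); // ip -> { windowStart, count }
  return {
    // Decide for one request; returns { allowed, remaining, retryAfterMs }.
    check(ip, now = Date.now()) {
      let bucket = buckets.get(ip);
      if (!bucket || now - bucket.windowStart >= config.windowMs) {
        bucket = { windowStart: now, count: 0 };
        buckets.set(ip, bucket);
      }
      if (bucket.count >= config.max) {
        return { allowed: false, remaining: 0, retryAfterMs: bucket.windowStart + config.windowMs - now };
      }
      bucket.count += 1;
      return { allowed: true, remaining: config.max - bucket.count, retryAfterMs: 0 };
    },
    // Drop idle buckets so the map does not grow with every IP ever seen.
    sweep(now = Date.now()) {
      for (const [ip, bucket] of buckets) {
        if (now - bucket.windowStart >= config.windowMs) buckets.delete(ip);
      }
      return buckets.size;
    },
  };
}

// Glue: public routes are rate-limited; anything else is handed to the
// API key check. Returns 'ok', 'rate_limited' or 'protected'.
function handle(limiter, { method, path, ip }, now = Date.now()) {
  if (!isPublicRoute(method, path)) return 'protected';
  return limiter.check(ip, now).allowed ? 'ok' : 'rate_limited';
}

// Usage with the documented defaults (100 per 60 s):
const limiter = createPublicRateLimiter(limiterConfig({}));
console.log(handle(limiter, { method: 'GET', path: '/t/example', ip: '203.0.113.7' }));
```

A fixed window lets a client spend up to 2x the limit across a window boundary; that is acceptable for a cache-style public endpoint but worth knowing when you lower PUBLIC_RATE_LIMIT_MAX expecting a hard ceiling. The `retryAfterMs` value is what you would surface in a Retry-After header on the 429 response.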

Docker security

  • Containers run as the node user (non-root) to limit blast radius.
  • The /data volume should be mounted with appropriate host permissions.

Incident response

  1. Disable the key: go to /api-keys in the dashboard and disable or delete the key immediately.
  2. Review logs:
     docker logs openinary_api | grep "api_key.success"
  3. Issue a replacement: create a new key and update all services that used the compromised one.

docker exec openinary_api sqlite3 /app/data/auth.db "PRAGMA integrity_check;"

A healthy database returns ok. If it reports errors, restore from your most recent backup and restart.

Additional resources

Better Auth

Official Better Auth documentation.

API Key Plugin

Better Auth API Key plugin reference.