🚀 Feature: Bootstrap Admin API Key #126

New Issue

AtHeartEngineer · 2025-07-08T08:40:32-04:00

AtHeartEngineer commented

2025-07-08 08:40:32 -04:00

Originally created by @nicholascioli on 5/29/2025

Feature description

Externally managing Pocket ID (either through terraform, ansible, and the like) can be difficult without manually bootstrapping an admin user, a passkey for the admin user, and then an API key for accessing the management API. This can be overkill, especially in cases where Pocket ID will be entirely managed externally. It would be nice if there existed a configuration option for a static and always valid API token that an external system could use to manage all aspects of Pocket ID.

Pitch

External management of core infrastructure is typically handled through infrastructure-as-code resources using tooling like ansible or kubernetes operators. These external managers usually replace the need for a dedicated admin user and allow for tighter control over configuration and access control. Needing to bootstrap an admin user complicates this process and introduces more avenues for error. Other software that implements something similar to this are listed below:

Consul supports a bootstrap token for its ACL system
Garage allows specifying the admin token
Rauthy allows setting the bootstrap admin user / pass (there are no direct hyperlinks, so look for BOOTSTRAP_ADMIN_EMAIL and BOOTSTRAP_ADMIN_PASSWORD_ARGON2ID)

I saw that there exists a way to generate one time passcodes for accounts, which would definitely help in the bootstrap process. The only issue is that the user needs to exist first, so it doesn't work with bootstrapping an admin API token since the admin user isn't created until later.

*Originally created by @nicholascioli on 5/29/2025* ### Feature description Externally managing Pocket ID (either through terraform, ansible, and the like) can be difficult without manually bootstrapping an admin user, a passkey for the admin user, and then an API key for accessing the management API. This can be overkill, especially in cases where Pocket ID will be entirely managed externally. It would be nice if there existed a configuration option for a static and always valid API token that an external system could use to manage all aspects of Pocket ID. ### Pitch External management of core infrastructure is typically handled through infrastructure-as-code resources using tooling like ansible or kubernetes operators. These external managers usually replace the need for a dedicated admin user and allow for tighter control over configuration and access control. Needing to bootstrap an admin user complicates this process and introduces more avenues for error. Other software that implements something similar to this are listed below: - Consul supports a [bootstrap token for its ACL system](https://developer.hashicorp.com/consul/docs/reference/agent/configuration-file/acl#acl_tokens_initial_management) - Garage allows [specifying the admin token](https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/#admin_token) - Rauthy allows setting the [bootstrap admin user / pass](https://sebadob.github.io/rauthy/config/config.html) (there are no direct hyperlinks, so look for `BOOTSTRAP_ADMIN_EMAIL` and `BOOTSTRAP_ADMIN_PASSWORD_ARGON2ID`) I saw that there exists a way to generate one time passcodes for accounts, which would definitely help in the bootstrap process. The only issue is that the user needs to exist first, so it doesn't work with bootstrapping an admin API token since the admin user isn't created until later.

AtHeartEngineer closed this issue

2025-07-08 08:40:32 -04:00

AtHeartEngineer added the feature feature feature feature feature feature feature feature feature feature feature feature feature feature labels 2025-07-08 08:40:33 -04:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/pocket-id#126