LinkPeek Documentation

Access & Authentication

LinkPeek ships with a single admin credential out of the box. Harden authentication immediately after deployment and monitor the audit log for changes.

  1. Log in with the bootstrap credential defined in LINKPEEK_ADMIN_PASSWORD (defaults to admin when the variable is not set).
  2. Open Access → Credentials.
  3. Choose Rotate password, enter the new secret, and add an audit note describing the change.
  4. Store the updated credential in your team password manager.

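The rotation updates both the UI and API authentication state in one step. Rotation does not end existing logins: all active sessions remain valid until they expire or you revoke them manually, so revoke them under Access → Sessions if the old credential may have been exposed.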

  • LinkPeek issues signed session cookies scoped to the / path.
  • Use Access → Sessions to view active logins by IP, user agent, and last activity.
  • Revoke a session to force a logout and invalidate any associated API tokens.

Variable                     Description
LINKPEEK_ADMIN_PASSWORD      Bootstrap credential; required on first boot.
LINKPEEK_SESSION_TTL         Session lifetime in minutes. Defaults to 4320 (3 days).
LINKPEEK_RATE_LIMIT_LOGIN    Limits login attempts per minute to slow brute-force attacks.
LINKPEEK_IP_ALLOWLIST        Optional CIDR list that restricts dashboard access.
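
A pre-deployment check for the variables above, as an added example that is not part of LinkPeek or its documentation. It assumes LINKPEEK_IP_ALLOWLIST is comma-separated, LINKPEEK_RATE_LIMIT_LOGIN is a plain integer, and a local minimum password length of 16; the function name audit_linkpeek_env is hypothetical.

```python
import ipaddress
import os

DEFAULT_TTL_MINUTES = 4320   # documented default (3 days)
MIN_PASSWORD_LEN = 16        # assumption: local policy, not a LinkPeek rule


def audit_linkpeek_env(env):
    """Return a list of findings for a mapping of LinkPeek variables."""
    findings = []

    # The bootstrap credential defaults to "admin" when the variable is unset.
    password = env.get("LINKPEEK_ADMIN_PASSWORD", "")
    if not password:
        findings.append("LINKPEEK_ADMIN_PASSWORD unset: bootstrap login is 'admin'")
    elif password == "admin":
        findings.append("LINKPEEK_ADMIN_PASSWORD equals the default 'admin'")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"LINKPEEK_ADMIN_PASSWORD shorter than {MIN_PASSWORD_LEN} characters")

    # Session lifetime is expressed in minutes.
    ttl = env.get("LINKPEEK_SESSION_TTL", str(DEFAULT_TTL_MINUTES))
    if not ttl.isdecimal() or int(ttl) == 0:
        findings.append("LINKPEEK_SESSION_TTL is not a positive number of minutes")
    elif int(ttl) > DEFAULT_TTL_MINUTES:
        findings.append(f"LINKPEEK_SESSION_TTL={ttl} exceeds the {DEFAULT_TTL_MINUTES}-minute default")

    # Assumption: the value is a plain integer count of attempts per minute.
    rate = env.get("LINKPEEK_RATE_LIMIT_LOGIN", "")
    if not rate.isdecimal() or int(rate) == 0:
        findings.append("LINKPEEK_RATE_LIMIT_LOGIN is not set to a positive integer")

    # Assumption: allowlist entries are comma-separated CIDR blocks.
    for entry in filter(None, (e.strip() for e in env.get("LINKPEEK_IP_ALLOWLIST", "").split(","))):
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"LINKPEEK_IP_ALLOWLIST entry {entry!r} is not valid CIDR")
            continue
        if network.prefixlen == 0:
            findings.append(f"LINKPEEK_IP_ALLOWLIST entry {entry!r} matches every address")
    return findings


if __name__ == "__main__":
    # Audits the current process environment; exits non-zero on any finding.
    problems = audit_linkpeek_env(os.environ)
    for problem in problems:
        print("FINDING:", problem)
    raise SystemExit(1 if problems else 0)
```

Run it in the same environment the container or service will start with, and fail the deployment on a non-zero exit.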

While LinkPeek does not yet ship with SSO, you can front the dashboard with a reverse proxy that enforces OAuth, SAML, or OIDC. Common patterns:

  • Cloudflare Access: Require identity provider login before requests reach LinkPeek. Pair with LINKPEEK_IP_ALLOWLIST to accept only Cloudflare egress IPs.
  • Traefik ForwardAuth: Delegate authentication to an external microservice and pass the authenticated header to LinkPeek.

Ensure the proxy preserves WebSocket upgrades so realtime dashboards continue to function.

Every credential change, session revoke, and rate-limit trigger appears in the log.event stream. Subscribe to this topic or export the audit log regularly to maintain compliance evidence.