Core concepts
Auth
Protect Nethera endpoints with public access or Nethera login.
Endpoint auth is configured per public service.
services: web: image: ghcr.io/acme/comfyui:latest nethera: public: 8188 auth: loginSupported values
auth: none
Anyone with the URL can access the endpoint.
auth: login
Users must log in with Nethera and belong to the workspace.
auth: token
API clients must authenticate with a Nethera endpoint token.
The default is auth: none.
Guidance
Use auth: login for browser-based tools such as ComfyUI, Open WebUI, dashboards, and admin panels.
Use auth: token for API-focused services such as Ollama and vLLM.
Use auth: none only when the app is meant to be public or provides its own authentication.
Who can access login-protected endpoints
auth: login requires two things:
- The visitor signs in with a Nethera account.
- That account belongs to the workspace that owns the endpoint.
If someone signs in but is not a workspace member, Nethera shows an access denied page with the signed-in email and the endpoint hostname. They can ask the workspace owner for an invite or sign in with a different account.
Inviting someone to the workspace gives them access to workspace-protected endpoints. It does not automatically make them an admin; their dashboard permissions depend on their workspace role.
How it works
- browser requests to protected endpoints redirect to Nethera login;
- API or non-browser requests receive
401; - WebSockets are checked before proxying;
- endpoint auth is enforced at the edge;
- protected endpoint sessions use short-lived signed tokens that cover valid endpoint hostnames.
Custom-domain auth is limited while custom domain support is still being built out.