nethera

Core concepts

Auth

Protect Nethera endpoints with public access or Nethera login.

Endpoint auth is configured per public service.

nethera.yml
services:
web:
image: ghcr.io/acme/comfyui:latest
nethera:
public: 8188
auth: login

Supported values

auth: none

Anyone with the URL can access the endpoint.

auth: login

Users must log in with Nethera and belong to the workspace.

auth: token

API clients must authenticate with a Nethera endpoint token.

The default is auth: none.

Guidance

Use auth: login for browser-based tools such as ComfyUI, Open WebUI, dashboards, and admin panels.

Use auth: token for API-focused services such as Ollama and vLLM.

Use auth: none only when the app is meant to be public or provides its own authentication.

Who can access login-protected endpoints

auth: login requires two things:

  1. The visitor signs in with a Nethera account.
  2. That account belongs to the workspace that owns the endpoint.

If someone signs in but is not a workspace member, Nethera shows an access denied page with the signed-in email and the endpoint hostname. They can ask the workspace owner for an invite or sign in with a different account.

Inviting someone to the workspace gives them access to workspace-protected endpoints. It does not automatically make them an admin; their dashboard permissions depend on their workspace role.

How it works

  • browser requests to protected endpoints redirect to Nethera login;
  • API or non-browser requests receive 401;
  • WebSockets are checked before proxying;
  • endpoint auth is enforced at the edge;
  • protected endpoint sessions use short-lived signed tokens that cover valid endpoint hostnames.

Custom-domain auth is limited while custom domain support is still being built out.