Configuration
Beyond the flags in Running the server, a few areas deserve their own explanation.
Server URL and token audience
-server-url (or OPENSECRET_SERVER_URL) is required because it's woven into every session token's audience. A token minted for https://vault.example.com is rejected by an instance configured with a different URL, so a token leaked from one deployment can't be replayed against another. Set it to the exact public URL clients use.
It is independent of the listen port (-addr, default :8080): the public URL is just the token audience, and in production a reverse proxy fronts it and forwards to -addr. See Running the server for the full breakdown of why the two differ.
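To make the audience binding concrete, here is an added example (not OpenSecret's own token code; the page does not show its token format) of a minimal HMAC-signed session token whose `aud` claim is the configured `-server-url`. A token minted for one URL fails verification on an instance configured with any other URL, including a trailing-slash variant, which is why the flag must match the exact public URL. The token layout, key and claim names are constructed for this demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a constructed payload; only the audience check is the point here.
type Claims struct {
	Sub string `json:"sub"` // account id
	Aud string `json:"aud"` // the server's public URL (-server-url)
	Exp int64  `json:"exp"` // unix expiry
}

var (
	ErrSignature = errors.New("bad token signature")
	ErrExpired   = errors.New("token expired")
	ErrAudience  = errors.New("token audience does not match this server's URL")
)

func sign(key, payload []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Mint issues "<payload>.<sig>" with aud set to serverURL.
func Mint(key []byte, serverURL, sub string, ttl time.Duration) (string, error) {
	body, err := json.Marshal(Claims{Sub: sub, Aud: serverURL, Exp: time.Now().Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	p := base64.RawURLEncoding.EncodeToString(body)
	return p + "." + sign(key, []byte(p)), nil
}

// Verify checks the signature first (constant-time), then expiry, then that the
// audience equals this deployment's configured URL. No normalisation is applied:
// "https://vault.example.com/" is a different audience from the same URL without
// the slash, matching the "exact public URL" requirement.
func Verify(key []byte, serverURL, token string) (*Claims, error) {
	p, sig, ok := strings.Cut(token, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(sign(key, []byte(p)))) {
		return nil, ErrSignature
	}
	body, err := base64.RawURLEncoding.DecodeString(p)
	if err != nil {
		return nil, ErrSignature
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, ErrSignature
	}
	if time.Now().Unix() >= c.Exp {
		return nil, ErrExpired
	}
	if c.Aud != serverURL {
		return nil, ErrAudience
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-demo-key") // demo only; a real key comes from the server's secret store
	tok, _ := Mint(key, "https://vault.example.com", "alice", time.Hour)
	_, err := Verify(key, "https://vault.example.com", tok)
	fmt.Println("same deployment:", err)
	_, err = Verify(key, "https://staging.example.com", tok)
	fmt.Println("other deployment:", err)
}
```

Note that the audience check still matters when two deployments happen to share a signing key (a copied staging config, for instance): the signature would verify, and only the `aud` comparison stops the replay.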
CORS
Browser clients are cross-origin to the API, so the server maintains an allow-list of origins:
- Default (no -cors/OPENSECRET_CORS): the local Vite dev origins (http://localhost:5173, http://localhost:4173, and their 127.0.0.1 equivalents).
- In production, set -cors to your web app's origin(s), comma-separated: -cors=https://vault.example.com,https://app.example.com
chrome-extension://, moz-extension://, and safari-web-extension:// origins are accepted regardless of the CORS list, because the browser extension couldn't function otherwise. The bearer token, not the origin, is the real authorization boundary.
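The origin rules above, written out as an added example (this is not the server's own CORS code): the comma-separated `-cors` value is parsed into an allow-list that falls back to the Vite dev defaults when empty, extension-scheme origins bypass the list, and everything else must match an entry exactly. Exact matching is the security-relevant detail: a prefix or suffix comparison would let `https://vault.example.com.evil.example` pass. The middleware's header set and the `OPTIONS` handling are assumptions about a typical API, not the page's.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// defaultOrigins are the dev defaults the page describes.
var defaultOrigins = []string{
	"http://localhost:5173", "http://localhost:4173",
	"http://127.0.0.1:5173", "http://127.0.0.1:4173",
}

// extensionSchemes are accepted regardless of the allow-list.
var extensionSchemes = []string{"chrome-extension://", "moz-extension://", "safari-web-extension://"}

// ParseCORS turns the -cors flag value into an allow-list; empty means dev defaults.
func ParseCORS(flag string) []string {
	if strings.TrimSpace(flag) == "" {
		return defaultOrigins
	}
	var out []string
	for _, o := range strings.Split(flag, ",") {
		if o = strings.TrimSpace(o); o != "" {
			out = append(out, o)
		}
	}
	return out
}

// OriginAllowed reports whether the request's Origin header may receive CORS headers.
func OriginAllowed(allow []string, origin string) bool {
	if origin == "" {
		return false
	}
	for _, s := range extensionSchemes {
		if strings.HasPrefix(origin, s) {
			return true
		}
	}
	for _, a := range allow {
		if origin == a { // exact match: scheme, host and port all included
			return true
		}
	}
	return false
}

// CORS wraps a handler. Disallowed origins get no Access-Control-* headers, so the
// browser blocks the response; the bearer token is still checked by the wrapped handler.
func CORS(allow []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); OriginAllowed(allow, origin) {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Vary", "Origin") // caches must not reuse one origin's response for another
			h.Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
		}
		if r.Method == http.MethodOptions { // preflight
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	allow := ParseCORS("https://vault.example.com,https://app.example.com")
	for _, o := range []string{"https://vault.example.com", "https://vault.example.com.evil.example", "chrome-extension://abcdefgh"} {
		fmt.Printf("%-45s allowed=%v\n", o, OriginAllowed(allow, o))
	}
}
```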
Audit log
The server records security-relevant events (signups and other sensitive operations) to a separate SQLite database:
- On by default, written to audit.db next to your main DB. Override the path with -audit-db/OPENSECRET_AUDIT_DB.
- Disable only for dev/test with -disable-audit (it logs a warning at boot so a disabled audit log in production is visible).
- The schema is documented for SIEM ingestion; see the audit schema notes in the backend docs if you forward it to a security pipeline.
The audit log records that events happened and who/which device, not secret material. Like the rest of the system, it never holds plaintext.
Signups and the first admin
- The first account created on a fresh instance is automatically the admin.
- Whether further signups are open is reported by the public instance config (clients read it to show or hide the sign-up screen).
Observability
The server logs structured events (slog) and propagates a request correlation id, so you can trace a single request across log lines. It never logs private keys, AEAD keys, challenge bodies, or plaintext.
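One way to get both properties described here, a per-request correlation id on every line and no secret material in any line, as an added example in Go's `log/slog` (this is illustrative, not the server's own logging code): a middleware mints or propagates a request id (the `X-Request-ID` header name is an assumption) and stores a logger tagged with it in the request context, while key material is wrapped in a type implementing `slog.LogValuer` so any handler renders it as `[REDACTED]` even if someone passes it to a log call by mistake.

```go
package main

import (
	"bytes"
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"log/slog"
	"net/http"
)

// Secret wraps key material. slog resolves LogValuer before rendering, so the
// bytes never reach the handler output regardless of format (text or JSON).
type Secret []byte

func (Secret) LogValue() slog.Value { return slog.StringValue("[REDACTED]") }

type loggerKey struct{}

// newRequestID returns a random 16-hex-char correlation id.
func newRequestID() string {
	b := make([]byte, 8)
	_, _ = rand.Read(b)
	return hex.EncodeToString(b)
}

// WithRequestID reuses an incoming X-Request-ID (assumed header name, e.g. set by
// the reverse proxy) or mints one, echoes it to the client, and stores a logger
// tagged with it in the request context.
func WithRequestID(base *slog.Logger, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := r.Header.Get("X-Request-ID")
		if id == "" {
			id = newRequestID()
		}
		w.Header().Set("X-Request-ID", id)
		log := base.With("request_id", id)
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), loggerKey{}, log)))
	})
}

// LoggerFrom returns the request-scoped logger, or the default logger outside a request.
func LoggerFrom(ctx context.Context) *slog.Logger {
	if l, ok := ctx.Value(loggerKey{}).(*slog.Logger); ok {
		return l
	}
	return slog.Default()
}

// RenderLine writes one event through a text handler into a buffer and returns
// the line, so the correlation id and redaction can be inspected directly.
func RenderLine(requestID string, key Secret) string {
	var buf bytes.Buffer
	log := slog.New(slog.NewTextHandler(&buf, nil)).With("request_id", requestID)
	log.Info("unwrapping vault key", "key", key, "key_len", len(key))
	return buf.String()
}

func main() {
	// Constructed secret bytes; the line printed shows key=[REDACTED].
	fmt.Print(RenderLine("demo-req-1", Secret("constructed-secret-bytes")))

	mux := http.NewServeMux()
	mux.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {
		LoggerFrom(r.Context()).Info("ping handled") // carries request_id automatically
		_, _ = w.Write([]byte("ok"))
	})
	handler := WithRequestID(slog.Default(), mux)
	_ = handler // in a real server: http.ListenAndServe(":8080", handler)
}
```

The redaction is enforced by the type, not by discipline at each call site, which is the property you want when the invariant is "never logs private keys, AEAD keys, challenge bodies, or plaintext".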