Authentication
MikroPlan uses MikroAuth for passwordless magic-link sign-in when API auth is enabled.
Auth is disabled by default. Local mode does not need accounts or sign-in.
When auth is disabled, the API reports local mode through /config.json and magic-link requests return a local-mode message without sending email.
Access Model
Section titled “Access Model”When auth is enabled, MikroPlan uses a single collaborator role. Anyone whose email matches auth.allowedEmails or auth.allowedDomains can sign in and read or write the whole shared workspace.
There are no per-board roles, private boards, or read-only users in the current collaboration API.
Enable Auth
Section titled “Enable Auth”Copy the example config:
cp mikroplan.config.json.example mikroplan.config.jsonThe server reads this file through MikroConf, with environment variables and CLI flags available for deployment-specific overrides.
Set auth.enabled to true, replace auth.jwtSecret with a secret of at least 32 characters, and configure SMTP under email.
{ "auth": { "enabled": true, "allowedDomains": ["example.com"], "jwtSecret": "replace-with-a-long-secret", "magicLinkExpirySeconds": 900, "jwtExpirySeconds": 3600, "maxActiveSessions": 3, "refreshTokenExpirySeconds": 604800 }, "email": { "emailSubject": "Sign in to MikroPlan", "host": "smtp.example.com", "password": "smtp-password", "port": 465, "secure": true, "maxRetries": 2, "debug": false }}Keep mikroplan.config.json local. It can contain SMTP credentials and auth secrets.
Leave either allowedEmails or allowedDomains empty if you do not need that matching mode, but at least one must contain a value when auth is enabled.
Startup Validation
Section titled “Startup Validation”When auth is enabled, MikroPlan refuses to start unless:
- an email or domain allowlist is configured
auth.jwtSecretis changed and long enough- SMTP host, user, password, subject, and port are configured
- auth expiry settings and max sessions are valid
This keeps test-mode email from accidentally becoming production auth.
Environment Overrides
Section titled “Environment Overrides”Use environment variables for deployment secrets:
MIKROPLAN_AUTH_ENABLEDMIKROPLAN_AUTH_ALLOWED_EMAILSMIKROPLAN_AUTH_ALLOWED_DOMAINSMIKROPLAN_AUTH_JWT_SECRETMIKROPLAN_AUTH_MAGIC_LINK_EXPIRYMIKROPLAN_AUTH_JWT_EXPIRYMIKROPLAN_AUTH_REFRESH_EXPIRYMIKROPLAN_AUTH_MAX_SESSIONSMIKROPLAN_EMAIL_SUBJECTMIKROPLAN_EMAIL_HOSTMIKROPLAN_EMAIL_USERMIKROPLAN_EMAIL_PASSWORDMIKROPLAN_EMAIL_PORTMIKROPLAN_EMAIL_SECURE
Sessions
Section titled “Sessions”MikroAuth magic-link and session state is stored in the same SQLite database as the workspace. Server restarts do not invalidate active sessions.
After verification, the API sets an HttpOnly mikroplan_access_token cookie. The browser app uses that cookie for workspace requests and Server-Sent Events, so tokens are not stored in local storage or placed in query strings.
Use /api/auth/me to check whether the current browser has a valid session.
Use /api/auth/logout to clear the cookie.