phoss SMP has two authentication surfaces:
  1. Management UI — session-based login at /secure/.
  2. REST API — HTTP request-level authentication on all write endpoints (PUT, DELETE).

REST API authentication

All write operations on the REST API require credentials. Two schemes are supported: HTTP Basic authentication and Bearer authentication with a user token created in the management UI (see "Creating and managing user tokens" below).

Which endpoints require authentication?

| Method | Path                                           | Auth required |
|--------|------------------------------------------------|---------------|
| GET    | /{ServiceGroupId}                              | No            |
| PUT    | /{ServiceGroupId}                              | Yes           |
| DELETE | /{ServiceGroupId}                              | Yes           |
| GET    | /{ServiceGroupId}/services/{DocumentTypeId}    | No            |
| PUT    | /{ServiceGroupId}/services/{DocumentTypeId}    | Yes           |
| DELETE | /{ServiceGroupId}/services/{DocumentTypeId}    | Yes           |
| GET    | /businesscard/{ServiceGroupId}                 | No            |
| PUT    | /businesscard/{ServiceGroupId}                 | Yes           |
| DELETE | /businesscard/{ServiceGroupId}                 | Yes           |

Management UI login

The management UI at /secure/ uses server-side session authentication managed by the ph-oton framework. Sessions are maintained via a browser cookie.

Default credentials

| Field    | Default value     |
|----------|-------------------|
| Email    | [email protected] |
| Password | password          |

Change the default password on first login before exposing the server to a network. Navigate to Administration > Change Password after logging in.

Login error details

By default the login page may indicate whether the email or the password was wrong. Disable this in production to avoid user enumeration:
webapp.security.login.errordetails = false

Creating and managing user tokens

  1. Log in to the management UI: open /secure/ and sign in with an admin account.
  2. Navigate to User Tokens: go to Administration > Security > User Tokens.
  3. Create a new token: click Create new User Token, assign it to a user account and optionally set an expiry date. Copy the generated token value; it is shown only once.
  4. Use the token in API calls: include Authorization: Bearer <token> in every write request.
  5. Revoke a token when no longer needed: return to User Tokens and delete the token. Requests that still carry it in the Authorization: Bearer header are rejected with HTTP 401 immediately.
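The following is an added example, not phoss SMP's own code or part of this page: a stand-in HTTP server that mimics the documented rules from the endpoint table and the token steps (GET is anonymous, PUT/DELETE require a Bearer user token or Basic credentials, a deleted token gets HTTP 401 immediately), together with client helpers that build both Authorization headers. The token value, the account, the listening address and the service group path are all constructed for the demo.

```python
"""Added example (not phoss SMP's code): stand-in server applying the
documented auth rules, plus client helpers for Bearer and Basic headers."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DEMO_TOKEN = "tok-demo-1"                          # constructed user token
VALID_TOKENS = {DEMO_TOKEN}                        # stand-in token store
VALID_BASIC = {("admin@example.org", "password")}  # constructed account
DEMO_PATH = "/demo-service-group"                  # placeholder {ServiceGroupId}


class StandInSmpHandler(BaseHTTPRequestHandler):
    """Reads are open, writes need credentials that are still valid."""

    def _authorized(self) -> bool:
        scheme, _, value = self.headers.get("Authorization", "").partition(" ")
        if scheme == "Bearer":
            return value in VALID_TOKENS
        if scheme == "Basic":
            # Basic is base64, not encryption: anyone on the wire can decode
            # it, which is why the recommendations insist on HTTPS.
            try:
                user, _, pw = base64.b64decode(value).decode().partition(":")
            except ValueError:
                return False
            return (user, pw) in VALID_BASIC
        return False

    def _respond(self, status: int) -> None:
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="smp"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._respond(200)

    def do_PUT(self):
        self._respond(200 if self._authorized() else 401)

    do_DELETE = do_PUT

    def log_message(self, *args):  # keep the demo quiet
        pass


def bearer_header(token: str) -> dict:
    return {"Authorization": "Bearer " + token}


def basic_header(user: str, password: str) -> dict:
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def call(base_url: str, method: str, path: str, headers=None) -> int:
    """Send one request and return the HTTP status code (401 included)."""
    req = urllib.request.Request(base_url + path, method=method,
                                 headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def revoke_token(token: str) -> None:
    """Step 5: deleting the token makes every later use of it fail."""
    VALID_TOKENS.discard(token)


def demo() -> dict:
    """Run the documented cases against the stand-in server on a free port."""
    VALID_TOKENS.add(DEMO_TOKEN)
    srv = HTTPServer(("127.0.0.1", 0), StandInSmpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        results = {
            "get_anonymous": call(base, "GET", DEMO_PATH),
            "put_anonymous": call(base, "PUT", DEMO_PATH),
            "put_bearer": call(base, "PUT", DEMO_PATH, bearer_header(DEMO_TOKEN)),
            "put_basic": call(base, "PUT", DEMO_PATH,
                              basic_header("admin@example.org", "password")),
        }
        revoke_token(DEMO_TOKEN)
        results["put_after_revoke"] = call(base, "PUT", DEMO_PATH,
                                           bearer_header(DEMO_TOKEN))
    finally:
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints 200 for the anonymous GET and for the authenticated writes, and 401 for the anonymous write and for the revoked token. The Basic branch shows why clear-text HTTP is a problem: the credentials are recoverable from the header with a single base64 decode.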

Security recommendations

  • Prefer Bearer tokens over Basic Auth for all API clients.
  • Use HTTPS in production. Basic Auth over plain HTTP sends credentials in clear text.
  • Disable login error details in production (webapp.security.login.errordetails = false).
  • Change the default admin password immediately after installation.
  • Rotate tokens regularly and revoke any that are no longer in use.
  • Avoid exposing /secure/ to the public internet where possible; restrict with a firewall or reverse-proxy ACL.

HTTP vs HTTPS

The SMP specification requires that the public SMP URL be reachable over HTTP (for some older clients) and/or HTTPS. For the management UI and write API, HTTPS is strongly recommended. Configure the public URL via:
smp.publicurl = https://smp.example.org
If phoss SMP is running behind a reverse proxy that terminates TLS, set:
smp.forceroot = true
smp.publicurl.mode = x-forwarded-header   # or: forwarded-header
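As an added example (not phoss SMP's own code), here is how a server behind a TLS-terminating reverse proxy reconstructs its public URL from either the X-Forwarded-* headers or the standard Forwarded header (RFC 7239). It assumes that the two smp.publicurl.mode values shown above select exactly those header families, and it adds two checks that any deployment behind a proxy needs: the headers are honoured only when the request arrives from the proxy's own address, and the forwarded host must be one the SMP is actually published as. The proxy address, client address and header values are constructed.

```python
"""Added example (not phoss SMP's code): deriving the public URL from
proxy-supplied headers, only when they come from a trusted proxy."""
from typing import Mapping


def parse_forwarded(value: str) -> dict:
    """Parse the first (client-nearest) element of an RFC 7239 Forwarded
    header, e.g. 'for=203.0.113.5;proto=https;host=smp.example.org'."""
    first = value.split(",", 1)[0]
    pairs = {}
    for item in first.split(";"):
        key, _, val = item.strip().partition("=")
        if key:
            pairs[key.lower()] = val.strip().strip('"')
    return pairs


def public_url(headers: Mapping[str, str], mode: str, peer_addr: str,
               trusted_proxies: frozenset, allowed_hosts: frozenset,
               fallback: str) -> str:
    """Return the scheme://host the SMP should advertise for this request.

    mode is 'x-forwarded-header' or 'forwarded-header' (assumed to match the
    smp.publicurl.mode values); fallback is the configured smp.publicurl."""
    if peer_addr not in trusted_proxies:
        # A client talking to us directly can set any X-Forwarded-* or
        # Forwarded value it likes; honouring it would let that client
        # rewrite the URLs the SMP hands out to everyone else.
        return fallback
    lower = {k.lower(): v for k, v in headers.items()}
    if mode == "x-forwarded-header":
        proto = lower.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        host = lower.get("x-forwarded-host", "").split(",")[0].strip()
    elif mode == "forwarded-header":
        fwd = parse_forwarded(lower.get("forwarded", ""))
        proto, host = fwd.get("proto", "").lower(), fwd.get("host", "")
    else:
        raise ValueError(f"unknown smp.publicurl.mode: {mode}")
    # Reject anything that is not a plausible scheme or a host we publish.
    if proto not in ("http", "https") or host not in allowed_hosts:
        return fallback
    return f"{proto}://{host}"


if __name__ == "__main__":
    proxies = frozenset({"10.0.0.2"})               # constructed proxy address
    hosts = frozenset({"smp.example.org"})
    configured = "http://localhost:8080"             # constructed fallback
    print(public_url({"X-Forwarded-Proto": "https",
                      "X-Forwarded-Host": "smp.example.org"},
                     "x-forwarded-header", "10.0.0.2", proxies, hosts, configured))
    print(public_url({"Forwarded": "for=203.0.113.5;proto=https;host=smp.example.org"},
                     "forwarded-header", "10.0.0.2", proxies, hosts, configured))
    # Same headers from a non-proxy peer: ignored, configured URL is used.
    print(public_url({"X-Forwarded-Proto": "https",
                      "X-Forwarded-Host": "smp.example.org"},
                     "x-forwarded-header", "203.0.113.5", proxies, hosts, configured))
```

The trusted-proxy and allowed-host checks are the part worth copying: the proxy configuration must overwrite, not append to, any X-Forwarded-* or Forwarded header it receives from the outside, and the application should still refuse hosts it does not publish under.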
