Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.opendot.ai/llms.txt

Use this file to discover all available pages before exploring further.

OpenDot has one auth page with two backend modes:
  • Local Compose/self-hosted mode uses OpenDot email/password auth.
  • Supabase mode uses Supabase Auth in the browser and sends the Supabase access token to the OpenDot API.
For the console-facing login and signup flow, start with Login and signup. This page focuses on deployment settings and the auth/data ownership boundary.

Local auth

For local runs, copy the root env template: 
cp .env.example .env
Leave these defaults: 
OPENDOT_LOCAL_AUTH_DISABLED=false
PLATFORM_AUTH_REQUIRED=true
VITE_SUPABASE_URL=
VITE_SUPABASE_ANON_KEY=
Signup creates an app_users row, a hashed password row in local_auth_credentials, and the default user preferences through the platform API. Passwords are never stored as plaintext. Change OPENDOT_SESSION_SECRET before using local auth on any shared or public deployment.

Supabase auth

For Supabase-backed deployments, use Supabase Auth for email/password: 
SUPABASE_URL=https://<project-ref>.supabase.co
VITE_SUPABASE_URL=https://<project-ref>.supabase.co
VITE_SUPABASE_ANON_KEY=<supabase anon key>
PLATFORM_AUTH_REQUIRED=true
OPENDOT_LOCAL_AUTH_DISABLED=true
The browser signs in with Supabase and sends the Supabase JWT to the OpenDot API. The API validates the token, maps auth.users.id to app_users.id, and keeps durable product data in OpenDot-owned tables. The OSS core is single-workspace and does not put authorization-critical product state in Supabase user_metadata. For the current preview flow without email verification, disable email confirmations in Supabase Auth settings. The forgot-password, Google, and GitHub controls are visible in the UI but are not wired yet.