Security & data

Security

Secrets

Docker builds exclude SQLite DBs, logs, state, Cloudflare token-looking files, API-token-looking files, and any accidental local config/secret files from the build context.

API

Mutating API calls require X-Api-Key. The first authenticated setup save creates an API key when one is missing; command endpoints fail closed until a key exists.

Public Access

Keep Stackarr local until auth is configured. The default dashboard binding is local-only; only advanced Docker deployments should override the bind address explicitly.

MCP

The default MCP server is local stdio. Stackarr also includes an optional authenticated Streamable HTTP endpoint at /mcp. It is disabled by default and requires a named connection-policy bearer token. Keep it behind TLS and private-network access; do not expose it directly to the public internet.

On this page