Skip to content
Claw Force One Claw Force One

Authentication

First-time setup

Section titled “First-time setup”

On first run with an empty database, Clawforce shows a Create admin account form before the login page. Enter a username and password to create the initial admin account.

Alternatively, create the admin account from the CLI:

Terminal window
# Docker Compose
docker compose exec clawforce ./clawforce --create-admin


# Kubernetes
kubectl exec -n clawforce deploy/clawforce -- ./clawforce --create-admin

Roles

Section titled “Roles”

Clawforce has two roles:

Admin

Section titled “Admin”
  • Full access to all instances
  • Create, edit, and delete users
  • Assign instances to users
  • Access the Settings page (global API keys, SSH keys, audit logs)
  • View and configure SSH source IP restrictions per instance

User

Section titled “User”
  • Read and write access to assigned instances only
  • No access to the Settings page
  • Cannot view or manage other users
  • Cannot see instances not assigned to them

User management

Section titled “User management”

Admins manage users from SettingsUsers:

ActionHow
Create userClick Add user, enter username and password
Change roleEdit user → change Role dropdown
Assign instancesEdit user → select instances from the list
Reset passwordEdit user → click Reset password
Delete userEdit user → click Delete

Passkeys (WebAuthn)

Section titled “Passkeys (WebAuthn)”

Clawforce supports passkeys for passwordless login using biometrics or hardware security keys.

Registering a passkey

Section titled “Registering a passkey”
  1. Log in with your username and password.
  2. Go to ProfileSecurity.
  3. Click Register passkey and follow your browser’s prompt.

Logging in with a passkey

Section titled “Logging in with a passkey”

On the login page, click Sign in with passkey instead of entering a password.

Production configuration

Section titled “Production configuration”

For passkeys to work, configure the Relying Party settings to match your domain:

Terminal window
CLAWFORCE_RP_ORIGINS=https://clawforce.example.com
CLAWFORCE_RP_ID=clawforce.example.com

Sessions

Section titled “Sessions”

Sessions use HTTP-only cookies and expire after 1 hour of inactivity. Sessions are stored in memory — restarting the Clawforce process logs all users out.

Disabling authentication

Section titled “Disabling authentication”

For local development only, you can disable authentication entirely:

Terminal window
CLAWFORCE_AUTH_DISABLED=true

Password reset (CLI)

Section titled “Password reset (CLI)”

If the admin password is lost:

Terminal window
# Docker Compose
docker compose exec clawforce ./clawforce --reset-password --username admin


# Kubernetes
kubectl exec -n clawforce deploy/clawforce -- ./clawforce --reset-password --username admin