[GH-ISSUE #3417] Add token support #2284

New issue

Open

opened 2026-02-26 07:34:51 +03:00 by kerem · 12 comments

kerem commented 2026-02-26 07:34:51 +03:00

Owner

Copy link

Originally created by @skyfore on GitHub (Dec 25, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3417

Is your feature request related to a problem? Please describe.

No

Describe the solution you'd like

By adding token support, we are able to retrieve information, such as lists of websites, using tokens through API requests.

Originally created by @skyfore on GitHub (Dec 25, 2023). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3417 <!-- Are you in the right place? - If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit. - If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask. - If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.* --> **Is your feature request related to a problem? Please describe.** <!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] --> No **Describe the solution you'd like** <!-- A clear and concise description of what you want to happen. --> By adding token support, we are able to retrieve information, such as lists of websites, using tokens through API requests.

kerem added the

enhancement

stale

labels 2026-02-26 07:34:51 +03:00

kerem commented 2026-02-26 07:34:51 +03:00

Author

Owner

Copy link

@tilalx commented on GitHub (Jan 10, 2024):

Hi,
couldn`t you not just request

curl 'http://localhost:81/api/tokens' \
  -H 'Content-Type: application/json; charset=UTF-8' \
  --data-raw '{"identity":"[Your Email]","secret":"[Your Secret]"}' \
  --compressed

returns

{
    "token": "[Your Token]",
    "expires": "2024-01-11T18:13:18.525Z"
}

then you can get all websites for example via:

curl -X GET 'http://localhost:81/api/nginx/proxy-hosts' \
     -H 'Authorization: Bearer [Your Token]' \
     -H 'Accept: application/json'

returns

[
    {
        "id": 1,
        "created_on": "2023-01-01T00:00:00.000Z",
        "modified_on": "2023-01-02T00:00:00.000Z",
        "owner_user_id": 123,
        "domain_names": [
            "example.com",
            "www.example.com"
        ],
        "forward_host": "192.0.2.1",
        "forward_port": 8080,
        "access_list_id": 0,
        "certificate_id": 1234,
        "ssl_forced": 1,
        "caching_enabled": 0,
        "block_exploits": 1,
        "advanced_config": "location ~* \\.(css|js)$ { expires 7d; ... }",
        "meta": {
            "letsencrypt_agree": false,
            "dns_challenge": false,
            "nginx_online": true,
            "nginx_err": null
        },
        "allow_websocket_upgrade": 1,
        "http2_support": 1,
        "forward_scheme": "http",
        "enabled": 1,
        "locations": [
            {
                "path": "/examplepath1",
                "advanced_config": "",
                "forward_scheme": "http",
                "forward_host": "192.0.2.2",
                "forward_port": 8081
            },
            {
                "path": "/examplepath2",
                "advanced_config": "",
                "forward_scheme": "http",
                "forward_host": "192.0.2.3",
                "forward_port": 8082
            }
        ],
        "hsts_enabled": 1,
        "hsts_subdomains": 1,
        "owner": {
            "id": 123,
            "created_on": "2023-01-01T00:00:00.000Z",
            "modified_on": "2023-01-02T00:00:00.000Z",
            "is_deleted": 0,
            "is_disabled": 0,
            "email": "user@example.com",
            "name": "John Doe",
            "nickname": "JDoe",
            "avatar": "//www.gravatar.com/avatar/example",
            "roles": [
                "admin"
            ]
        },
        "access_list": null,
        "certificate": {
            "id": 1234,
            "created_on": "2023-01-01T00:00:00.000Z",
            "modified_on": "2023-01-01T00:00:00.000Z",
            "owner_user_id": 123,
            "is_deleted": 0,
            "provider": "other",
            "nice_name": "*.example.com",
            "domain_names": [
                "*.example.com"
            ],
            "expires_on": "2024-01-01T23:59:59.000Z",
            "meta": {}
        }
    }
]

<!-- gh-comment-id:1885387294 --> @tilalx commented on GitHub (Jan 10, 2024): Hi, couldn`t you not just request ``` curl 'http://localhost:81/api/tokens' \ -H 'Content-Type: application/json; charset=UTF-8' \ --data-raw '{"identity":"[Your Email]","secret":"[Your Secret]"}' \ --compressed ``` returns ``` { "token": "[Your Token]", "expires": "2024-01-11T18:13:18.525Z" } ``` then you can get all websites for example via: ``` curl -X GET 'http://localhost:81/api/nginx/proxy-hosts' \ -H 'Authorization: Bearer [Your Token]' \ -H 'Accept: application/json' ``` returns ``` [ { "id": 1, "created_on": "2023-01-01T00:00:00.000Z", "modified_on": "2023-01-02T00:00:00.000Z", "owner_user_id": 123, "domain_names": [ "example.com", "www.example.com" ], "forward_host": "192.0.2.1", "forward_port": 8080, "access_list_id": 0, "certificate_id": 1234, "ssl_forced": 1, "caching_enabled": 0, "block_exploits": 1, "advanced_config": "location ~* \\.(css|js)$ { expires 7d; ... }", "meta": { "letsencrypt_agree": false, "dns_challenge": false, "nginx_online": true, "nginx_err": null }, "allow_websocket_upgrade": 1, "http2_support": 1, "forward_scheme": "http", "enabled": 1, "locations": [ { "path": "/examplepath1", "advanced_config": "", "forward_scheme": "http", "forward_host": "192.0.2.2", "forward_port": 8081 }, { "path": "/examplepath2", "advanced_config": "", "forward_scheme": "http", "forward_host": "192.0.2.3", "forward_port": 8082 } ], "hsts_enabled": 1, "hsts_subdomains": 1, "owner": { "id": 123, "created_on": "2023-01-01T00:00:00.000Z", "modified_on": "2023-01-02T00:00:00.000Z", "is_deleted": 0, "is_disabled": 0, "email": "user@example.com", "name": "John Doe", "nickname": "JDoe", "avatar": "//www.gravatar.com/avatar/example", "roles": [ "admin" ] }, "access_list": null, "certificate": { "id": 1234, "created_on": "2023-01-01T00:00:00.000Z", "modified_on": "2023-01-01T00:00:00.000Z", "owner_user_id": 123, "is_deleted": 0, "provider": "other", "nice_name": "*.example.com", "domain_names": [ "*.example.com" ], "expires_on": "2024-01-01T23:59:59.000Z", "meta": {} } } ] ```

kerem commented 2026-02-26 07:34:51 +03:00

Author

Owner

Copy link

@skyfore commented on GitHub (Jan 11, 2024):

@tilalx thanks very much, really helpful !

But this method relies on your account and password, which can sometimes be insecure.

<!-- gh-comment-id:1886428993 --> @skyfore commented on GitHub (Jan 11, 2024): @tilalx thanks very much, really helpful ! But this method relies on your account and password, which can sometimes be insecure.

kerem commented 2026-02-26 07:34:51 +03:00

Author

Owner

Copy link

@elchusco commented on GitHub (Mar 11, 2024):

Thanks @tilalx, couldn't find any relaterd information on how to process token retrieval. Is it documented somewhere that I missed ?

<!-- gh-comment-id:1988562015 --> @elchusco commented on GitHub (Mar 11, 2024): Thanks @tilalx, couldn't find any relaterd information on how to process token retrieval. Is it documented somewhere that I missed ?

kerem commented 2026-02-26 07:34:52 +03:00

Author

Owner

Copy link

@gadget78 commented on GitHub (Mar 24, 2024):

@tilalx thanks very much, really helpful !

But this method relies on your account and password, which can sometimes be insecure.

once you have created a token, you dont need to use the user/pass anymore.
plus you can set/increase the timeframe the token expires from the default of a day ..

curl "http://192.168.1.10:81/api/tokens" -H "Content-Type: application/json; charset=UTF-8" --data-raw '{"identity":"email@address","secret":"place-password-here","expiresIn":"1y"}

also for docs, ive been using this location, to work out what to do ..
https://github.com/NginxProxyManager/nginx-proxy-manager/tree/develop/backend/routes/api

<!-- gh-comment-id:2016771373 --> @gadget78 commented on GitHub (Mar 24, 2024): > @tilalx thanks very much, really helpful ! > > But this method relies on your account and password, which can sometimes be insecure. once you have created a token, you dont need to use the user/pass anymore. plus you can set/increase the timeframe the token expires from the default of a day .. ```curl "http://192.168.1.10:81/api/tokens" -H "Content-Type: application/json; charset=UTF-8" --data-raw '{"identity":"email@address","secret":"place-password-here","expiresIn":"1y"}``` also for docs, ive been using this location, to work out what to do .. https://github.com/NginxProxyManager/nginx-proxy-manager/tree/develop/backend/routes/api

kerem commented 2026-02-26 07:34:52 +03:00

Author

Owner

Copy link

@skyfore commented on GitHub (Mar 25, 2024):

@tilalx thanks very much, really helpful !
But this method relies on your account and password, which can sometimes be insecure.

once you have created a token, you dont need to use the user/pass you can set the timeframe the token expires in ..

`curl "http://192.168.1.10:81/api/tokens" -H "Content-Type: application/json; charset=UTF-8" --data-raw '{"identity":"email@address","secret":"place-password-here","expiresIn":"1y"}'``

also for docs, ive been using this location, to work out what to do .. https://github.com/NginxProxyManager/nginx-proxy-manager/tree/develop/backend/routes/api

Thank you, this is really helpful.

<!-- gh-comment-id:2017880366 --> @skyfore commented on GitHub (Mar 25, 2024): > > @tilalx thanks very much, really helpful ! > > But this method relies on your account and password, which can sometimes be insecure. > > once you have created a token, you dont need to use the user/pass you can set the timeframe the token expires in .. > > `curl "http://192.168.1.10:81/api/tokens" -H "Content-Type: application/json; charset=UTF-8" --data-raw '{"identity":"email@address","secret":"place-password-here","expiresIn":"1y"}'`` > > also for docs, ive been using this location, to work out what to do .. https://github.com/NginxProxyManager/nginx-proxy-manager/tree/develop/backend/routes/api Thank you, this is really helpful.

kerem commented 2026-02-26 07:34:52 +03:00

Author

Owner

Copy link

@TheEdgeFox commented on GitHub (Aug 27, 2024):

@tilalx thanks very much, really helpful !
But this method relies on your account and password, which can sometimes be insecure.

once you have created a token, you dont need to use the user/pass anymore. plus you can set/increase the timeframe the token expires from the default of a day ..

curl "http://192.168.1.10:81/api/tokens" -H "Content-Type: application/json; charset=UTF-8" --data-raw '{"identity":"email@address","secret":"place-password-here","expiresIn":"1y"}

also for docs, ive been using this location, to work out what to do .. https://github.com/NginxProxyManager/nginx-proxy-manager/tree/develop/backend/routes/api

Is the "expiresIn" actively working for you? No matter what I've tried, I cannot get it to expire any later than 1 day.

<!-- gh-comment-id:2311446580 --> @TheEdgeFox commented on GitHub (Aug 27, 2024): > > @tilalx thanks very much, really helpful ! > > But this method relies on your account and password, which can sometimes be insecure. > > once you have created a token, you dont need to use the user/pass anymore. plus you can set/increase the timeframe the token expires from the default of a day .. > > `curl "http://192.168.1.10:81/api/tokens" -H "Content-Type: application/json; charset=UTF-8" --data-raw '{"identity":"email@address","secret":"place-password-here","expiresIn":"1y"}` > > also for docs, ive been using this location, to work out what to do .. https://github.com/NginxProxyManager/nginx-proxy-manager/tree/develop/backend/routes/api Is the "expiresIn" actively working for you? No matter what I've tried, I cannot get it to expire any later than 1 day.

kerem commented 2026-02-26 07:34:52 +03:00

Author

Owner

Copy link

@tilalx commented on GitHub (Aug 27, 2024):

Replace "expiresIn":"1y" with "expiry": "1y". When I do this, it returns the following response:
{ "token": "ey...", "expires": "2025-08-27T07:30:06.209Z" }

<!-- gh-comment-id:2311774109 --> @tilalx commented on GitHub (Aug 27, 2024): Replace "expiresIn":"1y" with "expiry": "1y". When I do this, it returns the following response: `{ "token": "ey...", "expires": "2025-08-27T07:30:06.209Z" }`

kerem commented 2026-02-26 07:34:52 +03:00

Author

Owner

Copy link

@moutasem1989 commented on GitHub (Oct 22, 2024):

Hello @tilalx ! I came across your post trying to understand JWT Authentication.

curl 'http://localhost:81/api/tokens' \
  -H 'Content-Type: application/json; charset=UTF-8' \
  --data-raw '{"identity":"[Your Email]","secret":"[Your Secret]"}' \
  --compressed

Can NPM also automatically authenticate and fetch the Token to bypass the login screen ?
I have done this successfully for services that use Basic HTTP Authentication but not the ones that use JWT Authentication like NPM itself.
My purpose is to find a workaround and authenticate in to services with Authentik and bypass log in screen.

<!-- gh-comment-id:2428747487 --> @moutasem1989 commented on GitHub (Oct 22, 2024): Hello @tilalx ! I came across your post trying to understand JWT Authentication. ``` curl 'http://localhost:81/api/tokens' \ -H 'Content-Type: application/json; charset=UTF-8' \ --data-raw '{"identity":"[Your Email]","secret":"[Your Secret]"}' \ --compressed ``` Can NPM also automatically authenticate and fetch the Token to bypass the login screen ? I have done this successfully for services that use Basic HTTP Authentication but not the ones that use JWT Authentication like NPM itself. My purpose is to find a workaround and authenticate in to services with Authentik and bypass log in screen.

kerem commented 2026-02-26 07:34:52 +03:00

Author

Owner

Copy link

@rahulparekh commented on GitHub (Jan 22, 2025):

Replace "expiresIn":"1y" with "expiry": "1y". When I do this, it returns the following response: { "token": "ey...", "expires": "2025-08-27T07:30:06.209Z" }

For anyone reading this as of today, expiry has to be passed in as a query param instead of request body. Like this:

curl 'http://localhost:81/api/tokens?expiry=10y' \
  -H 'Content-Type: application/json; charset=UTF-8' \
  --data-raw '{"identity":"[Your Email]","secret":"[Your Secret]"}' \
  --compressed

https://github.com/NginxProxyManager/nginx-proxy-manager/blob/develop/backend/routes/tokens.js#L28

<!-- gh-comment-id:2607338137 --> @rahulparekh commented on GitHub (Jan 22, 2025): > Replace "expiresIn":"1y" with "expiry": "1y". When I do this, it returns the following response: `{ "token": "ey...", "expires": "2025-08-27T07:30:06.209Z" }` For anyone reading this as of today, `expiry` has to be passed in as a query param instead of request body. Like this: ``` curl 'http://localhost:81/api/tokens?expiry=10y' \ -H 'Content-Type: application/json; charset=UTF-8' \ --data-raw '{"identity":"[Your Email]","secret":"[Your Secret]"}' \ --compressed ``` https://github.com/NginxProxyManager/nginx-proxy-manager/blob/develop/backend/routes/tokens.js#L28

kerem commented 2026-02-26 07:34:52 +03:00

Author

Owner

Copy link

@Erreur32 commented on GitHub (Jan 30, 2025):

I have updated my script using http://localhost:81/api/tokens?expiry=10y, but the token still expires after one day. I also tried:

TOKEN_EXPIRY="365d"
TOKEN_EXPIRY="31536000s"
TOKEN_EXPIRY="1y"

However, it still expires after one day. Has anyone else encountered this issue @rahulparekh ?

<!-- gh-comment-id:2625459134 --> @Erreur32 commented on GitHub (Jan 30, 2025): I have updated my script using http://localhost:81/api/tokens?expiry=10y, but the token still expires after one day. I also tried: ``` TOKEN_EXPIRY="365d" TOKEN_EXPIRY="31536000s" TOKEN_EXPIRY="1y" ``` However, it still expires after one day. Has anyone else encountered this issue @rahulparekh ?

kerem commented 2026-02-26 07:34:52 +03:00

Author

Owner

Copy link

@rahulparekh commented on GitHub (Feb 13, 2025):

I have updated my script using http://localhost:81/api/tokens?expiry=10y, but the token still expires after one day. I also tried:

TOKEN_EXPIRY="365d"
TOKEN_EXPIRY="31536000s"
TOKEN_EXPIRY="1y"

However, it still expires after one day. Has anyone else encountered this issue @rahulparekh ?

Try this:

https://github.com/NginxProxyManager/nginx-proxy-manager/discussions/3265#discussioncomment-12192178

<!-- gh-comment-id:2657907772 --> @rahulparekh commented on GitHub (Feb 13, 2025): > I have updated my script using http://localhost:81/api/tokens?expiry=10y, but the token still expires after one day. I also tried: > > ``` > TOKEN_EXPIRY="365d" > TOKEN_EXPIRY="31536000s" > TOKEN_EXPIRY="1y" > ``` > > However, it still expires after one day. Has anyone else encountered this issue [@rahulparekh](https://github.com/rahulparekh) ? Try this: https://github.com/NginxProxyManager/nginx-proxy-manager/discussions/3265#discussioncomment-12192178

kerem commented 2026-02-26 07:34:52 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Sep 9, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:3268604190 --> @github-actions[bot] commented on GitHub (Sep 9, 2025): Issue is now considered stale. If you want to keep it open, please comment :+1:

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#2284

No description provided.