[GH-ISSUE #5174] TOTP Documentation Update - User Awareness #3132

New issue

Open

opened 2026-02-26 07:37:55 +03:00 by kerem · 4 comments

kerem commented 2026-02-26 07:37:55 +03:00

Owner

Copy link

Originally created by @Hackpig1974 on GitHub (Jan 15, 2026).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/5174

Hi,

I wanted to share some feedback after implementing TOTP 2FA on my Nginx Proxy Manager instance. This isn't a bug, but rather a documentation enhancement that could help users avoid a common integration issue.

Issue Encountered:
After enabling TOTP 2FA on my NPM admin account, my Homepage dashboard widget for NPM immediately stopped working and began showing "API Error: Internal Error" in the UI. The NPM container logs showed repeated jwt malformed warnings whenever Homepage attempted to authenticate.

Root Cause:
Homepage (and likely other dashboard/monitoring tools) authenticates to NPM's API using username/password credentials. When 2FA is enabled on an account, the API authentication endpoint cannot complete the 2FA challenge, causing the authentication to fail and return invalid JWTs.

Solution/Workaround:
The standard solution is to create a dedicated service account in NPM specifically for API access:

Create a new user in NPM (e.g., homepage-api@domain.com)
Set password via the Edit User dialog
Do NOT enable TOTP 2FA on this service account
Update Homepage (or other tools) to use these credentials instead

This is a common pattern across many platforms - the primary admin account uses 2FA for security, while service/API accounts remain without interactive authentication challenges.

Recommendation:
It would be helpful to add a note in the TOTP plugin documentation warning users that:

Enabling 2FA on an account will break API integrations that authenticate with that account
Users should create dedicated service accounts without 2FA for API/automation purposes
This is expected behavior, not a bug

This would save users troubleshooting time and prevent confusion when their integrations suddenly stop working after enabling 2FA.

Thanks for the great TOTP enhancement! Just wanted to share this in case it helps other users.

Originally created by @Hackpig1974 on GitHub (Jan 15, 2026). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/5174 Hi, I wanted to share some feedback after implementing TOTP 2FA on my Nginx Proxy Manager instance. This isn't a bug, but rather a documentation enhancement that could help users avoid a common integration issue. Issue Encountered: After enabling TOTP 2FA on my NPM admin account, my Homepage dashboard widget for NPM immediately stopped working and began showing "API Error: Internal Error" in the UI. The NPM container logs showed repeated jwt malformed warnings whenever Homepage attempted to authenticate. Root Cause: Homepage (and likely other dashboard/monitoring tools) authenticates to NPM's API using username/password credentials. When 2FA is enabled on an account, the API authentication endpoint cannot complete the 2FA challenge, causing the authentication to fail and return invalid JWTs. Solution/Workaround: The standard solution is to create a dedicated service account in NPM specifically for API access: Create a new user in NPM (e.g., homepage-api@domain.com) Set password via the Edit User dialog Do NOT enable TOTP 2FA on this service account Update Homepage (or other tools) to use these credentials instead This is a common pattern across many platforms - the primary admin account uses 2FA for security, while service/API accounts remain without interactive authentication challenges. Recommendation: It would be helpful to add a note in the TOTP plugin documentation warning users that: Enabling 2FA on an account will break API integrations that authenticate with that account Users should create dedicated service accounts without 2FA for API/automation purposes This is expected behavior, not a bug This would save users troubleshooting time and prevent confusion when their integrations suddenly stop working after enabling 2FA. Thanks for the great TOTP enhancement! Just wanted to share this in case it helps other users.

kerem added the

enhancement

label 2026-02-26 07:37:55 +03:00

kerem commented 2026-02-26 07:37:56 +03:00

Author

Owner

Copy link

@piotrfx commented on GitHub (Jan 15, 2026):

@Hackpig1974, thank you for your input. I'm happy that more and more users are finding TOTP useful, as I did when I developed it. There are more issues to be resolved, and when I've got more time during the weekend, I'll sit, read them all again, create a list and hope to find the time to work on them :).

<!-- gh-comment-id:3756700103 --> @piotrfx commented on GitHub (Jan 15, 2026): @Hackpig1974, thank you for your input. I'm happy that more and more users are finding TOTP useful, as I did when I developed it. There are more issues to be resolved, and when I've got more time during the weekend, I'll sit, read them all again, create a list and hope to find the time to work on them :).

kerem commented 2026-02-26 07:37:56 +03:00

Author

Owner

Copy link

@piotrfx commented on GitHub (Jan 15, 2026):

Off the topic, @Hackpig1974 , what do you think about #5138 ? When I deal with the 2FA requests, I can try to develop it next.

<!-- gh-comment-id:3756706014 --> @piotrfx commented on GitHub (Jan 15, 2026): Off the topic, @Hackpig1974 , what do you think about #5138 ? When I deal with the 2FA requests, I can try to develop it next.

kerem commented 2026-02-26 07:37:56 +03:00

Author

Owner

Copy link

@Hackpig1974 commented on GitHub (Jan 15, 2026):

Appreciate you asking for input on this. I think it's a "sounds good on paper" idea, but there's a practical problem that kills it: the container boundary.

Most people run NPM in Docker. When you use something like systeminformation, you're getting container metrics, not host metrics, unless you start bind-mounting /proc and /sys, which gets messy fast and opens up security questions. Users will see container resource limits and think it's showing host health, which would be confusing.

If someone actually needs host-level monitoring, they should just use tools built for that: Netdata, Glances, Homepage, Prometheus, whatever. NPM trying to do it too just creates maintenance burden without really solving the problem.

What might make more sense: focusing on NPM-specific stuff.

Per-proxy metrics: request rates, errors, backend health
Active connections per host
Cert expiry warnings
Nginx worker stats

That's the kind of data people can actually use inside NPM, and it's directly tied to what NPM's managing. If you want to get fancy, add a /metrics endpoint for Prometheus and call it a day.

Anyway, that's my take. Hope that helps.
Good luck with whatever direction you go.

<!-- gh-comment-id:3756767339 --> @Hackpig1974 commented on GitHub (Jan 15, 2026): Appreciate you asking for input on this. I think it's a "sounds good on paper" idea, but there's a practical problem that kills it: the container boundary. Most people run NPM in Docker. When you use something like systeminformation, you're getting container metrics, not host metrics, unless you start bind-mounting /proc and /sys, which gets messy fast and opens up security questions. Users will see container resource limits and think it's showing host health, which would be confusing. If someone actually needs host-level monitoring, they should just use tools built for that: Netdata, Glances, Homepage, Prometheus, whatever. NPM trying to do it too just creates maintenance burden without really solving the problem. What might make more sense: focusing on NPM-specific stuff. Per-proxy metrics: request rates, errors, backend health Active connections per host Cert expiry warnings Nginx worker stats That's the kind of data people can actually use inside NPM, and it's directly tied to what NPM's managing. If you want to get fancy, add a /metrics endpoint for Prometheus and call it a day. Anyway, that's my take. Hope that helps. Good luck with whatever direction you go.

kerem commented 2026-02-26 07:37:56 +03:00

Author

Owner

Copy link

@piotrfx commented on GitHub (Jan 18, 2026):

Thank you, for now I thought I'll have a time to sit on the 2FA, and it has to wait a bit as we have a funeral situation here and no way to optimise my time for 2FA. Hope to have time soon. One of my technicians is coming back in one week from holiday, so I'll start to have more time after that.

<!-- gh-comment-id:3765681227 --> @piotrfx commented on GitHub (Jan 18, 2026): Thank you, for now I thought I'll have a time to sit on the 2FA, and it has to wait a bit as we have a funeral situation here and no way to optimise my time for 2FA. Hope to have time soon. One of my technicians is coming back in one week from holiday, so I'll start to have more time after that.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#3132

No description provided.