feat: add authentication documentation and update installer for local auth

- Add full authentication docs page (EN + ES) covering auth modes, organizations,
  RBAC, invites, password management, WebSocket auth, and security details
- Update install.sh to default to AUTH_PROVIDER=local with auto-generated
  JWT_SECRET and SETTINGS_ENCRYPTION_KEY using openssl rand
- Add auth environment variables to docker-compose.yml, .env.example, and
  configuration docs (AUTH_PROVIDER, JWT_SECRET, SETTINGS_ENCRYPTION_KEY,
  MULTI_TENANT, JWT_ACCESS_EXPIRATION, JWT_REFRESH_EXPIRATION)
- Update architecture docs to mention auth/authorization layer and multi-tenant
  data isolation in the API Server section
- Update quick-start guide with new registration step and auth token generation
  in the manual install flow
- Add Authentication link to docs sidebar, docs index, and i18n translations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: barckcode

.env.example

@@ -1,6 +1,22 @@
 # Required: Generate a secure random token for NATS authentication
 NATS_AUTH_TOKEN=change-me-to-a-secure-token
 
+# Required: Secret for signing JWT tokens (minimum 32 characters)
+JWT_SECRET=change-me-to-a-secure-random-string-at-least-32-chars
+
+# Required: Key for encrypting sensitive data at rest (API keys, invite tokens)
+SETTINGS_ENCRYPTION_KEY=change-me-to-a-secure-random-string
+
+# Authentication provider: "local" (email/password) or "noop" (no auth)
+AUTH_PROVIDER=local
+
+# Multi-tenancy: false = single organization, true = unlimited organizations
+MULTI_TENANT=false
+
+# Optional: JWT token expiration times
+# JWT_ACCESS_EXPIRATION=24h
+# JWT_REFRESH_EXPIRATION=7d
+
 # Optional: Customize ports (defaults shown)
 # API_PORT=3000
 # FRONTEND_PORT=8080

docker-compose.yml

@@ -19,6 +19,12 @@ services:
       - NATS_AUTH_TOKEN=${NATS_AUTH_TOKEN}
       - DATABASE_PATH=/data/agentcrew.db
       - AGENT_IMAGE=${AGENT_IMAGE:-ghcr.io/helmcode/agent_crew_agent:0.3.0}
+      - SETTINGS_ENCRYPTION_KEY=${SETTINGS_ENCRYPTION_KEY}
+      - AUTH_PROVIDER=${AUTH_PROVIDER:-local}
+      - JWT_SECRET=${JWT_SECRET}
+      - JWT_ACCESS_EXPIRATION=${JWT_ACCESS_EXPIRATION:-24h}
+      - JWT_REFRESH_EXPIRATION=${JWT_REFRESH_EXPIRATION:-7d}
+      - MULTI_TENANT=${MULTI_TENANT:-false}
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - agentcrew_db:/data

web/public/install.sh

@@ -66,12 +66,18 @@ check_dependencies() {
   if ! command -v curl &>/dev/null; then
     fail "curl is not installed. Please install curl and try again."
   fi
+
+  if ! command -v openssl &>/dev/null; then
+    fail "openssl is not installed. Please install openssl and try again."
+  fi
 }
 
 # ── Install ─────────────────────────────────────────────────────────
 install() {
-  # Generate NATS auth token
-  NATS_TOKEN=$(openssl rand -hex 16 2>/dev/null || head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
+  # Generate secure tokens
+  NATS_TOKEN=$(openssl rand -base64 24)
+  JWT_SECRET=$(openssl rand -base64 48)
+  ENCRYPTION_KEY=$(openssl rand -base64 32)
 
   # Create install directory
   if [[ -d "$INSTALL_DIR" ]]; then
@@ -93,18 +99,30 @@ install() {
   curl -fsSL -o "$INSTALL_DIR/docker-compose.yml" "$REPO_BASE/docker-compose.yml"
   success "docker-compose.yml downloaded"
 
-  # Create .env file (preserve existing to keep NATS token)
+  # Create .env file (preserve existing to keep tokens)
   if [[ -f "$INSTALL_DIR/.env" ]]; then
     info "Existing .env found, keeping current configuration."
   else
     info "Generating configuration..."
     {
       echo "# AgentCrew configuration — generated by install.sh"
+      echo ""
+      echo "# Internal messaging token (auto-generated)"
       echo "NATS_AUTH_TOKEN=$NATS_TOKEN"
+      echo ""
+      echo "# Authentication"
+      echo "AUTH_PROVIDER=local"
+      echo "JWT_SECRET=$JWT_SECRET"
+      echo "SETTINGS_ENCRYPTION_KEY=$ENCRYPTION_KEY"
+      echo "MULTI_TENANT=false"
+      echo ""
+      echo "# Optional overrides"
       echo "# API_PORT=3000"
       echo "# FRONTEND_PORT=8080"
+      echo "# JWT_ACCESS_EXPIRATION=24h"
+      echo "# JWT_REFRESH_EXPIRATION=7d"
     } > "$INSTALL_DIR/.env"
-    success ".env created with secure NATS token"
+    success ".env created with secure tokens"
   fi
 
   # Start the stack
@@ -137,7 +155,10 @@ summary() {
   echo ""
   echo -e "  ${BOLD}Open:${NC}  http://localhost:8080"
   echo ""
-  echo -e "  ${YELLOW}Next step: go to Settings (gear icon) and add your"
+  echo -e "  ${YELLOW}First time? Create your account at the registration page."
+  echo -e "  The first user becomes the organization admin.${NC}"
+  echo ""
+  echo -e "  ${YELLOW}Then go to Settings (gear icon) and add your"
   echo -e "  Anthropic API key or OAuth token to start deploying agents.${NC}"
   echo ""
   echo -e "  ${BOLD}Manage:${NC}"

web/src/layouts/DocsLayout.astro

@@ -55,6 +55,7 @@ const sidebarSections: NavSection[] = [
       { href: `${base}/docs/webhooks`, label: t('docs.webhooks') },
       { href: `${base}/docs/post-actions`, label: t('docs.postActions') },
       { href: `${base}/docs/mcp`, label: t('docs.mcp') },
+      { href: `${base}/docs/authentication`, label: t('docs.authentication') },
       { href: `${base}/docs/architecture`, label: t('docs.architecture') },
     ],
   },

web/src/pages/docs/architecture.astro

@@ -68,10 +68,12 @@ import DocsLayout from '../../layouts/DocsLayout.astro';
     </p>
 
     <ul>
+      <li><strong>Authentication and authorization:</strong> Built-in auth layer with JWT tokens, user management, organizations, and role-based access control (admin/member). See <a href="/docs/authentication">Authentication</a>.</li>
       <li>REST API endpoints for CRUD operations on teams, agents, and skills.</li>
       <li>Application settings management (API keys, configuration).</li>
       <li>Docker runtime management, including creating networks, volumes, and containers for each team.</li>
       <li>NATS message routing between the frontend and agent containers.</li>
+      <li>Multi-tenant data isolation: all queries are scoped to the user's organization.</li>
       <li>SQLite database access for persistent storage.</li>
     </ul>
 

web/src/pages/docs/authentication.astro

@@ -0,0 +1,252 @@
+---
+import DocsLayout from '../../layouts/DocsLayout.astro';
+---
+
+<DocsLayout title="Authentication | AgentCrew" lang="en">
+  <div class="docs-prose">
+    <h1>Authentication</h1>
+
+    <p>
+      AgentCrew includes a built-in authentication system with user management,
+      organizations, invite-based onboarding, and role-based access control.
+      Authentication is configured via the <code>AUTH_PROVIDER</code> environment
+      variable and supports two modes: <strong>local</strong> (default) and
+      <strong>noop</strong>.
+    </p>
+
+    <h2>Authentication Modes</h2>
+
+    <h3>Local Authentication (default)</h3>
+
+    <p>
+      Set <code>AUTH_PROVIDER=local</code> to enable email/password authentication
+      with JWT tokens. This is the default mode when using the installer.
+    </p>
+
+    <ul>
+      <li>Users register with email, password, name, and organization name.</li>
+      <li>Passwords are hashed with <strong>bcrypt</strong> (cost factor 12).</li>
+      <li>JWT access tokens (default 24h) and refresh tokens (default 7d) are issued on login.</li>
+      <li>Tokens are signed with <strong>HMAC-SHA256</strong> using the <code>JWT_SECRET</code> environment variable.</li>
+      <li>The frontend automatically refreshes expired access tokens using the refresh token.</li>
+    </ul>
+
+    <p>
+      Required environment variables for local mode:
+    </p>
+
+    <table>
+      <thead>
+        <tr>
+          <th>Variable</th>
+          <th>Description</th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr>
+          <td><code>JWT_SECRET</code></td>
+          <td>Secret for signing JWT tokens. Minimum 32 characters. Generate with <code>openssl rand -base64 48</code>.</td>
+        </tr>
+        <tr>
+          <td><code>SETTINGS_ENCRYPTION_KEY</code></td>
+          <td>Key for encrypting sensitive data (API keys, invite tokens) at rest using AES-256-GCM. Generate with <code>openssl rand -base64 32</code>.</td>
+        </tr>
+      </tbody>
+    </table>
+
+    <h3>Noop Authentication (no auth)</h3>
+
+    <p>
+      Set <code>AUTH_PROVIDER=noop</code> to disable authentication entirely. In
+      this mode:
+    </p>
+
+    <ul>
+      <li>No login screen is shown.</li>
+      <li>A default organization and user are created automatically.</li>
+      <li>All API requests are accepted without tokens.</li>
+      <li>Ideal for local development, testing, or single-user self-hosted setups where security is handled at the network level.</li>
+    </ul>
+
+    <blockquote>
+      <strong>Note:</strong> Switching from <code>noop</code> to <code>local</code>
+      is seamless. Existing data (teams, agents, settings) is automatically
+      associated with the default organization. You will just need to create
+      your first user account.
+    </blockquote>
+
+    <h2>Organizations</h2>
+
+    <p>
+      Every user belongs to an organization. Organizations provide <strong>data
+      isolation</strong>: teams, agents, schedules, webhooks, settings, and all
+      other resources are scoped to the organization. Users in one organization
+      cannot see or access resources from another.
+    </p>
+
+    <h3>Single-Tenant Mode (default)</h3>
+
+    <p>
+      With <code>MULTI_TENANT=false</code> (the default), only one organization
+      can exist. The first user who registers creates the organization and becomes
+      its admin. Additional users can only join via invite.
+    </p>
+
+    <h3>Multi-Tenant Mode</h3>
+
+    <p>
+      With <code>MULTI_TENANT=true</code>, anyone can register and create a new
+      organization. Each organization is fully isolated with its own users,
+      teams, settings, and data.
+    </p>
+
+    <h2>User Roles</h2>
+
+    <p>
+      AgentCrew uses a simple two-role model:
+    </p>
+
+    <table>
+      <thead>
+        <tr>
+          <th>Role</th>
+          <th>Capabilities</th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr>
+          <td><strong>Admin</strong></td>
+          <td>Full access. Can manage organization settings, invite users, change roles, reset passwords, and remove members. The first user (organization creator) is always an admin and cannot be downgraded.</td>
+        </tr>
+        <tr>
+          <td><strong>Member</strong></td>
+          <td>Can create and manage teams, agents, schedules, webhooks, and settings. Cannot manage users or organization settings.</td>
+        </tr>
+      </tbody>
+    </table>
+
+    <blockquote>
+      <strong>Safety:</strong> The system enforces that at least one admin always
+      exists. The organization owner cannot be removed or downgraded.
+    </blockquote>
+
+    <h2>First-Time Setup</h2>
+
+    <ol>
+      <li>
+        <strong>Install AgentCrew</strong> using the
+        <a href="/docs/quick-start">Quick Start</a> guide. The installer
+        generates all required secrets automatically.
+      </li>
+      <li>
+        <strong>Open the UI</strong> at <code>http://localhost:8080</code>. You
+        will see the registration page.
+      </li>
+      <li>
+        <strong>Create your account</strong> with your name, email, password, and
+        organization name. This account becomes the organization admin.
+      </li>
+      <li>
+        <strong>Add API keys</strong> in Settings to start deploying agent teams.
+      </li>
+    </ol>
+
+    <h2>Inviting Users</h2>
+
+    <p>
+      Admins can invite new users from the <strong>Organization Settings</strong>
+      page:
+    </p>
+
+    <ol>
+      <li>Go to <strong>Organization Settings</strong> in the sidebar.</li>
+      <li>In the <strong>Invitations</strong> section, enter the email address and click <strong>Invite</strong>.</li>
+      <li>Copy the invite link from the listing and share it with the user.</li>
+      <li>The invited user opens the link, fills in their name and password, and joins the organization.</li>
+    </ol>
+
+    <p>
+      Invitations expire after <strong>7 days</strong>. Admins can cancel pending
+      invitations at any time. The system prevents duplicate invites: you cannot
+      invite an email that is already a member or has a pending invitation.
+    </p>
+
+    <h2>Password Management</h2>
+
+    <h3>Changing Your Password</h3>
+
+    <p>
+      Users can change their own password from their <strong>Profile</strong>
+      page. They must enter their current password and the new one. Passwords
+      must be at least 8 characters and include an uppercase letter, a lowercase
+      letter, and a digit.
+    </p>
+
+    <h3>Admin Password Reset</h3>
+
+    <p>
+      Admins can reset any member's password from the Organization Settings page.
+      When reset, a temporary password is generated and displayed. The user must
+      change it on their next login (a forced password change screen is shown).
+    </p>
+
+    <h2>WebSocket Authentication</h2>
+
+    <p>
+      Real-time chat connections use WebSocket. Since WebSocket does not support
+      custom headers, the JWT token is passed as a query parameter:
+    </p>
+
+    <pre><code class="language-text">ws://localhost:8080/api/ws/team/&lt;team-id&gt;?token=&lt;jwt-access-token&gt;</code></pre>
+
+    <p>
+      The API server validates the token before upgrading the connection. In
+      <code>noop</code> mode, no token is required.
+    </p>
+
+    <h2>Security Details</h2>
+
+    <ul>
+      <li><strong>Password hashing:</strong> bcrypt with cost factor 12.</li>
+      <li><strong>JWT signing:</strong> HMAC-SHA256. The <code>none</code> algorithm is explicitly blocked.</li>
+      <li><strong>Token types:</strong> Access and refresh tokens include a <code>type</code> claim to prevent cross-use.</li>
+      <li><strong>Invite tokens:</strong> 32 bytes from <code>crypto/rand</code>. A SHA-256 hash is stored in the database; the raw token is encrypted with AES-256-GCM for admin retrieval.</li>
+      <li><strong>Sensitive data at rest:</strong> API keys and settings values are encrypted with AES-256-GCM using <code>SETTINGS_ENCRYPTION_KEY</code>.</li>
+      <li><strong>Email normalization:</strong> All emails are lowercased and trimmed to prevent case-sensitivity issues.</li>
+      <li><strong>Data isolation:</strong> All database queries are scoped to the user's organization ID, enforced at the middleware level.</li>
+    </ul>
+
+    <h2>Disabling Authentication</h2>
+
+    <p>
+      To run AgentCrew without authentication (useful for local development or
+      trusted networks):
+    </p>
+
+    <pre><code class="language-bash"># In your .env file
+AUTH_PROVIDER=noop</code></pre>
+
+    <p>
+      In noop mode, <code>JWT_SECRET</code> and <code>SETTINGS_ENCRYPTION_KEY</code>
+      are not required. All API endpoints accept unauthenticated requests, and a
+      default user and organization are created automatically.
+    </p>
+
+    <h2>Next Steps</h2>
+
+    <ul>
+      <li>
+        <a href="/docs/configuration">Configuration</a>: Full list of
+        environment variables including auth settings.
+      </li>
+      <li>
+        <a href="/docs/architecture">Architecture</a>: How the auth layer
+        integrates with the API server and frontend.
+      </li>
+      <li>
+        <a href="/docs/quick-start">Quick Start</a>: Get AgentCrew running
+        with authentication in one command.
+      </li>
+    </ul>
+  </div>
+</DocsLayout>