diff --git a/docs/logto-oss/deployment-and-configuration.mdx b/docs/logto-oss/deployment-and-configuration.mdx index e1f02fc641f..f3209fc5c58 100644 --- a/docs/logto-oss/deployment-and-configuration.mdx +++ b/docs/logto-oss/deployment-and-configuration.mdx @@ -108,6 +108,12 @@ npm run cli db seed -- --swe Refer to the [Logto CLI](/logto-oss/using-cli) for more details. +:::tip Air-gapped or offline installs + +If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--disable-admin-pwned-password-check` to the seed command so the first admin sign-up does not hang on the Have I Been Pwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. + +::: + ### Shared connectors folder \{#shared-connectors-folder} By default, Logto will create a `connectors` folder in the root directory of the `core` folder. We recommend sharing the folder between multiple instances of Logto, you need to mount the `packages/core/connectors` folder to the container and run `npm run cli connector add -- --official` to deploy the connectors. diff --git a/docs/logto-oss/using-cli/README.mdx b/docs/logto-oss/using-cli/README.mdx index 1e5d1ab093a..3d872e57461 100644 --- a/docs/logto-oss/using-cli/README.mdx +++ b/docs/logto-oss/using-cli/README.mdx 
@@ -79,3 +79,45 @@ This will be helpful for one-off invocations, e.g.: ```bash npx @logto/cli db seed --db-url postgresql://your-database-url ``` + +### Seed for air-gapped or offline deployments \{#seed-for-air-gapped-or-offline-deployments} + +Since Logto v1.40.0, the `db seed` command accepts an extra flag for environments that cannot reach the public internet during installation: + +```bash +--disable-admin-pwned-password-check, --dapc +``` + +When set, the seeded password policy on the **admin tenant** disables the [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) breach check by default. This means creating the initial admin from the Welcome page no longer hangs when `api.pwnedpasswords.com` is unreachable (for example in air-gapped data centers or behind strict egress firewalls). + +The flag is scoped to the admin tenant only — the default tenant's password policy is left untouched, and stays under your control through Admin Console > **Sign-in experience** > **Password policy** after the first admin signs in. From the Admin Console you can also re-enable the HIBP check on the admin tenant at any time. + +Example: + + + + + +```bash +logto db seed --disable-admin-pwned-password-check +``` + + + + +```bash +npm run cli db seed -- --disable-admin-pwned-password-check +``` + + + + +```bash +npx @logto/cli db seed --disable-admin-pwned-password-check +``` + + + + + +The short alias `--dapc` is accepted as an equivalent for terser scripts.
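Review bot: the new `:::tip` block in `deployment-and-configuration.mdx` tells readers to "append `--disable-admin-pwned-password-check` to the seed command" but neither shows the resulting command nor states the minimum version; the surrounding context already shows `npm run cli db seed -- --swe`, so show the combined form `npm run cli db seed -- --swe --disable-admin-pwned-password-check` and add "(Logto v1.40.0 or later)" as the README hunk does, so readers on older releases do not reach for a flag that does not exist there. It would also help to say in the tip itself that the admin tenant's HIBP breach check stays off until an administrator re-enables it from the Admin Console, rather than leaving that consequence only to the linked section.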
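Review bot: in the "Example:" section of the README hunk, the three `bash` blocks (`logto db seed ...`, `npm run cli db seed -- ...`, `npx @logto/cli db seed ...`) are separated only by blank `+` lines and carry no label saying which invocation each corresponds to (globally installed CLI, repository checkout, one-off `npx`), so a reader sees three near-identical commands with no guidance; label each block, or, if these were meant to be tab panels, check that the tab wrapper and its labels are present in the source. Two smaller points: "disables the ... breach check by default" leaves it unclear whether the check is skipped only during seeding or remains disabled afterwards, while the following paragraph says it can be re-enabled from the Admin Console, so state plainly that the admin tenant's password policy is seeded with the HIBP check turned off and stays off until re-enabled; and the `--dapc` alias appears in the flag block at the top but is only explained in the final line, so mention it once where the flag is introduced.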