Secret (Optional) field on login page

I am self-hosted.

I am a little dense on this and have looked through the documentation and source but I cannot figure out the use of the “Secret (Optional)” field that is on the login page. I understand it is tied to the APP_KEY variable in .env but what is the use?

If I put in my email/password/2FA, and put random characters in the field, I can still log in?

This also shows up on the iOS app.

Super confused.



You can optionally set an APP_SECRET value in the .env file

So, it is like a type of second password?

Correct, it’s an additional layer of security

Can you somehow “whitelist” apps?

I.e., do not require it if accessed via the IN web front end but do require it if accessed from a desktop or mobile app?

No, it isn’t supported