Why do you need the API_SECRET to log in via a web browser?

We just upgraded to V5 and set API_SECRET because we want to use the API with a project we’re developing.

Why would we need to provide that to log in with a browser? Is there a way around that, besides removing the API_SECRET from the env? Every time my session expires I don’t want to go dig out the API_SECRET.


The app also uses the API so (if set) the secret would be required.

By default the app’s session doesn’t expire; you only need to log in once.

The app… you mean the web app or the PWA you can install on devices?

I was referring to the web app but it’s also true of the mobile and desktop apps.

Note: although the v5 web app can be installed as a PWA it’s much better to install the native desktop app instead.

Interesting take on authentication: just to log in you’re treated like an API connection. We use several open-source self-hosted solutions and that’s a first.

Actually, just had a concern. If I want to enable client login (currently I do not), will they need the API secret to log in?

The client login is separate from user login; it doesn’t require the API secret.

At home, logged into our self-hosted instance. Replied to this thread a few times. Shut down. Came to the office and got this:

It would seem something causes the session to expire. Everything else I was signed into is still signed in, this forum being one of them.

I suggest checking what the web session timeout is set to on Settings > Account Management > Security Settings

I’m still so confused as to why a user needs to use an API secret to log in. So for any user to log in to the web interface they not only need a password and username, they also need the API secret. Even though they’re not an API, they’re a user accessing a prebuilt web app.

And that same key is used by APIs to access the invoicing.

We use nextcloud, comet backup, several other projects and we do some coding ourselves. I’ve never seen a project require users to have an API_KEY to login.


It is an optional field; some self-hosted users would use this as an additional layer of protection for their system.

To use the API with another project, you have to set API_SECRET. Once you do, it’s not optional to log in. Unless there’s a setting I’ve missed.


If you remove the API_SECRET variable from the .env file and then optimize

php artisan optimize

You do not have to use the API_SECRET at all.