Skip to main content

System, Authentication & Time

This guide covers the admin-facing system pages: the System Info dashboard, the router Time Sync controls, and the Auth page for API tokens, one-time passwords, and SSH keys.

System Info

The System Info page lives at /admin/info and is split into three tabs: System, Containers, and Network Info.

System

The System tab shows host status and the most common maintenance actions:

  • Release / update information at the top, and the Time Sync banner (see Time Sync).
  • Theme selector, with a link to /admin/theme to customize.
  • Hostname — editable inline; submitting writes to PUT /info/hostname.
  • Version — the running SPR version, read from /version.
  • Restart SPR — sends PUT /restart to restart the stack.
  • Host metrics from /info/uptime: Time, Uptime, Users, and the 1 / 5 / 15 min load averages. These refresh every 5 seconds.
  • Database settings and the Configs Backup panel.

Configs Backup creates an on-device backup with PUT /backup; each backup is listed with a timestamp and can be downloaded (web only) via GET /backup/{filename}.

Containers

The Containers tab (Container Info) shows the container network configuration, Docker/plugin container status, and container Logs. Use it to confirm that the API, DNS, WireGuard, and any plugin containers are running.

Network Info

The Network Info tab shows the current ARP table (device-to-IP/MAC mappings seen on the router).

Time Sync

Accurate time matters on the router: OTP codes are time-based (TOTP) and TLS certificate validation depends on the clock being correct. The Time Sync banner appears on the System Info page and above OTP setup.

The banner calls GET /time (which returns the router's Unix time) and compares it to your browser's clock. If the two differ by more than 60 seconds it turns into a warning — "Clock mismatch with this device" — showing the drift in seconds and reminding you that OTP and TLS depend on accurate time. Verify your own device's clock first, since either side could be wrong.

Sync Now sends PUT /time/sync. The API proxies this to the privileged superd service, which restarts systemd-timesyncd on the host to re-poll NTP. The banner re-checks the drift a couple of seconds later.

On the OTP setup panel the banner is hidden while the clock is in sync and only appears when there is drift, so a warning there is a strong hint to fix the clock before enrolling OTP.

Authentication

The Auth page lives at /admin/auth and manages OTP, API Tokens, and SSH Keys.

For how tokens and Basic Auth are used against the API, see Web API Authentication.

OTP (one-time password)

SPR supports TOTP-based OTP for the admin user (WebAuthN support exists in the codebase but is currently disabled in the UI).

  1. Press Register OTP (PUT /otp_register). SPR generates a secret and displays a QR code (otpauth://totp/Auth?secret=...&issuer=SPR-OTP). Scan it with an authenticator app.
  2. Enter the current 6-digit code and press Verify OTP Code (PUT /otp_validate). On success SPR issues a short-lived JWT (default 1 hour) that is sent as the X-JWT-OTP header for OTP-gated calls.
  3. Check Require For Login (Verify to set) to make OTP mandatory for all admin logins (the AlwaysOn flag). It takes effect when you verify a code.

Status is reported as unregistered, not yet validated, or registered via GET /otp_status. OTP validation is rate limited: after 5 failed attempts within a minute the account is locked for 15 minutes.

Because listing and adding API tokens is gated behind a valid OTP JWT, you must register and confirm OTP before the API Tokens list will load.

API Tokens

The API Tokens section lists existing bearer tokens and lets you create or revoke them.

  • Add Auth Token — give the token a Name and pick an Expiration (Never, 1 hour, 1 day, 30 days, 90 days, or 1 year). SPR generates the token value server-side (PUT /tokens). Copy it from the list.
  • Each row shows the token name, value, its Scoped Paths (if any), and the expiry (or Never). Scoped-path tokens are restricted to matching URL prefixes and are read-only when scoped with :r.
  • Press the close (×) icon to revoke a token (DELETE /tokens).

Send a token as an Authorization: Bearer <token> header. See Web API Authentication for full usage.

SSH Keys

The SSH Keys section manages the host ubuntu user's authorized_keys from the UI (GET/PUT /authorizedKeys, proxied to superd).

  • If no keys are set, paste one or more SSH public keys (one per line, e.g. ssh-ed25519 AAAA...) and press Add.
  • Once authorized_keys exists on the host, the panel becomes locked and read-only — further changes must be made directly over SSH. Keys are validated for format before being written.