First Login

# Released install (systemd)
journalctl -u aihummer-gateway | grep -i "admin password"

http://localhost:8765/admin/

aihummer set-password
# or
aihummer admin-password

The very first time AiHummer starts against an **empty database**, it bootstraps a single `admin` account and prints a **one-time password** to the gateway log. You use it to sign in once, then change it immediately. This page walks through that first login and how to harden it for production. ## Find the one-time password On an empty database the gateway writes a generated `admin` password to its log on startup. Read it from the service log: ```bash # Released install (systemd) journalctl -u aihummer-gateway | grep -i "admin password" ``` The password is generated once, for the bootstrap `admin` user. It is not stored in plaintext anywhere except that log line, so capture it before clearing logs. > [!WARNING] > Treat the printed password as a secret. On a production host, make sure the > startup log is not shipped to a place where it lingers — rotate or scrub it once > you have logged in. ## Log in as admin Open the admin UI and sign in with `admin` and the password from the log: ```text http://localhost:8765/admin/ ``` If you are behind a reverse proxy, use your external admin URL instead. The admin UI is served at the `/admin/` path of the gateway. ## Change the password immediately Change the bootstrap password right after your first sign-in, from the admin UI. You can also rotate it from the bundled CLI: ```bash aihummer set-password # or aihummer admin-password ``` > [!DANGER] > Do not leave the bootstrap password in place, and do not leave it sitting in > logs on a production host. The bootstrap `admin` account is a full administrator > — anyone who reads that log line and reaches `/admin/` has complete control. ## Secure the admin surface By itself, the `/admin/*` surface trusts development headers when no enterprise auth issuer is configured — which is fine on a laptop but unsafe on an exposed host. For any production deployment, protect `/admin/*` with an auth issuer and do not expose it without one. > [!IMPORTANT] > Set `AIHUMMER_OIDC_ISSUER` (or configure LDAP/SAML) before exposing the admin > UI. Without it, admin endpoints trust dev headers and must never be reachable > from an untrusted network. ## Enable enterprise SSO (production) For production, move authentication onto your identity provider. AiHummer supports enterprise SSO so the bootstrap local account becomes a break-glass fallback rather than the daily path: - **OIDC** — protects `/v1/admin/*` (deny-by-default). - **SAML** — federation via `/saml/metadata`, `/saml/acs`, `/saml/login`. - **LDAP / Active Directory** — directory-backed login. - **SCIM** — automated user provisioning at `/scim/v2/Users`. Once SSO is in place, scope down or retire day-to-day use of the local `admin` account and rely on your IdP's groups and roles. ## Where to next - Tune the deployment from the UI: [Configuration](/en/v1.0/getting-started/configuration). - Add a channel and an agent: [Quickstart](/en/v1.0/getting-started/quickstart). - Review what you deployed: [Installation](/en/v1.0/getting-started/installation).