
Auth Broken | Cannot log in to Dokploy from other devices/browsers on local network after initial setup on Raspberry Pi

Open InvixGG opened this issue 7 months ago • 16 comments

To Reproduce

  1. Install Dokploy on a Raspberry Pi 5 running Raspberry Pi OS Lite (64-bit) using the Docker Compose installation method.
  2. Access the Dokploy web interface from a web browser on a computer or device connected to the same local network as the Raspberry Pi (e.g., http://192.168.2.15:3000).
  3. Complete the initial setup process within this browser, creating the administrative account with a specific email address and password.
  4. Confirm successful login to the Dokploy dashboard using the email and password in the browser used for setup.
  5. Open a different web browser on the same computer, or access the Dokploy web interface from a different device on the same local network (e.g., a smartphone, another computer's browser), again using http://192.168.2.15:3000.
  6. Attempt to log in using the exact same email and password that was successfully used during the initial setup and for logging in with the first browser.

Current vs. Expected behavior

Following the steps from the previous section, I expected to be able to log in to the Dokploy web interface from any device or browser on my local network using the correct email and password. However, I observed that every login attempt from a different device, a different browser, or an incognito/private browsing window results in an "Invalid email or password" error message, despite the credentials being verified as correct by logging in with the initial browser.

Provide environment information

OS: Raspberry Pi OS Lite
Arch: arm64
Dokploy version: v0.22.6

Which area(s) are affected? (Select all that apply)

Application

Are you deploying the applications where Dokploy is installed or on a remote server?

Same server where Dokploy is installed

Additional context

No response

Will you send a PR to fix it?

No

InvixGG avatar May 18 '25 22:05 InvixGG

Does anything change if you reset your password?

  • https://docs.dokploy.com/docs/core/reset-password

nktnet1 avatar May 19 '25 07:05 nktnet1

Does anything change if you reset your password?

No, I've tried that as well. But even with that new password it doesn't want to log in for some reason.

InvixGG avatar May 19 '25 09:05 InvixGG

That's odd - Dokploy is currently using better-auth under the hood. No issues for me on my three instances (laptop homeserver, Hetzner VPS, Oracle Cloud).

One thing I do find odd is that I can't trace where the better-auth secret is being set in Dokploy's source code

  • https://www.better-auth.com/docs/reference/options#secret

    better-auth-secret-docs

i.e. not anywhere in here

https://github.com/Dokploy/dokploy/blob/17a26353b6d2412b6023ddfc4cc785605c1368fc/packages/server/src/lib/auth.ts#L16-L229

and no environment variables AUTH_SECRET or BETTER_AUTH_SECRET in my dokploy container's environment.

Very wild guess would be somehow the better-auth secret is not stable for your server instance, but may need Siumauricio to give further insight into this.

nktnet1 avatar May 19 '25 10:05 nktnet1

Actually, I do see the check for trusted origin here:

https://github.com/Dokploy/dokploy/blob/17a26353b6d2412b6023ddfc4cc785605c1368fc/packages/server/src/lib/auth.ts#L36-L53

which appears to get applied after the first user is created.

@InvixGG you may want to update the server's IP in that case, in Settings -> Web Server -> Server -> Update Server IP

update-server-ip

then try refreshing or manually set your local ip, e.g. 192.168.2.15

public-ip-update

and see if that works.

nktnet1 avatar May 19 '25 10:05 nktnet1

@InvixGG you may want to update the server's IP in that case, in Settings -> Web Server -> Server -> Update Server IP

update-server-ip

then try refreshing or manually set your local ip, e.g. 192.168.2.15

public-ip-update

and see if that works.

Yes I was also curious about this. As it tried using another IP to my local IP, even though I access the site via the local IP. But that makes sense now, I've changed the Server IP to the local IP now.

Sadly this doesn't change the fact that I still can't login with the credentials from incognito for example, or anywhere else on the network. Or even my own browser once I log out, but I don't want to setup everything again haha.

I even tried resetting it again, but using that newly generated password, that didn't work either.

So I'm not sure if I'm still doing something wrong or if it's something in the code.

I've worked with Better-Auth before as well, currently am. But would be curious where that secret is being used then, because that could be a potential issue while trying to retrieve a set password to login again. But then you mention it working fine on your systems, so that's then odd.

InvixGG avatar May 19 '25 12:05 InvixGG

Or even my own browser once I log out, but I don't want to setup everything again

You'll be forcefully logged out after a couple of days when the session expiry is reached :(.

Long shot, but something you could try is, given that Dokploy overwrites the default hashing algo scrypt with bcrypt

https://github.com/Dokploy/dokploy/blob/17a26353b6d2412b6023ddfc4cc785605c1368fc/packages/server/src/lib/auth.ts#L74-L80

Maybe you could try verifying that bcrypt can actually compare the input password with the stored hash correctly on your Raspberry Pi, e.g. by running:

import * as bcrypt from 'bcrypt';

async function runTests() {
  const testPassword = 'mySecret123';
  const wrongPassword = 'notMySecret';

  const hash = bcrypt.hashSync(testPassword, 10);
  console.log(`Hash: ${hash}`);

  const correctMatch = bcrypt.compareSync(testPassword, hash);
  console.log(`Correct match: ${correctMatch}`);

  const wrongMatch = bcrypt.compareSync(wrongPassword, hash);
  console.log(`Wrong match: ${wrongMatch}`);

  if (correctMatch && !wrongMatch) {
    console.log('✅ All tests passed.');
  } else {
    console.error('❌ Test failed.');
  }
}

runTests().catch(console.error);

Could also test by adding delays/sleep before the compareSync to see if bcrypt can compare correctly with varying time.

I think we'll need @Siumauricio to help answer the question on where the better-auth secret is set though - I still can't find it anywhere in ENV or config 🤷. Pretty sure it should be set somewhere somehow though, since better-auth is meant to complain in prod if unset.

nktnet1 avatar May 19 '25 13:05 nktnet1

You'll be forcefully logged out after a couple of days when the session expiry is reached :(.

Yea I figured that was gonna happen, so I'll just refrain from further setting up the program.

Maybe you could try verifying that bcrypt can actually compare the input password with the stored hash correctly on your Raspberry Pi, e.g. by running:

Sure I'll try that!

Is there a way to debug/check logs here? Maybe it says something?

InvixGG avatar May 19 '25 13:05 InvixGG

There are logs for the dokploy container (you can use Docker CLI or the Web UI - there's a menu entry called "View Logs" above the "Update Server IP" from my screenshot above).

Unfortunately though, I don't think you will see much on authentication, since it's disabled in production...

https://github.com/Dokploy/dokploy/blob/17a26353b6d2412b6023ddfc4cc785605c1368fc/packages/server/src/lib/auth.ts#L21-L23

nktnet1 avatar May 19 '25 13:05 nktnet1

There are logs for the dokploy container (you can use Docker CLI or the Web UI - there's a menu entry called "View Logs" above the "Update Server IP" from my screenshot above).

Unfortunately though, I don't think you will see much on authentication, since it's disabled in production...

dokploy/packages/server/src/lib/auth.ts

Lines 21 to 23 in 17a2635

    logger: {
      disabled: process.env.NODE_ENV === "production",
    },

Ah yea fair, makes sense.

I tried the test script, with time variation as well. But it all passed fine.

InvixGG avatar May 19 '25 13:05 InvixGG

Anything I can check or do here? @nktnet1

InvixGG avatar May 21 '25 12:05 InvixGG

First thing to try is looking at your Browser's developer console to see if there's anything useful being logged, either in console or the networks tab.

If you still have access to your admin account, I would try creating a second user and seeing if the issue can be replicated.


If you can open UDP ports, you can probably circumvent the issue by hosting your own wireguard/adguard instance. I left a template here:

  • https://github.com/Dokploy/dokploy/discussions/1240

Then try configuring DNS and set the same in Dokploy settings.


If you can't open ports or want an easier way to get things running, look into Tailscale:

  • https://tailscale.com

In particular, magic DNS and/or exit node.


Using Cloudflare Tunnel is another option if you have a domain, although I'll recommend configuring auth to protect your services. I left some instructions here:

  • https://github.com/Dokploy/dokploy/discussions/966#discussioncomment-11664079

Configure host/domain in Dokploy settings.


Finally, you could also consider alternatives like Coolify:

  • https://github.com/coollabsio/coolify

Or Caprover:

  • https://github.com/caprover/caprover

nktnet1 avatar May 21 '25 12:05 nktnet1

The developer console and network tab just send back an error on the request. Which is just the email/password error. So that doesn't tell us a lot more.

I think I'll just switch to Coolify for now and see if it works over there. If not I'll try some of the other solutions.

InvixGG avatar May 22 '25 11:05 InvixGG

Alright I've tried Coolify, and came back. It's quite a bit worse in terms of UX, and would rather fix this than use that. So I'll be trying some of the suggestions you made.

InvixGG avatar May 22 '25 14:05 InvixGG

If you still have access to your admin account, I would try creating a second user and seeing if the issue can be replicated.

So I've created another account, and this did work when I logged into that member account. So something be going on there.

InvixGG avatar May 22 '25 18:05 InvixGG

Any ideas on that? @nktnet1

InvixGG avatar May 23 '25 14:05 InvixGG

I can add a flag so that I can enable better-auth debug mode to see, maybe there is some useful information...

Siumauricio avatar May 26 '25 06:05 Siumauricio

I can add a flag so that I can enable better-auth debug mode to see, maybe there is some useful information...

That would be great, yes! Has this been added yet in the meantime?

I find it weird that it's fine on a secondary account, but not on the primary one.

InvixGG avatar Jun 14 '25 14:06 InvixGG

Seemed to be fixed in a recent update, thank you guys!

InvixGG avatar Jun 23 '25 16:06 InvixGG

Alright so now I got back, apparently the cookie or something has expired and it doesn't work again.

So last time when I first opened this issue, I opened the website on my phone on my local network where the Pi runs and it immediately didn't work after I created the account on Dokploy.

About a week ago when I said it fixed it in the recent update, I recreated Dokploy and opened it on the phone and it worked fine.

But now a week later it doesn't work again and it says the password or email is wrong. Even tho nothing has changed.

InvixGG avatar Jun 29 '25 16:06 InvixGG

Could you guys maybe take a look at this again? @nktnet1 @Siumauricio

InvixGG avatar Jul 03 '25 12:07 InvixGG

Just had an interesting find when I ran the password reset:

Levi@raspberrypi:~ $ sudo docker exec -it 9efc8ea57fde bash -c "pnpm run reset-password"
 WARN  Unsupported engine: wanted: {"node":"^20.16.0"} (current: {"node":"v20.9.0","pnpm":"9.5.0"})

> [email protected] reset-password /app
> node -r dotenv/config dist/reset-password.mjs

2025-07-03T12:34:57.736Z ERROR [Better Auth]: You are using the default secret. Please set `BETTER_AUTH_SECRET` in your environment variables or pass `secret` in your auth config.
2025-07-03T12:34:57.738Z WARN [Better Auth]: Social provider github is missing clientId or clientSecret
2025-07-03T12:34:57.738Z WARN [Better Auth]: Social provider google is missing clientId or clientSecret
Password reset successful

InvixGG avatar Jul 03 '25 12:07 InvixGG

Might be the issue

InvixGG avatar Jul 03 '25 12:07 InvixGG

Also got these:

Error during log cleanup: [Error: Command failed: tail -n 1000 /etc/dokploy/traefik/dynamic/access.log > /etc/dokploy/traefik/dynamic/access.log.tmp && mv /etc/dokploy/traefik/dynamic/access.log.tmp /etc/dokploy/traefik/dynamic/access.log
tail: cannot open '/etc/dokploy/traefik/dynamic/access.log' for reading: No such file or directory
] {
  code: 1,
  killed: false,
  signal: null,
  cmd: 'tail -n 1000 /etc/dokploy/traefik/dynamic/access.log > /etc/dokploy/traefik/dynamic/access.log.tmp && mv /etc/dokploy/traefik/dynamic/access.log.tmp /etc/dokploy/traefik/dynamic/access.log',
  stdout: '',
  stderr: "tail: cannot open '/etc/dokploy/traefik/dynamic/access.log' for reading: No such file or directory\n"
}

2025-07-03T12:33:58.280Z ERROR [Better Auth]: User not found { email: '[email protected]' }

Even tho that's the user I had just created and it worked fine when I created it, but after the cookie expired it broke.

InvixGG avatar Jul 03 '25 12:07 InvixGG

I've now reinstalled Dokploy and added a different Better-Auth secret into the installation script. So hopefully that works.

InvixGG avatar Jul 03 '25 13:07 InvixGG

Alright nvm, 5 days later even when setting a different Better-Auth secret it doesn't work. @Siumauricio @nktnet1

InvixGG avatar Jul 08 '25 14:07 InvixGG

It just says this: ERROR [Better Auth]: User not found { email: '[email protected]' }. Which was the user I created, but this is always after 5 days and this isn't a Better-Auth secret issue I think as that error has been resolved now.

InvixGG avatar Jul 08 '25 14:07 InvixGG
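
The log lines quoted in the comments above point at two different causes that both reach the browser as "Invalid email or password". As an added example (not part of the original thread, and not Dokploy or better-auth code), this script classifies Better Auth log lines in the quoted format; the finding names, the `triage` helper and the sample e-mail address are assumptions made for illustration.

```javascript
// Added example: classify Better Auth log lines in the format quoted in this thread.
// Assumed line shape: "<ISO timestamp> <LEVEL> [Better Auth]: <message>".
const LINE_RE =
  /^(\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+(ERROR|WARN|INFO|DEBUG)\s+\[Better Auth\]:\s+(.*)$/;

// Matchers use message text quoted on this page; the finding names are hypothetical.
const RULES = [
  { finding: "default-secret", test: (m) => m.includes("You are using the default secret") },
  { finding: "user-not-found", test: (m) => m.startsWith("User not found") },
  { finding: "provider-unconfigured", test: (m) => /^Social provider \S+ is missing/.test(m) },
];

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // pnpm banner, Traefik cleanup errors, etc.
  const [, ts, level, message] = m;
  const rule = RULES.find((r) => r.test(message));
  return { ts: new Date(ts), level, message, finding: rule ? rule.finding : "other" };
}

function triage(logText) {
  const events = logText.split(/\r?\n/).map(parseLine).filter(Boolean);
  const counts = {};
  for (const e of events) counts[e.finding] = (counts[e.finding] || 0) + 1;
  const notes = [];
  if (counts["default-secret"]) {
    notes.push("default secret in use: no BETTER_AUTH_SECRET and no `secret` option for this process");
  }
  if (counts["user-not-found"]) {
    // The e-mail lookup returned no row, so a wrong password is not the cause.
    notes.push("sign-in rejected because the e-mail matched no user: inspect the user table");
  }
  return { events, counts, notes };
}

// Sample input: lines quoted in this thread; the e-mail address is a constructed placeholder.
const SAMPLE = [
  "> node -r dotenv/config dist/reset-password.mjs",
  "2025-07-03T12:34:57.736Z ERROR [Better Auth]: You are using the default secret. Please set `BETTER_AUTH_SECRET` in your environment variables or pass `secret` in your auth config.",
  "2025-07-03T12:34:57.738Z WARN [Better Auth]: Social provider github is missing clientId or clientSecret",
  "2025-07-03T12:34:57.738Z WARN [Better Auth]: Social provider google is missing clientId or clientSecret",
  "Password reset successful",
  "2025-07-03T12:33:58.280Z ERROR [Better Auth]: User not found { email: 'admin@example.test' }",
].join("\n");

for (const note of triage(SAMPLE).notes) console.log(note);
```

Each note applies only to the process that wrote the log: the default-secret line in the thread came from the `reset-password` command run through `docker exec`, which is a separate process from the web server.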

@InvixGG have you tried querying for the user in your database?

For example,

  1. Open a container in your dokploy-postgres container

    docker exec --interactive --tty "$(docker ps -all --filter 'name=dokploy-postgres' --format '{{.ID}}')" bash
    
  2. Inside the container, enter postgres

    psql -U dokploy
    
  3. List all emails

    SELECT email FROM user_temp;
    

Note that the error that's being logged from better-auth comes from here:

  • https://github.com/better-auth/better-auth/blob/c5d43bad6c4d45a7c0a09a7ab561bb0a219c522d/packages/better-auth/src/api/routes/sign-in.ts#L463

nktnet1 avatar Jul 08 '25 23:07 nktnet1

@InvixGG have you tried querying for the user in your database?

I have tried this, but there are no emails in there, it seems that it gets deleted after these 5 days when the cookies get deleted and the Better-Auth secret shouldn't be default anymore. So I have no idea why the user gets deleted after these 5 days.

InvixGG avatar Jul 09 '25 10:07 InvixGG

@Siumauricio @nktnet1

I've now tried recreating the Dokploy service and have added the same secret for Better-Auth which makes it not add this warning about the Better-Auth secret being default.

But now I've created the account and tried logging in on an incognito tab but it says this 2025-07-15T16:14:18.352Z ERROR [Better Auth]: User not found { email: '[email protected]' }

So I'm really not sure what's going on here.

InvixGG avatar Jul 15 '25 16:07 InvixGG

Is this maybe because we run Dokploy and its services all on the Raspberry Pi?

InvixGG avatar Jul 16 '25 16:07 InvixGG