Access & sharing

Tokens, sessions, and shareable links that don't leak secrets.

By default a node runs open on a trusted local network. For anything beyond that, OneSVD supports a bearer token and an IP allowlist.

Requiring a token#

Set ONESVD_TOKEN (see configuration). The UI then prompts for the token when you connect. Entering it exchanges the token for a session cookie, so the browser stays signed in without the token appearing in URLs.

File and folder links are authorized by the session cookie, not by a token in the URL. That means you can copy a link to a file — or a folder's zip — and it won't leak your token. Recipients still need access to the node.

IP allowlist#

Set ONESVD_ALLOW_IPS to a comma-separated list to restrict which addresses can reach the node at all. Loopback is always allowed, so local tooling keeps working.

Warning:

With no token and no allowlist, write endpoints are open to anyone who can reach the port. That's fine on a private machine; lock it down before exposing a node.