API Key management UI plus per-provider OIDC and forward-auth setup guides covering Microsoft Entra ID, Keycloak, Authentik, Pocket ID, Zitadel, Google, Authelia, and Cloudflare Access.
Added
- Settings > Security > API Key lets admins generate, rotate, and delete the instance-wide API key from the dashboard. The plaintext is shown exactly once after generation; afterwards only the bcrypt hash lives on disk. The previous flow (write
api_key_hashtoconfig.yamlby hand or viamuximux hash) still works and the UI surfaces the result of either path. Resolves the comment from #321 about the missing UI. - Authentication wiki gained a second worked example showing how to expose a proxied app's webhook endpoint (for example a CI tool's GitHub receiver) to an external service via
auth_bypass+require_api_key: true, with notes on how the proxied app's ownX-Api-Keyheader semantics interact with Muximux's. - Step-by-step setup guides for eight identity providers, each with the IdP-side configuration, matching
config.yaml, validation steps, and a troubleshooting table: Microsoft Entra ID, Keycloak, Authentik, Pocket ID, Zitadel, Google, Authelia (forward auth or OIDC), Cloudflare Access (forward auth). Linked from the wiki sidebar, the README, and the central authentication page.