Dashboard refresh
The dashboard has been redesigned to give you more room to breathe and clearer at-a-glance status for each of your *arr apps.
What's new
- Spacious header with icons beside each nav link, a live "Connection Stable" indicator that pulses when everything's reachable, and a refreshed app icon beside the Triggarr wordmark
- Bigger stat cards — the Grab Rate, Movies, Series, Albums, and Next Scan numbers now render at hero size so you can see them from across the room, each with a color-coded icon for the app it covers
- Per-app grab rate bars on the Grab Rate card so you can see Radarr, Sonarr, and Lidarr performance at a glance without clicking through
- Color-coded app cards — orange border for Radarr, blue for Sonarr, green for Lidarr, red when an app is unreachable. Missing and Cutoff counts sit in recessed panels, and the Search Now button picks up the app's accent color on hover
- Card-based activity rail on the right — each recent search sits in its own bubble with a colored timeline dot and the originating app tagged in monospace; older entries fade so the newest work is always visually on top
- Refreshed log viewer — "System Logs" title, cleaner pause/expand icon buttons, a pulsing Tailing indicator, and highlighted rows for grab events so you can spot downloads instantly in the stream
- Crisper favicon — fixed a long-standing aliasing artifact on the 16×16 browser-tab icon; the in-header app icon now uses a clean SVG that stays sharp at any size
Built-in authentication
This is the first public release that ships with authentication enabled by default. If you're upgrading from v2.7.0 (the previous tagged release) or any earlier version, you'll notice this on first launch.
What you'll see on first launch
When you open Triggarr after the upgrade, you'll be redirected to a one-time setup page:
- Pick a username and password — the password is hashed with bcrypt; the plaintext is never stored or logged
- Get an auto-generated API key — shown once with a copy-to-clipboard button; use this in `curl` / Home Assistant / n8n / any automation that talks to Triggarr's API
- You're logged in automatically and land on the dashboard
After that, logging in uses a signed session cookie that keeps you authenticated for 30 days, with a Logout button in the nav bar when you want to end a session early.
Four auth modes to choose from
Pick whichever fits how you expose Triggarr. All modes are switchable at runtime from Settings → Security without a restart:
| Mode | When to use it |
|---|---|
| Forms (default) | The one described above. Username + password form on a dedicated login page, 30-day signed session cookie. Best default for most setups. |
| Basic | Browser's built-in HTTP Basic auth popup. Simpler if you don't want a styled login page or you're using an HTTP client that doesn't handle cookies. |
| External | Delegates all user identity to your reverse proxy (Authelia / Authentik / Tailscale / Cloudflare Access / etc.). Triggarr trusts the proxy completely and skips its own login. Pick this if you're already authenticating at the proxy edge. |
| Disabled | No auth at all. Only safe on fully-trusted networks. Configurable only via config file (not the UI) and prints a loud warning in the logs every 60 seconds so you don't forget. |
API clients will need to be updated
Any scripts, cron jobs, or integrations that called Triggarr endpoints before now need the API key. Send it with an X-Api-Key header:
```bash
curl -H "X-Api-Key: <your-key>" http://your-triggarr/api/...
```
You can view, copy, or regenerate the key any time from Settings → Security. Regenerating immediately invalidates the old key.
Security hardening included in the box
- Login rate limiting — 10 failed attempts per IP per 5 minutes before that IP gets a cool-down window (stops credential stuffing)
- Unauthenticated `/health` endpoint — so Docker / Kubernetes health checks and upstream monitors keep working without poking credentials through
- Timing-safe API key comparison and hashed password verification — no side-channel leaks
- CSP headers + CSRF protection via `SameSite=Lax` cookies + Origin header checks
- Log sanitization — usernames and setup inputs are never written to logs
- SSRF hardening on outbound requests to *arr apps — IPv4-mapped IPv6 and multicast ranges blocked
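As an added illustration of the SSRF item above (not Triggarr's own code), this Python sketch vets a configured *arr base URL before any outbound request is made. The function names, the injectable resolver, and the link-local and unspecified checks are assumptions; the IPv4-mapped IPv6 and multicast checks are the two categories named in the list.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def address_block_reason(addr):
    """Return the reason an address is refused, or None if it is allowed."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:a.b.c.d reaches IPv4 host a.b.c.d but is an IPv6 literal, so a
    # filter that only inspects IPv4 addresses never sees it. Check it first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return "ipv4-mapped-ipv6"
    if ip.is_multicast:        # 224.0.0.0/4 and ff00::/8
        return "multicast"
    if ip.is_link_local:       # assumption: 169.254.0.0/16, fe80::/10
        return "link-local"
    if ip.is_unspecified:      # assumption: 0.0.0.0 and ::
        return "unspecified"
    return None                # private LAN ranges stay allowed for *arr apps

def system_resolve(host):
    """Default resolver: every address the hostname currently maps to."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def url_block_reason(url, resolve=system_resolve):
    """Vet an *arr base URL; a hostname is refused if any of its addresses is."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme"
    host = parts.hostname
    if not host:
        return "no-host"
    try:
        ipaddress.ip_address(host)
        candidates = [host]            # literal IP, nothing to resolve
    except ValueError:
        candidates = resolve(host)
        if not candidates:
            return "unresolvable"
    for addr in candidates:
        reason = address_block_reason(addr)
        if reason:
            return reason
    return None
```

The check only holds if the request then connects to the address that was vetted; resolving the hostname again at connect time reopens the gap.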
Upgrade
```bash
docker pull ghcr.io/thejuran/triggarr:latest
# or pin the exact version
docker pull ghcr.io/thejuran/triggarr:v2.7.1
```
Your config, instances, schedules, and search history all carry forward untouched. Only the auth surface is new.
Full Changelog: v2.7.0...v2.7.1