ARI.Software Docs

Authentication

Set up authentication and access control for your ARI instance.

Overview

ARI is a personal workspace. Authentication ensures only you can access your instance. ARI uses Better Auth for session management and access control.

Email and Password Login

ARI uses email and password authentication by default. During the first-run setup wizard, you create an admin account with your email and a secure password. Public sign-up is disabled — only the admin account created during setup can access the instance.

After a successful login, a secure HTTP-only session cookie is set. The session is valid for 30 days, with a 5-minute cache TTL.

Two-Factor Authentication (2FA)

ARI supports TOTP-based two-factor authentication via the Better Auth twoFactor plugin. Once enabled in Settings > Security, you can:

  • Scan a QR code with any authenticator app (Google Authenticator, Authy, 1Password, etc.)
  • Enter a 6-digit code on each login after your password
  • Generate one-time backup codes for emergency access

2FA adds a critical second layer of protection to your instance.

Additional Auth Methods

Better Auth supports additional authentication methods that can be enabled in the configuration:

  • Magic link (passwordless) login — Not enabled by default
  • OAuth providers (Google, GitHub, etc.) — Not enabled by default

These require additional configuration in the Better Auth setup. See the Better Auth documentation for details on enabling these providers.

Rate Limiting

ARI enforces rate limits on authentication endpoints to prevent brute-force attacks:

Action             Limit
Sign-in attempts   5 per 5 minutes
Sign-up attempts   3 per 5 minutes

Exceeding these limits will temporarily block further attempts from the same source.

IP Allowlisting

You can restrict access to your ARI instance by IP address or hostname using the ALLOWED_IPS environment variable. When set, only requests from the specified addresses will be allowed through the middleware.

ALLOWED_IPS=192.168.1.100,203.0.113.50

This is useful for locking down access to known networks or devices.
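The following is an added TypeScript example, not ARI's own middleware code, showing how an ALLOWED_IPS check of this shape is typically enforced in a Next.js-style middleware. It covers IP entries only (not hostnames); the IPv4-mapped IPv6 handling, the X-Forwarded-For logic and the trusted-proxy flag are assumptions of the example, not documented ARI behaviour.

```typescript
// Added example, not ARI's own middleware: apply an ALLOWED_IPS allowlist to a
// request's client IP the way a Next.js middleware would. IP entries only.

// Parse "192.168.1.100,203.0.113.50". An unset or empty variable means no
// restriction, matching "when set, only the specified addresses are allowed".
function parseAllowlist(value: string | undefined): Set<string> | null {
  if (!value || value.trim() === "") return null;
  const entries = value
    .split(",")
    .map((s) => normalizeIp(s))
    .filter((s) => s.length > 0);
  return entries.length > 0 ? new Set(entries) : null;
}

// Node often reports IPv4 clients as IPv4-mapped IPv6 ("::ffff:192.168.1.100");
// unwrap that so "192.168.1.100" still matches, lowercase hex, drop a zone id.
function normalizeIp(ip: string): string {
  let s = ip.trim().toLowerCase();
  const mapped = s.match(/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/);
  if (mapped) s = mapped[1];
  return s.split("%")[0];
}

// Read X-Forwarded-For only when a trusted proxy (e.g. the platform edge) sits
// in front of the app; otherwise the header is client-controlled and only the
// socket address is trustworthy. The rightmost entry was written by that proxy.
function clientIp(
  headers: Record<string, string | undefined>,
  socketIp: string,
  behindTrustedProxy: boolean,
): string {
  const xff = headers["x-forwarded-for"];
  if (behindTrustedProxy && xff) {
    const parts = xff.split(",").map((p) => p.trim()).filter((p) => p.length > 0);
    if (parts.length > 0) return normalizeIp(parts[parts.length - 1]);
  }
  return normalizeIp(socketIp);
}

// The middleware decision: allow when no allowlist is configured, otherwise
// only when the normalized client IP is an exact entry.
function isAllowed(allowlist: Set<string> | null, ip: string): boolean {
  if (allowlist === null) return true;
  return allowlist.has(normalizeIp(ip));
}

// Constructed sample request: the edge proxy appended 203.0.113.50 last.
const allowlist = parseAllowlist("192.168.1.100,203.0.113.50");
const ip = clientIp({ "x-forwarded-for": "198.51.100.7, 203.0.113.50" }, "10.0.0.1", true);
console.log(isAllowed(allowlist, ip)); // prints "true"
```

Whether the platform actually overwrites or appends X-Forwarded-For must be confirmed for your deployment before setting the trusted-proxy flag, since getting this wrong lets a client choose the address the allowlist sees.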

Security Recommendations

  • Use a strong, unique password
  • Enable two-factor authentication
  • Enable HTTPS on your deployment (automatic on Vercel)
  • Use IP allowlisting if your access patterns are predictable
  • Review active sessions periodically
