[GH-ISSUE #4357] [DOCS]: sso login path, server behavior vs docs? #2778

Closed
opened 2026-02-22 18:31:12 -05:00 by yindo · 1 comment
Owner

Originally created by @olagarde on GitHub (Sep 2, 2025).
Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4357

Description

Can't get SSO and auth tokens to work following the docs, is 1.8.5 new since https://docs.anythingllm.com/configuration#integration was last updated?

Docker and bare metal do exactly the same so this is almost certainly my config/usage.

With sso and login page both enabled the admin account can log into the gui, complete the initial workflow, create account(s), and generate an api token for itself and a standard user, but using a token always fails. The login path produced by the server does not match the online docs or forum posts of others using auth-tokens successfully.

Expected from GUI: https://{server}:{port}/sso/simple?token={key}
Received from GUI: https://{server}:{port}/api|brx-{key}

Trying "https://{server}:{port}/api|brx-{key}" results in a white screen, the chrome (139.0.7258.155) devtools panel says the client gets the index.js and index.css and parses the css, but does not make any other requests (ie, the XHR calls to GET /api/{system,setup-complete}, etc). The "automatically connect to extension" button next to the token on the Browser Extension page does nothing; the browser console, server logs, and tcpdump all show no events when pressing this. This behavior is the same when proxying to add TLS or when contacting the server directly without encryption.

Sidebar question: Is the 'brx-' prefix a keytype specifier, part of the key, or effectively both?

Docs and forum posts from others successfully using api tokens say the login path should be "/sso/simple?token={token}" rather than "/api|{token}" but trying /sso/simple always produces "[001] An error occurred while validating the token: Invalid token" whether the token is for the admin account or for other standard users. Both "token={key}" and "token=brx-{key}" do the same so I can't tell which one is due to using the wrong argument.

The docs for curl requesting a new token says it should return json. Some users imply {id} is the account name, others that it is the account ordinal. Trying either with "Authorization: Bearer {token}", whether or not {token} includes the "brx-" prefix, always returns the html for a first-time client connection. This includes when intentionally trying to produce an error with a garbage {token}.

Originally created by @olagarde on GitHub (Sep 2, 2025). Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4357 ### Description Can't get SSO and auth tokens to work following the docs, is 1.8.5 new since https://docs.anythingllm.com/configuration#integration was last updated? Docker and bare metal do exactly the same so this is almost certainly my config/usage. With sso and login page both enabled the admin account can log into the gui, complete the initial workflow, create account(s), and generate an api token for itself and a standard user, but using a token always fails. The login path produced by the server does not match the online docs or forum posts of others using auth-tokens successfully. Expected from GUI: https://{server}:{port}/sso/simple?token={key} Received from GUI: https://{server}:{port}/api|brx-{key} Trying "https://{server}:{port}/api|brx-{key}" results in a white screen, the chrome (139.0.7258.155) devtools panel says the client gets the index.js and index.css and parses the css, but does not make any other requests (ie, the XHR calls to GET /api/{system,setup-complete}, etc). The "automatically connect to extension" button next to the token on the Browser Extension page does nothing; the browser console, server logs, and tcpdump all show no events when pressing this. This behavior is the same when proxying to add TLS or when contacting the server directly without encryption. Sidebar question: Is the 'brx-' prefix a keytype specifier, part of the key, or effectively both? Docs and forum posts from others successfully using api tokens say the login path should be "/sso/simple?token={token}" rather than "/api|{token}" but trying /sso/simple always produces "[001] An error occurred while validating the token: Invalid token" whether the token is for the admin account or for other standard users. Both "token={key}" and "token=brx-{key}" do the same so I can't tell which one is due to using the wrong argument. The docs for curl requesting a new token says it should return json. Some users imply {id} is the account name, others that it is the account ordinal. Trying either with "Authorization: Bearer {token}", whether or not {token} includes the "brx-" prefix, always returns the html for a first-time client connection. This includes when intentionally trying to produce an error with a garbage {token}.
yindo added the documentationneeds info / can't replicate labels 2026-02-22 18:31:12 -05:00
yindo closed this issue 2026-02-22 18:31:12 -05:00
Author
Owner

@timothycarambat commented on GitHub (Sep 3, 2025):

brx- key prefix is only for the Browser Extension
https://chromewebstore.google.com/detail/anythingllm-browser-compa/pncmdlebcopjodenlllcomedphdmeogm?hl=en&pli=1

This is not for the SSO login, which is a key you should get from the Developer API - not the Browser extension key page. These keys look similar but do not start with brx. Those keys specifically only function in the companion chrome extension and cannot be used for auth.

Expected from GUI: https://{server}:{port}/sso/simple?token={key}
Received from GUI: https://{server}:{port}/api|brx-{key}

Can you screenshot this?

@timothycarambat commented on GitHub (Sep 3, 2025): `brx-` key prefix is only for the [Browser Extension](https://github.com/Mintplex-Labs/anything-llm/blob/4f86a513fc5f2ae1a7ce5b1e7d8ff0c2c5fa4121/server/models/browserExtensionApiKey.js#L10-L13) https://chromewebstore.google.com/detail/anythingllm-browser-compa/pncmdlebcopjodenlllcomedphdmeogm?hl=en&pli=1 This is **not** for the SSO login, which is a key you should get from the **Developer API** - not the Browser extension key page. These keys look similar but do not start with brx. Those keys specifically only function in the companion chrome extension and cannot be used for auth. > Expected from GUI: https://{server}:{port}/sso/simple?token={key} > Received from GUI: https://{server}:{port}/api|brx-{key} Can you screenshot this?
yindo changed title from [DOCS]: sso login path, server behavior vs docs? to [GH-ISSUE #4357] [DOCS]: sso login path, server behavior vs docs? 2026-06-05 14:48:29 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#2778