docs: refresh shared-secret default mirrors

2026-05-03 20:30:26 +00:00 · 2026-04-04 21:11:16 +01:00
parent 0738ed8d19
commit e2b841d7d0
6 changed files with 13 additions and 10 deletions
--- a/docs/web/control-ui.md
+++ b/docs/web/control-ui.md
@@ -31,10 +31,9 @@ Auth is supplied during the WebSocket handshake via:
 - trusted-proxy identity headers when `gateway.auth.mode: "trusted-proxy"`

 The dashboard settings panel keeps a token for the current browser tab session
-and selected gateway URL; passwords are not persisted. Onboarding generates a
-gateway token by default, so shared-secret setups usually paste that token here
-on first connect, but password auth works too when `gateway.auth.mode` is
-`"password"`.
+and selected gateway URL; passwords are not persisted. Onboarding usually
+generates a gateway token for shared-secret auth on first connect, but password
+auth works too when `gateway.auth.mode` is `"password"`.

 ## Device pairing (first connection)

--- a/docs/web/index.md
+++ b/docs/web/index.md
@@ -97,7 +97,8 @@ Open:

 - Gateway auth is required by default (token, password, trusted-proxy, or Tailscale Serve identity headers when enabled).
 - Non-loopback binds still **require** gateway auth. In practice that means token/password auth or an identity-aware reverse proxy with `gateway.auth.mode: "trusted-proxy"`.
- The wizard generates a gateway token by default (even on loopback).
+- The wizard creates shared-secret auth by default and usually generates a
+  gateway token (even on loopback).
 - In shared-secret mode, the UI sends `connect.params.auth.token` or
  `connect.params.auth.password`.
 - In identity-bearing modes such as Tailscale Serve or `trusted-proxy`, the