Molecule AI

ADMIN_TOKEN — Production Requirement

Mandatory ADMIN_TOKEN configuration for self-hosted Molecule AI deployments.

Overview

ADMIN_TOKEN is a required secret for all production Molecule AI deployments. It gates access to administrative endpoints and must be set before going live.

Deadline to migrate: April 22, 2026. Deployments without ADMIN_TOKEN set will begin rejecting /admin/* requests after this date.

What ADMIN_TOKEN is

ADMIN_TOKEN is a bearer token that authenticates callers to the platform's administrative endpoints (/admin/*). It is checked by the AdminAuth middleware on every admin route.

Generating a token

Generate a cryptographically random token:

openssl rand -base64 32

Store the output in your secrets manager at the point you generate it. Once it is set, the platform never displays it again (Fly secrets, for example, are write-only), so a lost token can only be replaced by rotating to a new one. The base64 output contains "+", "/" and "=" characters; keep it quoted when you pass it on a command line or in a config file.

Setting ADMIN_TOKEN in production

Fly.io

fly secrets set ADMIN_TOKEN="your-generated-token"
fly deploy

Docker / Docker Compose

services:
  platform:
    environment:
      ADMIN_TOKEN: "your-generated-token"

Avoid committing the literal value in a Compose file that lives in version control; reference it from the deploying host's environment or an env_file that is excluded from the repository and readable only by the deploy user.

Bare-metal / systemd

export ADMIN_TOKEN="your-generated-token"
./platform-server  # or however you start the binary

For a systemd-managed service, put ADMIN_TOKEN=... in a root-owned file with mode 0600 and reference it from the unit with EnvironmentFile= rather than exporting it from an interactive shell, where the value ends up in shell history.

What ADMIN_TOKEN gates

All /admin/* endpoints require Authorization: Bearer <ADMIN_TOKEN>:

Endpoint                               Purpose
GET  /admin/workspaces                 List all workspaces
POST /admin/workspaces/:id/pause       Pause a workspace
POST /admin/workspaces/:id/resume      Resume a workspace
POST /admin/workspaces/:id/terminate   Force-terminate a container
GET  /admin/metrics                    Platform-level metrics
POST /admin/tier-promote               Promote a workspace to a higher tier

What happens if ADMIN_TOKEN is missing

In deployments where ADMIN_TOKEN is unset (empty string or not present in the environment), the AdminAuth middleware currently fails open: it lets every /admin/* request through without validating any credential. On such a deployment, anyone who can reach the listener can list, pause, resume, force-terminate or promote workspaces, so treat a missing token as an exposure, not as a pending to-do. Set it now rather than waiting for the deadline.

This fail-open behavior exists for backward compatibility during the transition period and will be removed. After April 22, 2026, requests to /admin/* endpoints on a deployment with no ADMIN_TOKEN configured, and requests that present a missing or wrong token, will return 401 Unauthorized.
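To make the difference between the two modes concrete, here is an added example of a bearer-token admin check written for this page. It is not Molecule AI's AdminAuth middleware; the function names (parse_bearer, admin_auth, startup_check), the 32-character length floor and the constructed token are this example's own assumptions. It models the transitional fail-open mode beside the fail-closed mode, compares tokens in constant time, and shows a startup guard that refuses to boot with the token unset.

```python
import hmac
from typing import Mapping, Optional

# parse_bearer, admin_auth and startup_check are this example's own names,
# not identifiers from the Molecule AI code base.


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, or
    None when the header is absent, uses another scheme, or has no token."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def admin_auth(configured_token: Optional[str],
               authorization: Optional[str],
               fail_open: bool = False) -> int:
    """HTTP status an AdminAuth-style check would yield for one request.

    200 means the request reaches the admin handler, 401 means it is rejected.
    fail_open=True models the transitional behaviour described above: an unset
    or empty ADMIN_TOKEN lets every request through.
    """
    if not configured_token:  # unset and "" both count as missing
        return 200 if fail_open else 401
    presented = parse_bearer(authorization)
    if presented is None:
        return 401
    # Constant-time comparison, so a wrong guess does not reveal through timing
    # how many leading bytes matched the real token.
    if hmac.compare_digest(presented.encode("utf-8"),
                           configured_token.encode("utf-8")):
        return 200
    return 401


def startup_check(env: Mapping[str, str], min_len: int = 32) -> str:
    """Refuse to start rather than fail open: return ADMIN_TOKEN from the
    environment or raise. The 32-character floor is this example's choice
    (openssl rand -base64 32 produces 44 characters)."""
    token = env.get("ADMIN_TOKEN", "")
    if not token:
        raise RuntimeError("ADMIN_TOKEN is unset; refusing to serve /admin/* unauthenticated")
    if len(token) < min_len:
        raise RuntimeError("ADMIN_TOKEN is too short to be a random secret")
    return token


if __name__ == "__main__":
    # Constructed token and requests, to show the two modes side by side.
    real = "0123456789abcdef0123456789abcdef0123456789ab"
    requests = [("valid token", f"Bearer {real}"),
                ("wrong token", "Bearer not-it"),
                ("no header", None),
                ("basic auth", "Basic dXNlcjpwdw==")]
    for configured, label in [(real, "token set"), ("", "token unset, fail-open"),
                              (None, "token unset, fail-closed")]:
        for name, header in requests:
            status = admin_auth(configured, header, fail_open=(label.endswith("fail-open")))
            print(f"{label:26} {name:12} -> {status}")
```

Run it as a script to print the full matrix; the "token unset, fail-open" rows are the ones that return 200 for every request, which is exactly the exposure the transition period leaves in place.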

Verifying your setup

Check that ADMIN_TOKEN is present and working:

curl -s -H "Authorization: Bearer $ADMIN_TOKEN" \
  http://localhost:8080/admin/workspaces | jq '.count'

If the response is 401, the token is missing or incorrect. If you get a JSON payload with a count field, the token is accepted. That alone does not prove the endpoint is protected: also send the same request with no Authorization header. It must return 401; if it returns the workspace list, ADMIN_TOKEN is unset on the server and the middleware is failing open.
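The following is an added probe script, written for this page and not part of the Molecule AI project, that performs both halves of that check plus a third request with a random wrong token and reduces the three results to a single verdict. The function names (send_http, probe_admin_auth) and the /admin/workspaces path used as the probe target are this example's assumptions; the path is taken from the endpoint table above.

```python
import secrets
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# send_http, probe_admin_auth and Sender are this example's own names.
Sender = Callable[[str, Optional[str]], Tuple[int, bytes]]


def send_http(url: str, token: Optional[str]) -> Tuple[int, bytes]:
    """GET url, adding a Bearer header when a token is given. Returns
    (status, body); 4xx/5xx come back as statuses instead of exceptions."""
    headers = {"Authorization": f"Bearer {token}"} if token is not None else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def probe_admin_auth(base_url: str, token: str, send: Sender = send_http) -> str:
    """Classify an admin listener as ok, fail-open, bad-token or unexpected.

    Three requests are sent: the real token, no Authorization header at all,
    and a freshly generated wrong token. A correctly configured deployment
    answers 200 / 401 / 401. The send callable is injectable so the logic can
    be exercised against a fake server.
    """
    url = base_url.rstrip("/") + "/admin/workspaces"
    bogus = "not-the-token-" + secrets.token_hex(8)
    with_token, _ = send(url, token)
    no_header, _ = send(url, None)
    wrong_token, _ = send(url, bogus)
    if with_token == 200 and no_header == 401 and wrong_token == 401:
        return "ok"
    if no_header == 200 or wrong_token == 200:
        # Anonymous or garbage credentials reach the admin handler: ADMIN_TOKEN
        # is unset on the server and the middleware is failing open.
        return "fail-open"
    if with_token == 401:
        return "bad-token"
    return f"unexpected ({with_token}/{no_header}/{wrong_token})"


if __name__ == "__main__":
    import os
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    configured = os.environ.get("ADMIN_TOKEN")
    if not configured:
        sys.exit("set ADMIN_TOKEN in this shell to the value you deployed")
    verdict = probe_admin_auth(base, configured)
    print(verdict)
    sys.exit(0 if verdict == "ok" else 1)
```

Run it as ADMIN_TOKEN=... python probe.py http://localhost:8080 from a host that can reach the listener; a non-zero exit with "fail-open" means the deployment is serving /admin/* to anyone, and "bad-token" means the value in your shell is not the one the server has.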

Rotating ADMIN_TOKEN

ADMIN_TOKEN is a single value, so rotation replaces the old token rather than adding a new one alongside it. The API stays up throughout; only admin callers still holding the old value are affected.

  1. Deploy the new token: fly secrets set ADMIN_TOKEN="new-token" && fly deploy
  2. Verify the new token works (see above)
  3. Update every caller that holds the old value (operator scripts, CI jobs, runbooks). The old token stops being accepted as soon as the new deploy is live, so do this in the same change. There is no separate old secret to unset: setting ADMIN_TOKEN again overwrites it, and Fly does not keep previous secret values.
