'error', 'message' => 'Broker Base URL is required. Set it to http://broker:3000 (Docker) or your broker public URL.'];
}
if ($brokerInternalApiToken === '' && $brokerInternalApiTokenEnv === '') {
    $notices[] = ['type' => 'error', 'message' => 'Broker Internal API Token is not configured. Set BROKER_INTERNAL_API_TOKEN in your env file and/or set a matching token below.'];
}
if ($externalAuthDocsUrl === '') {
    $notices[] = ['type' => 'warning', 'message' => 'External Auth Docs URL is empty. Set it to your External Auth docs page for quick access.'];
}
if ($externalAuthBaseUrl === '') {
    $notices[] = ['type' => 'warning', 'message' => 'External Auth Base URL is empty. Broker wallet operations will fail until it is configured.'];
}
if ($externalAuthAppId === '' || $externalAuthAppSecret === '') {
    $notices[] = ['type' => 'warning', 'message' => 'External Auth App ID/Secret are missing. Broker wallet operations require these credentials.'];
}
if ($externalAuthNodeUrl === '') {
    $notices[] = ['type' => 'warning', 'message' => 'External Auth Qortal Node URL is empty. Ensure the External Auth container has a Qortal node configured.'];
}
if ($externalAuthNodeUrl !== '' && $externalAuthNodeApiKey === '' && $qortalNodeApiKey === '') {
    $notices[] = ['type' => 'warning', 'message' => 'External Auth node API key is empty. Restricted Qortal endpoints may fail if the node requires an API key. In containerized setups, set QORTAL_AUTH_NODE_API_KEY in .env.devprod and recreate external_auth.'];
} elseif ($externalAuthNodeUrl !== '' && $externalAuthNodeApiKey === '' && $qortalNodeApiKey !== '') {
    $notices[] = ['type' => 'warning', 'message' => 'External Auth node API key is empty. Runtime sync will fall back to the Qortal Node API key value.'];
}
if ($oidcIssuerUrl === '' && $brokerBaseUrl === '') {
    $notices[] = ['type' => 'error', 'message' => 'OIDC Issuer URL cannot be resolved. Set Broker Base URL or provide an explicit issuer URL.'];
}
if ($oidcClientId === '') {
    $notices[] = ['type' => 'warning', 'message' => 'OIDC Client ID is empty. Default will fall back to nextcloud-local.'];
}
if ($oidcClientSecret === '') {
    $notices[] = ['type' => 'error', 'message' => 'OIDC Client Secret is required. Set it in the OIDC Provider Settings section.'];
} elseif ($oidcClientSecret === 'dev-secret') {
    $notices[] = ['type' => 'warning', 'message' => 'OIDC Client Secret is set to dev-secret. Replace it before production.'];
}
if ($nextcloudPublicUrl === '') {
    $notices[] = ['type' => 'warning', 'message' => 'Nextcloud Public URL is empty. Trusted domains and overwrite settings will not be updated by setup actions.'];
}
?>

Configure broker connectivity, set up wallets, and manage pre-linked identities for Qortal OIDC link mode.

Setup Notices

Required broker endpoints: /api/health and /api/qortal/health

Used by Nextcloud when calling broker internal APIs. Must match broker env BROKER_INTERNAL_API_TOKEN. For containerized setup, prefer setting the env value in .env.devprod.

Save Settings updates Nextcloud app settings and attempts live broker/external-auth runtime sync. Container env files are not changed by Save Settings.

Broker internal APIs require BROKER_INTERNAL_API_TOKEN on the broker service. If this token changes in env, update the matching token here (or via app env QORTAL_BROKER_INTERNAL_API_TOKEN).

Setup Overview

OIDC Provider Settings

These values are used when generating or running the user_oidc provider setup only. They do not update broker runtime env values.

Defaults to broker base URL if left empty.

Used to update trusted domains and overwrite settings when running setup.

External Auth Configuration

Store External Auth connection details here for runtime sync and env generation. Save Settings stores these in Nextcloud and attempts live runtime sync through the broker. If your daemon does not expose runtime settings endpoints, update env files and recreate/restart containers.

Important: for bundled/containerized External Auth, set QORTAL_AUTH_NODE_API_KEY in .env.devprod and recreate external_auth. The admin field below is a best-effort runtime override and may not persist across container restarts.

Used by broker as QORTAL_EXTERNAL_AUTH_BASE_URL.

Warning: registering a new app will replace existing credentials. If External Auth is already configured via .env, this will generate a new App ID/Secret and you may lose access to existing wallets. Back up your .env or .env.devprod first.

If left empty, runtime sync falls back to the key in “Qortal Node + Gateway”. For containerized setup, still set QORTAL_AUTH_NODE_API_KEY in .env.devprod.

Only used when mode is set to paths. Use / to send X-API-KEY on all node API calls.
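The two settings above (the API key fallback from the External Auth field to the "Qortal Node + Gateway" key, and the "paths" mode that limits which node calls carry X-API-KEY) are easier to reason about as code. The following is an added example, not code from the Qortal OIDC Nextcloud app, the broker or External Auth; the function names, the parameter names and the treatment of modes other than "paths" are assumptions made for this example. It generalises the page's "/" rule into a segment-boundary prefix match so that a configured "/admin" covers "/admin/status" but not "/administer", and it skips empty prefixes so that a stray blank entry cannot silently widen the key to every call.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Qortal OIDC Nextcloud app. It shows how the
// two settings above can be applied before a Qortal node API call: the External
// Auth key falls back to the Qortal Node + Gateway key, and in "paths" mode
// X-API-KEY is sent only for configured path prefixes ("/" = every call).
// Function names, parameter names and the handling of non-"paths" modes are
// assumptions made for this example.

/** External Auth key wins; an empty value falls back to the node key (the fallback the page describes). */
function resolveNodeApiKey(string $externalAuthNodeApiKey, string $qortalNodeApiKey): string
{
    return $externalAuthNodeApiKey !== '' ? $externalAuthNodeApiKey : $qortalNodeApiKey;
}

/** Normalise a configured prefix: exactly one leading slash, no trailing slash (except the bare "/"). */
function normalizePathPrefix(string $prefix): string
{
    $prefix = '/' . ltrim(trim($prefix), '/');
    return $prefix === '/' ? '/' : rtrim($prefix, '/');
}

/**
 * Decide whether X-API-KEY belongs on a request.
 * In "paths" mode the key is sent only when the request path equals a configured
 * prefix or sits below it on a segment boundary, so "/admin" matches "/admin/status"
 * but not "/administer"; a configured "/" matches every path. Any other mode is
 * assumed (for this example only) to ignore the list and send the key on all calls.
 */
function shouldSendApiKey(string $mode, array $configuredPaths, string $requestPath): bool
{
    if ($mode !== 'paths') {
        return true;
    }
    // Compare the path only: drop any query string and enforce a leading slash.
    $path = '/' . ltrim(explode('?', $requestPath, 2)[0], '/');
    foreach ($configuredPaths as $raw) {
        if (trim((string) $raw) === '') {
            continue; // a blank entry must not widen the key to every call
        }
        $prefix = normalizePathPrefix((string) $raw);
        if ($prefix === '/' || $path === $prefix) {
            return true;
        }
        if (strncmp($path, $prefix . '/', strlen($prefix) + 1) === 0) {
            return true;
        }
    }
    return false;
}

/** Headers for a node call: the key is attached only when it is non-empty and the path allows it. */
function buildNodeHeaders(string $mode, array $configuredPaths, string $requestPath, string $apiKey): array
{
    $headers = ['Accept' => 'application/json'];
    if ($apiKey !== '' && shouldSendApiKey($mode, $configuredPaths, $requestPath)) {
        $headers['X-API-KEY'] = $apiKey;
    }
    return $headers;
}

// Constructed sample configuration (placeholder values, not real keys).
$apiKey = resolveNodeApiKey('', 'example-node-key');   // External Auth key empty: fallback applies
$paths  = ['/admin', 'peers/', ''];                     // one prefix without a leading slash, one blank

foreach (['/admin/status', '/administer', '/peers/known?limit=5', '/blocks/height'] as $requestPath) {
    $sent = shouldSendApiKey('paths', $paths, $requestPath) ? 'sent' : 'withheld';
    echo str_pad($requestPath, 24) . " X-API-KEY {$sent}\n";
}
print_r(buildNodeHeaders('paths', ['/'], '/blocks/height', $apiKey));   // "/" means every call gets the key
```

Run it with `php example.php`. The design choice worth keeping in a real implementation is the segment-boundary match and the blank-entry skip: a plain `str_starts_with` on the configured prefix would send the key to `/administer` when only `/admin` was intended, and a blank line in the path list would otherwise behave exactly like "/".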

Save Settings attempts live runtime sync through the broker. If your External Auth daemon does not expose runtime settings endpoints, apply env files and restart with ./recreate-devprod.sh --extauth or docker compose up -d --build broker external_auth.

Qortal Node + Gateway

Configure the node used for Q-App rendering and signed requests. Gateway nodes expose a separate gateway port and do not require an API key.

Use a public gateway (e.g. https://qortal.link) or your own gateway node URL.

Use only if your gateway uses a self-signed certificate or the container lacks CA roots. Recommended: keep it off in production.

When running a local node container, ensure gateway mode is enabled and expose the gateway port.

Setup Components

Generate the setup commands or run them automatically (requires occ access inside the Nextcloud container).

Auto-Provision Policy (Broker)

Read-only effective broker policy values (from env defaults plus optional admin overrides).

Save Settings now syncs these overrides to broker runtime. Leave a field blank to keep using env defaults.

Full Setup Options

Use one of the supported setup entry points depending on your environment.

Local Docker Dev: ./start-dev.sh
Dev-Prod (Caddy SSL): ./start-devprod.sh
Dev-Prod (No SSL / External Proxy): ./start-devprod.sh (choose "no" when prompted for Caddy SSL)
VM Install (Nextcloud VM + broker containers): sudo bash scripts/nextcloud-vm-install.sh
Recreate Containers (apply new env): ./recreate-devprod.sh

Q-Apps Access

Enable Q-Apps access in Nextcloud and define allowed qortal:// app addresses.

Columns: Name | Qortal Address | Icon | Description | Actions

Initial Setup Checklist

  1. Configure broker URL and save settings.
  2. Use Refresh Setup Data and confirm broker and External Auth are healthy.
  3. Create or import wallet(s) visible to broker app credentials.
  4. Link each Qortal address to a Nextcloud user (required for link_only mode).
  5. Verify the OIDC provider on the Nextcloud login page.

Wallet Operations

Create wallets through the broker using configured External Auth app credentials. If you link a wallet to a user, share the password securely with that user.

Columns: Wallet ID | Address | Created

Identity Mapping Operations

Link or unlink Qortal addresses so OIDC login can resolve identities in link_only mode.

Columns: Qortal Address | Nextcloud User | Wallet ID | Status | Updated | Actions

Allowlisted Qortal Addresses

These addresses can be preloaded for future use. Enforcement only applies when OIDC_POLICY_MODE=auto_provision and the guard is enabled.

Columns: Qortal Address | Added By | Added | Actions

Invite Tokens

Generate invite tokens for users to paste into the Qortal login form when auto-provisioning.

Columns: Token | Status | Expires | Used By | Actions

Invite Existing Qortal Users To Cloud

Generate a message for existing Qortal users. When auto-provisioning is enabled, an invite token is included. In link-only mode, this message prompts users to link their Qortal account to an existing Nextcloud login.

Onboard Cloud Users

Send onboarding prompts to existing Nextcloud users. Invite tokens are not required for existing users.

Placeholders: {link}, {invite}, {user}, {displayName}

Users table columns: User ID | Display Name | Email | Actions
Groups table columns: Group ID | Display Name | Actions

Invite tokens are only required when auto-provision is enabled. Existing users do not need them.