Using the Admin Panel for ONLYOFFICE Docs

Overview

Starting from version 9.1, the ONLYOFFICE Admin Panel provides a secure web interface for managing server configuration and monitoring. This guide explains how to set up and use the authentication system.

Initial setup

By default, the Admin Panel is disabled. To start it, follow the instructions on the http://example.com/welcome page.

Here, example.com is the name of the server where ONLYOFFICE Docs is installed.

First-time installation

When you start the Admin Panel for the first time, it requires an initial setup:

  1. Start the Admin Panel server.

    • The server automatically detects that no admin password is configured.
    • A bootstrap code will be generated and displayed in the server logs.
  2. Locate your bootstrap code.

    Check the server logs for a message like:

    AdminPanel SETUP REQUIRED | Bootstrap code: ELAA8ZOCRUTX | Expires: 2025-10-01T20:50:00.000Z | Open: http://example.com/admin

    The bootstrap code is a short 12-character code (letters and numbers).

    This code is valid for 1 hour only.

  3. Open the Admin Panel web interface.

    Navigate to http://example.com/admin — the setup page will appear.

    [Image: Admin Panel setup page]

  4. Complete setup.

    • Enter the bootstrap code from the server logs.
    • Create your admin password.
    • Click Setup.
    • You will be automatically logged in.
    [Image: Admin Panel dashboard after successful setup]

Security notes

  • The bootstrap code is stored only in memory and displayed once in the logs.
  • Codes are valid only until a password is set (checked via passwordHash in runtime.json).
  • After setup, all bootstrap codes become invalid across all nodes.
  • In clusters, codes work across all nodes sharing the same ADMINPANEL_BOOTSTRAP_SECRET.
  • No password is transmitted or logged — only secure hashes are stored.

Regular login

After initial setup is complete:

  1. Navigate to http://example.com/admin.
  2. Enter your admin password.
  3. Click Login.
    [Image: Regular Admin Panel login page]

  4. Your session is valid for 1 hour.

Session details

  • Sessions use secure HTTP-only cookies.
  • They expire automatically after 1 hour of inactivity.
  • SameSite=Strict protection is applied against CSRF attacks.

Changing your password

To change your admin password:

  1. Log in to the Admin Panel.
  2. Go to the Change Password page.
  3. Enter your current password.
  4. Enter your new password.
  5. Confirm the change.
  6. Your session remains active after changing the password.

Password hash details

  • Algorithm: PBKDF2-SHA256 (600,000 iterations, OWASP 2023).
  • Cross-platform: The hash can be generated via Python or Node.js.

Generate password hash externally

OpenSSL 3.0+ (recommended - MCF format):

PASSWORD="YourPassword"; I=600000; S=$(openssl rand -base64 16 | tr -d '\n'); H=$(openssl kdf -binary -keylen 32 -kdfopt digest:SHA256 -kdfopt pass:UTF8:"$PASSWORD" -kdfopt salt:base64:"$S" -kdfopt iter:$I PBKDF2 | base64 | tr -d '\n'); echo "\$pbkdf2-sha256\$$I\$$S\$$H"

Node.js:

node -e "const crypto=require('crypto');const p=process.argv[1];const s=crypto.randomBytes(16);const sb=s.toString('base64').replace(/\+/g,'.').replace(/=/g,'');crypto.pbkdf2(p,s,600000,32,'sha256',(e,k)=>{const h=k.toString('base64').replace(/\+/g,'.').replace(/=/g,'');console.log('\$pbkdf2-sha256\$600000\$'+sb+'\$'+h)})" "YourPassword"

Check OpenSSL version:

openssl version
# OpenSSL 3.0.0 or newer - ✅ Use openssl kdf command
# OpenSSL 1.x - ✅ Use openssl keyutl command

Add the resulting hash to the runtime.json file:

{
  "adminPanel": {
    "passwordHash": "$pbkdf2-sha256$600000$..."
  }
}

Password reset / recovery

If you forget your admin password, delete the passwordHash entry from runtime.json:

{
  "adminPanel": {
  }
}

A new bootstrap code will be generated. Follow the initial setup process again.

Troubleshooting

Can't find bootstrap code

Problem: The server started, but no bootstrap code is visible.

Solutions:

  • Check server logs for “Bootstrap code” messages.
  • If the code expired, refresh the Admin Panel page to generate a new one.
