--- a/src/config.ts +++ b/src/config.ts @@ -137,15 +137,7 @@ raw.debug = normalizeDebugMode(raw.debug); - // Auto-generate API key if none configured - if (!raw["api-keys"] || raw["api-keys"].length === 0) { - const key = generateApiKey(); - raw["api-keys"] = [key]; - fs.writeFileSync(filePath, yaml.dump(raw, { lineWidth: -1 }), { - mode: 0o600, - }); - console.log(`\nGenerated API key (saved to ${filePath}):\n\n ${key}\n`); - } + // Empty api-keys = unauthenticated mode (safe when binding to localhost). return { ...raw, "api-keys": new Set(raw["api-keys"]) }; } --- a/src/server.ts +++ b/src/server.ts @@ -94,6 +94,8 @@ // API key auth middleware — accepts both OpenAI style (Authorization: Bearer) // and Anthropic style (x-api-key), so Claude Code and OpenAI clients both work const requireApiKey: express.RequestHandler = (req, res, next) => { + // No keys configured — unauthenticated mode (localhost-only). + if (config["api-keys"].size === 0) { next(); return; } const key = extractApiKey(req.headers); if (!key) { res.status(401).json({ error: { message: "Missing API key" } });