Password Protection

# Basic auth
GITAGENT_PASSWORD=mysecret gitagent --voice --dir ~/assistant

# With custom username (defaults to "admin")
GITAGENT_USERNAME=alice GITAGENT_PASSWORD=mysecret gitagent --voice --dir ~/assistant

With a password set:
  • All HTTP routes show a login page instead of the UI
  • WebSocket connections are rejected without a valid auth cookie
  • The /health endpoint remains open (for load balancers)
  • Cookie: HttpOnly, SameSite=Strict, 24-hour expiry
  • The token is a SHA-256 hash (the password is never stored in the cookie)
  • GITAGENT_USERNAME sets the login username (defaults to “admin”)
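
Added example (not GitAgent's own code): a POSIX shell check that audits a Set-Cookie header against the cookie attributes listed above. The cookie name "session", the use of Max-Age for the 24-hour expiry, and both sample headers are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not GitAgent code. Cookie name, Max-Age usage and the sample
# headers below are assumptions constructed for illustration.

# Print the cookie's attributes one per line, lowercased, without name=value.
cookie_attrs() {
  printf '%s\n' "$1" | tr -d '\r' | sed 's/^[Ss]et-[Cc]ookie:[[:space:]]*//' |
    tr ';' '\n' | tr 'A-Z' 'a-z' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '1d'
}

# Return 0 only if the header carries the documented protections:
# HttpOnly, SameSite=Strict and a lifetime of at most 24 hours.
audit_set_cookie() {
  attrs=$(cookie_attrs "$1")
  rc=0
  printf '%s\n' "$attrs" | grep -qx 'httponly' ||
    { echo "FAIL: HttpOnly missing (cookie readable from page scripts)"; rc=1; }
  printf '%s\n' "$attrs" | grep -qx 'samesite=strict' ||
    { echo "FAIL: SameSite is not Strict"; rc=1; }
  max_age=$(printf '%s\n' "$attrs" |
    sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
  if [ -n "$max_age" ]; then
    [ "$max_age" -le 86400 ] ||
      { echo "FAIL: Max-Age $max_age exceeds 24 hours"; rc=1; }
  elif ! printf '%s\n' "$attrs" | grep -q '^expires='; then
    echo "FAIL: no Max-Age or Expires, so no 24-hour limit"; rc=1
  fi
  # Informational only: the list above does not mention Secure.
  printf '%s\n' "$attrs" | grep -qx 'secure' ||
    echo "NOTE: Secure not set; browsers will also send this cookie over plain HTTP"
  return "$rc"
}

# Constructed sample headers (not captured from a real GitAgent instance).
GOOD='Set-Cookie: session=0f3a; Path=/; HttpOnly; SameSite=Strict; Max-Age=86400'
WEAK='Set-Cookie: session=0f3a; Path=/; SameSite=Lax; Max-Age=604800'

for h in "$GOOD" "$WEAK"; do
  echo "$h"
  audit_set_cookie "$h" && echo "=> pass" || echo "=> fail"
done
```

Feed it the Set-Cookie line from a login response, for example copied from the browser's network panel.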

Best Practices

Practice | Detail
Use HTTPS in production | Via nginx, Caddy, or Cloudflare Tunnel
Set GITAGENT_PASSWORD | When exposing to a network
Use --sandbox for untrusted code | Runs the agent in an isolated E2B cloud VM
Enable audit logging | For compliance and incident review

HTTPS Setup

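nginx reverse proxy
server {
  listen 443 ssl;
  server_name agent.example.com;

  # TLS certificate and key (placeholder paths; point these at your own files)
  ssl_certificate     /path/to/fullchain.pem;
  ssl_certificate_key /path/to/privkey.pem;

  location / {
    # Forward all requests to the local GitAgent port
    proxy_pass http://localhost:3333;
    # HTTP/1.1 and the Upgrade/Connection headers let WebSocket connections pass through
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

Cloudflare Tunnel (zero-config)
cloudflared tunnel --url http://localhost:3333

Never expose port 3333 directly — always proxy via nginx, Caddy, or Cloudflare Tunnel in production.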

E2B Cloud Sandbox

Run the agent in an isolated E2B cloud VM via the --sandbox flag.
  1. Cloud VM isolation — Agent runs inside an E2B cloud sandbox — fully isolated from your local machine.
  2. Filesystem isolation — The sandbox has its own filesystem. Your host files are not accessible unless explicitly mounted.
  3. Remote repo support — Use --sandbox-repo to clone a repository directly into the sandbox environment.
  4. API token required — Set E2B_API_KEY in your environment — the E2B SDK reads it directly. --sandbox-token is a Git token for cloning the repository (falls back to GITHUB_TOKEN / GIT_TOKEN).

Quick Start
# Run agent in an E2B cloud sandbox
gitagent --sandbox --dir ~/assistant

# Clone a remote repo into the sandbox
gitagent --sandbox --sandbox-repo https://github.com/user/repo --dir ~/assistant
