Admin Settings
Admin settings are found under Admin → Settings and are split across tabs. All settings are stored in the database and take effect immediately without restarting the container.
General
| Setting | Description |
|---|---|
| App Name | Name displayed in the browser tab and app header. Default: ApiMeld. |
| Log Retention | How many days to keep task run history. 0 = keep forever. A nightly job purges logs older than this. |
| Orphan Timeout | If a run stays in Running state for longer than this (minutes), it is automatically marked Failed. Catches executions where the process died without updating the database. |
Authentication
Registration mode
| Setting | Description |
|---|---|
| Allow open registration | When enabled, anyone can sign up at /register without an invitation. When disabled, only invited users can create accounts. |
OpenID Connect (SSO)
Enable SSO to show a "Sign in with [Provider]" button on the login page. Username/password login remains available alongside it.
| Setting | Description |
|---|---|
| Enable OIDC | Show the SSO button on the login page. |
| Authority URL | The OIDC provider's base URL (see examples below). |
| Client ID | Your app's client ID from the provider. |
| Client Secret | Your app's client secret (stored encrypted). |
| Role Claim Path | JSON path into the token where roles are found (e.g. roles or realm_access.roles). Optional — if blank, all OIDC users are assigned the User role. |
| Admin Role Value | The role string in the token that maps to ApiMeld's Admin role (e.g. meld-admin). |
| User Role Value | The role string in the token that maps to ApiMeld's User role (e.g. meld-user). |
| Require role | When enabled, users whose token contains no recognised role are denied access entirely. When disabled, unmatched users are assigned the User role by default. |
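The sketch below shows how the Role Claim Path, Admin Role Value, User Role Value and Require role settings described above combine into a single access decision. It is an added example, not ApiMeld's own code: the function names and sample claims are hypothetical, the token is assumed to be already signature-validated, and Admin taking precedence over User when both roles are present is an assumption.

```python
# Added illustration of the role settings above; not ApiMeld's implementation.

def resolve_claim(claims, path):
    """Walk a dotted path (e.g. 'realm_access.roles') into decoded token claims."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []                      # path missing: no roles found
        node = node[key]
    if isinstance(node, str):              # a provider may emit a single string
        return [node]
    if isinstance(node, list):
        return [r for r in node if isinstance(r, str)]
    return []                              # unexpected type: treat as no roles


def map_role(claims, claim_path, admin_value, user_value, require_role):
    """Return 'Admin', 'User', or None (access denied)."""
    if not claim_path:                     # blank path: all OIDC users get User
        return "User"
    roles = resolve_claim(claims, claim_path)
    if admin_value and admin_value in roles:   # assumption: Admin wins over User
        return "Admin"
    if user_value and user_value in roles:
        return "User"
    # No recognised role: denied when Require role is on, otherwise User.
    return None if require_role else "User"


# Constructed sample claims, shaped like a Keycloak token payload.
KEYCLOAK_CLAIMS = {
    "sub": "constructed-subject-1",
    "realm_access": {"roles": ["offline_access", "meld-admin"]},
}
NO_MATCH_CLAIMS = {
    "sub": "constructed-subject-2",
    "realm_access": {"roles": ["offline_access"]},
}
SETTINGS = dict(claim_path="realm_access.roles", admin_value="meld-admin",
                user_value="meld-user", require_role=True)

if __name__ == "__main__":
    print(map_role(KEYCLOAK_CLAIMS, **SETTINGS))
    print(map_role(NO_MATCH_CLAIMS, **SETTINGS))
    print(map_role(NO_MATCH_CLAIMS, **{**SETTINGS, "require_role": False}))
```

The third call is the case to review when configuring SSO: with Require role disabled, a token that carries no recognised role still results in User access.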
Provider examples
Microsoft Entra ID / Azure AD:
Authority URL: https://login.microsoftonline.com/{your-tenant-id}/v2.0
Client ID: (from App Registration)
Client Secret: (from Certificates & secrets)
In Entra, add https://tasks.example.com/api/auth/oidc/callback as a redirect URI under Authentication.
Google:
Authority URL: https://accounts.google.com
Client ID: (from Google Cloud Console → Credentials)
Client Secret: (from Google Cloud Console → Credentials)
In Google Cloud Console, add https://tasks.example.com/api/auth/oidc/callback as an authorised redirect URI.
Keycloak:
Authority URL: https://your-keycloak.example.com/realms/{realm-name}
Client ID: (from Keycloak client config)
Client Secret: (from Keycloak client credentials tab)
Role mapping example (Keycloak): Keycloak puts realm roles at realm_access.roles in the token. If your admin role is called meld-admin and your user role is meld-user:
Role Claim Path: realm_access.roles
Admin Role Value: meld-admin
User Role Value: meld-user
Require role: enabled
Email
Configures the SMTP server used for invitations, password resets, and email notifications. See Email / SMTP for provider-specific setup guides.
| Setting | Description |
|---|---|
| Enable email | Master switch. When disabled, no emails are sent and the invitation flow requires manual link sharing. |
| SMTP Host | Mail server hostname (e.g. smtp.gmail.com). |
| Port | Typically 587 (STARTTLS) or 465 (SSL). |
| Use SSL | Enable for port 465. Leave off for port 587 (uses STARTTLS automatically). |
| Username | SMTP auth username — usually your email address. |
| Password | SMTP auth password (stored encrypted). |
| From Address | The address emails are sent from. |
| From Name | The display name shown in the From field. |
Email templates
Invitation and password reset email content is customisable using Fluid templating syntax (similar to Liquid).
Invitation template variables:
- {{ AppName }} — the configured app name
- {{ InvitedByName }} — display name of the admin who sent the invite
- {{ InviteLink }} — the full accept-invite URL
Password reset template variables:
- {{ AppName }} — the configured app name
- {{ ResetLink }} — the full password reset URL
Click Preview to render the template with sample values before saving.
Notifications
Controls which roles can use each notification channel from within scripts.
| Setting | Description |
|---|---|
| Email notifications | Enable email sending from scripts via the notifications API. Requires email to be configured. |
| Email allowed roles | Admin only or All users — who can send email notifications from scripts. |
| Slack allowed roles | Admin only or All users — who can post to Slack webhooks from scripts. |
| Teams allowed roles | Admin only or All users — who can post to Teams webhooks from scripts. |
Named Slack and Teams webhooks are also managed from this tab. See Slack and Microsoft Teams for setup guides.
MQTT
Configures the external MQTT broker connection. See MQTT Triggers for full setup details.
| Setting | Description |
|---|---|
| Host | Broker hostname or IP. |
| Port | 1883 (plain) or 8883 (TLS). |
| Username / Password | Broker credentials (password stored encrypted). Optional. |
| Client ID | Custom MQTT client ID. Leave blank to auto-generate. |
| QoS | Default Quality of Service level for subscriptions (0, 1, or 2). |
| Keep-alive | Ping interval in seconds. Default: 60. |
| Use TLS | Encrypt the broker connection. |
| Skip certificate validation | Disable TLS cert verification — only for internal brokers with self-signed certs. |
| Use MQTT 5 | Use MQTT protocol version 5 instead of 3.1.1. |
Storage
| Setting | Description |
|---|---|
| Network share file size limit (MB) | Maximum file size ApiMeld will read from a Network Share (SMB) data source in a single operation. Default: 25 MB. |
Access Restrictions (Sandbox)
For trusted environments only
Unrestricted mode removes language-level sandbox protections. Only enable this for installations where all users are fully trusted — e.g. a private team deployment where every user is an admin or senior developer.
By default, scripts run with sandbox restrictions that block dangerous operations (see Scripts Overview for details). Unrestricted mode relaxes these language-level restrictions for admin and/or standard users.
What unrestricted mode removes:
- PowerShell: cmdlet whitelist, blocked cmdlets, PSLanguageMode.ConstrainedLanguage, and AST validation are all bypassed — any PowerShell code can run
- JavaScript/TypeScript: require, process, fs, and other blocked globals become available
- Python/Bash: already relatively unrestricted; this flag is reserved for future use
What unrestricted mode does NOT remove:
- OS-level isolation is always active — scripts still run as the locked-down script-runner user
- script-runner still cannot read /app/config, write to the application directory, or use npm/npx
- Script timeouts are still enforced
| Setting | Description |
|---|---|
| Admin unrestricted | Admins execute scripts without language-level sandbox restrictions. Must be enabled before user unrestricted can be turned on. |
| User unrestricted | Standard users also execute scripts without restrictions. Only available when admin unrestricted is enabled. |
Typical use cases
Fully restricted (default): Multi-user team deployment where not all users have the same level of trust. Sandbox prevents accidental or malicious misuse of the script runtime.
Admin unrestricted only: Admins need to use advanced PowerShell modules or Node.js require() for complex automation. Standard users remain sandboxed.
Both unrestricted: Small fully-trusted team where every member is a senior developer and everyone effectively has the same level of trust. Equivalent to giving everyone a local script runner.
ApiMeld is designed for internal use
ApiMeld should be deployed on a private network or behind an authenticated gateway (e.g. Cloudflare Access). It is not designed to be exposed directly to untrusted users — sandboxing is a defence-in-depth measure, not a substitute for access control.