By default, Fooocus runs without any authentication — anyone who can reach the web UI can use it. When you expose Fooocus beyond localhost (via --listen or --share), you should add HTTP basic authentication by placing an auth.json file in the main Fooocus directory before starting the application.
When authentication matters
Authentication is not needed when Fooocus is only accessible on 127.0.0.1 (the default). It becomes important in two scenarios:
- --listen — you have bound Fooocus to a LAN or external IP, making it reachable from other machines on the network.
- --share — you have enabled Gradio’s live endpoint, which creates a public URL accessible from anywhere on the internet.
Creating auth.json
Create a file named auth.json in the root of your Fooocus directory (the same directory that contains entry_with_update.py). The file must contain a JSON array of objects, each with a user key and either a pass key (plain-text password) or a hash key (SHA-256 hex digest of the password).
auth-example.json in the repository:
How authentication is applied
When Fooocus starts, modules/auth.py reads auth.json from the path defined in modules/constants.py (AUTH_FILENAME = 'auth.json'). If the file exists and contains at least one valid entry, authentication is automatically enabled for all UI access — no additional flags are required.
Passwords stored as plain text (pass) are hashed with SHA-256 in memory at load time. You can also pre-hash passwords and store them directly as the hash value if you prefer not to store plain-text credentials on disk.
If auth.json is absent or contains no valid entries, auth_enabled is False and the UI is open to all visitors.
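An added example, not Fooocus's own code: a helper that rewrites entries in the format described above into hash-only entries, so no plain-text password is written to auth.json, and reports entries that lack a user or a usable credential (this example's own notion of a valid entry). It assumes passwords are UTF-8 encoded before hashing; the function names and sample entries are constructed for illustration.

```python
import hashlib
import hmac
import json
import re

HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")

def sha256_hex(password):
    # Assumption: passwords are UTF-8 encoded before hashing.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def prehash_entries(entries):
    """Rewrite entries to 'user' + 'hash' only; report entries that are unusable."""
    clean, problems = [], []
    for i, entry in enumerate(entries):
        user = entry.get("user") if isinstance(entry, dict) else None
        if not isinstance(user, str) or not user:
            problems.append(f"entry {i}: no 'user' key")
        elif isinstance(entry.get("hash"), str):
            if HEX_SHA256.fullmatch(entry["hash"]):
                # hexdigest() is lowercase, so store the digest lowercase too.
                clean.append({"user": user, "hash": entry["hash"].lower()})
            else:
                problems.append(f"entry {i}: 'hash' is not 64 hex characters")
        elif isinstance(entry.get("pass"), str) and entry["pass"]:
            clean.append({"user": user, "hash": sha256_hex(entry["pass"])})
        else:
            problems.append(f"entry {i}: neither 'pass' nor 'hash'")
    return clean, problems

def check_login(clean, user, password):
    """Compare a login attempt against the pre-hashed entries in constant time."""
    stored = {e["user"]: e["hash"] for e in clean}.get(user)
    return stored is not None and hmac.compare_digest(stored, sha256_hex(password))

# Constructed sample input (not real credentials).
SAMPLE = [
    {"user": "alice", "pass": "constructed-passphrase-1"},
    {"user": "bob", "hash": sha256_hex("constructed-passphrase-2").upper()},
    {"user": "carol", "hash": "not-a-digest"},
    {"pass": "entry-without-user"},
]

if __name__ == "__main__":
    clean, problems = prehash_entries(SAMPLE)
    print(json.dumps(clean, indent=4))  # hash-only entries for auth.json
    for p in problems:
        print("skipped:", p)
```

A bare SHA-256 digest is unsalted and fast to compute, so a leaked auth.json with weak passwords can be guessed offline; keep the file readable only by the account that runs Fooocus.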
Multi-user mode
The --multi-user flag pairs naturally with authentication. When enabled, each authenticated user session maintains its own independent generation queue and state, preventing one user’s jobs from blocking another’s.
With auth.json present and --multi-user active, each user in the JSON file gets a separate, isolated session on the same Fooocus instance.
Using --share for temporary access
The --share flag registers a temporary public URL through Gradio’s sharing infrastructure:
auth.json for controlled temporary sharing:
Security considerations
| Scenario | Recommendation |
|---|---|
| Local use only (127.0.0.1) | No auth.json needed |
| LAN sharing (--listen) | Add auth.json with strong passwords |
| Public sharing (--share) | Add auth.json; treat the link as temporary |
| Internet-facing deployment | Use a TLS-terminating reverse proxy + auth.json |
