RomM supports multiple authentication methods and a role-based permission system so you can control exactly who can view, edit, or administer your library. Whether you are integrating a third-party app, building an automation script, or running a shared family server, there is an auth method that fits your use case.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/rommapp/romm/llms.txt
Use this file to discover all available pages before exploring further.
Roles and Permissions
RomM has two top-level roles that determine a user’s access level.| Role | Description |
|---|---|
admin | Full access to everything. Admins bypass all permission checks, can manage other users, run tasks, view backend logs, and perform any write operation across the entire library. |
user | Access determined entirely by the user’s permission group and any per-user overrides. |
The legacy
viewer and editor roles from older versions of RomM are automatically mapped to user via Role.coerce(). Any in-flight invite tokens that reference those old roles will still work and will be treated as user on registration.Permission Groups
Non-admin users belong to a permission group — a named matrix of(entity, action) grants. Each grant can also be flagged as own_only, restricting it to resources the user owns (for example, managing their own saves or collections without touching anyone else’s).
The permission entities are: platforms, roms, collections, firmware, assets, devices, users, tasks, and logs. Each entity supports read, write, and delete actions.
On top of a user’s group, per-user overrides can add a grant the group doesn’t provide, or revoke one it does. One group is designated the server-wide default and is applied to every new user automatically.
Admins are unaffected by groups and overrides — they always have full access.
OAuth Scopes
Scopes are the coarse-grained access vocabulary used by OAuth2 tokens and client tokens. They are derived from a user’s resolved permission group at access time. Read scopes (available to all users with read access):| Scope | Description |
|---|---|
me.read | View your own profile |
roms.read | View ROMs |
platforms.read | View platforms |
assets.read | View assets (saves, states, screenshots) |
devices.read | View devices |
firmware.read | View firmware |
roms.user.read | View user-specific ROM properties |
collections.read | View collections |
| Scope | Description |
|---|---|
me.write | Modify your own profile and manage your client tokens |
assets.write | Modify assets |
devices.write | Modify devices |
roms.user.write | Modify user-specific ROM properties |
collections.write | Modify collections |
| Scope | Description |
|---|---|
roms.write | Modify ROMs |
platforms.write | Modify platforms |
firmware.write | Modify firmware |
| Scope | Description |
|---|---|
users.read | View all users |
users.write | Modify users |
tasks.run | Run background tasks |
logs.read | View backend logs |
Session Login (Browser)
The RomM web interface authenticates via HTTP session cookies. When you log in through the browser, RomM creates a server-side session and sets an encryptedromm_session cookie.
First-Boot Setup Wizard
On first boot, if no admin user exists, RomM shows a setup wizard that lets you create the initial admin account. You can skip this by settingDISABLE_SETUP_WIZARD=true in your environment.
Login Endpoint
The session login endpoint uses HTTP Basic Auth:username and a device_id in the session. It also records the user’s last_login and last_active timestamps.
Session Lifetime
Sessions expire after the duration set bySESSION_MAX_AGE_SECONDS (default: 1209600 seconds, or 14 days).
Logout
POST /api/logout clears the session. If OIDC RP-initiated logout is enabled and the session contains an OIDC id_token, the response includes an oidc_logout_url field your client should redirect the browser to in order to also end the session at the identity provider.
OAuth2 Token Authentication
For API clients and automation, RomM implements an OAuth2 password grant flow. This is the recommended method for scripts, CLI tools, and any integration that does not use the browser.Obtaining Tokens
Send aPOST request to /api/token with form-encoded credentials:
scope field (space-separated):
Token Response
A signed JWT used in the
Authorization header of every API request.A signed JWT used to obtain a new access token without re-entering credentials.
Access token lifetime in seconds. Controlled by
OAUTH_ACCESS_TOKEN_EXPIRE_SECONDS (default: 1800).Refresh token lifetime in seconds. Controlled by
OAUTH_REFRESH_TOKEN_EXPIRE_SECONDS (default: 604800, i.e. 7 days).Using the Access Token
Include the token in theAuthorization header:
Refreshing the Access Token
When the access token expires, use the refresh token to obtain a new pair without re-entering credentials:Token Lifetime Configuration
Client Tokens (API Keys)
Client tokens are long-lived, named API keys suited for persistent integrations and third-party applications. Unlike OAuth2 bearer tokens, they do not expire by default and do not require a password to create after the initial login.Creating a Client Token
A human-readable label for the token.
A list of scopes to grant. Must be a subset of your own effective scopes.
Optional expiry:
30d, 90d, 1y, or never (the default). Omit for a non-expiring token.raw_token field — this is the only time the plain-text token value is returned. Store it securely.
Using a Client Token
Pass the raw token value in theAuthorization header exactly like a bearer token:
Available Scopes for Client Tokens
You can assign any scope to a client token, provided it does not exceed your own effective scopes:Limits and Management
- Each user can hold a maximum of 25 client tokens.
- Tokens can be listed (
GET /api/client-tokens), deleted (DELETE /api/client-tokens/{token_id}), and regenerated (PUT /api/client-tokens/{token_id}/regenerate) at any time. - Admins can list and delete any user’s tokens via
GET /api/client-tokens/allandDELETE /api/client-tokens/{token_id}/admin.
Token Pairing (Device Flow)
RomM supports a device pairing flow for apps that cannot display an interactive login screen (TV apps, CLI tools, game launchers, etc.).Generate a pair code
code (8 characters) and an expires_in of 60 seconds.Display the code to the user
Show the pair code on the device screen and ask the user to enter it in the RomM web UI or companion app.
The exchange endpoint is rate-limited to 5 attempts per 60 seconds per IP address to prevent brute-forcing pair codes.
Disabling and Restricting Features
Disable Username/Password Login
/api/token and /api/login endpoints will reject all password-based requests.
Disable Download Endpoint Authentication
Disable CSRF Protection
Kiosk Mode
kiosk user (id: -1, role: user) for every unauthenticated request.
Disable the Setup Wizard
DISABLE_SETUP_WIZARD=true to skip it — useful in automated deployments where the first admin is created by a provisioning script.
Password Reset
Users can request a password reset link viaPOST /api/forgot-password (body: {"username": "..."}) and then submit the token they receive via POST /api/reset-password (body: {"token": "...", "new_password": "..."}). The reset flow is independent of OIDC — it always operates on the local password.
Invite Links
Admins (and users withusers.write permission) can generate time-limited invite links. The default expiry is controlled by:
admin role.