docs: clarify that /api/config does not persist api_token

claude · claude · commit c2e8b09d1c2a · 2026-05-05T02:04:18.000Z
The previous wording suggested operators could let the server write the token via /api/config, but ConfigService.saveConfig() only writes watchdog fields and would actually clobber an existing api_token in server_config.json. Spell out that the file must be edited directly. https://claude.ai/code/session_01WjsbdUtxDJZL3GaAvhyzav
diff --git a/docs/docs/setup.md b/docs/docs/setup.md
@@ -303,7 +303,8 @@ to configure the value, in priority order:
    a non-empty token.
 2. **`api_token` field in `app/server_config.json`** — the persisted file
    bind-mounted by `docker-compose.yml`. Used when `API_TOKEN` is absent.
-   Edit it directly or let the server write it via `/api/config`.
+   Edit the file directly; the dashboard's `/api/config` endpoint only
+   manages watchdog settings and does not write the token.
 
 Generate a fresh token with `openssl rand -hex 32`. The dashboard prompts
 for it on first load (and any time the server returns 401); paste the
