title: Deployment Modes summary: local_trusted vs authenticated (private/public)
Paperclip supports two runtime modes with one authenticated exposure split.
local_trusted
The default mode. Optimized for single-operator local use.
- Host binding: loopback only (localhost, 127.0.0.1, ::1)
- Authentication: no login required
- Use case: local development, solo experimentation
- Board identity: local board user is auto-created
- Trusted origins: loopback only
- Typical env: HOST=127.0.0.1, PAPERCLIP_DEPLOYMENT_MODE=local_trusted
authenticated
Login required. Supports two exposure policies.
authenticated + private
For private network access (Tailscale, VPN, LAN).
- Authentication: login required via Better Auth
- Secrets: BETTER_AUTH_SECRET required; PAPERCLIP_AGENT_JWT_SECRET remains separate for agent JWT minting
- URL handling: PAPERCLIP_AUTH_BASE_URL_MODE=auto
- Host binding: usually HOST=0.0.0.0
- Host trust: private-host allowlist required for non-loopback names
- Typical env: PAPERCLIP_DEPLOYMENT_EXPOSURE=private
authenticated + public
For internet-facing deployment.
- Authentication: login required
- Secrets: BETTER_AUTH_SECRET required
- URL: explicit public URL required
- Security: stricter deployment checks in doctor
- Canonical host: PAPERCLIP_PUBLIC_URL or PAPERCLIP_AUTH_PUBLIC_BASE_URL should point at the hosted origin so trusted origins can be derived deterministically
- Host binding: usually HOST=0.0.0.0
- Typical env: PAPERCLIP_AUTH_BASE_URL_MODE=explicit
Mode Matrix
| Setting | local_trusted | authenticated + private | authenticated + public |
|---|---|---|---|
| Human login | No | Yes | Yes |
| Host binding | Loopback only | 0.0.0.0 | 0.0.0.0 |
| PAPERCLIP_PUBLIC_URL | Optional | Recommended | Required |
| PAPERCLIP_AUTH_BASE_URL_MODE | auto | auto | explicit |
| PAPERCLIP_ALLOWED_HOSTNAMES | Not needed | For Tailscale/LAN aliases | Only for extra hostnames |
| Best use | Solo local work | Private-network sharing | Hosted production |
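
The matrix can be turned into a preflight check on an environment before the server starts. This is an added example, not Paperclip's own code or its doctor command; `checkDeployment`, the loopback default for an unset HOST, and the requirement that the exposure be set explicitly are assumptions.

```javascript
// Added example, not Paperclip's own `doctor` code. checkDeployment is a hypothetical helper.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);

function checkDeployment(env) {
  const problems = [];
  const mode = env.PAPERCLIP_DEPLOYMENT_MODE || "local_trusted"; // the page's default mode
  const host = env.HOST || "127.0.0.1"; // assumption: an unset HOST means loopback
  const publicUrl = env.PAPERCLIP_PUBLIC_URL || env.PAPERCLIP_AUTH_PUBLIC_BASE_URL;

  if (mode === "local_trusted") {
    // No login in this mode, so a non-loopback bind would serve the board unauthenticated.
    if (!LOOPBACK.has(host)) problems.push(`local_trusted requires a loopback HOST, got ${host}`);
    return problems;
  }
  if (mode !== "authenticated") return [`unknown PAPERCLIP_DEPLOYMENT_MODE: ${mode}`];

  if (!env.BETTER_AUTH_SECRET) problems.push("BETTER_AUTH_SECRET is required");

  const exposure = env.PAPERCLIP_DEPLOYMENT_EXPOSURE;
  if (exposure === "private") {
    // Trusted origins come from the public URL and the allowed hostnames.
    if (!LOOPBACK.has(host) && !publicUrl && !env.PAPERCLIP_ALLOWED_HOSTNAMES)
      problems.push("non-loopback names need PAPERCLIP_ALLOWED_HOSTNAMES or PAPERCLIP_PUBLIC_URL");
  } else if (exposure === "public") {
    if (env.PAPERCLIP_AUTH_BASE_URL_MODE !== "explicit")
      problems.push("PAPERCLIP_AUTH_BASE_URL_MODE should be explicit");
    let scheme = null;
    try { scheme = new URL(publicUrl).protocol; } catch { /* missing or malformed URL */ }
    if (scheme === null) problems.push("an explicit public URL is required");
    else if (scheme !== "https:") problems.push("public URL should use HTTPS in production");
  } else {
    // Assumption: this checker wants the exposure stated explicitly.
    problems.push("PAPERCLIP_DEPLOYMENT_EXPOSURE must be private or public");
  }
  return problems;
}

// Constructed sample environments (not taken from a real deployment).
const samples = {
  localExposed: { HOST: "0.0.0.0", PAPERCLIP_DEPLOYMENT_MODE: "local_trusted" },
  publicHttp: { HOST: "0.0.0.0", PAPERCLIP_DEPLOYMENT_MODE: "authenticated",
    PAPERCLIP_DEPLOYMENT_EXPOSURE: "public", BETTER_AUTH_SECRET: "constructed-secret",
    PAPERCLIP_AUTH_BASE_URL_MODE: "auto", PAPERCLIP_PUBLIC_URL: "http://board.example.com" },
};
for (const [name, env] of Object.entries(samples)) console.log(name, checkDeployment(env));
```

An empty result means the environment is consistent with the matrix; it says nothing about network-level exposure such as firewall rules or reverse proxies.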
Board Claim Flow
When migrating from local_trusted to authenticated, Paperclip emits a one-time claim URL at startup:
- Promotes the current user to instance admin
- Demotes the auto-created local board admin
- Ensures active company membership for the claiming user
Changing Modes
Update the deployment mode:
Current Implementation Notes
- authenticated uses Better Auth sessions and bootstrap invite flow.
- local_trusted keeps the board operator path loopback-only and non-interactive.
- authenticated + private derives trusted origins from the public URL and allowed hostnames.
- authenticated + public should use HTTPS in production and an explicit canonical host.