Integration Setup Guides

RAM — 8 GB minimum (recommended). The default Docker stack runs the portal, MongoDB, and 40+ MCP integration containers. Services such as Memory and Code Search load embedding models (~300 MB each) at startup. On servers with less than ~8 GB RAM you risk out-of-memory kills and unstable behaviour.

CPU — AVX support required. MongoDB 7 needs a CPU with AVX instructions (typical on Intel Haswell / AMD Ryzen and newer). The installer checks this automatically.

Disk — tens of GB free. Docker images for all services add up; leave enough space for images, volumes, and logs.

Docker & Docker Compose — required. See the Docker install guide.

Google and Microsoft require HTTPS for OAuth redirect URIs in production. If your Portal URL uses http://, OAuth login and account linking will not work. Exception: http://localhost is allowed for local development.

ClearFox includes a setup command that installs Caddy and configures HTTPS automatically:

<code>curl -fsSL https://clearfox.ai/install.sh | sudo sh -s caddy ai.yourcompany.com</code>
Make sure DNS for your domain points to the server and ports 80/443 are open.

Alternatively, use nginx with Let's Encrypt, or a cloud load balancer (AWS ALB, Cloudflare Tunnel, etc.).

After setting up HTTPS, update the Portal URL in Admin → Settings to https://ai.yourcompany.com.

Then register the HTTPS redirect URIs in your OAuth provider console (Google Cloud Console or Azure Portal). The URIs are shown in Admin → OAuth Accounts.

Go to Google Cloud Console → Credentials. Create a project if you don't have one.

Click Create Credentials → OAuth client ID → Application type: Web application.

Under Authorized redirect URIs, add both (replace with your portal URL):

https://ai.yourcompany.com/api/auth/callback/google
https://ai.yourcompany.com/api/admin/oauth/callback

Copy the Client ID and Client Secret.

Go to OAuth consent screen. Under Audience, select Internal if your organization uses Google Workspace — this removes the “Google hasn’t verified this app” warning entirely. If you only see External (personal Gmail account), you must add every Google account you plan to connect to ClearFox under Test users. Without this, connecting that account in Admin → OAuth Accounts will fail with a 403 error. Up to 100 test users are allowed.

In ClearFox Admin → OAuth Accounts tab, paste the Client ID and Client Secret under the Google subtab.

Enable any Google APIs you plan to use (Analytics, Sheets, etc.) in the API Library.

Optional — remove the “unverified app” warning permanently: If you want any Google account to connect without restrictions (not just test users), submit your app for Google verification. Before submitting: fill in the app logo, homepage URL, and privacy policy on the consent screen, then click Publish App to move from testing to production. Then click Prepare for Verification, write a justification for each scope explaining how your app uses it, record a short demo video showing the OAuth flow, and click Submit for Verification. Expected review time: ~2–3 business days for brand-only, ~10 business days for sensitive scopes (Analytics, Sheets, Drive), ~6 weeks for restricted scopes. Google will contact the project owner by email.

Go to Azure Portal → App registrations → New registration.

Name: e.g. 'ClearFox Portal'. Supported account types: 'Accounts in this organizational directory only' (single tenant).

Under Redirect URI, add (replace with your portal URL):

https://ai.yourcompany.com/api/auth/callback/azure-ad

After creation, go to Authentication → Add a platform → Web. Add the second redirect URI:

https://ai.yourcompany.com/api/admin/oauth/callback

Go to Certificates & secrets → New client secret. Copy the Value (not Secret ID).

Copy the Application (client) ID and Directory (tenant) ID from the app's Overview page.

In ClearFox Admin → OAuth Accounts tab, paste the Tenant ID, Client ID, and Client Secret under the Microsoft subtab.

Go to console.anthropic.com/settings/keys.

Click 'Create Key', give it a name (e.g. 'ClearFox'), and copy the key.

Paste the key in the ClearFox setup wizard (or Admin → LLMs after installation).

Recommended models: claude-sonnet-4-20250514 (default), claude-opus-4-20250514 (max quality).

Pricing: pay-per-token via Anthropic. No minimum commitment.

Go to platform.openai.com/api-keys.

Click 'Create new secret key', name it (e.g. 'ClearFox'), and copy the key.

Paste the key in the ClearFox setup wizard (or Admin → LLMs after installation).

Recommended models: gpt-4o (default), gpt-4-turbo.

Pricing: pay-per-token via OpenAI. No minimum commitment.

Install Ollama: ollama.com/download (macOS, Linux, Windows).

Pull a model:

ollama pull llama3.1:70b

Ollama serves an OpenAI-compatible API on port 11434 by default.

If Ollama runs on the host machine, use host.docker.internal as the host.

Enter the Ollama base URL and model name in the ClearFox setup wizard (or Admin → LLMs).

Example: http://host.docker.internal:11434 with model llama3.1:70b

All data stays on your machine. No internet access required after model download.

Install vLLM: docs.vllm.ai or use the Docker image.

Start vLLM with an OpenAI-compatible server:

vllm serve meta-llama/Llama-3.1-70B-Instruct --port 8000

If vLLM runs on the host machine, use host.docker.internal as the host.

Enter the vLLM base URL and model name in the ClearFox setup wizard (or Admin → LLMs).

Example: http://host.docker.internal:8000/v1 with model meta-llama/Llama-3.1-70B-Instruct

Requires a GPU with sufficient VRAM (70B model needs ~40GB). For smaller setups, use 8B or 13B models.

Full air-gap support. Nothing leaves your network.

Create a read-only MySQL user for the AI:

CREATE USER 'clearfox'@'%' IDENTIFIED BY 'your-password';
GRANT SELECT ON your_database.* TO 'clearfox'@'%';

If MySQL runs on the host machine, use host.docker.internal as the host.

If MySQL runs in Docker, use the container name as the host.

In ClearFox Admin UI → Data Sources, find MySQL → click '+' to add a config. Fill in host, user, pass, db.

Optionally set key_tables to highlight important tables.

Create a read-only PostgreSQL user for the AI:

CREATE USER clearfox WITH PASSWORD 'your-password';
GRANT CONNECT ON DATABASE your_db TO clearfox;
GRANT USAGE ON SCHEMA public TO clearfox;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO clearfox;

If PostgreSQL runs on the host machine, use host.docker.internal as the host.

In ClearFox Admin UI → Data Sources, find PostgreSQL → click '+' to add a config. Fill in host, user, pass, db.

Optionally set schema and key_tables.

Create a read-only MongoDB user for the AI:

use admin
db.createUser({ user: "clearfox", pwd: "your-password", roles: [{ role: "read", db: "your_database" }] })

In ClearFox Admin UI → Data Sources, find MongoDB → click '+' to add a config. Set the URI (include database name in the path).

If MongoDB runs on the host machine, use host.docker.internal as the host. If in Docker, use the container name.

Go to Google Cloud Console → Service Accounts and create a new service account (e.g. clearfox-analytics). No roles needed during creation.

Enable the Google Analytics Data API for your Google Cloud project.

Open the created service account → Keys tab → Add Key → Create new key → JSON. Download the JSON file.

⚠️ If you get an iam.disableServiceAccountKeyCreation error, your organization blocks key creation. Ask your Organization Policy Administrator to temporarily disable the iam.disableServiceAccountKeyCreation constraint in Organization Policies, or create the key for you.

In Google Analytics, go to Admin → Property Access Management → + → Add users. Add the service account email with Viewer role. The email is in the downloaded JSON file — look for the client_email field (looks like clearfox-analytics@your-project.iam.gserviceaccount.com). ⚠️ Without this step you will get a 403 PermissionDenied error even if the JSON key is valid.

Find your GA4 Property ID: Google Analytics → Admin → Property Settings → Property ID (9-digit number).

In ClearFox Admin → Data Sources, find Google Analytics → click '+'. Paste the contents of the JSON key file and enter the Property ID.

Go to Azure Portal → App registrations → New registration. Set redirect URI to https://oauth.pstmn.io/v1/callback (for Postman) or http://localhost.

Go to API permissions → Add a permission → Power BI Service → Delegated permissions → enable Dataset.Read.All, Report.Read.All, Dashboard.Read.All. Click 'Grant admin consent'.

Go to Certificates & secrets → New client secret → copy the Value (not the Secret ID).

Generate an Access Token: use Postman or curl to call the Azure token endpoint:

POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
grant_type=client_credentials&client_id=YOUR_APP_ID&client_secret=YOUR_SECRET&scope=https://analysis.windows.net/powerbi/api/.default

Find your Workspace ID (optional): Power BI → Workspaces → select workspace → ID is in the URL after /groups/.

In ClearFox Admin UI → Data Sources, find Power BI → click '+' to add a config. Paste the access token and workspace ID.

Note: access tokens expire after ~1 hour. For production, implement a refresh flow using the client secret.

Go to Atlassian API Tokens.

Click 'Create API token', name it (e.g. 'ClearFox AI'), and copy the token.

In ClearFox Admin UI → Data Sources, find Jira → click '+' to add a config. Fill in base_url, email, api_token, and optionally default_projects.

Go to Atlassian API Tokens.

Click 'Create API token', name it (e.g. 'ClearFox AI'), and copy the token.

In ClearFox Admin UI → Data Sources, find Confluence → click '+' to add a config. Fill in url, email, api_token.

Go to notion.so/profile/integrations and click + New integration.

Give it a name (e.g. ClearFox AI), select your workspace, set type to Internal, and click Save.

On the integration page, copy the Internal Integration Secret — it starts with ntn_.

Grant content access — this is required. By default the integration cannot read any pages. For each page or database you want ClearFox to access:

Open the page in Notion → click … (top right) → Connections → find your integration and click Connect.

Tip: connect the integration to a top-level page and all child pages will inherit access automatically.

⚠️ Without this step, the AI will not be able to read any Notion content.

In ClearFox Admin UI → Data Sources, find Notion → click + to add a config. Paste the integration secret and save.

Go to Slack API Apps and click 'Create New App' → 'From scratch'.

Name it (e.g. 'ClearFox AI') and select your workspace.

Go to 'OAuth & Permissions' → 'Scopes' → add Bot Token Scopes:

channels:read, channels:history, groups:read, groups:history,
users:read, search:read, chat:write (if you want the AI to post).

Click 'Install to Workspace' and authorize.

Copy the 'Bot User OAuth Token' (starts with xoxb-...).

In ClearFox Admin UI → Data Sources, find Slack → click '+' to add a config. Paste the bot token.

Invite the bot to channels it should access: /invite @ClearFox AI

Log in to Freshservice as an admin.

Go to your profile icon → Profile Settings.

On the right side, find your API Key and copy it.

Your domain is the subdomain (e.g. 'mycompany' from mycompany.freshservice.com).

In ClearFox Admin UI → Data Sources, find Freshservice → click '+' to add a config. Fill in url and api_key.

Log in to Zendesk as an admin.

Go to Admin Center → Apps and integrations → Zendesk API → Settings.

Enable 'Token Access' and click 'Add API token'.

Copy the token (it is shown only once).

Your subdomain is the part before .zendesk.com (e.g. 'mycompany' from mycompany.zendesk.com).

In ClearFox Admin UI → Data Sources, find Zendesk → click '+' to add a config. Fill in subdomain, email, api_token.

Go to Stripe Dashboard → API Keys.

Click '+ Create restricted key' (recommended over the secret key for security).

Give it a name (e.g. 'ClearFox AI Read-Only').

Set permissions: All Read access. Do NOT enable any Write permissions unless needed.

Click 'Create key' and copy it (starts with rk_live_... or sk_live_...).

In ClearFox Admin UI → Data Sources, find Stripe → click '+' to add a config. Paste the API key.

For test mode, use keys from 'Test mode' toggle (starts with sk_test_...).

Go to Intuit Developer Dashboard → click 'Create an app' (or select existing).

Select 'QuickBooks Online and Payments' as the platform. Copy the Client ID and Client Secret from the app's Keys & credentials page.

Generate an Access Token: go to the app's OAuth 2.0 Playground in the Intuit Developer Portal. Select your app, click 'Connect to QuickBooks', authorize, and copy the Access Token.

Find your Realm (Company) ID: after connecting in the playground, the Realm ID is shown. Or log in to QuickBooks Online → look at the URL: /app/homepage?companyId=REALM_ID.

In ClearFox Admin UI → Data Sources, find QuickBooks → click '+' to add a config. Fill in access_token, realm_id, environment.

Note: access tokens expire after 1 hour. Use a refresh token flow for production.

Go to Xero Developer → My Apps → 'New app'. Set type to 'Web app', redirect URI to https://oauth.pstmn.io/v1/callback (for Postman) or http://localhost. Copy the Client ID and generate a Client Secret.

Generate an Access Token: use Postman → Authorization tab → type OAuth 2.0 → Auth URL: https://login.xero.com/identity/connect/authorize, Token URL: https://identity.xero.com/connect/token, Scope: openid offline_access accounting.transactions.read accounting.reports.read. Click 'Get New Access Token', authorize in Xero, and copy the token.

Find your Tenant ID: with the access token, call:

curl -H "Authorization: Bearer YOUR_TOKEN" https://api.xero.com/connections
Copy the <code>tenantId</code> from the JSON response for the organization you need.

In ClearFox Admin UI → Data Sources, find Xero → click '+' to add a config. Paste access_token and tenant_id.

Note: Xero tokens expire after 30 minutes. Use a refresh token mechanism for production.

Log in to Wise → API Tokens.

Click 'Add new token' → select 'Read only' for safety.

Copy the token.

In ClearFox Admin UI → Data Sources, find Wise → click '+' to add a config. Paste the api_token and set environment.

For sandbox, register at sandbox.transferwise.tech and create a token there.

Go to PayPal Developer Dashboard.

Click 'Create App', name it (e.g. 'ClearFox AI').

Select 'Merchant' app type.

Copy the Client ID and Secret (toggle Live/Sandbox as needed).

In ClearFox Admin UI → Data Sources, find PayPal → click '+' to add a config. Fill in client_id, client_secret, environment.

Go to HubSpot → Settings (gear icon) → Integrations → Private Apps.

Click 'Create a private app', name it (e.g. 'ClearFox AI').

Go to 'Scopes' tab and enable read scopes you need:

crm.objects.contacts.read, crm.objects.deals.read, crm.objects.companies.read, etc.

Click 'Create app' and copy the access token.

In ClearFox Admin UI → Data Sources, find HubSpot → click '+' to add a config. Paste the access token.

In Salesforce, go to Setup → search 'App Manager' → 'New Connected App'. Name it (e.g. 'ClearFox AI').

Enable OAuth Settings: set callback URL to https://login.salesforce.com/services/oauth2/success. Add scopes: api, refresh_token, offline_access. Save and wait a few minutes for activation.

Copy the Consumer Key (Client ID) and Consumer Secret from the connected app.

Get an Access Token: open in browser (replace YOUR_CLIENT_ID with your Consumer Key):

https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=YOUR_CLIENT_ID&redirect_uri=https://login.salesforce.com/services/oauth2/success
Authorize, and copy the <code>access_token</code> from the redirect URL.

Your Instance URL is visible in the redirect URL or in Salesforce → Setup → My Domain (e.g. https://mycompany.my.salesforce.com).

In ClearFox Admin UI → Data Sources, find Salesforce → click '+' to add a config. Fill in access_token and instance_url.

Note: access tokens expire after ~2 hours. For production, use a refresh token flow with the Consumer Key/Secret.

Log in to Pipedrive → click your profile → Company settings → Personal preferences.

Go to the 'API' tab and copy your personal API token.

Your domain is the subdomain in your Pipedrive URL (e.g. 'yourcompany' from yourcompany.pipedrive.com).

In ClearFox Admin UI → Data Sources, find Pipedrive → click '+' to add a config. Fill in api_token and domain.

The token inherits the permissions of the user. Use an admin account for full access.

Log in to BambooHR as an admin.

Click your name → API Keys.

Click 'Add New Key', name it (e.g. 'ClearFox AI'), and copy the key.

Your subdomain is the part before .bamboohr.com (e.g. 'mycompany').

In ClearFox Admin UI → Data Sources, find BambooHR → click '+' to add a config. Fill in subdomain and api_key.

Log in to Personio as an admin.

Go to Settings → Integrations → API credentials.

Click 'Generate new credentials'.

Select read permissions for the data you need (employees, absences, attendances).

Copy the Client ID and Client Secret.

In ClearFox Admin UI → Data Sources, find Personio → click '+' to add a config. Fill in client_id and client_secret.

Log in to HiBob as an admin.

Go to Settings → Integrations → Service Users.

Create a new service user with the required permissions.

Copy the Service User ID and Token.

In ClearFox Admin UI → Data Sources, find HiBob → click '+' to add a config. Fill in api_token and service_user_id.

Get your Developer Token: log in to Google Ads → Tools & Settings (wrench icon) → Setup → API Center. Copy the Developer Token. If you don't have one, click 'Apply for access' (Basic access is enough for read-only).

Enable the Google Ads API in your Google Cloud project.

Create OAuth 2.0 Client ID: go to Google Cloud Console → Credentials → Create Credentials → OAuth client ID → type 'Web application'. In 'Authorized redirect URIs' add https://developers.google.com/oauthplayground. Copy the Client ID and Client Secret.

Generate a Refresh Token: go to OAuth 2.0 Playground → click the gear icon (⚙️) → check 'Use your own OAuth credentials' → paste your Client ID and Secret. In Step 1, enter scope https://www.googleapis.com/auth/adwords → Authorize → Exchange code → copy the Refresh Token.

Find your Customer ID: Google Ads → top-right corner (format: 123-456-7890, use without dashes).

In ClearFox Admin UI → Data Sources, find Google Ads → click '+' to add a config. Fill in developer_token, client_id, client_secret, refresh_token, customer_id.

Go to Meta for Developers → My Apps → create or select an app (type: 'Business').

In App Dashboard → Add Products → find Marketing API → Set Up.

Go to Tools → Graph API Explorer. Select your app, click 'Generate Access Token', and check permissions: ads_read, ads_management. Copy the short-lived token.

Exchange for a long-lived token (lasts ~60 days): open your browser and go to:

https://graph.facebook.com/v21.0/oauth/access_token?grant_type=fb_exchange_token&client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&fb_exchange_token=YOUR_SHORT_LIVED_TOKEN

Copy the access_token from the JSON response — this is your long-lived token.

Find your Ad Account ID: Business Manager → Ad Accounts (format: act_123456789, include the act_ prefix).

In ClearFox Admin UI → Data Sources, find Meta Ads → click '+' to add a config. Paste access_token and ad_account_id.

Note: long-lived tokens expire after ~60 days. You will need to regenerate periodically.

Log in to Mailchimp → Profile → Extras → API keys.

Click 'Create A Key' and copy it.

The server prefix (e.g. us21) is the part after the dash in your API key.

In ClearFox Admin UI → Data Sources, find Mailchimp → click '+' to add a config. Fill in api_key and server_prefix.

Prerequisite: Google OAuth must be configured in ClearFox (Client ID + Secret). If you haven't done this yet, see the Google OAuth Setup section above.

Enable the Google Sheets API in your Google Cloud project (the same project where your OAuth app lives).

Go to Admin → OAuth Accounts → click Connect Google Account. A popup will open — sign in with the Google account that has access to your spreadsheets and grant the requested permissions.

⚠️ If you see a “Google hasn’t verified this app” warning: click Advanced → Go to [your domain] (unsafe). To remove this warning permanently, set your OAuth consent screen to Internal (Google Workspace orgs only: Cloud Console → OAuth consent screen) or submit your app for Google verification.

Go to Admin → Data Sources → Google Sheets → click + to create a config. Select the Google account you just connected.

Users can add their own spreadsheets in Profile → My Data Sources → Google Sheets. The connected Google account must have access to each spreadsheet (either as owner or via sharing).

Prerequisite: Microsoft 365 OAuth must be configured first. See Microsoft 365 OAuth Setup.

In Azure Portal → App registrations, open your ClearFox app → API permissions → Add a permission → Microsoft Graph → Delegated permissions. Add: Calendars.ReadWrite, User.Read, People.Read, offline_access. Click Grant admin consent.

Microsoft Calendar uses per-user OAuth — each user connects their own account. There is no admin-level config needed in Data Sources.

Each user goes to Profile → My Data Sources and clicks Connect Microsoft Account next to Microsoft Calendar. This opens a Microsoft login popup. After approving, their calendar is immediately available to the AI.

The AI can then list events, check availability, create meetings, and search the calendar — all scoped to that user's own account.

Tip: If users see a permissions error after connecting, make sure admin consent was granted in step 2 for the entire organization.

Go to Azure Portal → App registrations → New registration. Set redirect URI to https://oauth.pstmn.io/v1/callback (for Postman) or http://localhost.

Go to API permissions → Add a permission → Microsoft Graph → Delegated permissions → enable Files.Read.All, Sites.Read.All. Click 'Grant admin consent'.

Go to Certificates & secrets → New client secret → copy the Value.

Generate an Access Token: use Postman → Authorization tab → type OAuth 2.0 → Auth URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize, Token URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token, Scope: https://graph.microsoft.com/.default. Click 'Get New Access Token' and copy it.

Find your Drive ID (optional): call GET https://graph.microsoft.com/v1.0/me/drives with the token → copy the id field. If omitted, the default OneDrive is used.

In ClearFox Admin UI → Data Sources, find MS Excel → click '+' to add a config. Paste access_token and optionally drive_id.

Note: access tokens expire after ~1 hour. For production, implement a refresh flow using the client secret.

Log in to Odoo as an admin.

Go to Settings → Users & Companies → your user → Preferences tab.

Scroll to 'API Keys' section → click 'New API Key', name it, and copy the key.

Your Odoo URL is the base URL of your instance (e.g. https://mycompany.odoo.com).

The database name is visible in the URL or in Settings → Database Manager.

In ClearFox Admin UI → Data Sources, find Odoo → click '+' to add a config. Fill in url, db, username, api_key.

Log in to Make.com → click your profile icon (bottom-left) → Profile.

Scroll to the API section → click 'Add API token'. Select all scopes you need (at minimum: scenarios, connections, organizations) → click 'Save'. Copy the token immediately (it is shown only once).

Find your Organization ID: go to Organization settings → the ID is in the URL: make.com/organization/ORG_ID/....

Find your Team ID (optional): click on a team → the ID is in the URL: make.com/organization/.../team/TEAM_ID/....

In ClearFox Admin UI → Data Sources, find Make → click '+' to add a config. Fill in api_token, and optionally team_id and zone.

Log in to Zapier → go to Settings (gear icon) → API Keys.

Click 'Create API Key', name it (e.g. 'ClearFox AI'), and copy the key.

In ClearFox Admin UI → Data Sources, find Zapier → click '+' to add a config. Paste the API key.

The API key provides read access to your Zaps, task history, and folders.

Identify the base URL of the API you want to connect (e.g. https://api.example.com/v1).

If the API requires authentication, prepare the auth header name and value.

Optionally provide an OpenAPI/Swagger spec URL for automatic endpoint discovery.

In ClearFox Admin UI → Data Sources, find REST API → click '+' to add a config. Fill in base_url, auth_header, auth_value, and optionally openapi_url.

You can add multiple REST API configs for different APIs.

Generate a dedicated SSH deploy key (no passphrase):

ssh-keygen -t ed25519 -C "clearfox-git" -f ~/.ssh/clearfox_git -N ""

Copy the public key — you will need it in the next step:

cat ~/.ssh/clearfox_git.pub

Add the public key as a deploy key in your Git hosting. Grant read-only access.
GitHub: Managing deploy keys · GitLab: Deploy keys

Base64-encode the private key (the value ClearFox needs):

cat ~/.ssh/clearfox_git | base64 -w0 ; echo

On macOS use base64 without -w0 and strip line breaks:

cat ~/.ssh/clearfox_git | base64 | tr -d '\n' ; echo

In ClearFox Admin UI → Data Sources, find Git → click '+' to add a config. Paste the base64 SSH key and repos (comma-separated URL|branch).

The server will clone repos on startup and provide code search and file reading tools.

No configuration needed. This server fetches URLs and extracts content as markdown.

It works out of the box with no API keys required.

No configuration needed. This server provides structured step-by-step reasoning.

It works out of the box with no API keys required.

No configuration needed. This server provides persistent memory storage for the AI.

It works out of the box with no API keys required.

View real-time logs from the portal container:

docker compose logs -f portal --tail 100

Restart all ClearFox services:

docker compose restart

Stop all containers (data is preserved):

docker compose down

Passwords are stored as bcrypt hashes and cannot be recovered. You can only set a new one.

Generate a new bcrypt hash (replace NEW_PASSWORD with your new password):

docker compose exec portal sh -c "cd /tmp && npm install --no-save bcryptjs 2>/dev/null && node -e \"require('/tmp/node_modules/bcryptjs').hash('NEW_PASSWORD',12,function(e,h){console.log(h)})\""

Copy the output hash (starts with $2a$12$...) and update the user in the database (replace admin@example.com and HASH):

docker compose exec mongodb mongosh portal --eval 'db.users.updateOne({email:"admin@example.com"},{$set:{passwordHash:"HASH",updatedAt:new Date()}})'

If the output shows modifiedCount: 1, the password has been changed. You can now log in.

Drop the portal database. This removes all data — users, settings, conversations:

docker compose exec mongodb mongosh portal --eval "db.dropDatabase()"

After reset, restart the portal and go through the setup wizard again:

docker compose restart portal