Skip to main content

Nebi Server

The Nebi server is a hosted web interface to manage Nebi workspaces in a team. It has a similar interface as the local desktop, but with more features for teams and organizations.

This page covers how to run and configure it.

Admin Credentials

Before starting the server for the first time, set ADMIN_USERNAME and ADMIN_PASSWORD. Nebi uses these to create the initial admin account for authentication.

Nebi login screen

You (and your team) will use these credentials to log in via nebi login or the web UI.

Export the variables in your terminal session before starting the server:

export ADMIN_USERNAME=admin
export ADMIN_PASSWORD=your-password

Running the Server

Start the server:

nebi serve

By default (--host unset), Nebi binds all interfaces on port 8460.

To use a different port:

nebi serve --port 9000

To explicitly bind a host/interface, use --host (or NEBI_SERVER_HOST):

nebi serve --host 127.0.0.1 --port 8460

For local-only usage (desktop/IPC scenarios), always set --host 127.0.0.1 (or NEBI_SERVER_HOST=127.0.0.1).

Once the server is running, authenticate from any client machine with nebi login.

API Documentation

The Swagger API docs are available at http://localhost:8460/docs.

Groups

OIDC group sync

When OIDC authentication is configured, nebi requests the groups scope alongside openid profile email. The IdP must return a groups claim in the ID token (a JSON array of strings). On every login, nebi reconciles the user's group memberships:

  • For each name in the claim, an OIDC-source group is created (if missing) and the user is added to it.
  • Memberships in OIDC-source groups that aren't in this login's claim are removed.
  • Native groups (created via the admin UI) are never modified by OIDC sync — even if a claim name happens to collide with a native group name.

OIDC groups with zero members are kept so existing workspace shares survive temporary churn. There is no background reconcile worker; all updates happen at login time.

What's Next