docs: refresh webvnc ticket docs

2026-05-07 06:21:47 +01:00 · 2026-05-07 06:21:47 +01:00 · c638a55dbb
commit c638a55dbb
parent 335b1d2b28
1 changed files with 4 additions and 1 deletions
--- a/docs/commands/webvnc.md
+++ b/docs/commands/webvnc.md
@ -45,7 +45,10 @@ This keeps the security boundary the same as `crabbox vnc`:
 - VNC stays bound to runner loopback.
 - The cloud provider does not open public VNC ingress.
 - The coordinator authenticates the browser through portal auth and the bridge
-  through a one-use short-lived ticket.
+  through a one-use short-lived ticket. The CLI sends the ticket as an
+  `Authorization: Bearer ...` header so it stays out of websocket URLs and
+  proxy/access logs; the coordinator falls back to a `?ticket=` query string
+  for older CLIs.
 - The noVNC client is served from the coordinator origin, not a third-party CDN.
 - The local `crabbox webvnc` process must keep running while the browser uses
  the desktop.