Access URLs and credentials
Where to log in, and with what
After running octl deploy (or podman compose up -d from platform/dev), Olympus exposes the following on localhost:
Web UIs
| URL | What | Auth |
|---|---|---|
| http://localhost:2000 | Site, brochure, OAuth2 playground, docs | none |
| http://localhost:3000 | Hera CIAM, customer login UI | as customer |
| http://localhost:3001 | Athena CIAM, customer admin dashboard | as admin (see below) |
| http://localhost:4000 | Hera IAM, employee login UI | as employee |
| http://localhost:4001 | Athena IAM, employee admin dashboard | as admin (see below) |
| http://localhost:5433 | pgAdmin, database administration | SSO via IAM |
| http://localhost:5434 | MailSlurper, captured email | none |
APIs
| Port | Service | Public/Admin |
|---|---|---|
:3100 | CIAM Kratos | public, self-service flows |
:3101 | CIAM Kratos | admin, identity CRUD |
:3102 | CIAM Hydra | public, token, discovery, JWKS |
:3103 | CIAM Hydra | admin, client management, consent |
:4100 | IAM Kratos | public |
:4101 | IAM Kratos | admin |
:4102 | IAM Hydra | public |
:4103 | IAM Hydra | admin |
:5432 | PostgreSQL | five databases |
In production, only ports 80 and 443 should be public. See Operate, Network Topology for the host firewall ruleset.
Default credentials (development only)
IAM Admin, used to log into Athena CIAM and Athena IAM:
| Field | Value |
|---|---|
admin@demo.user | |
| Password | admin123! |
Role (in traits.role) | admin |
pgAdmin, does not have a separate password. Click "Login with Olympus" on the pgAdmin login page and authenticate as the IAM admin above. Your database role is mapped from your OIDC role claim, see Security, pgAdmin DBA Accounts.
MailSlurper, no authentication. Outbound emails (verification links, recovery codes, notifications) are captured here; nothing is delivered to the real internet in dev.
Logging into Athena
The dev IAM admin credentials are seeded by iam-seed-dev.sh at first start. To log in:
- Open http://localhost:4001.
- Click "Sign in with Olympus IAM."
- Authenticate as
admin@demo.user/admin123!. - Consent to the Athena IAM scopes.
- You land on the Athena dashboard.
The same flow works against http://localhost:3001 (Athena CIAM), note that even though Athena CIAM is a customer-facing dashboard surface, it is operated by employees, so it authenticates via the IAM domain. The "C" in "Athena CIAM" describes the data the dashboard manages, not the audience using it.
Changing the default password
Before exposing any dev stack to even a coworker on your LAN, change admin@demo.user's password through the Kratos settings flow (/self-service/settings/browser) or delete the seed identity and create your own through the Athena UI.
In production, the seed script does not run, production admins are created through Daedalus's Accounts wizard step.