| `--restart unless-stopped` | Auto-restart on reboot |
**Why the encryption key?** TREK encrypts stored secrets (API keys, MFA seeds, OIDC credentials) using this key. If you skip it, TREK auto-generates one and saves it to `./data/.encryption_key`. Setting it explicitly means you control the key and can back it up separately.
Generate a standalone key at any time:
```bash
openssl rand -hex 32
```
## Access TREK
Open `http://localhost:3000` in your browser.
## First User
On first boot TREK automatically seeds an admin account before any user registers. The credentials depend on how you start the container:
- **With `ADMIN_EMAIL` and `ADMIN_PASSWORD` env vars set:** those values are used directly.
- **Without those env vars:** TREK creates the account with email `admin@trek.local`, username `admin`, and a randomly generated password. The credentials are printed to the container log — run `docker logs trek` to retrieve them.
You will be prompted to change the password on first login.
> **Admin:** As admin you unlock the Admin Panel — user management, addon toggles, packing templates, backups, and API key configuration.