From c939b77db3cdbc6576b465941e8722c158b66f88 Mon Sep 17 00:00:00 2001 From: Mingqing Ye Date: Fri, 22 May 2026 16:00:33 +0800 Subject: [PATCH 1/2] docs: document --dapc seed flag for air-gapped OSS installs --- .../deployment-and-configuration.mdx | 6 +++ docs/logto-oss/using-cli/README.mdx | 42 +++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/docs/logto-oss/deployment-and-configuration.mdx b/docs/logto-oss/deployment-and-configuration.mdx index e1f02fc641f..e0537f66cd6 100644 --- a/docs/logto-oss/deployment-and-configuration.mdx +++ b/docs/logto-oss/deployment-and-configuration.mdx @@ -108,6 +108,12 @@ npm run cli db seed -- --swe Refer to the [Logto CLI](/logto-oss/using-cli) for more details. +:::tip Air-gapped or offline installs + +If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--dapc` to the seed command so the first admin sign-up does not hang on the HaveIBeenPwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. + +::: + ### Shared connectors folder \{#shared-connectors-folder} By default, Logto will create a `connectors` folder in the root directory of the `core` folder. We recommend sharing the folder between multiple instances of Logto, you need to mount the `packages/core/connectors` folder to the container and run `npm run cli connector add -- --official` to deploy the connectors. diff --git a/docs/logto-oss/using-cli/README.mdx b/docs/logto-oss/using-cli/README.mdx index 1e5d1ab093a..24255de6b10 100644 --- a/docs/logto-oss/using-cli/README.mdx +++ b/docs/logto-oss/using-cli/README.mdx 
@@ -79,3 +79,45 @@ This will be helpful for one-off invocations, e.g.: ```bash npx @logto/cli db seed --db-url postgresql://your-database-url ``` + +### Seed for air-gapped or offline deployments \{#seed-for-air-gapped-or-offline-deployments} + +Since Logto v1.40.0, the `db seed` command accepts an extra flag for environments that cannot reach the public internet during installation: + +```bash +--dapc, --disable-admin-pwned-password-check +``` + +When set, the seeded `sign_in_experiences.password_policy` row for the **admin tenant** is `{"rejects": {"pwned": false}}` instead of the default `{}`. This skips the [HaveIBeenPwned (HIBP)](https://haveibeenpwned.com/) password breach check during the first admin sign-up, so creating the initial admin from the Welcome page no longer hangs when `api.pwnedpasswords.com` is unreachable (for example in air-gapped data centers or behind strict egress firewalls). + +The flag is scoped to the admin tenant only — the default tenant's password policy is left untouched, and stays under your control through Admin Console > **Sign-in experience** > **Password policy** after the first admin signs in. From the Admin Console you can also re-enable the HIBP check on the admin tenant at any time. + +Example: + + + + + +```bash +logto db seed --dapc +``` + + + + +```bash +npm run cli db seed -- --dapc +``` + + + + +```bash +npx @logto/cli db seed --dapc +``` + + + + + +The long alias `--disable-admin-pwned-password-check` is accepted as a more explicit equivalent in scripts. From df9c3e6f9b4d16fae8148acb75ba86011ebf56ea Mon Sep 17 00:00:00 2001 From: Mingqing Ye Date: Fri, 22 May 2026 16:40:26 +0800 Subject: [PATCH 2/2] docs: apply review feedback for --disable-admin-pwned-password-check --- docs/logto-oss/deployment-and-configuration.mdx | 2 +- docs/logto-oss/using-cli/README.mdx | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/docs/logto-oss/deployment-and-configuration.mdx b/docs/logto-oss/deployment-and-configuration.mdx index e0537f66cd6..f3209fc5c58 100644 --- a/docs/logto-oss/deployment-and-configuration.mdx +++ b/docs/logto-oss/deployment-and-configuration.mdx @@ -110,7 +110,7 @@ Refer to the [Logto CLI](/logto-oss/using-cli) for more details. :::tip Air-gapped or offline installs -If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--dapc` to the seed command so the first admin sign-up does not hang on the HaveIBeenPwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. +If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--disable-admin-pwned-password-check` to the seed command so the first admin sign-up does not hang on the Have I Been Pwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. ::: diff --git a/docs/logto-oss/using-cli/README.mdx b/docs/logto-oss/using-cli/README.mdx index 24255de6b10..3d872e57461 100644 --- a/docs/logto-oss/using-cli/README.mdx +++ b/docs/logto-oss/using-cli/README.mdx 
@@ -85,10 +85,10 @@ npx @logto/cli db seed --db-url postgresql://your-database-url Since Logto v1.40.0, the `db seed` command accepts an extra flag for environments that cannot reach the public internet during installation: ```bash ---dapc, --disable-admin-pwned-password-check +--disable-admin-pwned-password-check, --dapc ``` -When set, the seeded `sign_in_experiences.password_policy` row for the **admin tenant** is `{"rejects": {"pwned": false}}` instead of the default `{}`. This skips the [HaveIBeenPwned (HIBP)](https://haveibeenpwned.com/) password breach check during the first admin sign-up, so creating the initial admin from the Welcome page no longer hangs when `api.pwnedpasswords.com` is unreachable (for example in air-gapped data centers or behind strict egress firewalls). +When set, the seeded password policy on the **admin tenant** disables the [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) breach check by default. This means creating the initial admin from the Welcome page no longer hangs when `api.pwnedpasswords.com` is unreachable (for example in air-gapped data centers or behind strict egress firewalls). The flag is scoped to the admin tenant only — the default tenant's password policy is left untouched, and stays under your control through Admin Console > **Sign-in experience** > **Password policy** after the first admin signs in. From the Admin Console you can also re-enable the HIBP check on the admin tenant at any time. @@ -99,25 +99,25 @@ Example: ```bash -logto db seed --dapc +logto db seed --disable-admin-pwned-password-check ``` ```bash -npm run cli db seed -- --dapc +npm run cli db seed -- --disable-admin-pwned-password-check ``` ```bash -npx @logto/cli db seed --dapc +npx @logto/cli db seed --disable-admin-pwned-password-check ``` -The long alias `--disable-admin-pwned-password-check` is accepted as a more explicit equivalent in scripts. +The short alias `--dapc` is accepted as an equivalent for terser scripts.
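Review bot: The new `:::tip` block in docs/logto-oss/deployment-and-configuration.mdx (PATCH 1/2, hunk `@@ -108,6 +108,12 @@`) tells operators to switch off the breach check but does not say what they give up: the initial admin password is accepted without being compared against known-breached passwords. Add one sentence asking for a long, unique password for that account and pointing to the Admin Console to re-enable the check if `api.pwnedpasswords.com` later becomes reachable. The context line just above the tip shows `npm run cli db seed -- --swe`, so it would also help to state whether the new flag is meant to be combined with `--swe`.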
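Review bot: In docs/logto-oss/using-cli/README.mdx (PATCH 1/2, hunk `@@ -79,3 +79,45 @@`), the paragraph starting "When set, the seeded `sign_in_experiences.password_policy` row" frames the effect as skipping the check "during the first admin sign-up", but what the flag changes is a seeded policy value (`{"rejects": {"pwned": false}}`), which stays in force on the admin tenant until someone changes it. Say so explicitly, and promote the last sentence of the next paragraph ("you can also re-enable the HIBP check on the admin tenant at any time") to a recommended post-install step for deployments that do have egress. Minor style point: the fence holding `--dapc, --disable-admin-pwned-password-check` is tagged `bash` although it is a flag list rather than a command; inline code or an untagged fence would avoid readers pasting it.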
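Review bot: In docs/logto-oss/using-cli/README.mdx (PATCH 2/2, hunk `@@ -85,10 +85,10 @@`), the rewritten "When set, the seeded password policy on the **admin tenant** disables the ... breach check by default" drops the column name and value that the previous revision documented (`sign_in_experiences.password_policy` set to `{"rejects": {"pwned": false}}` instead of `{}`). Operators auditing an install need that detail to confirm what the seed wrote and to spot the weakened policy later, so keep it in a follow-up sentence even if the lead sentence stays simplified. "by default" also reads oddly here, since the behaviour only applies when the flag is passed; consider dropping those two words.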
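Review bot: The closing line of docs/logto-oss/using-cli/README.mdx (PATCH 2/2, hunk `@@ -99,25 +99,25 @@`), "The short alias `--dapc` is accepted as an equivalent for terser scripts", reverses the guidance from PATCH 1/2, which presented the long form as the more explicit choice for scripts. For a flag that turns off a password safety check, the long name is the one a reviewer can recognise or grep for in provisioning code, so suggest wording along the lines of: the short alias `--dapc` is also accepted, and the long form is preferred in scripts. The three examples already use the long form, which is consistent with that.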