js/ui.js

@@ -539,6 +539,7 @@ function _renderJobConfigFields(key, cfg) {
     </div>`;
   if (key === 'patchmon_sync' || key === 'semaphore_sync') {
     const label = key === 'semaphore_sync' ? 'API Token (Bearer)' : 'API Token (Basic)';
+    const tokenPlaceholder = key === 'patchmon_sync' ? 'token_key:token_secret' : '';
     return `
     <div class="form-group">
       <label class="form-label" for="job-cfg-api-url">API URL</label>
@@ -548,6 +549,7 @@ function _renderJobConfigFields(key, cfg) {
     <div class="form-group">
       <label class="form-label" for="job-cfg-api-token">${label}</label>
       <input class="form-input" id="job-cfg-api-token" type="password"
+        placeholder="${tokenPlaceholder}"
         value="${esc(cfg.api_token ?? '')}">
     </div>`;
   }

server/jobs.js

@@ -41,8 +41,14 @@ async function patchmonSyncHandler(cfg) {
   const { api_url, api_token } = cfg;
   if (!api_url || !api_token) throw new Error('Patchmon not configured — set API URL and token');
 
+  // Accept raw "key:secret" (recommended) or a pre-encoded base64 string.
+  // ":" cannot appear in a valid base64 string, so it's a reliable discriminator.
+  const credential = api_token.includes(':')
+    ? Buffer.from(api_token).toString('base64')
+    : api_token;
+
   const res = await fetch(api_url, {
-    headers: { Authorization: `Basic ${api_token}` },
+    headers: { Authorization: `Basic ${credential}` },
   });
   if (!res.ok) throw new Error(`Patchmon API ${res.status}`);