Remote Access

OpenAlice is a trading workbench. Prefer private network paths first, and expose it publicly only when you have a clear reason and a stronger boundary in front of it.

Localhost

For source installs, the dev UI is usually http://localhost:5173. For Docker Compose, the production Web UI is http://localhost:47331.

Local dev (pnpm dev) skips the admin-token gate for loopback requests unless you configure trusted proxies. Docker binds the Web UI to 0.0.0.0 inside the container and requires the admin token from first boot.

LAN or Tailscale

Docker Compose already publishes the Web UI as:

ports:
  - "47331:47331"

So another device on the same LAN or tailnet can open:

http://<machine-ip-or-tailnet-name>:47331

Use the admin token to sign in. No separate origin configuration is needed when the browser, API, and WebSocket all share the same origin.

Tailscale is the preferred remote path for most users: it avoids public internet exposure while still letting phones, laptops, and servers reach the same instance.

Tailscale Serve

Tailscale Serve can put HTTPS in front of a local OpenAlice instance without changing Alice's bind host:

tailscale serve --bg 47331

Or point Serve explicitly at the local service:

tailscale serve --bg http://127.0.0.1:47331

Keep Alice's own admin-token gate enabled. Tailscale controls network reach; the OpenAlice token controls app access.

Reverse Proxy

Use a reverse proxy when you need a domain, HTTPS termination, or another auth layer in front of OpenAlice.

Set OPENALICE_TRUSTED_PROXIES to the proxy IP as Alice sees it. This disables the localhost bypass and lets Alice trust forwarded protocol/client headers from that proxy only.

OPENALICE_TRUSTED_PROXIES=127.0.0.1

For Docker Compose, add it under the service:

services:
  openalice:
    environment:
      OPENALICE_TRUSTED_PROXIES: 127.0.0.1

Caddy

alice.example.com {
  reverse_proxy 127.0.0.1:47331
}

Caddy forwards Host, handles WebSocket upgrades, and sets the forwarded protocol headers OpenAlice needs.

nginx

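server {
  listen 443 ssl http2;
  server_name alice.example.com;

  # TLS certificate and key for this server name (placeholder paths).
  ssl_certificate     /path/to/fullchain.pem;
  ssl_certificate_key /path/to/privkey.pem;

  location / {
    proxy_pass http://127.0.0.1:47331;
    # Pass the original host and scheme through to OpenAlice.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    # WebSocket upgrade support.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}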

If nginx runs in a different container or on another host, set OPENALICE_TRUSTED_PROXIES to that peer address instead of 127.0.0.1.
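
The effect of OPENALICE_TRUSTED_PROXIES described in this section, as an added JavaScript model that is not OpenAlice's own code. The function names, the use of X-Forwarded-For as the client header, and the single-proxy rightmost-entry rule are assumptions made for illustration.

```javascript
// Illustrative model, not OpenAlice source. Names and header handling are assumptions.
function parseTrustedProxies(value) {
  // Comma-separated list format is assumed for this sketch.
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Treat IPv4-mapped IPv6 peers (::ffff:127.0.0.1) as their IPv4 address.
function normalizeIp(ip) {
  return ip.startsWith("::ffff:") ? ip.slice(7) : ip;
}

function isLoopback(ip) {
  return ip === "::1" || ip.startsWith("127.");
}

// peer: address of the TCP peer; headers: request headers with lower-cased names.
function evaluateRequest(peer, headers, trustedProxies) {
  const peerIp = normalizeIp(peer);
  const proxyMode = trustedProxies.length > 0;
  const fromTrustedProxy = proxyMode && trustedProxies.includes(peerIp);

  let clientIp = peerIp;
  let proto = "http";
  if (fromTrustedProxy) {
    // Only the rightmost X-Forwarded-For entry was written by the trusted proxy;
    // anything to its left was supplied by the client and may be forged.
    const hops = (headers["x-forwarded-for"] || "").split(",").map((s) => s.trim()).filter(Boolean);
    if (hops.length > 0) clientIp = normalizeIp(hops[hops.length - 1]);
    if (headers["x-forwarded-proto"] === "https") proto = "https";
  }

  // The loopback bypass applies only when no trusted proxy is configured.
  const tokenRequired = proxyMode || !isLoopback(peerIp);
  return { clientIp, proto, tokenRequired };
}

// Constructed scenario: a same-host proxy relays a remote visitor, so the peer is 127.0.0.1.
const relayed = { "x-forwarded-for": "127.0.0.1, 203.0.113.7", "x-forwarded-proto": "https" };
console.log("unset:", evaluateRequest("127.0.0.1", relayed, parseTrustedProxies("")));
console.log("set:  ", evaluateRequest("127.0.0.1", relayed, parseTrustedProxies("127.0.0.1")));
```

With the variable unset, the relayed visitor is indistinguishable from a loopback request in this model and would skip the token gate; with it set, the gate applies and the forwarded values are taken only from the configured peer.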

Public Internet

Public exposure is mechanically possible, but it should be the least-preferred shape. If you do it:

  • Use HTTPS.
  • Keep OpenAlice's admin-token gate enabled.
  • Add proxy-level auth, OAuth, client certificates, or an equivalent outer boundary.
  • Do not expose the MCP/CLI port.
  • Start with paper/demo broker accounts.

Cross-Origin Setups

Most deployments should serve the UI and backend from the same origin. If you deliberately split them, allowlist the UI origin:

WEB_TERMINAL_ALLOWED_ORIGINS=https://ui.example.com
OPENALICE_CSRF_TRUSTED_ORIGINS=https://ui.example.com

Use comma-separated values for multiple origins.