Web (Gateway)

Scope

The Gateway serves a browser Control UI from the same port as its WebSocket server (default 18789). This page covers bind modes, remote access, and basic security posture.

Control UI details: /docs/web/control-ui/.

Control UI (default-on)

If assets exist (dist/control-ui), the UI is enabled by default. You can control it via config:

{
  gateway: {
    controlUi: { enabled: true, basePath: "/moltbot" } // basePath optional
  }
}

Webhooks

When hooks are enabled, the Gateway exposes webhook endpoints on the same HTTP server. See /docs/gateway/configuration/ (hooks section).

Remote access (recommended patterns)

1) SSH tunnel (simple)

ssh -N -L 18789:127.0.0.1:18789 user@host

2) Tailscale Serve (recommended)

Keep the Gateway loopback-only and let Tailscale Serve proxy it:

{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "serve" }
  }
}

3) Tailnet bind + token

{
  gateway: {
    bind: "tailnet",
    auth: { mode: "token", token: "your-token" }
  }
}

Security notes (baseline)

• Prefer loopback + SSH tunnel or Tailscale.
• Non-loopback binds should require a token/password unless you explicitly trust Tailscale identity headers.
• Review: /docs/gateway/security/.

Building the UI

The Gateway serves static UI files from dist/control-ui. Build them in the repo:

pnpm ui:build

Further reading

• Source path: web/index.md