Remote Access

Opta Local Web supports two access modes: direct LAN connections with no authentication, and secure WAN access through a Cloudflare Tunnel with Supabase authentication.

Access Modes

The dashboard automatically detects its access context and adjusts its behavior accordingly. On your local network, it operates with zero authentication overhead. Through a remote tunnel, it enforces full user authentication before granting access to any functionality.

Direct IP access on your local network. No authentication required.

Best for: development workstations, shared offices, home labs.

URL: http://192.168.188.11:3004 or http://localhost:3004

LAN Mode

In LAN mode, the dashboard connects directly to your LMX server by IP address. All API calls go straight to the LMX endpoint without any authentication layer. The auth UI components (sign-in page, account settings) are hidden entirely.

LAN mode is the default when the dashboard detects it is running on the same network as the LMX server. No configuration is needed beyond ensuring the LMX host address is correct.

Network security
LAN mode trusts your local network. Make sure your network is secured and that the LMX port is not exposed to the public internet. Use firewall rules to restrict access to trusted devices only.

WAN Mode (Cloudflare Tunnel)

For remote access, Opta Local Web can be served through a Cloudflare Tunnel. This creates a secure, encrypted connection from the public internet to your local server without opening any ports on your router or firewall.

Cloudflare Tunnel Setup
# Install cloudflared
brew install cloudflared

# Authenticate with Cloudflare
cloudflared tunnel login

# Create a tunnel
cloudflared tunnel create opta-local

# Run the tunnel (proxies to local web)
cloudflared tunnel --url http://localhost:3004 run opta-local

Once the tunnel is running, the dashboard is accessible at your configured Cloudflare domain. All traffic is encrypted end-to-end by Cloudflare, and Supabase authentication is enforced for every request.

Supabase Authentication

When accessed through a Cloudflare Tunnel, the dashboard requires Supabase authentication. The sign-in flow uses the Supabase SSR pattern with a client/server/middleware split:

  • Sign in -- email/password or OAuth (Google, GitHub)
  • Session management -- JWT tokens stored in secure cookies
  • Route protection -- unauthenticated users are redirected to the sign-in page

All Opta apps share a single Supabase project, so a user account created for the web dashboard also works with Opta Accounts and other cloud-enabled Opta services.

Environment variables
WAN mode requires NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_ANON_KEY to be set. Without these, the dashboard will fall back to LAN mode behavior even when accessed through a tunnel.

QR Pairing

The pairing page (/pair) generates a QR code that encodes the LMX server address and an optional admin key. Scan the QR code from a phone or tablet to instantly configure the dashboard on that device without manually entering connection details.

QR pairing is particularly useful for mobile devices on your LAN. Open the pairing page on your workstation, scan from your phone, and the phone browser navigates directly to the dashboard with the correct server address pre-filled.

Admin Key

Protected LMX endpoints (model loading, unloading, server configuration) require an admin key. This key is stored in the macOS Keychain on the server host and must be provided as a header for administrative API calls.

Admin Request
POST /admin/models/load
Authorization: Bearer <admin-key>
Content-Type: application/json

{ "model": "qwen3-72b" }

The web dashboard prompts for the admin key when you first attempt a protected operation. Once entered, it is stored in the browser's local storage for the duration of the session.

Previous
Chat
Next
Overview