Skip to content

Security

OpenChamber gives access to your machine and your code, so lock it down before anyone but you can reach it. This page covers the UI password, passkeys, and what to know before exposing OpenChamber to a network.

Set a UI password

Start OpenChamber with a password and the browser UI asks for it:

Terminal window
openchamber --ui-password be-creative-here

You can also set it with the OPENCHAMBER_UI_PASSWORD environment variable instead of putting it on the command line. After signing in, OpenChamber remembers the device for a while so you’re not asked every time.

Always set a password if the instance is reachable by anyone else — especially over a tunnel or the public internet.

Passkeys

Once a password is set, you can add passkeys (Face ID, Touch ID, a security key) for quicker sign-in. Add them at Settings → OpenChamber → Passkeys.

Passkeys are tied to the current password. If you change or remove the password, saved passkeys are cleared and you’ll add them again.

Device tokens

Devices paired through Connect a Device authenticate with their own per-device tokens, not the UI password. Pairing links are single-use and expire if unused; every paired device is listed at Settings → Remote Instances → Connect to this server, where you can revoke any of them at any time. Away-from-home connections go through the Private Relay, which is end-to-end encrypted and cannot read your traffic.

Before you expose it

  • By default OpenChamber only listens on your own machine (127.0.0.1). It takes a deliberate change to listen more widely, and you should set a password first.
  • For your own devices, prefer pairing with the Private Relay — nothing is exposed publicly at all.
  • If you need a public URL, prefer a tunnel or a private network (like a VPN) over opening a port to the internet.
  • If you put OpenChamber behind your own HTTPS server, see Reverse Proxy.