AiHummer
English
Log in
v1.0.x
{ }Swagger

API keys, external access & IP allowlist

v1.0.x · updated 2026-07-08

This page covers three Web UI screens that govern access to the instance from outside: API keys, External access and IP allowlist.

API keys

The “API keys” screen issues control-plane and chat keys. “+ Issue”:

  • user_ref — the user (pick from local users or type freely);
  • the key name;
  • scopes — checkboxes: chat, admin:read, admin:write, mcp, a2a, * (all);
  • an RPM limit.

The key value is shown once — save it immediately. Per key row you can “Register as OAuth client” (issues client_id / client_secret once) and “Revoke”. Keys are prefixed ah- and sent as a Bearer token (see Swagger).

External access

The “External access” screen configures reverse-proxy operation and public addresses in four blocks:

  • Public addressAIHUMMER_PUBLIC_URL (required), plus the public addresses for Telegram, the iOS proxy and the pocket agent.
  • HTTPS onlyAIHUMMER_REQUIRE_SECURE.
  • Behind a proxy — trusted proxies, CORS origins, CSP.
  • Web UI listener — enabling, address and origin of the private Web UI port.

Each field is text or a toggle; on save you’re told whether the change applied live or needs a restart.

IP allowlist

The “IP allowlist” screen is a single textarea of CIDRs, one per line, that restricts admin-API access to specific networks. An empty list means no restriction.

[!TIP] The IP allowlist is a blunt but reliable barrier. Combine it with RBAC and “HTTPS only” to allow access only from the office/VPN.

Next