The Gateway serves a small browser Control UI (Vite + Lit) from the same port as the Gateway WebSocket:
http://<host>:18789/gateway.controlUi.basePath (e.g. /coderclaw)Capabilities live in Control UI. This page focuses on bind modes, security, and web-facing surfaces.
When hooks.enabled=true, the Gateway also exposes a small webhook endpoint on the same HTTP server.
See Gateway configuration → hooks for auth + payloads.
The Control UI is enabled by default when assets are present (dist/control-ui).
You can control it via config:
{
gateway: {
controlUi: { enabled: true, basePath: "/coderclaw" }, // basePath optional
},
}
Keep the Gateway on loopback and let Tailscale Serve proxy it:
{
gateway: {
bind: "loopback",
tailscale: { mode: "serve" },
},
}
Then start the gateway:
coderclaw gateway
Open:
https://<magicdns>/ (or your configured gateway.controlUi.basePath){
gateway: {
bind: "tailnet",
controlUi: { enabled: true },
auth: { mode: "token", token: "your-token" },
},
}
Then start the gateway (token required for non-loopback binds):
coderclaw gateway
Open:
http://<tailscale-ip>:18789/ (or your configured gateway.controlUi.basePath){
gateway: {
bind: "loopback",
tailscale: { mode: "funnel" },
auth: { mode: "password" }, // or CODERCLAW_GATEWAY_PASSWORD
},
}
gateway.auth or env).connect.params.auth.token or connect.params.auth.password.gateway.controlUi.allowedOrigins is set.gateway.auth.allowTailscale is true (no token/password required). Set
gateway.auth.allowTailscale: false to require explicit credentials. See
Tailscale and Security.gateway.tailscale.mode: "funnel" requires gateway.auth.mode: "password" (shared password).The Gateway serves static files from dist/control-ui. Build them with:
pnpm ui:build # auto-installs UI deps on first run