The key value is shown once — save it immediately. Per key row you can
“Register as OAuth client” (issues client_id / client_secret once) and
“Revoke”. Keys are prefixed ah- and sent as a Bearer token (see
Swagger).
External access
The “External access” screen configures reverse-proxy operation and public
addresses in four blocks:
Public address — AIHUMMER_PUBLIC_URL (required), plus the public addresses
for Telegram, the iOS proxy and the pocket agent.
HTTPS only — AIHUMMER_REQUIRE_SECURE.
Behind a proxy — trusted proxies, CORS origins, CSP.
Web UI listener — enabling, address and origin of the private Web UI port.
Each field is text or a toggle; on save you’re told whether the change applied
live or needs a restart.
IP allowlist
The “IP allowlist” screen is a single textarea of CIDRs, one per line, that
restricts admin-API access to specific networks. An empty list means no
restriction.
[!TIP]
The IP allowlist is a blunt but reliable barrier. Combine it with
RBAC and “HTTPS only” to allow access only from the
office/VPN.
This page covers three Web UI screens that govern access to the instance from
outside: **API keys**, **External access** and **IP allowlist**.
## API keys
The **"API keys"** screen issues control-plane and chat keys. "+ Issue":
- **user_ref** — the user (pick from local users or type freely);
- the key **name**;
- **scopes** — checkboxes: `chat`, `admin:read`, `admin:write`, `mcp`, `a2a`, `*`
(all);
- an **RPM limit**.
The key value is shown **once** — save it immediately. Per key row you can
**"Register as OAuth client"** (issues client_id / client_secret once) and
**"Revoke"**. Keys are prefixed `ah-` and sent as a Bearer token (see
[Swagger](/en/v1.0/api/swagger)).
## External access
The **"External access"** screen configures reverse-proxy operation and public
addresses in four blocks:
- **Public address** — `AIHUMMER_PUBLIC_URL` (required), plus the public addresses
for Telegram, the iOS proxy and the pocket agent.
- **HTTPS only** — `AIHUMMER_REQUIRE_SECURE`.
- **Behind a proxy** — trusted proxies, CORS origins, CSP.
- **Web UI listener** — enabling, address and origin of the private Web UI port.
Each field is text or a toggle; on save you're told whether the change applied
live or needs a restart.
## IP allowlist
The **"IP allowlist"** screen is a single textarea of CIDRs, one per line, that
restricts admin-API access to specific networks. An empty list means no
restriction.
> [!TIP]
> The IP allowlist is a blunt but reliable barrier. Combine it with
> [RBAC](/en/v1.0/webui/security) and "HTTPS only" to allow access only from the
> office/VPN.
## Next
- [Swagger](/en/v1.0/api/swagger) — the API explorer and key authorization.
- [Network, audit & air-gapped](/en/v1.0/security/network-audit-airgapped).
- [Port model](/en/v1.0/architecture/gateway-turn-engine) — public vs private.