Skip to main content

API Authentication & Security

Since GoingMerry runs locally on your loopback interface (127.0.0.1), standard local operations do not require API tokens or headers.


1. Local Security Bounds

By default, the server is only accessible from localhost. This ensures that other devices on your local network cannot send queries or read your active models.


2. Secure Remote Access

If you expose GoingMerry globally by binding to 0.0.0.0, you must secure the endpoint to prevent unauthorized utilization:

  • Reverse Proxy: Place a proxy (like Nginx or Caddy) in front of GoingMerry to handle TLS certificates and Basic Auth or Bearer tokens.
  • SSH Tunneling: Forward ports securely across connections:
    ssh -L 11434:localhost:11434 user@remote-server

3. Registry Authentication

When pulling or pushing models from/to a custom developer registry, GoingMerry manages verification automatically using SSH keys. By default, it generates and looks for verification files under ~/.merry/id_ed25519.