Version: 10

Authenticating the Web Endpoints

By default the MoveIt Pro web endpoints (the REST API, the rosbridge WebSocket, the video stream, and the terminal) are unauthenticated — access is gated only by your network and firewall. When a deployment is reachable from a wider network (for example, when using the network backend picker to connect to it from another machine), you can require a shared secret on every request by setting a single environment variable.

Enabling authentication

Set MOVEIT_API_TOKEN to a strong secret before launching MoveIt Pro:

export MOVEIT_API_TOKEN="$(python3 -c 'import secrets; print(secrets.token_urlsafe(32))')"
moveit_pro run

When MOVEIT_API_TOKEN is set, the REST API, rosbridge, video, and terminal endpoints all require the token. When it is unset (the default), authentication is disabled and the endpoints respond exactly as before.

Distribute the token to the people and tools that need to reach the deployment. It is a single shared secret that guards every endpoint, so every holder gets the same access to all of them, including the terminal; hand it only to people and tools that need that level of access.

Using the web interface

Open the web UI as usual. The first time the app connects to a backend that requires a token, it shows an API token required screen. Paste the token and select Connect; it is stored in your browser (per backend) and reused on subsequent visits. If a stored token is rejected (for example, after the operator rotates it), the screen reappears so you can enter the new one.

Using the endpoints directly

Direct (non-browser) clients must present the token too when one is set:

  • REST API — send an Authorization: Bearer <token> header, or append ?token=<token> to the URL:

    curl -H "Authorization: Bearer $MOVEIT_API_TOKEN" http://<host>:3200/objectives
  • rosbridge / roslibpy and other WebSocket clients — append the token to the connection URL as a query parameter. The browser WebSocket API cannot set custom request headers, so the query parameter is the supported form for WebSocket connections:

    ws://<host>:3201/?token=<token>
  • Video stream — add token=<token> to the stream URL's query string (after ? if the URL has no query string yet, otherwise after &).
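The three access paths above, as an added Python example that is not MoveIt Pro code. It assumes only what this page states: the REST API on port 3200 accepts an Authorization: Bearer header, rosbridge on port 3201 and the video stream take token= in the URL query string, and an unset or blank MOVEIT_API_TOKEN means authentication is off. The helper names, the host name robot.local and the video path /video?stream=cam0 are this example's own assumptions.

```python
"""Client-side helpers for a MoveIt Pro deployment with MOVEIT_API_TOKEN set.

Added example, not part of the MoveIt Pro project. Only the ports and the
header/query-parameter conventions come from the documentation; everything
else (function names, host, video path) is assumed for illustration.
"""
import os
import re
from typing import Mapping, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request


def load_token(env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the shared secret, or None when authentication is disabled.

    Mirrors the server-side rule: an unset *or blank* MOVEIT_API_TOKEN
    means no token is required, so a whitespace-only value is treated as unset.
    """
    env = os.environ if env is None else env
    token = env.get("MOVEIT_API_TOKEN", "").strip()
    return token or None


def rest_headers(token: Optional[str]) -> dict:
    """Headers for the REST API: the bearer header when a token is set, else none."""
    return {"Authorization": f"Bearer {token}"} if token else {}


def rest_request(base_url: str, path: str, token: Optional[str]) -> Request:
    """Build a urllib Request for a REST endpoint, e.g. GET /objectives."""
    return Request(base_url.rstrip("/") + path, headers=rest_headers(token))


def with_token(url: str, token: Optional[str]) -> str:
    """Add token=<token> to a WebSocket or video URL's query string.

    Uses '?' when the URL has no query string yet and '&' otherwise, replaces
    any token already present (useful after a rotation), and percent-encodes
    the value so a token containing '+' or '=' survives the trip intact.
    """
    if not token:
        return url
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "token"]
    query.append(("token", token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact(url: str) -> str:
    """Mask the token value so a URL can be logged or pasted into a ticket."""
    return re.sub(r"([?&]token=)[^&#]*", r"\1<redacted>", url)


if __name__ == "__main__":
    # Assumed host and video path; the ports are the documented ones.
    token = load_token()
    rest = rest_request("http://robot.local:3200", "/objectives", token)
    rosbridge_url = with_token("ws://robot.local:3201/", token)
    video_url = with_token("http://robot.local/video?stream=cam0", token)
    print("auth enabled:", token is not None)
    print("REST headers:", dict(rest.header_items()))
    print("rosbridge URL:", redact(rosbridge_url))
    print("video URL:", redact(video_url))
```

Run it with MOVEIT_API_TOKEN exported as in the launch step; with the variable unset or blank the helpers produce plain, unauthenticated requests, matching the server's default. Log only the redacted URLs, since the query-string form carries the secret.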

Security notes

  • The token is a bearer secret: anyone who has it can reach the endpoints. It travels in request headers and, for WebSocket and video requests, in the URL query string, where it can be recorded in server and proxy access logs and in browser history; do not paste such URLs into tickets or chat.
  • This adds authentication, not encryption. The token and all traffic cross the network in cleartext. On an untrusted network, place the deployment behind a TLS-terminating reverse proxy.
  • An unset or blank MOVEIT_API_TOKEN disables authentication entirely; this is appropriate only on a trusted, firewalled network.