Remote Access
FlowLayer can be accessed remotely with the official TUI:
flowlayer-client-tui -addr <host>:6999 -token <token>
Treat this as sensitive runtime access. The /ws endpoint can control running services, so remote access should be restricted like any operational control plane.
Recommended access posture
Prioritize these controls:
- private network paths first
- VPN for remote operators
- SSH tunnels for point-to-point access
- host firewall rules limiting who can reach the session port
In most setups, keep session.bind private and expose access only through controlled network paths.
Avoid direct Internet exposure
Do not expose the FlowLayer session port directly on the public Internet.
FlowLayer is designed for development and runtime control workflows, not for open public endpoint exposure.
SSH tunnel example
Forward local port 6999 to the server session port:
ssh -L 6999:127.0.0.1:6999 user@server
flowlayer-client-tui -addr 127.0.0.1:6999 -token <token>
This keeps the session endpoint private on the server while still allowing remote operation from your local TUI.
Product boundaries
FlowLayer is not:
- a reverse proxy
- an IAM system
- a multi-tenant platform
Use external network and identity controls around FlowLayer when operating across distributed infrastructure.