# Running behind a reverse proxy Optimisarr is a single HTTP service on port `8787`. It can sit behind any reverse proxy. The one thing you **must** get right is **WebSocket upgrades**: the live Queue progress, CPU/GPU graphs, and job updates use a SignalR hub at `/hubs/jobs`, which upgrades to a WebSocket. If the proxy doesn't forward the `Upgrade`/`Connection` headers, the UI still works but falls back to slower polling and live updates feel laggy. Put Optimisarr behind your proxy's authentication (or a trusted network) if it is reachable from outside. You can also set `OPTIMISARR_ADMIN_TOKEN` for a built-in bearer-token backstop on the UI, API, and SignalR hub, but it is not a replacement for TLS, proxy authentication, IP allow-lists, or your normal internet-facing access controls. Assume the container is reachable from the proxy as `http://optimisarr:8787` (Docker network) or `http://127.0.0.1:8787` (host). Adjust the upstream to match. ## Built-in admin token Set `OPTIMISARR_ADMIN_TOKEN` on the container to require the same token in the web UI and on API calls. Health probes remain unauthenticated: - `GET /api/health` - `GET /api/ready` - `GET /api/auth/status` API clients should send: ```bash curl -H "Authorization: Bearer change-this-long-random-token" \ https://optimisarr.example.com/api/settings ``` After the UI validates a bearer token, Optimisarr issues a derived HttpOnly, same-site session cookie for native `