How to self-host OpenACP securely?

[0xMag1ci4n]

I want to self-host OpenACP on my server. What security settings should I configure to restrict access and protect my codebase?

[jasondbranding]

OpenACP runs entirely on your machine — your data never leaves your server.

Security settings in ~/.openacp/config.json:

{
  "security": {
    "allowedUserIds": ["123456789", "987654321"],
    "maxConcurrentSessions": 20,
    "sessionTimeoutMinutes": 60
  }
}

allowedUserIds: Only allow specific user IDs to use the bot. Empty array = allow everyone.
maxConcurrentSessions: Limit concurrent running sessions (default: 20). New sessions are rejected when limit is reached.
sessionTimeoutMinutes: Automatically end inactive sessions after the specified time (default: 60 minutes).
Permission Gate: Every agent action (read file, write file, run command) requires your approval via buttons on Telegram/Discord/Slack. Permission timeout: 10 minutes — no response = auto-reject. See Thread 14 — Permission auto-approve for dangerous mode.

REST API security: API server runs at 127.0.0.1:21420 (localhost only). Authentication via Bearer token stored at ~/.openacp/api-secret.

Run in daemon mode for background service:

openacp start    # Start daemon
openacp status   # Check status
openacp stop     # Stop daemon