How to secure REST API and still use HABPanel (in Android App)?

Hello all,

I have successfully set up OpenHAB 3.4.0 for our Home Automation.
It is running smoothly. Everyone can access it on her/his phone (via the Android App) to set controls for heatings, power plugs, etc.

The Android app is authenticated by a jointly used API token.
The main interface is HABPanel.

The next step would be to set up remote access to our OpenHAB server, in order to set up heating or light in advance before coming home.

I have seen that without securing the access to the REST-API anyone from the internet could set any parameter to my items. But when securing the REST-API, the HABPanel is not working any more.

However, I have not found any hint on how to set up the HABPanel to use the predefined API token. I found a dangling forum contribution here: HABPanel connection lost using api security.

Is there any way to resolve this dilemma?

Best regards

Michael

Do not make openHAB directly accessible to the Internet, even with the REST API security settings.

In order:

  1. use myopenhab.org and the openHAB Cloud Connector add-on
  2. set up a VPN (Tailscale is quick and easy to set up and configure though there are other options as well)
  3. deploy your own version of the openHAB Cloud Server on a VPS somewhere
  4. set up and configure a reverse proxy which implements good authentication before reaching your OH instance.

The further down the list you go, the more work it is now and ongoing to keep it working and safe.

As far as I’m aware, without the “explicit user role” enabled, HABPanel cannot access the parts of the REST API it needs to work (i.e. the Items). But even if it could get HABPanel to work with the API token, you still should do one of the above. OH does not have enough built-in security to be directly exposed to the Internet.

Hello Rich,

Thank you for your extensive answer. I will check the options, however this will obviously take some time.

Best regards

Michael