Configuration
13. Managing Admin UI access
13.1 Users & roles
Page: Sidebar → Users (Pro) or Settings (Community).
- Admin — can do everything. Admin password mandatory for web UI login.
- User — limited client usage; in the client app only sees the routes for which they are listed in Visible to users.
Per user:
- Username, display name, email
- Password (mandatory for admin; for user optional if only accessed via API token)
- API tokens (see 13.2)
- Peers this user owns (from the web UI perspective: filter on My peers)
13.2 API tokens
Page: Sidebar → Users → select user → Add token, or directly in the token wizard (4 steps). Grouped into three areas:
- Access level — Full access (everything) or Read only.
- Server administration — resource scopes: peers, routes, settings, webhooks, logs, system, backup.
- Client app — scopes required by the official client app: client (mandatory: connect/config/heartbeat), client:services (sees server routes), client:traffic (traffic stats), client:dns (DNS leak test), client:rdp (RDP route access).
Optional:
- Bind to machine — the token is bound to the hardware fingerprint on first connect. Stolen tokens are then worthless on other machines.
- Bind to peer — the user already has a peer in the system; on connect with this token this peer should automatically be used (no new peer creation).
- Expiry — Never / 30d / 90d / 1 year / custom.
After creation the token is shown exactly once in plaintext. If you miss it, revoke the token and create a new one.
13.3 Login lockout
Settings → Security → Account lockout: Max failed attempts, lockout duration. Affects both the admin UI login and route auth. Locked accounts are listable in the same tab and can be unlocked manually.
13.4 Password policy
In the same tab: minimum length, mandatory upper/lower/digit/special characters. Applies to new passwords — existing ones remain unchanged.
14. Webhooks & Automation
Page: Sidebar → Settings → Webhooks. Sends an HTTP POST with a JSON body to your URL on events.
14.1 Create a webhook
Per webhook you need:
- URL — http or https, must not point to private/loopback addresses (SSRF protection; the resolver also checks DNS results).
- Events — * for all, or comma-separated specific ones (peer_created, route_updated, route_monitor_down, gateway_offline, gateway_recovered, …).
- Description — free text.
14.2 Payload format
    {
      "event": "route_monitor_down",
      "message": "Route nas.example.com is no longer reachable",
      "timestamp": "2026-04-21T14:12:03.000Z",
      "details": {
        "route_id": 12,
        "domain": "nas.example.com",
        "status": "down"
      }
    }

Max. 64 KB — larger payloads are truncated server-side and marked with _truncated: true. Rejected requests (non-2xx) lead to a warning in the activity log but are not automatically retried.
14.3 Test button
In the webhook listing: Test sends a dummy payload with event webhook_test. Useful when setting up Slack, Discord, or Home Assistant webhook triggers.
14.4 Note on authenticity
GateControl does not sign webhook payloads with HMAC. If you need to ensure authenticity, restrict the receiving URL (firewall, token in the path) or use a tunnel with basic auth.
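A receiver-side check for the "token in the path" option, written against the payload format in 14.2. This is an added example, not GateControl code; the path prefix, the token value, the size slack and the top-level position of _truncated are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed values for this example; generate your own long random token.
const PATH_PREFIX = '/hooks/gatecontrol/';
const PATH_TOKEN = 'example-token-replace-me-0123456789abcdef';
const MAX_BODY = 64 * 1024 + 1024; // documented 64 KB cap plus slack (assumption)

// Compare fixed-length digests so timing reveals neither content nor length.
function tokenMatches(candidate) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(candidate), h(PATH_TOKEN));
}

// Validates one incoming request. rawBody is a Buffer or string.
// Returns { status } on rejection, or { status: 200, event, truncated, details }.
function checkWebhook(method, path, rawBody) {
  if (method !== 'POST') return { status: 405 };
  if (!path.startsWith(PATH_PREFIX) ||
      !tokenMatches(path.slice(PATH_PREFIX.length))) {
    return { status: 404 }; // same answer as for any unknown path
  }
  if (Buffer.byteLength(rawBody) > MAX_BODY) return { status: 413 };
  let payload;
  try {
    payload = JSON.parse(rawBody.toString());
  } catch {
    return { status: 400 };
  }
  const okShape = payload !== null && typeof payload === 'object' &&
    typeof payload.event === 'string' &&
    typeof payload.timestamp === 'string' &&
    !Number.isNaN(Date.parse(payload.timestamp));
  if (!okShape) return { status: 400 };
  // Assumption: the _truncated marker sits at the top level of the body.
  // Details of a truncated payload may be incomplete, so they are not passed on.
  const truncated = payload._truncated === true;
  const details = truncated ? null : (payload.details ?? null);
  return { status: 200, event: payload.event, truncated, details };
}
```

Because failed deliveries are not retried, answer 2xx as soon as these checks pass and queue any slow work. A path token also ends up in proxy and access logs, so treat those logs as sensitive.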
16. License & feature gates
16.1 Three modes
- Unlicensed — no key set. Very narrow feature set, see COMMUNITY_FALLBACK in src/services/license.js. Banner at the top of the dashboard: "You are using GateControl without a license key. Register for a free community license…"
- Community (with key) — free account at callmetechie.de. Opens basic near-Pro features, but with limits (e.g. 3 peers, 1 HTTP route, 1 gateway).
- Pro / Lifetime — full feature scope, limits depending on product.
The current values are under Settings → License: plan, expiry date, activations, feature list. Refresh button forces revalidation against the license server (otherwise every 7 days in the background).
16.2 How gating works
Features:
- Boolean (e.g. circuit_breaker, request_mirroring, remote_desktop) — UI shows the toggle with a lock icon (🔒-style SVG) and tooltip "Requires Pro or Lifetime license". Clicking does nothing.
- Numeric (e.g. vpn_peers: 3, http_routes: 1, gateway_peers: 1) — badge at the top of the page: X / Y, red when the limit is reached. Attempts to create more fail with an error message.
If you downgrade the license (e.g. Pro → Community after expiry), excess entries are deactivated by age (not deleted) — you get a warning in the activity log and optionally by email. On re-upgrade you simply activate them again.
16.3 Hardware binding
Pro/Lifetime licenses are bound to a hardware fingerprint (DMI product UUID + CPU model + RAM size, SHA-256 hashed). On online refresh the device is registered with this fingerprint. On hardware change (move to a new host) you need a new activation — existing ones can be released via the callmetechie admin panel.
Offline operation: after a one-time online validation, a JWT token is cached locally (/data/license.token). The cache holds until the expiry date; afterwards the server attempts a refresh and falls back to the cached token on network outage.
16.4 Feature matrix (excerpt)
Instead of a complete table, here are the rough groups — concrete values for your plan are under Settings → License:
- Core (always available): peers (limit), HTTP routes (limit), traffic history, backup/restore, internal activity logs, WireGuard CLI support.
- Community: + tags, peer groups, L4 routes with limited count, home gateway (limit 1), internal_dns, basic auth.
- Pro: + unlimited HTTP/L4 routes, route auth incl. 2FA, rate limiting, compression, custom headers, load balancing, sticky sessions, retry, circuit breaker, request mirroring, uptime monitoring, Prometheus, log export, scheduled backups, email alerts, webhooks, API tokens, debug, AI bot blocker, Remote Desktop (RDP routes), split-tunnel preset, RDP-via-gateway, gateway TCP routing, gateway WoL, custom branding.
The current canonical list can be found in src/services/license.js::COMMUNITY_FALLBACK.