Whoevever she is, she probably isn’t writing a client which uses the REST API, so it isn’t an issue for her 
.
The GUI and REST API do the same thing. They are covered by the same authentication mechanisms.
Besides, you should really be using SyncTrayzor, which handles the GUI authentication without you having to input anything.
but she is able to run syncthing on her home devices…
yes sure but why “opening” the Gui if I only need the api and vice versa?
also remote devices?
…and Syncthing will listen on 127.0.0.1, and no-one else will be able to connect to it. Therefore she won’t need a password. Therefore everything is fine.
It is ONLY when you want to connect to Syncthing from another machine that you need to mess around with passwords, and ‘emily b. from a.’ won’t be doing this, so this entire discussion is completely irrelevant for her.
That’s not English, and I don’t understand it.
You misunderstand. With SyncTrayor you can set a GUI password, and you’ll never have to type it into anywhere.
I’m not really following the stuff above, but the GUI is only a thin layer on top of the API. Basically the GUI is just the API + some static files. If you don’t load those static files, there’s no cost to the GUI. So disabling the GUI and keeping the API doesn’t make much sense to me.
ok… maybe you misunderstood… my plan is to build up a little platform to manage all my (not emilys) devices remote from one place. for that purpose I need the api - and only the api. I would not like to setup a GUI password only to use the api for remote access via forwarded port…
He wants:
I understand all of that. Now please read what I said.
I did - and it doesn’t makes it better 
I think you did not get my intents 
my idea is to use my local GUI without setting up a pw, syntrayzor or any other stuff. I’m fine with it like it is! why installing nginx, synctrayzor or other stuff?
I just thought of forwaring a port up to use the api 
Well it obviously isn’t fine the way it is, otherwise you wouldn’t be asking for things
harhar… 
I’m serious though. You’ve got a problem. I’m suggesting solutions. Then you come back with “I’m fine like it is! I don’t need solutions”.
If you’ve got a problem, why don’t you need a solution to it?
Yeah, the API and GUI is the same thing from an authentication point of view. And we can’t separate authentication vs not-authentication for different source IP:s currently. If you want to protect the API from outside access, you need to enable authentication (and then use API keys in the management thing).
@canton7, @Eddy2909: you’re talking around each other. Be more patient. 
please read that post again
your solutions don’t fit my needs - thats the problem
my thought wasnt to separate auth for different sources. my thought was to seperate auth of api and gui on different ports…
is my english really such a **** ? 
In what way? Both provide a means of authenticating the REST API, and being able to access the GUI without entering a password.
I know
Then you’re stuck. If you’re willing to be slightly flexible on those points, then you can put a solution together and continue work with your project.
its not a question of “will it work” - it’s a question of “could it be more comfortable” 
…you could also try ssh’ing into a machine as means of authentication and do some port forwarding. That should do the trick as well. Not sure how feasible that is for windows, but at least for Mac and Linux that could be a solution.
Right. That would be technically doable, but isn’t currently supported. What we would do in that case is support multiple instances of the combined API+GUI, with separate listen ports and auth settings. However this seems like a rather niche thing, so I suspect we wouldn’t get around to it for a while.