Yeah, the API and GUI is the same thing from an authentication point of view. And we can’t separate authentication vs not-authentication for different source IP:s currently. If you want to protect the API from outside access, you need to enable authentication (and then use API keys in the management thing).
@canton7, @Eddy2909: you’re talking around each other. Be more patient. 
please read that post again 
your solutions don’t fit my needs - thats the problem
my thought wasnt to separate auth for different sources. my thought was to seperate auth of api and gui on different ports…
is my english really such a **** ? 
In what way? Both provide a means of authenticating the REST API, and being able to access the GUI without entering a password.
I know
Then you’re stuck. If you’re willing to be slightly flexible on those points, then you can put a solution together and continue work with your project.
its not a question of “will it work” - it’s a question of “could it be more comfortable”
…you could also try ssh’ing into a machine as means of authentication and do some port forwarding. That should do the trick as well. Not sure how feasible that is for windows, but at least for Mac and Linux that could be a solution.
Right. That would be technically doable, but isn’t currently supported. What we would do in that case is support multiple instances of the combined API+GUI, with separate listen ports and auth settings. However this seems like a rather niche thing, so I suspect we wouldn’t get around to it for a while.