
Overview

Perplexica currently does not require authentication for API requests: any client that can reach the listening port can call every endpoint. The application is designed for self-hosted deployments where access control is enforced at the network and infrastructure level.
Authentication is planned as an upcoming feature. Check the GitHub repository for updates on the authentication implementation.

Current security model

Since Perplexica is self-hosted, you control the security perimeter:

Network isolation

Run Perplexica on a private network accessible only to trusted users

Reverse proxy

Use nginx or Caddy with basic auth or OAuth for access control

Firewall rules

Configure firewall to restrict access to port 3000

VPN access

Require VPN connection to access your Perplexica instance

Making API requests

Without authentication, you can make direct requests to any endpoint. The providerId values below are placeholders; use the IDs of the providers configured in your instance:
curl -X POST http://localhost:3000/api/search \
  -H "Content-Type: application/json" \
  -d '{
    "chatModel": {
      "providerId": "550e8400-e29b-41d4-a716-446655440000",
      "key": "gpt-4o-mini"
    },
    "embeddingModel": {
      "providerId": "550e8400-e29b-41d4-a716-446655440000",
      "key": "text-embedding-3-large"
    },
    "optimizationMode": "balanced",
    "sources": ["web"],
    "query": "What is Perplexica?"
  }'
Replace localhost:3000 with your Perplexica instance URL if accessing remotely.

Security best practices

Network-level protection

When exposing Perplexica to the internet, put the following measures in place:

1. Use a reverse proxy

Configure nginx, Apache, or Caddy to terminate TLS and require authentication before anything reaches port 3000. Basic auth only base64-encodes the credentials, so it must sit behind HTTPS, as in this nginx example:
server {
    listen 443 ssl;
    server_name perplexica.example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # Basic authentication
    auth_basic "Perplexica Access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
2. Enable HTTPS

Use Let’s Encrypt or your certificate provider to enable HTTPS so that credentials, queries and responses are encrypted in transit.
3. Configure CORS

If browser-based web applications call the API, set the CORS headers at the reverse proxy and allow only the origins you control; do not reflect arbitrary origins or use a wildcard on an authenticated endpoint.
4. Monitor access logs

Review the proxy's access logs regularly. Repeated 401 responses from one address indicate credential guessing against the proxy's authentication, and a successful API call with no authenticated user means a request reached Perplexica without passing through it.
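The detection logic behind step 4, as an added example that is not part of the Perplexica project: it parses nginx "combined" access-log lines and flags three patterns against the basic-auth setup shown in step 1. The sample log lines are constructed for the example, and the thresholds (five 401s within five minutes) are assumptions to tune for your traffic.

```python
"""Flag suspicious access-log patterns in front of an unauthenticated Perplexica instance.

Added example for this page (not Perplexica's own code). It assumes nginx's default
"combined" log format and the basic-auth reverse proxy shown above, so a failed login
is a 401 and a successful one carries $remote_user in the third field.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined": $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): one host guessing credentials and then
# succeeding, one legitimate user, and one request that reached /api/ with no auth at all.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /api/search HTTP/1.1" 401 188 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "POST /api/search HTTP/1.1" 401 188 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2024:13:55:39 +0000] "POST /api/search HTTP/1.1" 401 188 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "POST /api/search HTTP/1.1" 401 188 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2024:13:55:42 +0000] "POST /api/search HTTP/1.1" 401 188 "-" "curl/8.4.0"
198.51.100.4 - bob [10/Oct/2024:13:56:10 +0000] "POST /api/search HTTP/1.1" 200 1820 "-" "python-requests/2.31.0"
203.0.113.7 - alice [10/Oct/2024:13:58:02 +0000] "POST /api/search HTTP/1.1" 200 2048 "-" "curl/8.4.0"
192.0.2.9 - - [10/Oct/2024:14:02:00 +0000] "POST /api/search HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, window=timedelta(minutes=5), threshold=5, api_prefix="/api/"):
    """Apply three rules and return a list of alerts (dicts with rule, ip, ts, detail).

    1. auth_bruteforce: at least `threshold` 401s from one IP inside the sliding window.
    2. bruteforce_success: an IP flagged by rule 1 later gets a 2xx on the API.
    3. unauthenticated_api_hit: a 2xx on the API with no $remote_user, i.e. the
       request bypassed the auth layer (auth missing on that location, or the
       proxy is not the only path to port 3000).
    """
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of its recent 401s
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, status, path = rec["ip"], rec["ts"], rec["status"], rec["path"]
        if status == 401:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "auth_bruteforce", "ip": ip, "ts": ts,
                               "detail": f"{len(q)} failed logins within {window}"})
        elif 200 <= status < 300 and path.startswith(api_prefix):
            if ip in flagged:
                alerts.append({"rule": "bruteforce_success", "ip": ip, "ts": ts,
                               "detail": f"2xx on {path} as {rec['user']!r} after brute-force pattern"})
            if rec["user"] == "-":
                alerts.append({"rule": "unauthenticated_api_hit", "ip": ip, "ts": ts,
                               "detail": f"2xx on {path} with no authenticated user"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a['ts'].isoformat()} {a['rule']:24} {a['ip']:15} {a['detail']}")
```

Run it against a real log with `analyze(open("/var/log/nginx/access.log"))`; rule 3 is the one worth paging on, because it means the authentication layer is not in front of the API at all.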

Docker security

When running Perplexica with Docker:
  • Bind to localhost only: Use -p 127.0.0.1:3000:3000 instead of -p 3000:3000. Publishing a port without an address binds it on all interfaces, and Docker's own iptables rules accept that traffic before host firewall front-ends such as ufw see it
  • Use Docker networks: Create isolated networks for Perplexica and SearxNG
  • Set resource limits: Prevent resource exhaustion with --memory and --cpus flags
  • Run as non-root: The Perplexica Docker image runs as a non-root user by default
# Example: Secure Docker deployment
docker run -d \
  -p 127.0.0.1:3000:3000 \
  --memory="2g" \
  --cpus="2" \
  -v perplexica-data:/home/perplexica/data \
  --name perplexica \
  itzcrazykns1337/perplexica:latest

API key protection

While Perplexica doesn’t require authentication, it stores the API keys for your LLM providers, and anyone who can reach the instance can run queries that are billed to them:
Never expose your Perplexica instance publicly without additional security measures. Your configured API keys (OpenAI, Anthropic, etc.) could be misused.
  • Store API keys in environment variables, not in configuration files
  • Restrict configuration files to the user Perplexica runs as (for example chmod 600)
  • Rotate API keys periodically
  • Monitor API usage on provider dashboards and set spending caps where the provider offers them
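A pre-deployment check for the two file-related points above, as an added example that is not part of Perplexica: it verifies that the configuration file is not readable by group or others and that no provider key is stored as a literal in it. The config.toml layout, the key names and the file location are assumptions for the demo; adjust them to where your instance actually keeps its configuration.

```python
"""Audit a Perplexica-style configuration file for API-key hygiene.

Added example for this page (not Perplexica code). Assumes a TOML-style file with
`NAME = "value"` lines; the section and key names used in demo() are constructed.
Checks: (1) the file mode grants nothing to group/others, (2) no secret-looking
key holds a literal value, which should come from an environment variable instead.
"""
import os
import re
import stat
import tempfile

# Key names treated as secrets. API_KEY matches the page's wording; SECRET/TOKEN are assumed extras.
SECRET_KEY_RE = re.compile(
    r'^\s*(?P<name>[A-Za-z_]*(?:API_KEY|SECRET|TOKEN)[A-Za-z_]*)\s*=\s*"(?P<value>[^"]*)"',
    re.IGNORECASE,
)


def audit_config(path):
    """Return a list of findings (strings); an empty list means the file passes."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} grants access to group/others; use chmod 600")
    with open(path) as f:
        for lineno, line in enumerate(f, 1):
            m = SECRET_KEY_RE.match(line)
            if m and m.group("value").strip():
                findings.append(
                    f"{path}:{lineno}: {m.group('name')} holds a literal secret; "
                    "leave it empty and supply it via an environment variable"
                )
    return findings


def demo():
    """Write a constructed config into a temp dir, audit it, remediate, audit again.

    Returns (findings_before, findings_after).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.toml")
        # Constructed sample: world-readable file with a literal (fake) key in it.
        with open(path, "w") as f:
            f.write('[MODELS.OPENAI]\nAPI_KEY = "sk-example-not-a-real-key"\n'
                    '[API_ENDPOINTS]\nSEARXNG = "http://searxng:8080"\n')
        os.chmod(path, 0o644)
        before = audit_config(path)

        # Remediation: blank the literal (the key now comes from the environment)
        # and restrict the file to its owner.
        with open(path, "w") as f:
            f.write('[MODELS.OPENAI]\nAPI_KEY = ""\n'
                    '[API_ENDPOINTS]\nSEARXNG = "http://searxng:8080"\n')
        os.chmod(path, 0o600)
        after = audit_config(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before remediation:", *before, sep="\n  ")
    print("after remediation:", after or "no findings")
```

Pointing `audit_config` at your real file from a deploy script or CI job turns the two bullets into a gate rather than a reminder.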

Future authentication

Authentication is planned as an upcoming feature. The implementation may include:
  • User accounts and session management
  • API key generation for programmatic access
  • Role-based access control (admin, user, read-only)
  • Integration with external authentication providers (OAuth, SAML)
Follow the GitHub repository and join the Discord community to stay updated on authentication implementation progress.

Rate limiting

Currently, Perplexica does not implement built-in rate limiting. For production deployments:
  1. Reverse proxy rate limiting: Use nginx limit_req module or similar
  2. Cloud load balancers: AWS ALB, Cloudflare, etc. provide rate limiting features
  3. Provider limits: Be aware of rate limits from your LLM providers (OpenAI, Anthropic, etc.)
Example nginx rate limiting (limit_req_zone belongs in the http block; $binary_remote_addr is the TCP peer address, so behind a CDN or load balancer enable the real_ip module first or every client shares the proxy's bucket):
http {
    limit_req_zone $binary_remote_addr zone=perplexica:10m rate=10r/s;

    server {
        location /api/ {
            limit_req zone=perplexica burst=20 nodelay;
            proxy_pass http://localhost:3000;
        }
    }
}
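To see what the zone above actually admits, here is a model of nginx's limit_req leaky bucket, added as an example for this page; it is not nginx or Perplexica code. It follows the ngx_http_limit_req_module algorithm (excess counted in thousandths of a request, drained at `rate` per second, rejected when it exceeds `burst`); the `delay=` parameter of newer nginx versions is not modelled, and the client key is a constructed example address.

```python
"""Model of nginx limit_req: rate, burst and nodelay on a single key.

Added example for this page, not nginx or Perplexica code. Times are integer
milliseconds, as in nginx. Per-key "excess" is counted in thousandths of a
request, drains at `rate` requests/second, and a request is rejected when the
excess after counting it exceeds `burst`. nodelay admits in-burst requests
immediately; without it they are admitted but delayed by excess/rate.
"""


class LimitReq:
    def __init__(self, rate, burst=0, nodelay=False):
        self.rate = rate * 1000       # thousandths of a request per second
        self.burst = burst * 1000
        self.nodelay = nodelay
        self.state = {}               # key -> (excess, last_ms)

    def request(self, key, now_ms):
        """Decide one request at time now_ms.

        Returns ("accept", delay_ms) or ("reject", 0). Rejected requests do not
        add to the bucket, exactly as in nginx.
        """
        if key not in self.state:
            # first request for a key: nginx stores it with excess 0
            self.state[key] = (0, now_ms)
            return ("accept", 0)
        excess, last_ms = self.state[key]
        elapsed_ms = max(0, now_ms - last_ms)
        excess = excess - self.rate * elapsed_ms // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst:
            return ("reject", 0)
        self.state[key] = (excess, now_ms)
        delay_ms = 0 if self.nodelay else excess * 1000 // self.rate
        return ("accept", delay_ms)


def simulate(limiter, key, times_ms):
    """Feed request timestamps (ms) for one client key; return the verdicts."""
    return [limiter.request(key, t)[0] for t in times_ms]


def burst_summary(rate=10, burst=20, n=25):
    """n simultaneous requests against rate=<rate>r/s burst=<burst> nodelay.

    Returns (accepted, rejected). With the page's zone (10r/s, burst=20) a
    burst of 25 gets 21 through: the first request plus the 20 of burst.
    """
    verdicts = simulate(LimitReq(rate, burst, nodelay=True), "203.0.113.7", [0] * n)
    return verdicts.count("accept"), verdicts.count("reject")


if __name__ == "__main__":
    print("25 at once, 10r/s burst=20 nodelay -> (accepted, rejected):", burst_summary())
    lim = LimitReq(10, 20, nodelay=True)
    simulate(lim, "c", [0] * 25)                          # exhaust the burst
    print("one more 500 ms later:", lim.request("c", 500))  # 5 drained, so accepted
    steady = simulate(LimitReq(10, 20, nodelay=True), "d", [i * 50 for i in range(60)])
    print("60 requests at 20 r/s: rejected", steady.count("reject"))
    print("second back-to-back request without nodelay:",
          [LimitReq(10, 20).request("e", 0) for _ in range(1)], LimitReq(10, 20).request("e", 0))
```

Two things the model makes visible: burst=20 passes 21 instantaneous requests, not 20, and a client that keeps sending at twice the rate is not cut off but has every second request rejected once the bucket is full, so pair the limit with `limit_req_status 429` and alerting rather than relying on it alone.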
