How do I access my PhotoStructure library on other computers?
PhotoStructure’s interface runs in a web browser. You can make it reachable from another computer, but network exposure and user authentication are different controls.
These instructions are for advanced users.
Let another computer reach PhotoStructure
PhotoStructure normally listens only on the computer where it runs. Set the
exposeNetworkWithoutAuth system setting to true to listen on the host’s
network interfaces:
exposeNetworkWithoutAuth = true
The setting’s name is historical. It controls the listener’s bind scope. It is
not permission to serve a future auth-enabled library without sign-in. A
loopback bind also does not prove that a browser is local because a reverse
proxy can forward public traffic to 127.0.0.1.
You can set the current system setting through an environment variable:
PS_EXPOSE_NETWORK_WITHOUT_AUTH=true
See advanced settings and environment variables for platform-specific configuration.
Docker published ports
Docker’s -p or --publish flag exposes a container port through the host.
This common form publishes PhotoStructure on every host interface by default:
--publish 1787:1787
Binding the host side to loopback keeps it on the Docker host:
--publish 127.0.0.1:1787:1787
The Docker Compose Wizard calls this choice Expose to network. Clear it for a host-only published port.
Publishing only to loopback is useful, but it is not authentication. A reverse proxy on the same host can still forward remote traffic to that port.
Open PhotoStructure on your LAN
On another device on the same local network, open:
http://HOST_ADDRESS:1787
Replace HOST_ADDRESS with the hostname or IP address of the computer running
PhotoStructure. For example, a Mac named photos may be available at
http://photos.local:1787.
You may need to allow TCP port 1787 through the host firewall. See the Windows troubleshooting guide for Windows firewall notes.
The current release has no login screen. Anyone who can reach this address can use the library, so enable LAN access only on a network you trust.
Access PhotoStructure over the internet
Do not forward port 1787 directly to the internet with the current release. Use one of these approaches.
VPN
A VPN such as Tailscale limits PhotoStructure to the devices you authorize. This is usually the safest choice for personal remote access.
Each device needs the VPN software and an invitation or access key. That setup can be inconvenient for relatives.
HTTPS reverse proxy with authentication
A reverse proxy gives PhotoStructure an HTTPS address and can require a login before forwarding requests. Common choices include:
For the current release, configure authentication at the proxy. HTTPS encrypts traffic but does not decide who may enter.
Example Caddy configuration
This example gives PhotoStructure HTTPS and requires Caddy basic
authentication. On Ubuntu, Caddy’s configuration normally lives at
/etc/caddy/Caddyfile.
Replace:
EMAILwith your email address;DOMAIN_NAMEwith the public hostname, such asphotos.example.com;127.0.0.1:1787with PhotoStructure’s address from the Caddy host;USERwith the proxy username; andHASHwith the output fromcaddy hash-password.
{
email EMAIL
}
DOMAIN_NAME {
basic_auth {
USER HASH
}
reverse_proxy 127.0.0.1:1787
}
Read Caddy’s basic authentication and reverse proxy documentation before exposing the service.
What changes when built-in sign-in arrives
Built-in authentication is planned for a future PhotoStructure release. It keeps listener scope and library access mode separate.
Each library uses exactly one configured mode:
noneserves the ordinary library without sign-in;emailsigns in enrolled users with typed six-digit email codes; oroidcsigns in enrolled users through one configured identity provider.
Email and OIDC are never simultaneous login methods. Missing, invalid,
conflicting, or incomplete configuration derives authSetupRequired and fails
closed. It does not fall back to none.
Docker treats environment variables as its auth control plane and ignores TOML
auth mode, bootstrap email, and provider settings. A Docker library opens
without sign-in only when the destination explicitly sets
PS_AUTH_MODE=none.
Every non-loopback deployment declares its exact browser-facing origin with
PS_EXTERNAL_ORIGIN. email and oidc require HTTPS. An explicit none
deployment may use HTTP only after a strong privacy warning.
Exact loopback Desktop and loopback-only Node are the only planned plain-HTTP sign-in profiles. A reverse proxy forwarding to a loopback backend is an external deployment and must declare its HTTPS origin.
After built-in sign-in ships, proxy authentication can remain as a second lock. It does not replace PhotoStructure’s own first-owner, callback, role, session, origin, or request-forgery checks. Until that release, proxy authentication or a VPN remains required for internet access.
See library users, sign-in, and permissions for the approved pre-release design. That page intentionally omits unfinished commands and screens.
Security boundary
Built-in web authentication will not isolate someone with equivalent host, Docker-daemon, deployment-configuration, operating-system account, or Desktop session control. Anyone with that level of access can read files or change the service outside the browser.
What if I do not have a computer at home?
PhotoStructure can run on a virtual private server, or VPS, but an internet server needs HTTPS, backups, updates, and authentication. The current release should not be exposed there without an authenticated reverse proxy.
If you are new to server administration, start with PhotoStructure on a local computer or private VPN.

