WebUI Dashboard - Teleton Agent Documentation

Getting Started

1. Enable WebUI in config.yaml

config.yaml

webui:
  enabled: true
  port: 7777                # default HTTP port
  host: "127.0.0.1"         # localhost only for security
  auth_token: null           # auto-generated if omitted

If you leave auth_token as null, the agent generates a random token on every startup.

2. Start the agent

On startup the agent prints a one-click authentication URL to the console:

Console output

WebUI server running
URL: http://127.0.0.1:7777/auth/exchange?token=<TOKEN>
Token: abcd...wxyz (use Bearer header for API access)

3. Open the URL in your browser

Clicking the URL calls /auth/exchange, which sets an HttpOnly session cookie and redirects you to the dashboard homepage. You are now authenticated and can browse all pages.

Authentication

All /api/* routes require a valid token. The middleware checks three methods in order:

Priority	Method	How it works	Best for
1	HttpOnly cookie	Cookie `teleton_session` set via `/auth/exchange`. Max age 7 days.	Browser / SPA
2	Bearer header	`Authorization: Bearer <token>`	curl / API clients
3	Query parameter	`?token=<token>`	Backward compat / quick testing

Auth endpoints (no token required)

Method	Path	Description
`GET`	`/auth/exchange?token=TOKEN`	Exchange token for HttpOnly session cookie, redirects to `/`
`POST`	`/auth/login`	POST `{"token":"..."}` to receive session cookie (JSON API)
`POST`	`/auth/logout`	Clear session cookie
`GET`	`/auth/check`	Returns `{"authenticated": true/false}` (useful for SPA route guards)
`GET`	`/health`	Health check -- always returns 200 (no auth required)

Cookie settings

httpOnly: true -- prevents JavaScript access (XSS protection)
sameSite: Strict -- prevents CSRF
secure: false -- localhost does not require HTTPS
maxAge: 7 days -- cookie lifetime

Example: cURL with Bearer token

Terminal

curl -H "Authorization: Bearer $TOKEN" http://127.0.0.1:7777/api/status

Dashboard Pages

Each page in the WebUI corresponds to one or more API endpoints. Below is a page-by-page reference of what each screen shows and what you can do.

Dashboard

The main landing page after login. Provides real-time visibility into the running agent via Server-Sent Events.

What it shows:

Agent uptime, status (running/stopped), and a Run/Stop button
Metrics: sessions, tools count, knowledge chunks, messages, chats, total tokens, estimated cost
Current LLM provider and model
AgentSettingsPanel: switch provider, model, max_tokens, temperature
TelegramSettingsPanel: DM policy, group policy, admin IDs, bot token
ExecSettingsPanel: enable/disable exec tools, set scope and allowlist (Linux only)
Live Logs: real-time log stream via SSE, inline on the Dashboard

Method	Endpoint	Description
`GET`	`/api/status/`	Returns uptime, model, provider, active sessions, total tools
`GET`	`/api/agent/events`	SSE stream for live agent status and log events
`POST`	`/api/agent/start`	Start the agent
`POST`	`/api/agent/stop`	Stop the agent gracefully

Tools Page

Browse, filter, and configure every tool the agent has access to. Tools are grouped by module: telegram, ton, stonfi, dedust, dns, deals, journal, workspace, web, mcp_*, and plugins.

What it shows:

Each tool's name, description, module, scope, category, and enabled status
Tool RAG status: whether RAG-based tool selection is enabled, how many tools are indexed, the topK value, total tool count, and always-include patterns

What you can do:

Enable or disable individual tools
Override a tool's scope (always, dm-only, group-only, admin-only)
Toggle Tool RAG on/off and adjust the topK setting

Method	Endpoint	Description
`GET`	`/api/tools/`	List all tools grouped by module
`GET`	`/api/tools/rag`	Tool RAG status: enabled, indexed, topK, totalTools, alwaysInclude patterns
`PUT`	`/api/tools/rag`	Update Tool RAG settings (enabled, topK)
`GET`	`/api/tools/:name/config`	Get configuration for a specific tool
`PUT`	`/api/tools/:name`	Update tool: `enabled` (true/false), `scope` override

Memory Page

Search the agent's knowledge base and inspect active chat sessions.

What it shows:

Knowledge base statistics: total knowledge chunks, sessions, messages, chats
Active chat sessions with chatId, sessionId, messageCount, and contextTokens
Full-text + vector search results over stored knowledge

What you can do:

Search the knowledge base with a free-text query (combined full-text and vector search)
Browse active sessions to see which chats are in progress and how many tokens they consume

Method	Endpoint	Description
`GET`	`/api/memory/search?q=...&limit=10`	Full-text + vector search over knowledge base
`GET`	`/api/memory/sessions`	List active chat sessions (chatId, sessionId, messageCount, contextTokens)
`GET`	`/api/memory/stats`	Knowledge base stats: knowledge chunks, sessions, messages, chats

No standalone Logs page. Logs are streamed inline on the Dashboard via SSE (/api/agent/events). There is no separate logs page. The /api/logs/ endpoint exists for API consumers that need to fetch a batch of recent log entries.

Method	Endpoint	Description
`GET`	`/api/logs/`	Recent logs (API only) — optional `level` filter and `limit` parameter. Logs are displayed live on the Dashboard via SSE.

Config Page

Read and update the agent's config.yaml from the browser. Changes are written back to the YAML file on disk.

What it shows:

A structured key-value editor organized by section (agent, telegram, webui, etc.) with typed fields and hot-reload indicators

What you can do:

View the full configuration or a specific section
Update any section — changes persist to config.yaml

Method	Endpoint	Description
`GET`	`/api/config/`	Read full current config.yaml
`GET`	`/api/config/:section`	Get a specific section (e.g. `agent`, `telegram`, `webui`)
`PUT`	`/api/config/:section`	Update a section (writes back to YAML on disk)

Soul Page

View and edit the agent's personality and behavioral instructions (the "soul" files).

What it shows:

Current soul/personality settings that define how the agent behaves and responds

What you can do:

Read the current soul configuration
Update the soul settings to change the agent's personality, tone, or behavioral guidelines

Method	Endpoint	Description
`GET`	`/api/soul/`	Get agent personality/soul settings
`PUT`	`/api/soul/`	Update soul settings

Plugins Page

See which plugins are currently loaded into the agent.

What it shows:

Each loaded plugin's name and version

Method	Endpoint	Description
`GET`	`/api/plugins/`	List loaded plugins (name, version)

MCP Servers Page

Manage Model Context Protocol (MCP) server connections. Add, inspect, or remove external tool servers.

What it shows:

Each server's name, type (stdio or sse), target (package or URL), scope, enabled status, connected status, toolCount, individual tool names, and env key names

What you can do:

Add a new MCP server (provide name, package, args, url, scope, env as needed)
Remove an existing MCP server by name

Restart required. Adding or removing MCP servers takes effect after restarting the agent.

Method	Endpoint	Description
`GET`	`/api/mcp/`	List MCP servers with connection info and tool details
`POST`	`/api/mcp/`	Add server: `{name, package?, args?, url?, scope?, env?}`
`DELETE`	`/api/mcp/:name`	Remove server by name

Tasks Page

View and manage scheduled tasks (cron-like jobs the agent executes automatically).

What it shows:

All scheduled tasks with their current status

What you can do:

Create a new scheduled task
Update a task's status

Method	Endpoint	Description
`GET`	`/api/tasks/`	List all scheduled tasks
`POST`	`/api/tasks/`	Create a new task
`PUT`	`/api/tasks/:taskId`	Update task status

Workspace Page

Browse, read, create, edit, and delete files in the agent's workspace directory.

What it shows:

File listing for the workspace directory
File contents when a file is selected

What you can do:

List workspace files
Read file contents
Create or upload new files
Update existing files
Delete files

Method	Endpoint	Description
`GET`	`/api/workspace/files`	List workspace files
`GET`	`/api/workspace/files/:path`	Get file contents
`POST`	`/api/workspace/files`	Create / upload a file
`PUT`	`/api/workspace/files/:path`	Update a file
`DELETE`	`/api/workspace/files/:path`	Delete a file

Marketplace (API only)

The plugin marketplace is accessible via API endpoints only. There is no dedicated frontend marketplace page in the WebUI. Plugin installation and update checking are performed via the REST API below.

Method	Endpoint	Description
`GET`	`/api/marketplace/plugins`	Browse available plugins (API)
`POST`	`/api/marketplace/install`	Install a plugin (API)
`GET`	`/api/marketplace/check-updates`	Check for plugin updates (API)

Setup Wizard

The WebUI includes a first-run setup wizard accessible at /setup. It guides you through all required configuration in a step-by-step flow. Launch it with teleton setup --ui or teleton start --webui on a fresh install.

Step	What it configures
1. Welcome	Introduction and prerequisites overview
2. Telegram	API ID, API Hash, phone number — Telegram client credentials
3. Provider	LLM provider selection, API key entry, and model selection
4. Connect	Telegram OTP authentication (sends code to your phone)
5. Config	Optional settings: DM policy, admin IDs, workspace, webui port
6. Wallet	TON wallet setup (generate new or import existing mnemonic)

ExecSettingsPanel is shown on Linux hosts only. It allows enabling the exec tool category, setting the scope (admin-only recommended), and configuring a command allowlist.

Configuration Reference

Complete list of all WebUI configuration keys and their defaults:

config.yaml

webui:
  enabled: false              # Enable WebUI server
  port: 7777                  # HTTP port
  host: "127.0.0.1"           # Bind address (localhost only by default)
  auth_token: null             # Auto-generated if omitted
  cors_origins:                # Allowed CORS origins
    - "http://localhost:5173"
    - "http://localhost:7777"
  log_requests: false          # Log all HTTP requests

Key	Type	Default	Description
`enabled`	boolean	`false`	Whether to start the WebUI HTTP server
`port`	number	`7777`	TCP port the server listens on
`host`	string	`"127.0.0.1"`	Bind address. Keep as localhost unless behind a reverse proxy.
`auth_token`	string \| null	`null`	Bearer token for API access. Auto-generated if `null`.
`cors_origins`	string[]	(see above)	Origins allowed to make cross-origin requests
`log_requests`	boolean	`false`	Log every incoming HTTP request to the console

Security

Warning: Never expose the WebUI to the public internet without proper security measures.

The WebUI is designed with a defense-in-depth approach:

Localhost only -- default bind address 127.0.0.1 rejects all non-local connections
Token secrecy -- the auth token is never fully exposed in logs (only the last 4 characters are shown)
HttpOnly cookies -- session cookies cannot be read by JavaScript, preventing XSS token theft
CORS restricted -- only configured origins may make cross-origin requests
Body limit -- 2 MB maximum request body to prevent abuse
Security headers -- every response includes X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and Referrer-Policy: strict-origin-when-cross-origin

Remote access

For remote access, use an nginx reverse proxy with SSL termination, or an SSH tunnel:

SSH tunnel

# Forward local port 7777 to the server's localhost:7777
ssh -L 7777:localhost:7777 user@your-server

# Then open in browser (sets session cookie automatically)
open http://localhost:7777/auth/exchange?token=YOUR_TOKEN

If you use an nginx reverse proxy, ensure the upstream points to 127.0.0.1:7777 and enable HTTPS with a valid certificate. Keep the WebUI host as 127.0.0.1 so the server never listens on a public interface directly.

API Error Format

All API errors follow a consistent JSON envelope:

Error response

{
  "success": false,
  "error": "Error message describing what went wrong"
}

Successful responses use the same envelope with "success": true and a "data" field containing the result.