This section is for operators running self-hosted Noxus (VM docker-compose or Kubernetes) who need to define firewall, ingress, and egress rules. On the managed cloud (app.noxus.ai) all of this is handled for you — you only need your users to reach the app over HTTPS.

Noxus has two independent connectivity surfaces. Treat them separately when you plan firewall rules:

Inbound

Traffic arriving at your deployment — your users’ browsers and API clients, plus webhooks pushed by external SaaS (Slack, WhatsApp, Teams…).

Outbound

Traffic Noxus initiates — model providers, integration APIs, object storage, and the optional Noxus Control Service.

The mental model

Two kinds of inbound — don’t conflate them

| Inbound source | What it reaches | Can it be private (LAN/VPN)? |
|---|---|---|
| Your users (browser, API clients, SSE streams) | Frontend + Backend | Yes — if all users are on your network/VPN, the app never needs a public address |
| External SaaS webhooks (Slack events, WhatsApp, Teams, Telegram, generic webhooks) | Relays | No — these are server-to-server calls from the internet and require a publicly reachable endpoint |

OAuth sign-in callbacks are browser redirects, not server-to-server calls. They only need to be reachable by your users’ browsers — not by the OAuth provider’s servers. See Inbound connectivity.

What restricted networking costs you

| Restriction | Still works | Breaks / degraded |
|---|---|---|
| No public inbound (private/VPN only) | The full app for internal users; polling channels (Gmail, Outlook, KB sync); Slack via Socket Mode; outbound run webhooks | Push channels: WhatsApp, Teams, Telegram, generic webhook triggers, Google Chat in webhook mode |
| No outbound (air-gapped) | Core orchestration, the editor, data already in the system | Hosted model providers, hosted integrations, NCS-brokered OAuth & auto-upgrade, telemetry, web search/scrape tools |
| Outbound to allowlist only | Everything you allowlist | Anything you forgot to allowlist — see the Endpoint reference |

A fully air-gapped deployment is supported but constrained: you must point models at an in-network OpenAI-compatible endpoint, use direct (non-NCS) OAuth apps or static credentials, and disable telemetry. The Outbound page walks through the minimal-egress setup.
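The inbound model from the two tables above can be checked mechanically before a firewall change goes live. The following is an added example, not Noxus code: it audits a list of planned allow rules for the two mistakes the tables warn about, user-facing components opened beyond the LAN/VPN and relays left private while push channels are enabled. The rule format, channel labels, and address ranges are assumptions made for illustration.

```python
import ipaddress

# Components and push channels as named on this page. The channel labels are
# hypothetical identifiers for this example, not Noxus configuration keys.
USER_FACING = {"frontend", "backend"}
PUSH_CHANNELS = {"whatsapp", "teams", "telegram", "generic_webhook",
                 "google_chat_webhook"}

def is_internal(cidr, internal_nets):
    """True if the source range lies entirely inside an operator-defined LAN/VPN range."""
    src = ipaddress.ip_network(cidr)
    return any(src.version == net.version and src.subnet_of(net)
               for net in map(ipaddress.ip_network, internal_nets))

def audit(rules, internal_nets, enabled_channels, users_all_internal=True):
    """rules: (source_cidr, component) allow rules. Returns a list of findings."""
    findings = []
    reachable = {comp for _, comp in rules}
    exposed = {comp for src, comp in rules if not is_internal(src, internal_nets)}
    # User traffic: may stay private when every user is on the LAN/VPN.
    for comp in sorted(USER_FACING):
        if comp not in reachable:
            findings.append(f"{comp}: no inbound rule, users cannot reach the app")
        elif users_all_internal and comp in exposed:
            findings.append(f"{comp}: open beyond internal ranges, "
                            "not needed for internal-only users")
    # Webhook traffic: server-to-server from the internet, so relays must be public.
    push = sorted(PUSH_CHANNELS & set(enabled_channels))
    if push and "relays" not in exposed:
        findings.append("relays: not publicly reachable, push channels break: "
                        + ", ".join(push))
    return findings

# Constructed sample plans (addresses and rules are made up for illustration).
INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]
CONFLATED = [("10.20.0.0/16", "frontend"), ("0.0.0.0/0", "backend"),
             ("10.20.0.0/16", "relays")]
SEPARATED = [("10.20.0.0/16", "frontend"), ("10.20.0.0/16", "backend"),
             ("0.0.0.0/0", "relays")]

if __name__ == "__main__":
    for name, plan in (("conflated", CONFLATED), ("separated", SEPARATED)):
        print(name, audit(plan, INTERNAL, ["telegram", "gmail"]) or "OK")
```

Polling channels such as Gmail produce no finding because they do not depend on inbound reachability.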