From 10658d076a9b90ca9e78ec22382ca0033eab95f2 Mon Sep 17 00:00:00 2001
From: cogwheel0 <172976095+cogwheel0@users.noreply.github.com>
Date: Thu, 9 Oct 2025 00:58:13 +0530
Subject: [PATCH] docs: update README with custom headers and endpoint
 allowlist details

- Clarified the usage of custom headers during login, linking to the new Endpoint Allowlist section for reverse proxy whitelisting.
- Added a new section on Endpoint Allowlist for custom authentication, detailing necessary path prefixes for SSO and reverse proxy configurations.
- Included specific paths that need to be whitelisted for successful login and streaming flows.
---
 README.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index eb07697..d018fd8 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@ flutter run -d ios   # or: -d android
 Conduit supports multiple authentication flows when connecting to your Open‑WebUI:
 - **Username + Password**: Sign in directly against servers that expose a login endpoint. Credentials are stored securely using platform keychains.
 - **API Key**: Paste a server‑issued API token for stateless auth.
-- **Custom Headers**: Add headers during login (e.g., `X-API-Key`, `Authorization`, `X-Org`, or self‑hosted SSO headers) that Conduit will include on all HTTP/WebSocket requests.
+- **Custom Headers**: Add headers during login (e.g., `X-API-Key`, `Authorization`, `X-Org`, or self‑hosted SSO headers) that Conduit will include on all HTTP/WebSocket requests (see [Endpoint Allowlist](#endpoint-allowlist-custom-auth) for reverse proxy whitelisting).
 
 ## Screenshots
 
@@ -220,6 +220,19 @@ flutter pub run build_runner build --delete-conflicting-outputs
 - No analytics or telemetry are collected.
 - Network calls are only made to your configured Open‑WebUI server.
 
+### Endpoint Allowlist (Custom Auth)
+
+If you protect Open‑WebUI with SSO or a reverse proxy (Authlia, Authentik,
+etc.), whitelist these path prefixes so Conduit can complete login, sync, and
+streaming flows. Paths are relative to your server base URL; replace tokens like
+`{chatId}` with actual identifiers.
+
+- `/health`
+- `/api/*`
+
+WebSocket connections use the Socket.IO handshake on `/ws/socket.io`. Ensure the
+same headers (or allowlist rules) apply there as well.
+
 ## License
 
 This project is licensed under the GPL3 License - see the LICENSE file for details.