---
title: "Bypass Rules"
description: "Community bypass rules for common self hosted apps"
---
import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
This table compiles paths that need to be allowed for various apps to work with Pangolin authentication.
| App | Required Bypass Rules |
| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Media Management** | |
| Radarr | `/api/*` |
| Sonarr | `/api/*` |
| Lidarr | `/api/*` |
| **Media Servers** | |
| Jellyfin (iOS) | `/system/info/public` |
| Jellyfin (Roku) | `/System/Info/Public`
`/Users/AuthenticateByName`
`/Users/Public`
`/QuickConnect/Initiate`
`/QuickConnect/Connect`
`/Users/AuthenticateWithQuickConnect` |
| Audiobookshelf | Audiobookshelf also supports `/audiobookshelf` by default. Each rule should also be applied to this path.
`/api/*`
`/login`
`/auth/*`
`/feed/*`
`/socket.io/`
`/status`
`/logout`
`/ping`
`/public/*`
The following is needed for public shares and is optional for clients:
`/share/*`
`/_nuxt/*.js`
`/_nuxt/fonts/*` |
| **Management & Monitoring** | |
| Tautulli | `/api/*` |
| Harbour | `/api/*` |
| Hoarder App | `/api/*` |
| Uptime Kuma Manager | `/api/*`
`/socket.io/*` |
| Beszel | `/api/beszel/agent-connect` |
| MeshCentral | `/api/*`
`/meshrelay.ashx`
`/agent.ashx` |
| **Security & Privacy** | |
| AdGuard Home | `/api/*` |
| Ente Auth | `*api*` |
| Vaultwarden/Bitwarden | `/api/*`
`/identity/*`
`/wl/*`
Always Deny - Path - `/admin/*` |
| **Cloud & Sync** | |
| Nextcloud | `/` (Main interface)
`/index.php` (Core handler)
`/remote.php` (Remote access)
`/status.php` (Status checks)
`/ocs` (Collaboration Services API)
`/apps` (Applications)
`/remote.php/webdav` (WebDAV endpoint)
`/remote.php/dav` (CalDAV/CardDAV)
`/remote.php/caldav` (Calendar sync)
`/remote.php/carddav` (Contacts sync)
`/ocs/v1.php` (API endpoints)
`/ocs/v2.php` (API v2 endpoints)
`/login` (Authentication)
`/.well-known/*` (Service discovery)
`/.well-known/webfinger` (WebFinger protocol)
`/s/*` (Shared files/folders) |
| Onlyoffice | `/cache/*`
`*/CommandService.ashx`
`*/converter/*`
`*/doc/*`
`*/downloadas/*`
`/downloadfile/*`
`*/fonts/*`
`/healthcheck`
`/methodology/*`
`*/plugins.json`
`*/sdkjs/*`
`*/sdkjs-plugins/*`
`*/themes.json`
`*/web-apps/*` |
| **Photo Management** | |
| Ente Photos | `*api*` |
| Immich | `/api/*`
`/.well-known/immich` |
| **File Management** | |
| Filebrowser | `/static/*`
`/share/*`
`/api/public/dl/*`
`/api/public/share/*` |
| **Notes & Knowledge Management** | |
| Joplin Notes Server | `/api/*`
`/shares/*`
`/css/*`
`/images/*`
Always Deny - Path - `/login/*` (optional) |
| Erugo | `/api/*`
`/shares/*`
`/build/*`
`/get-logo` |
| Memos | `/api/*`
`/assets/*`
`/explore*`
`/memos.api.v1.*`
`/auth/callback*`
`/auth`
`/site.webmanifest`
`/logo.webp`
`/full-logo.webp`
`/android-chrome-192x192.png` |
| Linkding | `/api/*`
`/bookmarks/*`
Always Deny - Path - `/admin/*` |
| **Communication** | |
| Matrix/Synapse (Clients) | `/_matrix/*`
`/_synapse/client/*` |
| Matrix/Synapse (Federation) | `/_matrix/*` |
| **Notifications** | |
| Gotify | `/version`
`/message`
`/application`
`/client`
`/stream`
`/plugin`
`/health` |
| **Home Automation** | |
| Home Assistant | `/api/*`
`/auth/*`
`/frontend_latest/*`
`/lovelace/*`
`/static/*`
`/hacsfiles/*`
`/local/*`
`/manifest.json`
`/sw-modern.js` |
| n8n | `/webhook-test/*/webhook`
`/webhook/*/webhook` |
| **Project Management** | |
| Jetbrains Youtrack | `/api/*`
`/hub/api/*`
|
| **Genealogy** | |
| Gramps Web | `/api/*` |
| **Analytics** | |
| Liwan | `/script.js`
`/api/send` |
| Umami | `/script.js`
`/api/send` |
These rules are examples and may need to be adjusted based on your specific
app configuration and version.