HomeLab Everywhere — Expose homelab services to the internet with built-in SSO
Project description
HLE Client
HomeLab Everywhere — Expose homelab services to the internet with built-in SSO authentication, WebSocket support, and webhook forwarding.
One command: hle expose --service http://localhost:8080
Your local service gets a public URL like myapp-x7k.hle.world with automatic HTTPS and SSO protection.
Install
Curl installer (recommended)
curl -fsSL https://get.hle.world | sh
Installs via pipx (preferred), uv, or pip-in-venv. Supports --version:
curl -fsSL https://get.hle.world | sh -s -- --version 2604.4
pipx
pipx install hle-client
Homebrew
brew install hle-world/tap/hle-client
Quick Start
-
Sign up at hle.world and create an API key in the dashboard.
-
Save your API key:
hle auth login
This opens the dashboard in your browser. Copy your key and paste it at the prompt. The key is saved to ~/.config/hle/config.toml.
- Expose a service:
hle expose --service http://localhost:8080
# Or forward webhooks from GitHub/Stripe:
hle webhook --path /hook/github --forward-to http://localhost:3000 --label github-hook
CLI Usage
hle expose
Expose a local service to the internet.
hle expose --service http://localhost:8080 # Basic usage
hle expose --service http://localhost:8080 --label ha # Custom subdomain label
hle expose --service http://localhost:3000 --auth none # Disable SSO
hle expose --service http://localhost:8080 --no-websocket # Disable WS proxying
hle expose --service http://localhost:8080 --allow user@gmail.com # Allow a specific user
hle expose --service http://localhost:8080 --allow google:user@gmail.com --allow github:dev@co.com
Options:
--service— Local service URL (required)--label— Service label for the subdomain (e.g.ha→ha-x7k.hle.world)--auth— Auth mode:sso(default) ornone--allow— Allow an email to access the tunnel (repeatable). Format:emailorprovider:email--websocket/--no-websocket— Enable/disable WebSocket proxying (default: enabled)--verify-ssl— Enable SSL certificate verification for the local service (default: off, accepts self-signed)--upstream-basic-auth USER:PASS— Inject Basic Auth into requests forwarded to the local service--forward-host— Forward the browser's Host header to the local service--api-key— API key (also readsHLE_API_KEYenv var, then config file)
hle webhook
Forward incoming webhooks to a local service.
hle webhook --path /hook/github --forward-to http://localhost:3000 --label github-hook
hle webhook --path /hook/stripe --forward-to http://localhost:4000/stripe --label stripe-hook
Options:
--path— Webhook path prefix, e.g./webhook/github(required). Cannot be/--forward-to— Local URL to forward webhooks to (required)--label— Webhook label, e.g.github-hook(required)--api-key— API key (also readsHLE_API_KEYenv var, then config file)--zone— Custom zone domain for routing
Webhook tunnels bypass SSO so external services (GitHub, Stripe, etc.) can deliver payloads without authentication.
Server notices
While a tunnel is connected, the relay can push informational messages that the
client renders to stderr (e.g. ✓ Auto-protect added you@example.com via Google SSO). Wording is server-controlled so new notices do not require a client
release.
hle auth
Manage your API key.
hle auth login # Save key (opens dashboard)
hle auth login --api-key hle_xxx # Save key non-interactively
hle auth status # Show current key source
hle auth logout # Remove saved key
hle tunnels
List your active tunnels.
hle tunnels
hle access
Manage per-tunnel email allow-lists for SSO access.
hle access list myapp-x7k # List access rules
hle access add myapp-x7k friend@example.com # Allow an email
hle access add myapp-x7k dev@co.com --provider github # Require GitHub SSO
hle access remove myapp-x7k 42 # Remove rule by ID
hle pin
Manage PIN-based access control for tunnels.
hle pin set myapp-x7k # Set a PIN (prompts for 4-8 digit PIN)
hle pin status myapp-x7k # Check PIN status
hle pin remove myapp-x7k # Remove PIN
hle share
Create and manage temporary share links.
hle share create myapp-x7k # 24h link (default)
hle share create myapp-x7k --duration 1h # 1-hour link
hle share create myapp-x7k --max-uses 5 # Limited uses
hle share create myapp-x7k --label "demo" # Label for reference
hle share list myapp-x7k # List share links
hle share revoke myapp-x7k 42 # Revoke a link
hle basic-auth
Manage HTTP Basic Auth access control for tunnels.
hle basic-auth set myapp-x7k # Set credentials (prompts for username & password)
hle basic-auth status myapp-x7k # Check Basic Auth status
hle basic-auth remove myapp-x7k # Remove Basic Auth
hle config
Declarative tunnel configuration for IaC / CI/CD. Accepts a label (resolved
to <label>-<user_code>) or a full subdomain.
hle config show ha # full status in one call
hle config auth-mode ha --set sso # SSO gate on
hle config auth-mode ha --set none # tunnel becomes public
hle config access ha --replace google:alice@example.com \
--replace github:dev@co.com # reconcile allow-list
hle config access --replace is declarative — rules in the dashboard but not
in the flags are removed. Use this when the flags should be authoritative.
hle expose --allow remains additive (idempotent, never prunes) for ad-hoc
sessions.
Global Options
hle --version # Show version
hle --debug ... # Enable debug logging
Configuration
The HLE client stores configuration in ~/.config/hle/config.toml:
api_key = "hle_your_key_here"
API key resolution order:
--api-keyCLI flagHLE_API_KEYenvironment variable~/.config/hle/config.toml
Development
git clone https://github.com/hle-world/hle-client.git
cd hle-client
uv venv && source .venv/bin/activate
uv pip install -e ".[dev]"
# Run tests
pytest
# Lint
ruff check src/ tests/
ruff format --check src/ tests/
License
MIT — see LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file hle_client-2604.4.tar.gz.
File metadata
- Download URL: hle_client-2604.4.tar.gz
- Upload date:
- Size: 68.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a20157b459eee405f5e02a9fa2b127a7a598f02befb5ec4b0e9abf7efc0de54b
|
|
| MD5 |
46865d43f6b7987dd3ab4fcc4ed85a1b
|
|
| BLAKE2b-256 |
48723ff5512cc33838279337ca88853f7ca92ee11e2325beab9712c19c9a5282
|
File details
Details for the file hle_client-2604.4-py3-none-any.whl.
File metadata
- Download URL: hle_client-2604.4-py3-none-any.whl
- Upload date:
- Size: 34.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e698cc51c8217f8c235072382189932316a37b4147dea732e7213cc9de585fc5
|
|
| MD5 |
6ec46f0e2e0e39545b8e78ac6500fd32
|
|
| BLAKE2b-256 |
c83af2b951819afe6577af4ef618987ee44c2d0c1a39e0e8f9cdbba763b0662a
|
