Network & remote access

Fregata’s default listeners:

| Port | Service | Bound to | Notes |
|---|---|---|---|
| 8971 | nginx → Frigate web UI + HTTP API | 0.0.0.0 | HTTPS by default (self-signed cert). Set tls.enabled: false in config.yml for plain HTTP. |
| 5000 | nginx → Frigate API (internal) | 127.0.0.1 (default) or 0.0.0.0 | Loopback-only by default. Set FREGATA_EXPOSE_INTERNAL_PORT=1 to expose to your LAN. Plain HTTP, no authentication. If port 5000 is already taken (e.g. by macOS AirPlay Receiver), Fregata automatically uses port 5050 instead — see below. |
| 1984 | go2rtc admin UI | 127.0.0.1 (default) or 0.0.0.0 | Loopback-only by default. Set FREGATA_EXPOSE_GO2RTC_PORT=1 to expose to your LAN. Plain HTTP, no authentication. |
| 8554 | go2rtc RTSP re-stream | 0.0.0.0 (default) or 127.0.0.1 | LAN-exposed by default. Set FREGATA_EXPOSE_RTSP_PORT=0 to lock it to loopback-only. Plain RTSP, no authentication by default — see below to add a username/password. |
| 8555 | go2rtc WebRTC | 0.0.0.0 | Needed for low-latency live view from outside the Mac. |

The HA integration only needs 8971. Most users don’t think about the others.
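
To check which of the unauthenticated listeners in the table are actually reachable from the LAN on a given Mac, the following added example (not part of Fregata) parses `lsof -nP -iTCP -sTCP:LISTEN` output. The sample output, process names and PIDs are constructed for illustration.

```python
import re
import subprocess

# Listeners the table above describes as "no authentication" by default.
# 5050 is the documented fallback when 5000 is already taken.
UNAUTHENTICATED = {
    5000: "Frigate internal API",
    5050: "Frigate internal API (fallback port)",
    1984: "go2rtc admin UI",
    8554: "go2rtc RTSP re-stream",
}
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}
# lsof NAME column for a listening TCP socket, e.g. "*:8554 (LISTEN)"
NAME_RE = re.compile(r"(\S+):(\d+) \(LISTEN\)\s*$")


def lan_exposed(lsof_output):
    """Return sorted (port, service) pairs for unauthenticated listeners
    bound to anything other than loopback."""
    found = set()
    for line in lsof_output.splitlines():
        m = NAME_RE.search(line)
        if not m:
            continue
        host, port = m.group(1), int(m.group(2))
        if port in UNAUTHENTICATED and host not in LOOPBACK:
            found.add((port, UNAUTHENTICATED[port]))
    return sorted(found)


# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (process names
# and PIDs are made up): defaults, plus FREGATA_EXPOSE_GO2RTC_PORT=1.
SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx     611 me     6u   IPv4 0x1a        0t0  TCP *:8971 (LISTEN)
nginx     611 me     7u   IPv4 0x1b        0t0  TCP 127.0.0.1:5000 (LISTEN)
go2rtc    640 me     9u   IPv4 0x1c        0t0  TCP *:1984 (LISTEN)
go2rtc    640 me    10u   IPv4 0x1d        0t0  TCP *:8554 (LISTEN)
go2rtc    640 me    11u   IPv4 0x1e        0t0  TCP *:8555 (LISTEN)
"""

if __name__ == "__main__":
    live = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                          capture_output=True, text=True).stdout
    for port, service in lan_exposed(live):
        print(f"port {port} ({service}) is reachable from the LAN without authentication")
```

The check matches on port number only, so another service holding the same port (such as AirPlay Receiver on 5000) is reported as well. Port 8554 is listed because it has no authentication by default; it stays in the report even after RTSP credentials are configured.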

Reaching it from another device on your LAN

Fregata is happy to serve 8971 to anything on your LAN. Just open https://<mac-ip>:8971 from a different device — the first visit shows a self-signed-certificate warning (the same one you click through on localhost). To avoid the warning on a trusted LAN, set tls.enabled: false in config.yml and use http://<mac-ip>:8971.

A couple of practical notes:

  • Use a hostname, not an IP. Bonjour gives you <mac-name>.local for free; bookmarking that survives DHCP shuffles. Set the hostname in System Settings → General → Sharing → Local hostname.
  • macOS firewall. If you’ve enabled it (System Settings → Network → Firewall), the first inbound connection to Fregata triggers the standard “allow incoming connections” prompt. Allow it once and the rule sticks.

A common setup: Caddy or Traefik on a NAS or small Linux box, terminating TLS, and proxying to the Mac. The minimum Caddyfile:

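cameras.your-house.example {
    # Plain-HTTP upstream: assumes tls.enabled: false in config.yml,
    # since port 8971 serves HTTPS (self-signed) by default.
    reverse_proxy http://10.0.1.42:8971
}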

Caddy gets you a Let’s Encrypt cert, HTTP/2, websocket upgrade (needed for live MSE/WebRTC), and a clean URL.

Short answer: don’t, unless you absolutely mean to.

Long answer: if you do, the bare minimum:

  1. Put it behind a real reverse proxy with TLS (Caddy, Traefik, Cloudflare Tunnel).
  2. Keep Frigate’s authentication on. It’s enabled by default, and the admin password was set in the welcome wizard (see Your dashboard sign-in). You can confirm it in config.yml:
    auth:
      enabled: true
  3. Restrict by source IP at the proxy if you can.
  4. Don’t expose 8554 (RTSP) or 1984 (go2rtc admin) to the internet under any circumstance. Neither has authentication by default.

The reasonable middle path for “I want to check my cameras from my phone” is Tailscale or a similar mesh VPN: install on the Mac and on your phone, hit https://<tailscale-ip>:8971 from anywhere (click through the self-signed warning once). The Tailscale tunnel is already encrypted end-to-end, so if you’d rather skip the warning, set tls.enabled: false and use http://<tailscale-ip>:8971. No public exposure, near-zero attack surface.

Fregata keeps the system awake while it’s running. As soon as the menu-bar status reads Running, the supervisor takes a ProcessInfo activity assertion with .idleSystemSleepDisabled and holds it until Frigate stops, errors out, or you quit the app. You don’t need to touch System Settings; the display is still free to sleep, only the system itself stays awake.

This means the boring 24/7 install case — Mac mini in a closet, Fregata launched at login, never restarted — just works.

Caveats worth knowing about:

  • A laptop that closes its lid still sleeps. Lid closure is a hardware-level signal that overrides every software assertion. If you need 24/7 detection, run on a desktop or use clamshell mode with an external display attached.
  • The activity is released on .error and .stopping. A Fregata that crashed or was stopped by you doesn’t strand the Mac awake.
  • Belt-and-braces: if you want the same behavior even when Fregata isn’t running, System Settings → Energy Saver / Battery → “Prevent automatic sleeping when display is off” (desktop) or “Prevent automatic sleeping on power adapter” (laptop).
  • The caffeinate command and the Amphetamine app are still useful to prevent your Mac from sleeping when Fregata isn’t yet running.

Tools like Node-RED or custom scripts that run on your LAN can talk to Fregata’s HTTP API. There are two ways to do it:

Option A — Port 8971 with a Bearer token (recommended)

This is the standard path and keeps authentication in place.

  1. POST to http://<mac-ip>:8971/api/login with your credentials:
    { "user": "admin", "password": "your-password" }
  2. The response body contains a JWT. Store it in a Node-RED flow variable or script environment.
  3. Add Authorization: Bearer <token> to every subsequent request.

Tokens are valid for 24 hours by default. To keep a script running indefinitely, re-POST to /api/login on a timer (every 23 hours is safe).
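
The login and 23-hour re-login steps above, as an added example for a standalone script (not Fregata's or Frigate's own client code). The class and function names are hypothetical, and because the page does not say where in the response body the JWT sits, the token is located by its shape, which is an assumption.

```python
import json
import re
import time
import urllib.request

REFRESH_AFTER = 23 * 3600  # tokens last 24 h by default; re-login after 23 h
# Assumption: the JWT is found by its shape (three base64url segments), since
# the page does not say where in the response body it sits.
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")


def extract_token(body):
    m = JWT_RE.search(body)
    if not m:
        raise ValueError("no JWT found in /api/login response")
    return m.group(0)


class FregataSession:
    def __init__(self, base_url, user, password, login=None, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self._creds = {"user": user, "password": password}
        self._login = login or self._http_login  # injectable for offline tests
        self._clock = clock
        self._token, self._issued = None, 0.0

    def _http_login(self):
        req = urllib.request.Request(
            self.base_url + "/api/login",
            data=json.dumps(self._creds).encode(),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return extract_token(resp.read().decode())

    def headers(self):
        """Authorization header, logging in again once the token is 23 h old."""
        if self._token is None or self._clock() - self._issued >= REFRESH_AFTER:
            self._token = self._login()
            self._issued = self._clock()
        return {"Authorization": "Bearer " + self._token}

    def get(self, path):
        req = urllib.request.Request(self.base_url + path, headers=self.headers())
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
```

Read the password from an environment variable or a secrets store rather than writing it into the script. `urlopen` verifies certificates, so the `http://` form shown in step 1 applies once `tls.enabled: false` is set; the default self-signed HTTPS listener will be rejected until its certificate is trusted.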

Alternatively, set auth.enabled: false in config.yml — port 8971 then requires no credentials at all, which may be simpler if the network is fully trusted.

Option B — Port 5000 with FREGATA_EXPOSE_INTERNAL_PORT=1

Port 5000 is nginx’s internal proxy. It has no authentication middleware — requests arrive at the API already labelled as admin. By default it only accepts connections from the same Mac. Setting the environment variable opens it to your whole LAN.

To enable, add FREGATA_EXPOSE_INTERNAL_PORT=1 in Settings → Environment Variables and restart Fregata. A warning appears in the Fregata log every time Fregata starts while the flag is set, so you always have a visible reminder that the port is open.

Point your automation tool at http://<mac-ip>:5000/api/… — no Authorization header needed.

Option C — Port 1984 with FREGATA_EXPOSE_GO2RTC_PORT=1

This one’s for tools that need to talk to go2rtc directly — reading or changing restream config, or pulling an RTSP/WebRTC feed — rather than going through Frigate’s API. Most automation should use Option A or B instead; reach for this only if go2rtc itself is what you need.

To enable, add FREGATA_EXPOSE_GO2RTC_PORT=1 in Settings → Environment Variables and restart Fregata, then point your tool at http://<mac-ip>:1984/api/…. Unlike port 5000, there’s no conflict fallback to worry about — go2rtc runs as its own process, so a failed bind only affects go2rtc, and port 1984 isn’t known to collide with anything on macOS.

Option D — Port 8554, locking it down with FREGATA_EXPOSE_RTSP_PORT=0

Port 8554 is go2rtc’s RTSP restream, and unlike the other ports on this page it’s open to your LAN by default — tools that want to pull the RTSP restream directly (VLC, Home Assistant’s RTSP camera platform, another NVR) can connect to rtsp://<mac-ip>:8554/<camera_name> with no extra configuration.

To restrict it to loopback-only, add FREGATA_EXPOSE_RTSP_PORT=0 in Settings → Environment Variables and restart Fregata. A warning appears in the Fregata log every time Fregata starts while the port is locked down, so you always have a visible reminder. Same posture as port 1984 — no conflict fallback to worry about, since go2rtc runs as its own process and port 8554 isn’t known to collide with anything on macOS.

To add a username/password instead of locking the port down entirely, set go2rtc.rtsp.username/password in config.yml:

go2rtc:
  rtsp:
    username: "admin"
    password: "pass"

Clients then connect with rtsp://admin:pass@<mac-ip>:8554/<camera_name>. This is go2rtc’s own credential check, independent of Frigate’s auth.enabled and separate from the username/password your cameras use upstream.

If you’re running HA on a different host, see the Home Assistant guide — the integration needs to reach 8971 and (if you’ve enabled it) MQTT on whatever broker you’re using.