Overview
The external controller exposes an API that GUI clients, dashboards and automation tools can use to inspect and change Clash runtime state.
Security model
Never expose the controller to an untrusted network without authentication. Treat controller access as sensitive because it can reveal proxies, rules, logs and sometimes allow runtime changes.
Configuration notes
Bind to localhost for local dashboards. If remote access is required, place it behind a trusted tunnel or firewall rule.
Support Checks
If a dashboard needs connection settings confirmed, verify the bind address, port, secret value and whether another process already uses the same port.