The System Terminal gives you a real interactive shell on the host, streamed to the browser over a WebSocket. It is a true PTY (it supports interactive programs and resizing), not a one-shot command box.
This is host access. The session runs on the server itself, not inside a
container. Treat it like SSH: anyone who can open it can affect the whole machine. Restrict it
with terminal protection and user permissions.
Connecting
- Open the System Terminal page.
- Click Connect. The browser opens a WebSocket session and authenticates with your token.
- Use the shell as you would over SSH.
- Click Disconnect to close the session.
Terminal Protection
Access is governed by the terminal protection settings under Settings → Terminal:
- Disable terminal — blocks all shell access entirely.
- Blocked command rules — patterns that are rejected before they run. Each rule matches by contains, equals, prefix, suffix, or regex, with optional case sensitivity.
Permission required. Opening a session requires system write permission, and
the configured blocked-command rules are enforced server-side, so they apply even to direct API use.
Container Shells
To get a shell inside a container rather than on the host, use the exec action on a container from the Containers page or a deployment's services. Those sessions are scoped to the container, not the host.