Open Laboratory Docs
Core Concepts

The Container

Laboratory OS runs in a single Docker container.

You own the container and run it on your own compute.

The Laboratory OS container has many responsibilities:

  • Establish and maintain secure tunnel connections.
  • Manage subdomains for each installed app.
  • Serve system utilities such as the file browser, terminal, and VS Code.
  • Provide seamless one-click installations of any software in the App Library.
  • Serve the web desktop UI behind strong authentication/authorization gates.

State

The container persists state in a mounted volume (/workspace). Your installed apps, downloaded models, desktop settings, and configuration all live there. Stopping and restarting the container leaves everything intact.

See persistence for more details.

Tunnels

Laboratory OS uses an outbound tunnel to make your instance accessible to authenticated clients. No inbound ports, no firewall rules, no reverse proxy.

When the container starts, it connects outward to Open Laboratory’s tunnel infrastructure. Traffic to your *.tunnels.laboratory.computer subdomain is routed through this tunnel to your container. Laboratory OS is designed to be aggressively portable; the same container setup works identically whether you’re running it on your laptop, a home server, or a cloud VM.

App Subdomains

Every app you install and run gets its own dedicated subdomain, derived from your slug and the app name:

https://{slug}--{app}.tunnels.laboratory.computer

For example, if your slug is abcde and you’re running ComfyUI and Open WebUI:

https://abcde--comfyui.tunnels.laboratory.computer
https://abcde--openwebui.tunnels.laboratory.computer

These subdomains are created automatically when an app is started and torn down when it’s stopped. They’re fully independent URLs: you can bookmark them, share them (with caution, see Security Model below), or open them on any device.
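
The following is an added example, not Open Laboratory's code: a strict parser for the app URL format above, of the kind you would use to build an allowlist or to audit proxy logs for your own app subdomains while rejecting lookalike hosts. It assumes slugs and app names are lowercase letters and digits with single hyphens, which this page does not specify; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

TUNNEL_SUFFIX = ".tunnels.laboratory.computer"  # from the URL format on this page
# Assumption (not stated on the page): slug and app use [a-z0-9] with single
# hyphens, so a label can contain only one "--" separator.
NAME = r"[a-z0-9]+(?:-[a-z0-9]+)*"
APP_LABEL = re.compile(rf"({NAME})--({NAME})")

def parse_app_url(url):
    """Return (slug, app) if url is exactly https://{slug}--{app}<suffix>, else None."""
    try:
        parts = urlsplit(url)
        _ = parts.port                  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or parts.username is not None:
        return None                     # reject plain HTTP and userinfo ("@") hosts
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lowercased
    if not host.endswith(TUNNEL_SUFFIX):
        return None                     # the suffix must terminate the host name
    label = host[: -len(TUNNEL_SUFFIX)]
    if "." in label or len(label) > 63:
        return None                     # exactly one DNS label in front of it
    m = APP_LABEL.fullmatch(label)
    return (m.group(1), m.group(2)) if m else None

def audit(urls, my_slug):
    """Split URLs into this lab's app names and everything that is not ours."""
    mine, other = set(), []
    for url in urls:
        parsed = parse_app_url(url)
        if parsed and parsed[0] == my_slug:
            mine.add(parsed[1])
        else:
            other.append(url)
    return sorted(mine), other

# Constructed sample input: the page's two example URLs plus lookalikes.
SAMPLE = [
    "https://abcde--comfyui.tunnels.laboratory.computer/",
    "https://abcde--openwebui.tunnels.laboratory.computer/chat",
    "https://zzzzz--comfyui.tunnels.laboratory.computer/",              # other slug
    "https://abcde--comfyui.tunnels.laboratory.computer.example.net/",  # suffix not last
    "https://abcde--comfyui.tunnels.laboratory.computer@example.net/",  # userinfo
    "https://abcde--a--b.tunnels.laboratory.computer/",                 # ambiguous "--"
]
if __name__ == "__main__":
    print(audit(SAMPLE, "abcde"))
```
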

Security Model

Access is split by surface:

  • openlaboratory.com uses your OpenLaboratory account session.
  • the lab’s managed edge authenticates each visitor with your OpenLaboratory account (SSO) before any request reaches the container — there’s no launch token or shared password.
  • privileged base-host routes like VS Code, terminals, and filebrowser are restricted to that signed-in account.
  • protected published app routes use separate route-scoped external access tokens that can be independently generated, shared, and revoked.

See the full Security Architecture page for a deeper user-facing explanation of what is protected, how sharing works, and what the current limits are.

Accounts

An Open Laboratory account is free and the only credential the container needs. Get your laboratory key from your dashboard at app.laboratory.computer — it also builds the exact docker run command for you.

The key is passed to the container via the UPLINK_API_KEY environment variable. On startup the container logs into the control plane with it; the control plane assigns the device and a *.laboratory.computer edge. Without a valid key the tunnel will not connect and the desktop will not be accessible.

Each running container registers as its own laboratory under your account, with its own subdomain.