
Security

Transcription: Batch | Deployments: Virtual Appliance

The Appliance is designed to be installed within your own security perimeter. Its built-in firewall allows ingress only on the ports required for its Management, Monitoring and Speech APIs.

Overview

The Appliance uses a Kubernetes architecture running on a customized Ubuntu machine. AppArmor default security policies are used to protect the OS and running applications on the Appliance.

Data on the Appliance (including audio and video data that is submitted via the Speech API, logs, and output transcripts) is encrypted on disk if the hypervisor is configured to manage at-rest encryption. The OVA you import is not encrypted by default. If you require at-rest encryption, follow the instructions specific to your hypervisor.

Securing the Management API

All requests to the Management API require authentication unless it is explicitly turned off. The default username and password are 'admin' and 'admin'.

To disable HTTP authentication against the Management API, run this command:

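# ADMIN_PASSWORD holds the current admin password. Do not use $PWD for this:
# the shell sets PWD to the current working directory.
curl -L -u "admin:${ADMIN_PASSWORD}" -X 'DELETE' \
  "http://${APPLIANCE_HOST}/v2/security/adminpassword"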

To configure your own password (advised), run:

# Authenticate with the current password (ADMIN_PASSWORD) and set a new one.
curl -L -u "admin:${ADMIN_PASSWORD}" -X 'POST' \
  "http://${APPLIANCE_HOST}/v2/security/adminpassword" \
  -H 'Content-Type: application/json' \
  -d '{
  "password": "yourpassword"
}'

Alternatively, perform these operations from the Management Web UI running on http(s)://${APPLIANCE_HOST}/.

Configuring a Token for the Jobs API

Versions of the Appliance before 6.0.0 required no authentication to use the ASR API. This version requires no authentication by default, but you can use the Management API to configure a token of your choice that protects the jobs endpoint:

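# ADMIN_PASSWORD holds the admin password ($PWD would expand to the working directory).
curl -L -u "admin:${ADMIN_PASSWORD}" -X 'POST' \
  "https://${APPLIANCE_HOST}/v2/security/jobtoken" \
  -H 'Content-Type: application/json' \
  -d '{"user_token": "<your token>"}'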

To remove the token, send a DELETE request:

# Removing the token returns the jobs endpoint to unauthenticated access.
curl -L -u "admin:${ADMIN_PASSWORD}" -X 'DELETE' \
  "https://${APPLIANCE_HOST}/v2/security/jobtoken"

When a token is in use, requests to the jobs API require an authentication header identical to the kind used in the Speechmatics SaaS:

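# The audio file and the job config are both sent as multipart form fields (-F);
# curl does not allow -d and -F in the same request.
curl -s -L -X 'POST' "https://${APPLIANCE_HOST}/v2/jobs/" \
   -H "Authorization: Bearer <your token>" \
   -F data_file=@sample.wav \
   -F 'config={ "type": "transcription",
         "transcription_config": { "language": "en" }
      }'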
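
The token setup above as reusable shell functions, added here as an example and not taken from the Speechmatics documentation: it generates a random 256-bit token instead of a hand-picked one and passes the admin credentials to curl on stdin so they do not appear in the process list. `ADMIN_PASSWORD` and the function names are assumptions; `APPLIANCE_HOST` and the endpoint come from the page, and HTTPS is assumed to be configured already.

```shell
#!/bin/sh
# Added example. Assumed by this script (not from the page): ADMIN_PASSWORD is
# exported by the operator, and the function names below are illustrative.

# 32 bytes from the kernel CSPRNG, hex-encoded: 64 chars, safe in JSON and headers.
new_job_token() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Build the body for POST /v2/security/jobtoken.
# Rejects empty tokens and any character that would need JSON escaping.
jobtoken_payload() {
  case "$1" in
    ''|*[!A-Za-z0-9._~-]*) echo "refusing unsafe token" >&2; return 1 ;;
  esac
  printf '{"user_token": "%s"}' "$1"
}

# Emit a curl config line carrying the Basic credentials. curl reads it with
# "-K -", so the password never appears in argv as it does with "-u".
curl_auth_config() (
  # Backslash-escape \ and " as curl's quoted config values require.
  escaped=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
  printf 'user = "admin:%s"\n' "$escaped"
)

# Generate a token, install it on the appliance, print it only on HTTP success.
set_job_token() (
  token=$(new_job_token) || exit 1
  body=$(jobtoken_payload "$token") || exit 1
  curl_auth_config "$ADMIN_PASSWORD" |
    curl -K - -sS --fail -L -X POST \
      "https://${APPLIANCE_HOST}/v2/security/jobtoken" \
      -H 'Content-Type: application/json' -d "$body" >/dev/null &&
    printf '%s\n' "$token"
)
```

Source the file and run `set_job_token` once `APPLIANCE_HOST` and `ADMIN_PASSWORD` are exported; store the printed token in your secrets manager, since it is the bearer value clients send to the jobs API.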

Ports and Protocols

Several firewall rules may need to be enabled to allow communication with the Virtual Appliance. If you set up HTTPS as described in the 'SSL Configuration' section of these docs, you only need to expose port 443.

Port/Protocol   Description
22/TCP          SSH access
80/TCP          Used for the Management API to manage the Appliance, and for submitting jobs
443/TCP         Used for HTTPS communication with all of the above services
9001/TCP        Prometheus metrics
3100/TCP        Loki logs endpoint *

* External access is blocked by default; see Loki.