Deploying an Open WebUI to Obsidian MCP Integration
The Pen V2
As I’ve been toying with AI in my personal life, I realized that I was doing a lot of copy and pasting– way too much for my own good. For weeks, I’ve been plagued with this thought: “gosh, it’d be so easy if AI could write directly to my notebook!” At the time it was not possible. I was primarily using Nextcloud for notes. I know… I’m not sure why either. Nextcloud just makes organizing all of my documents in one place stupidly simple. I can chuck a markdown file, a docx file, and a spreadsheet in the same folder without thinking twice.
This worked for a while until my needs developed. I needed something with proper tag support; I needed something with keyword searching and a fast, responsive interface; I needed something that could work offline in a pinch. I needed an actual notebook. Enter, Obsidian! I’ve been using Obsidian on and off for about five years now. It’s a great piece of software, don’t get me wrong, but every time I’ve dropped it, it was always because of how manual everything is. To build a proper “second-brain” style vault, you have to do a lot of work keeping up with formatting, tagging, and titling to ensure that all of your notes are cohesive. Don’t even get me started on the nightmare of folder management.
All of these issues are solved (or complicated) by AI, however. I can have AI format my notes for me. I can bang out a quick note on my phone, write something down on my e-ink tablet, and take some AI research chat history and combine them all into one document using a single prompt. Better yet, I can tell AI to put all of that together for me and write it into today’s daily note. No more notes scattered in a million different places!
This guide documents how to integrate Open WebUI with an Obsidian vault so AI can read from and write to notes through the Obsidian Local REST API with MCP plugin. The deployment uses:
- Open WebUI running on a separate Linux host
- Obsidian running on a MacBook Pro
- Tailscale for private network connectivity
- The Obsidian Local REST API with MCP plugin for authenticated vault access
- Open WebUI External Tools configured as an MCP Streamable HTTP connection This procedure was validated with a working remote connection from the Open WebUI host to the Obsidian host over Tailscale.
Prerequisites
Before starting, confirm the following:
- Open WebUI is already deployed and reachable
- Open WebUI is version 0.6.31 or later
- Obsidian is installed and running on a desktop system
- The Local REST API with MCP plugin is installed and enabled in Obsidian
- Both systems are connected to the same Tailscale tailnet
- An Obsidian API key has been generated from the plugin settings
- You have administrative access to Open WebUI External Tools Environment used in this deployment:
- Open WebUI host:
core-services - Obsidian host:
collens-macbook-pro - Obsidian Tailscale IP:
100.93.113.41 - Obsidian HTTP API port:
27123 - Open WebUI data path:
/appdata/openwebui
Important: This guide uses the plugin’s HTTP listener on port
27123over Tailscale to avoid dealing with self-signed HTTPS trust during initial setup. Not recommended for production.
Procedure
Step 1: Install and enable the Obsidian plugin
Open Obsidian and install the Local REST API with MCP community plugin. After installation:
- Enable the plugin.
- Open the plugin settings.
- Copy the generated API key.
- Enable the HTTP server.
- Enable any advanced settings required to expose the bind/listen host option. Expected result:
- In the plugin settings, change the bind/listen host from
127.0.0.1orlocalhostto either:0.0.0.0, or- the Mac’s Tailscale IP
- Restart Obsidian completely. Expected result:
- The API no longer listens only on loopback.
- Remote clients on the tailnet can connect.
Step 3: Verify the API locally on the Obsidian host
Run the following commands on the Mac:
1 2 3 4 5
tailscale ip -4 lsof -nP -iTCP:27123 -sTCP:LISTEN curl http://127.0.0.1:27123/ curl -H "Authorization: Bearer $OBSIDIAN_API_KEY" \ http://127.0.0.1:27123/vault/
Expected result:
- Port
27123is listening. - The root endpoint returns plugin status.
- The authenticated
/vault/request returns vault contents.Step 4: Verify remote connectivity from the Open WebUI host
On the Open WebUI host, export the API key and remote endpoint:
1 2
export OBSIDIAN_API_KEY='REPLACE_WITH_OBSIDIAN_API_KEY' export OBSIDIAN_REMOTE='http://100.93.113.41:27123'
Test connectivity:
1 2 3 4 5 6 7
tailscale status tailscale ping 100.93.113.41 ping -c 3 100.93.113.41 nc -vz 100.93.113.41 27123 curl http://100.93.113.41:27123/ curl -H "Authorization: Bearer $OBSIDIAN_API_KEY" \ http://100.93.113.41:27123/vault/
Expected result:
tailscale pingsucceeds- standard ICMP ping succeeds
ncreports port27123as open- the root endpoint returns API status
- the authenticated
/vault/request returns folder and file listingsStep 5: Confirm the working remote API response
A successful remote validation returned:
- plugin status
OK - plugin name
Local REST API with MCP - plugin version
4.1.3 - Obsidian version
1.12.7 - authenticated vault listing including:
Inbox/Recipe Book/Tasks.mdcjs-cloud.com/This confirms that:
- the Mac is reachable over Tailscale
- the Obsidian API is listening on a remote-accessible interface
- the Bearer token is valid
- the vault can be queried remotely from the Open WebUI host
Step 6: Prepare Open WebUI for MCP
Ensure the Open WebUI container includes a
WEBUI_SECRET_KEYenvironment variable. Example Docker Compose fragment: ```yaml services: openwebui: image: ghcr.io/open-webui/open-webui:main container_name: openwebui restart: unless-stopped environment:
- WEBUI_SECRET_KEY=replace-with-a-long-random-secret volumes:
- /appdata/openwebui:/app/backend/data ports:
- “9766:8080”
1 2 3 4
Redeploy and review logs: ```bash docker compose up -d docker logs --tail=100 openwebui
Expected result:
- Go to Admin Settings
- Open External Tools
- Click Add Server
- Configure the connection with these values: | Field | Value | |—|—| | Type |
MCP (Streamable HTTP)| | URL |http://100.93.113.41:27123/mcp/| | Auth |Bearer| | Key | Obsidian API key | Save the server and run the built-in verification. Expected result: - Open a chat in Open WebUI.
- Open Integrations or Tools.
- Enable the Obsidian tool for the chat or model. Recommended first test prompt:
1
Create a note at Inbox/AI/openwebui-first-note.md with a title, a short summary of this chat, and three action items.
Recommended append test:
1
Append a section called AI Notes to Inbox/AI/openwebui-first-note.md and add two bullet points.
Expected result:
- The model writes directly into the Obsidian vault using structured tool calls.
Validation
Use the following checks to confirm the deployment is complete:
- From the Open WebUI host,
nc -vz 100.93.113.41:27123returnsopen. curl http://100.93.113.41:27123/returns plugin status.curl -H "Authorization: Bearer $OBSIDIAN_API_KEY" http://100.93.113.41:27123/vault/returns vault contents.- Open WebUI verifies the MCP server successfully.
- A chat session can create or append a note in
Inbox/AI/.
Troubleshooting
Symptom: Connection refused from the Open WebUI host
Common cause:
- The Obsidian plugin is listening only on
127.0.0.1Resolution: - Plugin bound only to loopback
- macOS firewall blocking inbound access
- Wrong target IP or port Resolution:
- Wrong connection type
- Wrong path
- Missing or invalid Bearer token Resolution:
- Confirm:
- Tool not enabled in the chat
- Model not allowed to use the tool
- Prompt does not clearly specify a file path or action Resolution:
- Enable the tool in the active chat.
- Use explicit prompts with a full vault path.
- Start with create or append actions in a dedicated test folder.
Security Considerations
- Use Tailscale or another private network path for API access.
- Do not expose the Obsidian API directly to the public internet.
- Restrict initial AI write operations to a controlled folder such as
Inbox/AI/. - Rotate the Obsidian API key after setup if it has been exposed in terminal history, screenshots, or documentation drafts.
- Expand write scope only after validating model behavior.
Warning: The Obsidian plugin can provide broad vault access. Avoid giving unrestricted write access to sensitive notes during initial rollout.
Related Resources
- Open WebUI MCP documentation
- Obsidian Local REST API with MCP plugin documentation
- Internal Open WebUI deployment documentation
- Internal AI knowledge and notebook automation standards by AI
