I asked back in June 2025, but the issue remains unresolved. Being able to access the WebUI from an iPad would help me, but handling the necessary TLS certificate in iOS still eludes me.
If you happen to have any suggestions, I would really appreciate you sharing them with me. Thank you.
It should work fine if you setup login through OIDC.
I was hoping to avoid the added complexity of setting up an OIDC service. Oh well, I guess I will have to try this route if I can’t get TLS certificate based authentication to work on iOS. 
You can use this forum for OIDC authentication.
The IncusOS download form lets you set that up. You can then re-use those values on a regular Incus installation without needing to deploy IncusOS.
IncusOS image downloader (look for the OIDC section, click the click here to use it and then take values that get populated from that).
There are many OIDC providers you can run yourself too, some of the popular ones are Authentik, Pocket ID, Authelia, Zitadel, Dex and Keycloak. You can also use cloud ones like Auth0 or in many cases even use existing systems like Google Workspace, Microsoft 365, … as your OIDC provider.
I guess I was a bit unlucky in my starting choices, then. Gluu doesn’t support modern Linux distributions; OpenAM requires either Docker or a custom Tomcat installation, and seems rather resource hungry (hello Java, you haven’t improved much in that regard).
I am thankful for your suggestions, knowing what to look for helps. I already found packages for Authentik and Pocket-ID in the Nix stable branch, which is reassuring. I use NixOS where I can, also as the platform for Incus. Nix included Incus 7.0 in the brand new release 26.05.
Before OIDC, I have another suggestion: What about using an iOS terminal, like https://ish.app/ . iSH runs an Alpine Linux container in it. Inside it, you can install the Incus command line client, set up certs, etc, and connect it. Then, you can run incus webui to launch the webserver on localhost, and then you can access that from your browser, on the same phone. This method of accessing the webui uses a one time auth token, in the url itself, so no need to worry about certs.
If you do decide to go the route of OIDC:
Authentik has a package in the nix stable branch, but it doesn’t have services/options. There is a flake that provides a service (and a way to consume it without flakes) but I wouldn’t really recommend authentik for this fairly minimal usecase. Pocket ID is packaged as a service in Nixos, but is also a little bit to small.
I would recommend looking into KanIDM for this usecase, which is much smaller, and lightweight than authentik, but also supports LDAP. Ofc, there is a Nix package and service module for it.
iSH using an embedded Alpine Linux at its core is conceptually fascinating. Looking at the Git repository, I do however wonder why there has not been an iSH release for three years, what with the evolution of iOS during that time. Still, I find your idea of running Incus’ own web UI locally intriguing. Have you done this yourself? Your description reads pretty specific.
I don’t have an iPhone, but I do similar stuff with termux on android a lot (has it’s own package manager and repos, can also run an alpine/debian/arch container inside).
Sometimes the easiest way to do something on mobile is to use Linux.
For you, I did do a web search on how to do it. I did have to check some stuff, and I might have even been wrong (or maybe newer iOS changed things), like whether or not the iSH alpine is accessible from localhost via the browser.
It does look like iSH is getting updated: Commits · ish-app/ish · GitHub, and there are new preleases which you could install via testflight: Releases · ish-app/ish · GitHub
But it looks like they got removed from the app store: About iSH’s pending removal from the App Store — iSH , which is why the main releases are so old.
If testflight or whatever you are doing to sideload apps on iOS nowadays is too annoying, another option is to use a different SSH app, or one of the browser based versions of SSH (but it would have to support port forwarding/proxying), and then do a tunnel to your server via SSH, where you then run the web ui.
Thank you for the research you have conducted on my behalf. I was not idle either. The iSH release available via AppStore is running here on iPadOS 26.5, and outbound connections work as expected.
However, I have not been able to establish any inbound connections to the embedded Alpine. I have for example tried mini_http within iSH, but the service always fails to initialise, complaining that it cannot bind to any network interfaces. There is no /proc available, which could be either cause or symptom of the problems. I guess I should take a break and hope for a muse to kiss me in my sleep. 
Sleep eluded me, I couldn’t stop thinking about this issue. I then decided to try OIDC for a change, and the experience was pretty nice.
I’ve set up Pocket ID behind NGINX as a proxy, both on NixOS, which would have gone even quicker if not for a typo I made. After adding a user account and an OIDC client configuration for Incus in Pocket ID and matching oidc.* settings on in Incus, login from my iPad worked on the first attempt. With passkeys, because Pocket ID doesn’t support other methods. I like passkeys anyway, so the limitation does not bother me at all.
Thanks for your help, and I mean both of you. The iSH route may not have worked, but it was a cool idea nonetheless. OIDC turned out to be smooth sailing, so I marked this forum topic as solved.