Architecture
The relay acts as a message broker between:- Browser client - Connects via WebSocket (
/ws/client) with JWT cookie auth - Local daemon - Connects via WebSocket (
/ws/daemon) and registers the device
Authentication
Login
Logout
Status
Authentication Methods
Google OAuth
Browser-based OAuth flow with CSRF protection via single-use nonce state parameter.Device Code Flow
For headless environments (Docker, servers, CI/CD):POST /auth/device- Start device code flow, get a user code- User visits verification URL and enters the code
POST /auth/device/poll- CLI polls until authorized- JWT token issued on success
Dev Mode
For testing and development (requiresRELAY_DEV_SECRET):
POST /auth/dev- Browser dev login (sets HttpOnly cookie)POST /auth/dev/token- Raw JWT for daemon/CLI
E2E Encrypted REST Tunnel
The relay supports end-to-end encrypted REST requests where the relay cannot see the payload:Security
- Rate limiting - Per-IP sliding window for auth endpoints
- CSRF protection - OAuth state parameter with single-use nonce
- Boot ID - All tokens invalidated when relay restarts
- Periodic pings - 30-second keepalive to prevent timeout
- E2E encryption - X25519 key exchange + AES-GCM payload encryption
Connection Flow
- User logs in via browser (Google OAuth or device code)
- Local daemon connects to relay and registers device
- Browser opens WebSocket to relay, receives connection ID
- All subsequent messages route through relay
- E2E encrypted payloads are forwarded opaquely