Remote Access

Run the ShioriCode server on a remote machine and connect from any browser. Useful for powerful dev machines, cloud instances, or shared workstations.

Quick Setup

Build the project on your remote machine
Start the server bound to all interfaces with an auth token:
bun run start -- --host 0.0.0.0 --port 3773 --auth-token YOUR_SECRET
Open http://<remote-ip>:3773 in your browser

CLI Flags

Flag	Description
`--mode`	Launcher mode (`web` or `desktop`)
`--port`	Port to listen on (default: 3773)
`--host`	Host to bind to. Use `0.0.0.0` for remote access
`--auth-token`	Require this token for WebSocket connections
`--base-dir`	Override the base data directory (equivalent to `SHIORICODE_HOME`)
`--no-browser`	Disable automatic browser opening on startup

--bootstrap-fd is also available for advanced launchers that want to pass one-time secrets like the auth token over a file descriptor instead of the command line.

Environment Variables

All CLI flags can also be set via environment variables:

Variable	Equivalent Flag
`SHIORICODE_MODE`	`--mode`
`SHIORICODE_PORT`	`--port`
`SHIORICODE_HOST`	`--host`
`SHIORICODE_AUTH_TOKEN`	`--auth-token`
`SHIORICODE_HOME`	`--base-dir`

Tailscale Integration

For the most secure remote setup, use Tailscale to create a private network between your machines. This avoids exposing your server to the public internet.

Install Tailscale on both the server machine and your client device
Start the ShioriCode server bound to your Tailscale IP or 0.0.0.0
Connect from your client using the Tailscale hostname or IP

With Tailscale, traffic is encrypted end-to-end. You can still use an auth token for an additional layer of security.

Security Best Practices

Always use an auth token when exposing the server beyond localhost
Prefer Tailscale or VPN over direct internet exposure
Use --bootstrap-fd if you are wrapping the server in another launcher and want to avoid putting the token in process listings
Firewall the port if you bind to 0.0.0.0 on a public-facing machine
Use HTTPS via a reverse proxy (nginx, Caddy) for production deployments

CLI Flags

Flag

Description

--mode

Launcher mode (web or desktop)

--port

Port to listen on (default: 3773)

--host

Host to bind to. Use 0.0.0.0 for remote access

--auth-token

Require this token for WebSocket connections

--base-dir

Override the base data directory (equivalent to SHIORICODE_HOME)

--no-browser

Disable automatic browser opening on startup

--bootstrap-fd is also available for advanced launchers that want to pass one-time secrets like the auth token over a file descriptor instead of the command line.

Variable

Equivalent Flag

SHIORICODE_MODE

--mode

SHIORICODE_PORT

--port

SHIORICODE_HOST

--host

SHIORICODE_AUTH_TOKEN

--auth-token

SHIORICODE_HOME

--base-dir

Tailscale Integration

For the most secure remote setup, use Tailscale to create a private network between your machines. This avoids exposing your server to the public internet.

Install Tailscale on both the server machine and your client device

Start the ShioriCode server bound to your Tailscale IP or 0.0.0.0

Connect from your client using the Tailscale hostname or IP

With Tailscale, traffic is encrypted end-to-end. You can still use an auth token for an additional layer of security.

Security Best Practices

Always use an auth token when exposing the server beyond localhost

Prefer Tailscale or VPN over direct internet exposure

Use --bootstrap-fd if you are wrapping the server in another launcher and want to avoid putting the token in process listings

Firewall the port if you bind to 0.0.0.0 on a public-facing machine

Use HTTPS via a reverse proxy (nginx, Caddy) for production deployments