Start a server
Generate a token and launch the server. Bind to loopback for local-only use, or to all interfaces for remote access.127.0.0.1:9100 by default. Print the token you generated and keep it safe — clients need it verbatim.
Configuration
The server reads its settings from environment variables.
When a certificate and key are set, the server accepts secure
wss:// connections; otherwise it speaks plain ws://.
Enable TLS
1
Obtain a certificate and key
Use a trusted certificate (for example from Let’s Encrypt) for public hosts, or a self-signed pair for private networks.
2
Point the server at them
3
Connect over wss://
Clients now use a
wss:// URL. For a self-signed certificate, clients must trust your CA with SYNTI_TLS_CA.Connect a client
- Terminal (synti-cli)
- Thin desktop client
- Browser
Deployment notes
Put TLS termination at a reverse proxy
Put TLS termination at a reverse proxy
For production, front the server with nginx, Caddy, or a Cloudflare Tunnel and let it handle TLS. The server can then bind to loopback while the proxy faces the network.
Prefer a private network
Prefer a private network
Tailscale, a WireGuard mesh, or an SSH tunnel keeps the server off the public internet entirely while still allowing remote clients.
Rotate the token
Rotate the token
Treat
SYNTI_SERVER_TOKEN like a password. Rotate it by restarting the server with a new value and updating clients.Related
Terminal Client
Connect and drive the server from the shell.
CLI Reference
Every synti-cli command and flag.
Environment Variables
All server-mode variables.
Network Proxy
Reach a server through a proxy or CA.