Remote access
Reach your instance from other devices with a tunnel — no reverse proxy needed
By default OpenAcme listens on 127.0.0.1 only — reachable from the machine it
runs on, nothing else. To use it from your phone or share it with a teammate,
you don't need a reverse proxy, TLS certificates, DNS records, or open
ports. A tunnel handles all of that: your machine makes an outbound connection
and hands back a public HTTPS URL.
Require a login first
On your own machine OpenAcme skips the login — 127.0.0.1 is trusted, so you
land straight in. The moment you share it, you want a login. Turn that on:
openacme expose
This requires an account for everyone reaching the instance (and opens the port so a tunnel or proxy can forward to it). On first run it prints a one-time setup link to its log:
openacme claim # print the setup link to create your account
openacme logs # or look for "Claim this instance at …/setup?token=…"
Open that link and set an email + password. The token proves you can read the
server's log — i.e. that you're the person who deployed it — so a stranger who
opens your tunnel URL first can't claim the instance. (Run openacme expose --off to turn sharing back off.) After claiming, any of the tunnels below
drops every device at the sign-in screen.


To let a teammate in, mint them a one-time invite link and hand it over however you like (no email is sent):
openacme invite # prints a one-time …/enroll?token=… link
They open it, pick their own email + password, and they're in. Everyone has the
same full access — accounts exist so each person has their own login, not to
grant different permissions. Remove someone with openacme members revoke <email>, which also invalidates their active sessions.
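The claim, invite and revoke flow described in this section, sketched as an added example. It is not OpenAcme's code: the `Instance` class, its method names and the SHA-256 token hashing are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()  # store hashes, never raw tokens

class Instance:  # hypothetical model, not OpenAcme's code
    def __init__(self):
        self.members = set()   # emails with an account
        self.sessions = {}     # session id -> email
        self.invites = set()   # digests of unused invite tokens
        self.claim = None      # digest of the unused claim token

    def expose(self) -> str:
        """Mint the claim token; it is meant to be written only to the server log."""
        if self.members:
            raise RuntimeError("instance already claimed")
        token = secrets.token_urlsafe(32)
        self.claim = digest(token)
        return token

    def _start_session(self, email: str) -> str:
        self.members.add(email)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid

    def setup(self, token: str, email: str):
        """Create the first account: works once, and only with the logged token."""
        if self.claim is None or not hmac.compare_digest(self.claim, digest(token)):
            return None
        self.claim = None  # one-time: replaying the link fails
        return self._start_session(email)

    def invite(self) -> str:
        token = secrets.token_urlsafe(32)
        self.invites.add(digest(token))
        return token

    def enroll(self, token: str, email: str):
        d = digest(token)
        if d not in self.invites:
            return None
        self.invites.remove(d)  # one-time
        return self._start_session(email)

    def revoke(self, email: str) -> None:
        self.members.discard(email)
        # Drop live sessions too, otherwise a revoked member stays signed in.
        self.sessions = {s: e for s, e in self.sessions.items() if e != email}
```

A visitor who reaches the public URL before the owner has no valid token, so `setup` returns `None` for them and the real claim link still works afterwards.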
Cloudflare Tunnel
Install cloudflared (download):
brew install cloudflared # macOS; apt/yum/binary on Linux
Point it at the running daemon:
cloudflared tunnel --url http://localhost:3456
It prints an https://<random>.trycloudflare.com URL — open it on any device and
sign in. That URL is ephemeral. For a permanent URL on your own
domain, create a named tunnel and route DNS to http://localhost:3456
(guide).
ngrok
Install ngrok, then after a free signup and
ngrok config add-authtoken <token>:
ngrok http 3456
It prints a public https://<id>.ngrok-free.app URL. Open it and sign in. Free
URLs are ephemeral and show a one-time interstitial page; a paid plan gives a
fixed subdomain.
Tailscale (private, no public URL)
If you only need your own devices — not public sharing — Tailscale
is the simplest path and exposes nothing publicly. Install it on the OpenAcme
machine and your phone/laptop, then reach the instance at
http://<machine-name>:3456 over your private tailnet. Use
tailscale funnel if you later want a
public URL.
Any other tunnel works
The pattern is always the same — point the tunnel at http://localhost:3456 and
your account login protects whatever public URL it hands back.
localtunnel,
bore, an SSH reverse tunnel, or your own
reverse proxy all work the same way.
Why no reverse proxy?
The tunnel forwards straight to :3456 and terminates HTTPS at its edge — so
you skip nginx/Caddy, certificate renewal, DNS setup, and firewall/port
forwarding entirely. Your account sign-in is what keeps the public URL protected.