Skip to content
Kit service URLs + http-PORT for anything you bind
HTTP/1.1 · HTTP/2 · HTTP/3 · WebSocket
Wildcard TLS on *.containers.hoody.com
Real client IP at socket level
Proxy runs on your bare metal
JWT · Basic · IP · Bearer auth
Kit service URLs + http-PORT for anything you bind
HTTP/1.1 · HTTP/2 · HTTP/3 · WebSocket
Wildcard TLS on *.containers.hoody.com
Real client IP at socket level
Proxy runs on your bare metal
JWT · Basic · IP · Bearer auth
Kit service URLs + http-PORT for anything you bind
HTTP/1.1 · HTTP/2 · HTTP/3 · WebSocket
Wildcard TLS on *.containers.hoody.com
Real client IP at socket level
Proxy runs on your bare metal
JWT · Basic · IP · Bearer auth
Kit service URLs + http-PORT for anything you bind
HTTP/1.1 · HTTP/2 · HTTP/3 · WebSocket
Wildcard TLS on *.containers.hoody.com
Real client IP at socket level
Proxy runs on your bare metal
JWT · Basic · IP · Bearer auth
home / platform / proxy
Hoody Platform

Every service is a URL. The proxy is how.

One container exposes every Hoody Kit service at its own HTTPS URL, plus an http-PORT slug for anything you bind yourself. Ports, auth, TLS, and real client IPs all resolve at the URL layer.

Proxy runs on your bare metal. Hoody sees management API calls — container traffic never leaves your server.

2^192 keyspaceSame-machine routingReal IP at socket
Read the Proxy guide
https://PROJECT_ID-CONTAINER_ID-service-N.SERVER.containers.hoody.com
projectId
24-hex project identifier
containerId
24-hex container identifier
service
Kit service slug (terminal, display, files…)
instance
1, 2, 3… for services that support many
serverName
Your bare metal server

*.containers.hoody.com — wildcard TLS · no Certificate Transparency log exposure

home / platform / proxy / grammar
URL grammar

One grammar, many patterns

Every Kit service resolves through the same proxy, but the URL slug reveals what it is. Same grammar, different shape per service.

Pattern
https://PROJECT_ID-CONTAINER_ID-slug.SERVER.containers.hoody.com
ServiceURL slugNotes
Terminalterminal-NPer-instance shell; maps to display-N
Displaydisplay-NGUI / X11 desktop per instance
Browserbrowser-NRemote Chrome instance
Codecode-NVS Code instance per index
Filesfiles-NFile manager per instance
SQLitesqlite-NOne slug per database service
Execexec-NScripts-as-APIs
Workspacesworkspaces-NPer-agent LLM instance
cURLcurl-NOutbound HTTP proxy
Daemondaemon-NProcess manager
Croncron-NScheduled jobs per instance
Notificationsn-N · notification-server-NBrowser bridge + API
Pipepipe-NByte-stream relay per instance

Project 24-hex × container 24-hex = 2^192 pair combinations. Infeasible to brute-force.

home / platform / proxy / ports
Ports → URLs

Run a server on any port. It gets a URL.

http-PORT prefixes route the proxy to your container's internal port. No nginx server block. No ingress YAML.

Inside the container

# listening sockets

$ ss -ltnp

 

LISTEN0.0.0.0:4000node server.js(react-dev)
LISTEN0.0.0.0:5173vite(admin-ui)
LISTEN0.0.0.0:7070python api.py(payments)
Public URL

https://PROJECT_ID-CONTAINER_ID-http-4000.containers.hoody.com

https://PROJECT_ID-CONTAINER_ID-http-5173.containers.hoody.com

https://PROJECT_ID-CONTAINER_ID-http-7070.containers.hoody.com

Hoody-kit ports are reserved for the platform's own services; everything else is yours. App-side, bind on any port and expose it via http-PORT.

Apps must bind to 0.0.0.0, not localhost — the socket has to be reachable from the proxy container.

Proxies HTTP/1.1, HTTP/2, HTTP/3, and WebSocket end-to-end. Arbitrary user UDP is not routed — use a dedicated IPv4 if you need raw UDP.

home / platform / proxy / auth
Auth at the gate

Auth is a JSON policy, not application middleware.

The proxy validates JWT claims, password hashes, IP CIDR ranges, and bearer tokens before a request reaches your container. Your app stays vanilla.

PATCH /api/v1/containers/ID/proxy/permissions
{
  "project": "abc123",
  "container": "def456",
  "enable_proxy": true,
  "default": "deny",
  "groups": {
    "dashboard": {
      "type": "jwt",
      "algorithm": "HS256",
      "sources": ["header:Authorization"],
      "secret": "<hmac-secret>",
      "claims": { "role": ["admin", "viewer"] }
    },
    "office-only": {
      "type": "ip",
      "range": "203.0.113.0/24"
    }
  },
  "permissions": {
    "dashboard": { "ui": true, "terminal": [1, 2] },
    "office-only": { "ssh": true, "terminal": true }
  }
}
clientproxy (policy check)container (vanilla HTTP)

JWT

HS256 · RS256 · ES256 · header / cookie / query · claim validation

Password

HTTP Basic · SHA-256 + salt · URL-embeddable

IP

IPv4 CIDR match · real client IP at socket level

Bearer Token

Multiple tokens per group · API-friendly

Container-level permissions replace project-level permissions — they do not merge. Set both scopes explicitly if you rely on inheritance.

home / platform / proxy / aliases
Aliases & domains

Memorable URLs on top of cryptographic URLs

One API call turns the long cryptographic URL into a memorable Hoody subdomain like myapp.node-us-1.containers.hoody.com — served under Hoody's wildcard *.containers.hoody.com TLS, with no certificate to provision.

Generated at container create

https://abc123-def456-http-4000.node-us-1.containers.hoody.com

POST /api/v1/proxy/aliases
Memorable alias · wildcard TLS, no cert setup

https://myapp.node-us-1.containers.hoody.com

Path routing
target_path + allow_path_override
expires_at
Time-limited access
Multi-service alias
One alias → many programs
Custom domain
CNAME · Let's Encrypt auto

Alias naming: 3–61 chars, lowercase alphanumeric plus hyphens, must start and end with a letter or number. Auto-generated aliases are 48-char hex.

home / platform / proxy / vs
Self-hosted vs Hoody Proxy

What you would otherwise stitch together

The proxy replaces a stack most teams assemble from scratch: reverse proxy + cert manager + VPN or tunnel + per-app auth + audit log. The axioms the self-hosted column fails — URL-as-route, URL-as-auth-scope, URL-as-embeddable — are what the proxy supplies natively.

ConcernHoody ProxySelf-hosted equivalent
Wildcard HTTPSsupported nativelyNativecertbot + renewal cron + cert rotation
Routing to internal portsupported nativelyNativenginx server block per service
Real client IPsupported nativelyNativeParse X-Forwarded-For per app
JWT · Basic · IP · Token authsupported nativelyNativeMiddleware per app + session libs
Custom domain + TLSsupported nativelyNativeCloudflare / DNS-01 / nginx reload
Centralized request auditsupported nativelyNativenginx logs + log shipper + index
Iframe-embeddable URLssupported nativelyNativeManual CORS / CSP / TLS per app
Runs on your hardwaresupported nativelyNativeYou run it yourself anyway

If you're already on Kubernetes with an ingress controller, Cloudflare Tunnels for SSO to Okta, or Tailscale for L3 private access, those tools stay better for their specific niches. The proxy earns its place when you want URL-addressable container services as the primary abstraction.

home / platform / proxy / build
What this unlocks

Six workflows the URL-first model makes trivial

Drawn from patterns teams actually ship with the Hoody Proxy.

Ship an API with no reverse proxy

Bind to 0.0.0.0:4000. Get abc123-def456-http-4000.node-us-1.containers.hoody.com. Skip the nginx, cert, and DNS song.

Memorable subdomain, zero cert setup

POST /api/v1/proxy/aliases turns the crypto URL into a memorable subdomain like myapp.node-us-1.containers.hoody.com, served instantly under Hoody's wildcard TLS — no certificate to provision.

Blue/green via alias swap

Point myapp.node-us-1.containers.hoody.com at container B, test, swap the alias back. No config reload, no downtime.

Give an AI agent a container to drive

Agent gets a JWT, proxy validates per-request, agent writes files, runs commands, queries sqlite over HTTPS.

Multi-tenant SaaS subdomains

One container per tenant; alias each to tenant.node-us-1.containers.hoody.com. Tenant isolation enforced at the URL layer.

Instant revocation

One DELETE call to the Control Plane and the URL is dead within a second. No cache poisoning.

home / platform / proxy / start
Start

Your first URL is one API call away.

Create a project, create a container, and every service is already online. No infrastructure to stand up first.

Proxy guide

See also — /platform/control-plane for proxy alias, permission, and log APIs.