Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Emanuele-web04/dpcode/llms.txt

Use this file to discover all available pages before exploring further.

DP Code supports optional token-based authentication for its WebSocket endpoint. When no token is configured, the server accepts all incoming connections. When a token is set, every WebSocket connection must present it or the server rejects the upgrade. Authentication is transport-level — it controls access to the WebSocket connection itself. It is not a user account system.

Enabling authentication

Start the server with --auth-token or set the T3CODE_AUTH_TOKEN environment variable: 
node dist/index.js --auth-token your-secret-token
Generate a strong random token with: 
openssl rand -hex 24
Treat the auth token like a password. Do not commit it to source control or log it. The server deliberately omits the token value from its startup log.

Connecting with a token

Pass the token as a token query parameter on the WebSocket URL: 
ws://localhost:3773/ws?token=your-secret-token
For a remote server over TLS: 
wss://your-server.example.com/ws?token=your-secret-token
If the token is missing or does not match, the server rejects the WebSocket upgrade with an AuthError before the connection opens.

How it works

1

Server starts with a token configured

You pass --auth-token <token> or set T3CODE_AUTH_TOKEN. The server stores the token in memory and marks authentication as required.
2

Client initiates a WebSocket upgrade

The client connects to /ws and includes ?token=<token> in the URL query string.
3

Server validates the token

The server reads the token query parameter and compares it to the configured value. A mismatch results in an AuthError and the upgrade is rejected.
4

Connection opens

On a valid token, the WebSocket upgrade completes and the server sends the server.welcome push event.

When no token is configured

If you start the server without --auth-token, authentication is disabled and all WebSocket connections are accepted without credentials. This is the default behavior and is appropriate for local-only use.

Security recommendations

Restrict the bind interface

Use --host 127.0.0.1 to accept connections from the local machine only. Combine with a reverse proxy (nginx, Caddy) when you need remote access over HTTPS/WSS.

Always set a token for remote access

Any time the server is reachable outside localhost, set --auth-token with a strong random value. Without it, anyone who can reach the port has full access to your agent sessions.

Use a trusted network

Prefer binding to a Tailscale or VPN IP rather than 0.0.0.0. This limits the attack surface to devices on your private network.

Rotate the token when needed

Restart the server with a new --auth-token value to invalidate all existing connections. There is no token rotation API — a server restart is required.

Build docs developers (and LLMs) love

Get started for freeTalk to us