@dcprotocol/proxy
Lightweight proxy that creates a local DCP endpoint on VPS or cloud servers. Forwards all vault requests to your local machine via encrypted relay. Zero key material on server.
Installation
```bash
npm install -g @dcprotocol/proxy
```
Or run directly with npx (no installation needed):
```bash
npx @dcprotocol/proxy --token YOUR_PAIRING_TOKEN
```
Quick Start
Step 1: Generate Pairing Token (Local Machine)
```bash
# On your local machine (where vault is)
dcp pairing generate --name production-bot --ttl 60

# Output:
# ✓ Generated pairing token
#
# Token (expires in 60 minutes):
# dcp_pair_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
#
# On your VPS, run:
# npx @dcprotocol/proxy --token dcp_pair_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
```
Step 2: Run Proxy on VPS
```bash
# SSH into your VPS
ssh user@your-vps.com

# Run proxy with pairing token
npx @dcprotocol/proxy --token dcp_pair_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

# Output:
# ✓ Connecting to relay...
# ✓ Connected to vault
# ✓ Proxy server running on http://127.0.0.1:8420
#
# Your agents can now access the vault!
```
Step 3: Use in Your Agent
```javascript
// On VPS - your agent code
import { createDCPClient } from '@dcprotocol/client';

const client = await createDCPClient({
  agentName: 'production-bot'
  // Client auto-detects proxy on localhost:8420
});

const { address } = await client.getAddress('solana');
console.log(`Solana: ${address}`);
```
How It Works
```text
YOUR MACHINE:              RELAY:                VPS:
┌──────────────┐           ┌──────────┐          ┌─────────────┐
│ DCP Vault    │           │ Relay    │          │ Proxy       │
│ ~/.dcp       │◀─────────▶│ Server   │◀────────▶│ 127.0.0.1   │
└──────────────┘    WSS    └──────────┘   WSS    │ :8420       │
                    HPKE                  HPKE   └──────┬──────┘
                                                        │
                                                        ▼
                                                 ┌─────────────┐
                                                 │ Your Agent  │
                                                 └─────────────┘
```
1. Proxy connects to relay using pairing token
2. Your vault (on local machine) also connects to relay
3. Relay routes messages between vault and proxy
4. All data encrypted end-to-end with HPKE
5. Relay cannot read vault data (transport encryption only)
Features
- Zero key material: No private keys or secrets stored on VPS
- End-to-end encryption: HPKE encryption from VPS to vault
- Secure pairing: Token expires after TTL (reusable until expiry)
- Auto-reconnect: Reconnects on network interruptions
- Identical API: Same localhost:8420 interface as local server
Command-Line Options
| Option | Description |
|---|---|
| --token TOKEN | Pairing token from dcp pairing generate |
| --port PORT | Local proxy port (default: 8420) |
| --relay URL | Relay server URL (default: wss://relay.dcp.1ly.store) |
| --verbose | Enable debug logging |
Examples
```bash
# Basic usage
npx @dcprotocol/proxy --token dcp_pair_...

# Custom port
npx @dcprotocol/proxy --token dcp_pair_... --port 3000

# Self-hosted relay
npx @dcprotocol/proxy --token dcp_pair_... --relay wss://relay.mycompany.com

# Debug mode
npx @dcprotocol/proxy --token dcp_pair_... --verbose
```
Environment Variables
| Variable | Default | Description |
|---|---|---|
| DCP_PAIRING_TOKEN | undefined | Pairing token (alternative to --token) |
| DCP_PROXY_PORT | 8420 | Proxy server port |
| DCP_RELAY_URL | wss://relay.dcp.1ly.store | Relay server URL |
Using Environment Variables
```bash
# Set token via environment variable
export DCP_PAIRING_TOKEN=dcp_pair_a1b2c3d4...
npx @dcprotocol/proxy

# Or in .env file
echo "DCP_PAIRING_TOKEN=dcp_pair_..." > .env
npx dotenv @dcprotocol/proxy
```
Production Deployment
systemd Service (Linux VPS)
```ini
# /etc/systemd/system/dcp-proxy.service
[Unit]
Description=DCP Proxy
After=network.target

[Service]
Type=simple
User=ubuntu
Environment="DCP_PAIRING_TOKEN=dcp_pair_..."
ExecStart=/usr/bin/npx @dcprotocol/proxy
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
```
```bash
# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable dcp-proxy
sudo systemctl start dcp-proxy

# Check status
sudo systemctl status dcp-proxy

# View logs
sudo journalctl -u dcp-proxy -f
```
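A token set with `Environment=` in the unit can be read by any local user through `systemctl show`, and the unit file itself is normally world-readable. The following is an added example, not part of the project's documentation, that moves the token into a root-only `EnvironmentFile`; the function name, the `root_dir` prefix and the drop-in name `10-token.conf` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of @dcprotocol/proxy): keep the pairing token out of
# the unit file by writing a 0600 env file plus a drop-in that loads it.
# root_dir is a hypothetical prefix so the function can be tried in a scratch
# directory; pass "/" (as root) on a real VPS.
install_token_dropin() {
    root_dir="${1%/}"; token="$2"
    case "$token" in
        dcp_pair_*) ;;
        *) echo "not a pairing token" >&2; return 1 ;;
    esac
    env_file="$root_dir/etc/dcp-proxy.env"
    dropin_dir="$root_dir/etc/systemd/system/dcp-proxy.service.d"
    mkdir -p "$root_dir/etc" "$dropin_dir"
    # umask covers a newly created file; chmod covers one that already existed.
    ( umask 077 && printf 'DCP_PAIRING_TOKEN=%s\n' "$token" > "$env_file" )
    chmod 600 "$env_file"
    cat > "$dropin_dir/10-token.conf" <<'EOF'
[Service]
# Reset any Environment= set by the main unit, then load the token from a
# file that systemd reads before it drops privileges to User=.
Environment=
EnvironmentFile=/etc/dcp-proxy.env
EOF
}

# Try it in a scratch directory with a constructed token.
scratch=$(mktemp -d)
install_token_dropin "$scratch" "dcp_pair_CONSTRUCTED0000" \
    && ls -l "$scratch/etc/dcp-proxy.env"
rm -rf "$scratch"
```

After installing on the VPS, delete the `Environment=` line from the unit itself, then run `sudo systemctl daemon-reload` and restart the service.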
Docker
```dockerfile
# Dockerfile
FROM node:18-alpine
RUN npm install -g @dcprotocol/proxy
CMD ["dcp-proxy"]
```
```bash
# Build
docker build -t dcp-proxy .

# Run
docker run -d \
  --name dcp-proxy \
  -p 127.0.0.1:8420:8420 \
  -e DCP_PAIRING_TOKEN=dcp_pair_... \
  dcp-proxy

# View logs
docker logs -f dcp-proxy
```
PM2 (Process Manager)
```bash
# Install PM2
npm install -g pm2
```
```javascript
// ecosystem.config.js
module.exports = {
  apps: [{
    name: 'dcp-proxy',
    script: 'npx',
    args: '@dcprotocol/proxy',
    env: {
      DCP_PAIRING_TOKEN: 'dcp_pair_...'
    },
    autorestart: true,
    watch: false
  }]
};
```
```bash
# Start with PM2
pm2 start ecosystem.config.js

# Monitor
pm2 monit

# Logs
pm2 logs dcp-proxy

# Auto-start on boot
pm2 startup
pm2 save
```
Security Best Practices
- Rotate tokens: Generate new tokens periodically
- Short TTL: Use 15-60 minute token expiry
- Secure storage: Store tokens in environment variables, not code
- Firewall: Only allow localhost connections to proxy port
- Monitor logs: Watch for unauthorized connection attempts
- Update regularly: Keep proxy package up to date
Firewall Configuration
```bash
# UFW (Ubuntu)
sudo ufw allow 22/tcp   # SSH
sudo ufw allow 443/tcp  # HTTPS (if needed)
sudo ufw enable

# Ensure proxy port is NOT exposed
# (It binds to 127.0.0.1 by default, but verify)
sudo ufw status

# iptables
sudo iptables -A INPUT -p tcp --dport 8420 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8420 -j DROP
```
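`ufw status` lists firewall rules, not the address the proxy is actually bound to. To verify the bind itself, this added example (not from the project's documentation) filters `ss -Htln` output for listeners on the proxy port that are not loopback-only; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of @dcprotocol/proxy): print every listener on the
# given port whose local address is reachable from outside the host.
# Input on stdin is the output of `ss -Htln` (no header, numeric, TCP, listening).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # some other service
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)              # drop an interface scope such as %lo
            if (host ~ /^127\./ || host == "[::1]") next   # loopback is fine
            print addr
        }'
}

# Constructed samples: the default loopback bind, and a wildcard bind.
sample_default() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 511 127.0.0.1:8420 0.0.0.0:*'
}
sample_wildcard() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 511 0.0.0.0:8420 0.0.0.0:*' \
        'LISTEN 0 511 [::]:8420 [::]:*'
}

echo "default bind:  $(sample_default  | exposed_listeners 8420 | wc -l) exposed"
echo "wildcard bind: $(sample_wildcard | exposed_listeners 8420 | wc -l) exposed"
# Live check on the VPS: ss -Htln | exposed_listeners 8420
```

Any line printed by the live check means the port is bound beyond loopback; the iptables rules above cover IPv4 only, so a `[::]` listener needs a matching ip6tables rule or a corrected bind.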
Token Rotation
Best practice: Rotate pairing tokens regularly to minimize exposure if the VPS is compromised.
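```bash
# Step 1: On local machine, generate new token
dcp pairing generate --name production-bot --ttl 60

# Step 2: Update token on VPS
ssh your-vps
export DCP_PAIRING_TOKEN=NEW_TOKEN   # picked up by a proxy started from this shell
# For the systemd service, replace the token where the unit defines it and run
# daemon-reload: an exported shell variable does not reach a service
sudo systemctl restart dcp-proxy

# Step 3: Revoke old agent session (optional)
dcp agents revoke production-bot-old
```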
Automated Rotation
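```bash
#!/bin/bash
# rotate-token.sh - Run this periodically (cron)
set -eu
# Generate new token. Take only the first dcp_pair_ match: the command's output
# repeats the token inside the suggested npx command line
NEW_TOKEN=$(dcp pairing generate --name production-bot --ttl 60 | grep -o 'dcp_pair_[^[:space:]]*' | head -n 1)
[ -n "$NEW_TOKEN" ] || { echo "Could not parse pairing token" >&2; exit 1; }
# Update VPS via SSH. The token travels on stdin so it is not visible in the
# remote process list, and umask 077 keeps the env file private. The service
# must load this file (EnvironmentFile=/etc/dcp-proxy.env in the unit)
printf 'DCP_PAIRING_TOKEN=%s\n' "$NEW_TOKEN" | ssh your-vps "umask 077 && cat > /etc/dcp-proxy.env && systemctl restart dcp-proxy"
echo "Token rotated successfully"
```
Monitoring and Debugging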
Health Check
```bash
# Check if proxy is running
curl http://127.0.0.1:8420/health

# Expected response:
# {"status":"ok","mode":"relay","connected":true}

# If not connected:
# {"status":"error","mode":"relay","connected":false,"error":"..."}

# Monitor continuously
watch -n 5 'curl -s http://127.0.0.1:8420/health | jq'
```
Debug Logging
```bash
# Run with verbose logging
npx @dcprotocol/proxy --token dcp_pair_... --verbose

# Output shows:
# [DEBUG] Connecting to relay...
# [DEBUG] WebSocket connected
# [DEBUG] Sending handshake
# [DEBUG] Handshake successful
# [DEBUG] Relay connection established
```
Common Issues
Connection Failed
```bash
# Error: Cannot connect to relay
#
# Possible causes:
# 1. Network firewall blocking WebSocket (port 443)
# 2. Relay server down
# 3. Invalid pairing token
#
# Debug:
curl -I https://relay.dcp.1ly.store/health

# Test WebSocket
wscat -c wss://relay.dcp.1ly.store
```
Token Expired
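```bash
# Error: Pairing token expired
#
# Solution: Generate new token with longer TTL
dcp pairing generate --name production-bot --ttl 120

# Update VPS with new token
export DCP_PAIRING_TOKEN=new_token   # picked up by a proxy started from this shell
# (a systemd service takes the token from its unit, not from this export)
sudo systemctl restart dcp-proxy
```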
Vault Not Responding
```bash
# Error: Vault not connected to relay
#
# Check on local machine:
dcp status

# Ensure vault is unlocked and relay client is running
# Desktop app handles this automatically
# CLI users may need to keep a session active
```
Use Cases
1. Cloud Trading Bot
```text
# Deploy trading bot to VPS with proxy
# Bot has vault access without exposing keys

VPS Setup:
1. npx @dcprotocol/proxy --token dcp_pair_...
2. Run bot: python trading_bot.py
3. Bot calls localhost:8420 for signatures
4. Vault (on your machine) signs transactions
```
2. GitHub Actions CI/CD
```yaml
# Deploy to production with access to vault
# .github/workflows/deploy.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Start DCP Proxy
        # Pass the token through DCP_PAIRING_TOKEN rather than --token, so it
        # does not appear in the runner's process list
        env:
          DCP_PAIRING_TOKEN: ${{ secrets.DCP_PAIRING_TOKEN }}
        run: npx @dcprotocol/proxy &
      - name: Deploy with vault access
        run: ./deploy.sh
        # deploy.sh can now call localhost:8420 for signatures
```
3. Multi-Server Setup
```bash
# Multiple VPS instances sharing one vault
# Each gets its own pairing token

# VPS 1: Trading Bot
dcp pairing generate --name trading-bot-1 --ttl 120
# Use token on VPS 1

# VPS 2: Monitoring Bot
dcp pairing generate --name monitor-bot --ttl 120
# Use token on VPS 2

# View all connected agents
dcp agents list
```
Comparison with Alternatives
| Approach | Pros | Cons |
|---|---|---|
| @dcprotocol/proxy | No keys on VPS, encrypted relay | Requires local machine online |
| Copy vault to VPS | Self-contained | Keys exposed if VPS compromised |
| API keys in env vars | Simple | No signing, no secrets rotation |
See Also
- @dcprotocol/relay - Relay server documentation
- @dcprotocol/client - Client SDK
- @dcprotocol/cli - Generate pairing tokens
- @dcprotocol/server - Local server alternative