API Reference

The doxx.net API provides comprehensive endpoints for authentication, account management, tunnel creation and configuration, domain and DNS management, SSL certificate signing, firewall rules, proxy configuration, and network topology management.

Base URL: https://setup.doxx.net

Protocol: All API requests use POST method with form-encoded data

Authentication: Token-based authentication system (no usernames/passwords)

Authentication
Account Management
Tunnel Management
Server Management
Domain Management
DNS Management
SSL Certificate Management
Firewall Management
Proxy Configuration
Profile Management
Account Recovery
Terms of Service
Error Handling

Authentication

Authenticate User

Endpoint: POST /

Verifies a user’s authentication token and updates last login timestamp.

Parameters:

Parameter	Type	Required	Description
`auth`	string	Yes	Must be set to any value to trigger authentication
`token`	string	Yes	User authentication token (32-character URL-safe base64 string)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "auth=1" \
  -d "token=YOUR_TOKEN_HERE"

Success Response:

{
  "status": "success",
  "message": "Authentication successful"
}

Error Responses:

{
  "status": "error",
  "message": "Missing authentication token"
}

{
  "status": "error",
  "message": "Invalid authentication token"
}

Account Management

Create Account

Endpoint: POST /

Creates a new user account. Accounts are token-based with no email or password required. The API supports both regular user accounts and backbone infrastructure accounts.

Parameters:

Parameter	Type	Required	Description
`create_account`	string	Yes	Must be set to any value to trigger account creation

Example Request:

curl -X POST https://setup.doxx.net \
  -d "create_account=1"

Success Response (Regular Account):

{
  "status": "success",
  "action": "account_created",
  "token": "dGhpc2lzYXRlc3R0b2tlbmZvcmRveHhuZXQ",
  "welcome_message": "Your account has been created successfully!",
  "security_notes": [
    "doxx.net does not use usernames or passwords and does not store your email or other personal account data.",
    "Your token is unique to you and is the only way to access your account. Do not share it with anyone.",
    "Store it securely: write it down, take a photo, and save it in a password manager or secure notes.",
    "On your first login, your browser may prompt you to save it in your password wallet — accept this to avoid losing it.",
    "Anyone with this token has full access to your account. Treat it like a password."
  ],
  "usage_info": [
    "Web: visit https://a0x13.doxx.net and paste your token to sign in.",
    "API: include your token as the 'token' parameter in POST requests to https://setup.doxx.net"
  ]
}

Notes:

Tokens are URL-safe base64-encoded random strings (32 bytes → 43 characters without padding)
Tokens use - and _ instead of + and / for URL safety

Delete Account

Endpoint: POST /

Permanently deletes a user account and all associated data including tunnels, domains, DNS records, firewall rules, and proxy configurations.

Parameters:

Parameter	Type	Required	Description
`delete_account`	string	Yes	Must be set to any value to trigger account deletion
`token`	string	Yes	User authentication token

Example Request:

curl -X POST https://setup.doxx.net \
  -d "delete_account=1" \
  -d "token=YOUR_TOKEN_HERE"

Success Response:

{
  "status": "success",
  "message": "Account deleted successfully"
}

Deletion Process:

Deletes all DNS records from PowerDNS
Deletes all domains from PowerDNS
Removes domain ownership records
Deletes all firewall rules
Deletes all tunnel configurations
Frees all IPv4 allocations
Deletes user proxy configurations
Removes recovery codes
Deletes profile data
Deletes TOS acceptance records
Finally removes user account

Notes:

This operation is irreversible
All tunnels are disconnected before deletion
DNS records are cleaned up from PowerDNS
IPv4 allocations are returned to the pool

Tunnel Management

Create Tunnel

Endpoint: POST /

Creates a new VPN tunnel with specified configuration. Automatically allocates IPv4 (/31) and optionally IPv6 (/127) address pairs.

Parameters:

Parameter	Type	Required	Default	Description
`create_tunnel`	string	Yes	-	Must be set to any value to trigger tunnel creation
`token`	string	Yes	-	User authentication token
`type`	string	Yes	-	Tunnel type: `wireguard`, `tcp-encrypted`, `https`, or `cdn`
`name`	string	No	null	Tunnel name (max 64 characters)
`server`	string	No	null	Target server name (must exist in servers table)
`bandwidth_stats`	integer	No	0	Enable bandwidth statistics (0 or 1)
`security_stats`	integer	No	0	Enable security statistics (0 or 1)
`block_bad_dns`	integer	No	0	Block malicious DNS queries (0 or 1)
`keep_established_ssh`	integer	No	0	Keep SSH connections alive through tunnel (0 or 1)
`kill_default_route`	integer	No	0	Override default route (0 or 1)
`auto_reconnect`	integer	No	1	Automatically reconnect on failure (0 or 1)
`enable_routing`	integer	No	1	Enable IP routing (0 or 1)
`snarf_dns`	integer	No	1	Intercept and route DNS queries through tunnel (0 or 1)
`firewall`	integer	No	0	Enable firewall (0 or 1)
`ipv6_enabled`	integer	No	1	Enable IPv6 support (0 or 1)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "create_tunnel=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "type=wireguard" \
  -d "name=My VPN Tunnel" \
  -d "server=newyork-us" \
  -d "bandwidth_stats=1" \
  -d "security_stats=1" \
  -d "auto_reconnect=1"

Success Response:

{
  "status": "success",
  "message": "Tunnel created successfully",
  "tunnel_token": "dGVzdHR1bm5lbHRva2VuZm9yZG94eG5ldA",
  "assigned_ip": "10.42.15.200/31",
  "assigned_v6": "2602:f5c1:1::af5:fad6/127",
  "public_key": "wg_public_key_here",
  "private_key": "wg_private_key_here"
}

IPv4 Allocation:

Pool: 10.1.0.0 through 10.255.255.252 (excludes 10.0.0.0/16 reserved for backbone)
Allocation: Random /31 subnets (privacy-preserving)
Format: SERVER_IP/31 where CLIENT_IP = SERVER_IP + 1
Example: 10.42.15.200/31 → Server: 10.42.15.200, Client: 10.42.15.201

IPv6 Allocation:

Pool: Server-specific /48 or /64 subnets
Allocation: Random /127 pairs from server’s IPv6 pool
Format: Similar to IPv4, server gets even address, client gets +1

WireGuard Keys:

Only generated for type=wireguard
Private key: 32-byte Curve25519 key (base64-encoded)
Public key: Derived from private key
Both keys returned in response for client configuration

Error Responses:

{
  "status": "error",
  "message": "Invalid tunnel type specified"
}

{
  "status": "error",
  "message": "Tunnel name must be 64 characters or less"
}

Update Tunnel

Endpoint: POST /

Updates an existing tunnel’s configuration. All parameters are optional except token and tunnel_token.

Parameters:

Parameter	Type	Required	Default	Description
`update_tunnel`	string	Yes	-	Must be set to any value to trigger tunnel update
`token`	string	Yes	-	User authentication token
`tunnel_token`	string	Yes	-	Tunnel identifier to update
`type`	string	No	-	Update tunnel type
`name`	string	No	-	Update tunnel name (max 64 characters)
`server`	string	No	-	Update target server
`bandwidth_stats`	integer	No	-	Update bandwidth statistics setting
`security_stats`	integer	No	-	Update security statistics setting
`block_bad_dns`	integer	No	-	Update DNS blocking setting
`keep_established_ssh`	integer	No	-	Update SSH keep-alive setting
`kill_default_route`	integer	No	-	Update default route setting
`auto_reconnect`	integer	No	-	Update auto-reconnect setting
`enable_routing`	integer	No	-	Update routing setting
`snarf_dns`	integer	No	-	Update DNS interception setting
`firewall`	integer	No	-	Update firewall setting
`ipv6_enabled`	integer	No	-	Update IPv6 setting

Example Request:

curl -X POST https://setup.doxx.net \
  -d "update_tunnel=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "tunnel_token=TUNNEL_TOKEN_HERE" \
  -d "name=Updated Tunnel Name" \
  -d "bandwidth_stats=1" \
  -d "block_bad_dns=1"

Success Response:

{
  "status": "success",
  "message": "Tunnel updated successfully"
}

Notes:

Only specified parameters are updated
Triggers notification to wg-server and dn-proxy for config reload
DNS blocking changes trigger notification to dn-dns service
User must own the tunnel (verified by user_id)

List Tunnels

Endpoint: POST /

Retrieves all tunnels associated with the authenticated user, including connection status and optional proxy configurations.

Parameters:

Parameter	Type	Required	Default	Description
`list_tunnels`	string	Yes	-	Must be set to any value to trigger tunnel listing
`token`	string	Yes	-	User authentication token
`include_proxy_configs`	string	No	0	Include proxy configurations in response (0 or 1)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "list_tunnels=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "include_proxy_configs=1"

Success Response:

{
  "status": "success",
  "tunnels": [
    {
      "tunnel_token": "dGVzdHR1bm5lbA",
      "type": "wireguard",
      "name": "My Primary VPN",
      "server": "newyork-us",
      "assigned_ip": "10.42.15.200/31",
      "assigned_v6": "2602:f5c1:1::af5:fad6/127",
      "public_key": "wg_public_key_here",
      "private_key": "wg_private_key_here",
      "bandwidth_stats": 1,
      "security_stats": 1,
      "block_bad_dns": 1,
      "keep_established_ssh": 0,
      "kill_default_route": 0,
      "auto_reconnect": 1,
      "enable_routing": 1,
      "snarf_dns": 1,
      "firewall": 0,
      "ipv6_enabled": 1,
      "created_at": "2024-01-15 10:30:00",
      "active": 1,
      "is_connected": true,
      "connection_status": "connected",
      "proxy_config": {
        "enabled": true,
        "location": "newyork-us",
        "browser": "chrome",
        "custom_lat": null,
        "custom_lon": null,
        "custom_timezone": null,
        "custom_language": null
      }
    }
  ]
}

Response Fields:

active: Connection status (0=disconnected, 1=connected)
is_connected: Boolean connection status
connection_status: Human-readable status (“connected” or “disconnected”)
proxy_config: Only included if include_proxy_configs=1

Delete Tunnel

Endpoint: POST /

Permanently deletes a tunnel and frees all associated resources (IP allocations, DNS PTR records, firewall rules).

Parameters:

Parameter	Type	Required	Description
`delete_tunnel`	string	Yes	Must be set to any value to trigger tunnel deletion
`token`	string	Yes	User authentication token
`tunnel_token`	string	Yes	Tunnel identifier to delete
`type`	string	Yes	Tunnel type (must match)
`assigned_ip`	string	Yes	Assigned IP prefix (must match)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "delete_tunnel=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "tunnel_token=TUNNEL_TOKEN" \
  -d "type=wireguard" \
  -d "assigned_ip=10.42.15.200/31"

Success Response:

{
  "status": "success",
  "message": "Tunnel deleted successfully"
}

Deletion Process:

Verifies tunnel ownership
Fetches tunnel data for disconnect notification
Deletes PTR records for both IPv4 and IPv6 addresses (server + client IPs)
Deletes firewall rules
Deletes proxy configuration
Frees IPv4 allocation
Sends disconnect notification to wg-server and dn-proxy
Deletes tunnel configuration

Notes:

PTR records deleted for both IPs in the /31 pair (server + client)
Disconnect notification sent before tunnel deletion
IPv4 allocation returned to available pool

Get WireGuard Configuration

Endpoint: POST /

Retrieves complete WireGuard configuration for a specific tunnel, including client and server settings.

Parameters:

Parameter	Type	Required	Description
`wireguard`	string	Yes	Must be set to any value to trigger config retrieval
`token`	string	Yes	User authentication token
`tunnel_token`	string	Yes	Tunnel identifier

Example Request:

curl -X POST https://setup.doxx.net \
  -d "wireguard=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "tunnel_token=TUNNEL_TOKEN"

Success Response:

{
  "status": "success",
  "config": {
    "client": {
      "private_key": "client_private_key_base64",
      "address": "10.42.15.201/31",
      "address_v6": "2602:f5c1:1::af5:fad7/127",
      "dns": "10.42.15.200, 2602:f5c1:1::af5:fad6"
    },
    "server": {
      "public_key": "server_public_key_base64",
      "endpoint": "newyork-us.doxx.net:51820",
      "allowed_ips": "0.0.0.0/0, ::/0",
      "persistent_keepalive": 25
    }
  }
}

Notes:

Only works for type=wireguard tunnels
Client address is server address + 1
DNS servers use tunnel IPs
Keepalive set to 25 seconds for NAT traversal

Server Management

List Servers

Endpoint: POST /

Retrieves list of available VPN servers, optionally filtered by type. This is a public endpoint that does not require authentication.

Parameters:

Parameter	Type	Required	Description
`servers`	string	Yes	Must be set to any value to trigger server listing
`type`	string	No	Filter by server type: `wireguard`, `tcp-encrypted`, `https`, or `cdn`

Example Request:

curl -X POST https://setup.doxx.net \
  -d "servers=1" \
  -d "type=wireguard"

Success Response:

{
  "status": "success",
  "servers": [
    {
      "server_name": "newyork-us",
      "type": "wireguard",
      "location": "New York, USA",
      "description": "Primary US East Coast server",
      "public_key": "server_wireguard_public_key_base64"
    },
    {
      "server_name": "london-uk",
      "type": "wireguard",
      "location": "London, UK",
      "description": "Primary UK server",
      "public_key": "server_wireguard_public_key_base64"
    }
  ]
}

Server Types:

wireguard: WireGuard VPN servers
tcp-encrypted: TCP-encrypted tunnel servers
https: HTTPS-based tunnel servers
cdn: CDN-proxied servers

Notes:

No authentication required
Hostname is excluded from public API response for security
Results ordered by type, then location

Domain Management

Create Domain

Endpoint: POST /

Registers a new .doxx domain for the authenticated user. Automatically creates SOA and NS records.

Parameters:

Parameter	Type	Required	Description
`create_domain`	string	Yes	Must be set to any value to trigger domain creation
`token`	string	Yes	User authentication token
`domain`	string	Yes	Domain name (automatically appended with `.doxx` if not present)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "create_domain=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "domain=mysite"

Success Response:

{
  "status": "success",
  "message": "Domain 'mysite.doxx' created successfully",
  "domain": "mysite.doxx",
  "domain_id": 12345
}

Domain Rules:

Only .doxx TLD allowed
Automatically appends .doxx if not present
Strips other TLDs if mistakenly added
Wildcard domains allowed (e.g., *.example.doxx)
Max length: 253 characters (RFC 1035)
Allowed characters: a-z, 0-9, -, ., * (at start only)
Reserved domains are blocked

Automatic Record Creation:

SOA Record: ns1.doxx.net. hostmaster.doxx.net. 1 10800 3600 604800 3600
NS Records: ns1.doxx.net, ns2.doxx.net

Error Responses:

{
  "status": "error",
  "message": "Only .doxx domains are allowed. Your domain will be: example.doxx"
}

{
  "status": "error",
  "message": "Domain already exists"
}

{
  "status": "error",
  "message": "This domain is reserved: <reason>. If you would like to register this domain, please discuss with the team on Discord: https://discord.gg/Gr9rByrEzZ"
}

List Domains

Endpoint: POST /

Retrieves all domains owned by the authenticated user.

Parameters:

Parameter	Type	Required	Description
`list_domains`	string	Yes	Must be set to any value to trigger domain listing
`token`	string	Yes	User authentication token

Example Request:

curl -X POST https://setup.doxx.net \
  -d "list_domains=1" \
  -d "token=YOUR_TOKEN_HERE"

Success Response:

{
  "status": "success",
  "domains": [
    {
      "name": "mysite.doxx",
      "id": 12345
    },
    {
      "name": "another.doxx",
      "id": 12346
    }
  ]
}

Delete Domain

Endpoint: POST /

Permanently deletes a domain and all associated DNS records.

Parameters:

Parameter	Type	Required	Description
`delete_domain`	string	Yes	Must be set to any value to trigger domain deletion
`token`	string	Yes	User authentication token
`domain`	string	Yes	Domain name to delete

Example Request:

curl -X POST https://setup.doxx.net \
  -d "delete_domain=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "domain=mysite.doxx"

Success Response:

{
  "status": "success",
  "message": "Domain deleted successfully"
}

Deletion Process:

Verifies domain ownership
Deletes all DNS records for the domain
Deletes domain from PowerDNS
Removes domain ownership record

DNS Management

Create DNS Record

Endpoint: POST /

Creates a new DNS record for a domain owned by the authenticated user.

Parameters:

Parameter	Type	Required	Default	Description
`create_dns_record`	string	Yes	-	Must be set to any value to trigger DNS record creation
`token`	string	Yes	-	User authentication token
`domain`	string	Yes	-	Domain name (must be owned by user)
`name`	string	Yes	-	Record name (use `@` for root domain)
`type`	string	Yes	-	Record type: `A`, `AAAA`, `CNAME`, `MX`, `TXT`, `NS`, `SRV`, `PTR`
`content`	string	Yes*	-	Record value (*required for all types except SRV)
`ttl`	integer	No	3600	Time to live in seconds
`prio`	integer	No	0	Priority (for MX and SRV records)

SRV Record Additional Parameters:

Parameter	Type	Required	Description
`srv_priority`	integer	Yes	Priority (lower is higher priority)
`srv_weight`	integer	Yes	Weight for load balancing
`srv_port`	integer	Yes	Service port number
`srv_target`	string	Yes	Target hostname

Example Request (A Record):

curl -X POST https://setup.doxx.net \
  -d "create_dns_record=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "domain=mysite.doxx" \
  -d "name=www" \
  -d "type=A" \
  -d "content=203.0.113.1" \
  -d "ttl=3600"

Example Request (SRV Record):

curl -X POST https://setup.doxx.net \
  -d "create_dns_record=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "domain=mysite.doxx" \
  -d "name=_sip._tcp" \
  -d "type=SRV" \
  -d "srv_priority=10" \
  -d "srv_weight=60" \
  -d "srv_port=5060" \
  -d "srv_target=sipserver.mysite.doxx"

Example Request (PTR Record):

curl -X POST https://setup.doxx.net \
  -d "create_dns_record=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "domain=mysite.doxx" \
  -d "name=1.0.168.192.in-addr.arpa" \
  -d "type=PTR" \
  -d "content=server1.mysite.doxx"

Success Response:

{
  "status": "success",
  "message": "DNS record created successfully"
}

Record Type Validation:

A: IPv4 address (e.g., 203.0.113.1)
AAAA: IPv6 address (e.g., 2001:db8::1)
CNAME: Canonical name (must end with .)
MX: Mail server (requires prio, must end with .)
TXT: Text record (any string)
NS: Name server (must end with .)
SRV: Service record (uses separate fields)
PTR: Pointer record (for reverse DNS, can point to any IP owned by user)

PTR Record Notes:

Format: <reversed-ip>.in-addr.arpa (IPv4) or <nibbles>.ip6.arpa (IPv6)
User must own the IP address (verified against tunnel assignments)
Both server and client IPs in /31 or /127 pairs are allowed
IPv4 example: 200.15.42.10.in-addr.arpa for IP 10.42.15.200
IPv6 example: nibble-reversed format for reverse lookup

Error Responses:

{
  "status": "error",
  "message": "Invalid record type. Allowed types are: A, AAAA, CNAME, MX, TXT, NS, SRV, PTR"
}

{
  "status": "error",
  "message": "You do not have permission to modify this domain"
}

{
  "status": "error",
  "message": "You do not own the IP address in this PTR record"
}

List DNS Records

Endpoint: POST /

Retrieves all DNS records for a specified domain owned by the authenticated user.

Parameters:

Parameter	Type	Required	Description
`list_dns`	string	Yes	Must be set to any value to trigger DNS record listing
`token`	string	Yes	User authentication token
`domain`	string	Yes	Domain name

Example Request:

curl -X POST https://setup.doxx.net \
  -d "list_dns=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "domain=mysite.doxx"

Success Response:

{
  "status": "success",
  "records": [
    {
      "name": "mysite.doxx",
      "type": "SOA",
      "content": "ns1.doxx.net. hostmaster.doxx.net. 1 10800 3600 604800 3600",
      "ttl": 3600,
      "prio": 0
    },
    {
      "name": "mysite.doxx",
      "type": "NS",
      "content": "ns1.doxx.net.",
      "ttl": 3600,
      "prio": 0
    },
    {
      "name": "www.mysite.doxx",
      "type": "A",
      "content": "203.0.113.1",
      "ttl": 3600,
      "prio": 0
    }
  ]
}

Update DNS Record

Endpoint: POST /

Updates an existing DNS record. Uses old record values to identify the record to update.

Parameters:

Parameter	Type	Required	Description
`update_dns_record`	string	Yes	Must be set to any value to trigger DNS record update
`token`	string	Yes	User authentication token
`domain`	string	Yes	Domain name
`old_name`	string	Yes	Current record name
`old_type`	string	Yes	Current record type
`old_content`	string	Yes	Current record content
`new_name`	string	No	New record name
`new_type`	string	No	New record type
`new_content`	string	No	New record content
`new_ttl`	integer	No	New TTL value
`new_prio`	integer	No	New priority value

Example Request:

curl -X POST https://setup.doxx.net \
  -d "update_dns_record=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "domain=mysite.doxx" \
  -d "old_name=www.mysite.doxx" \
  -d "old_type=A" \
  -d "old_content=203.0.113.1" \
  -d "new_content=203.0.113.2" \
  -d "new_ttl=7200"

Success Response:

{
  "status": "success",
  "message": "DNS record updated successfully"
}

Delete DNS Record

Endpoint: POST /

Deletes a specific DNS record from a domain.

Parameters:

Parameter	Type	Required	Description
`delete_dns_record`	string	Yes	Must be set to any value to trigger DNS record deletion
`token`	string	Yes	User authentication token
`domain`	string	Yes	Domain name
`name`	string	Yes	Record name
`type`	string	Yes	Record type
`content`	string	Yes	Record content

Example Request:

curl -X POST https://setup.doxx.net \
  -d "delete_dns_record=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "domain=mysite.doxx" \
  -d "name=www.mysite.doxx" \
  -d "type=A" \
  -d "content=203.0.113.1"

Success Response:

{
  "status": "success",
  "message": "DNS record deleted successfully"
}

SSL Certificate Management

Sign Certificate

Endpoint: POST /

Signs an SSL certificate for a domain owned by the authenticated user. Automatically upgrades to wildcard certificates for better coverage.

Parameters:

Parameter	Type	Required	Description
`sign_certificate`	string	Yes	Must be set to any value to trigger certificate signing
`token`	string	Yes	User authentication token
`domain`	string	Yes	Domain name (supports wildcard: `*.example.doxx`)
`csr`	string	Yes	Certificate Signing Request in PEM format

Example Request:

curl -X POST https://setup.doxx.net \
  -d "sign_certificate=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "domain=mysite.doxx" \
  --data-urlencode "csr=$(cat domain.csr)"

CSR Format:

-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREw
...
-----END CERTIFICATE REQUEST-----

Success Response:

{
  "status": "success",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIFXTCCBEWgAwIBAgISBNdz...\n-----END CERTIFICATE-----",
  "message": "Certificate signed successfully for *.mysite.doxx",
  "domain": "*.mysite.doxx"
}

Certificate Details:

Validity: 825 days (maximum browser-accepted duration)
Signature Algorithm: SHA256 with RSA
Key Usage: Digital Signature, Key Encipherment
Extended Key Usage: TLS Web Server Authentication
Subject Alternative Names: Wildcard and base domain
Auto-upgrade: Non-wildcard requests automatically upgraded to wildcard

Wildcard Certificate:

Automatically includes both *.example.doxx and example.doxx
Provides coverage for all subdomains
Single certificate for entire domain

Error Responses:

{
  "status": "error",
  "message": "Access denied: You do not own the domain 'example.doxx'"
}

{
  "status": "error",
  "message": "Invalid CSR: Could not extract certificate request content"
}

Notes:

CSR must be valid PEM format
Domain ownership verified before signing
Uses doxx.net internal CA
Certificates suitable for HTTPS/TLS

Firewall Management

Add Firewall Rule

Endpoint: POST /

Creates a 1:1 firewall rule between two tunnels owned by the user.

Parameters:

Parameter	Type	Required	Default	Description
`firewall_rule_add`	string	Yes	-	Must be set to any value to trigger rule creation
`token`	string	Yes	-	User authentication token
`tunnel_token`	string	Yes	-	Source tunnel token
`protocol`	string	No	ALL	Protocol: `ALL`, `TCP`, `UDP`, `ICMP`
`src_ip`	string	Yes	-	Source IP (must be owned by user, or `ALL`)
`src_port`	string	No	ALL	Source port or `ALL`
`dst_ip`	string	Yes	-	Destination IP
`dst_port`	string	No	ALL	Destination port or `ALL`
`enabled`	integer	No	1	Enable rule (0 or 1)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "firewall_rule_add=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "tunnel_token=SOURCE_TUNNEL_TOKEN" \
  -d "protocol=TCP" \
  -d "src_ip=10.42.15.200/31" \
  -d "src_port=ALL" \
  -d "dst_ip=10.42.20.100/31" \
  -d "dst_port=443" \
  -d "enabled=1"

Success Response:

{
  "status": "success",
  "message": "Firewall rule added successfully"
}

Rule Validation:

Source IP must be owned by user
Protocol must be: ALL, TCP, UDP, or ICMP
Ports can be specific numbers or ALL
Cannot create 1:1 rules when “Link All Tunnels” is enabled

Error Responses:

{
  "status": "error",
  "message": "Cannot create 1:1 firewall links when 'Link All Tunnels' is enabled. Please disable it first."
}

{
  "status": "error",
  "message": "Source IP does not belong to your account"
}

Delete Firewall Rule

Endpoint: POST /

Deletes a specific firewall rule.

Parameters:

Parameter	Type	Required	Description
`firewall_rule_delete`	string	Yes	Must be set to any value to trigger rule deletion
`token`	string	Yes	User authentication token
`tunnel_token`	string	Yes	Source tunnel token
`protocol`	string	Yes	Protocol to match
`src_ip`	string	Yes	Source IP to match
`src_port`	string	Yes	Source port to match
`dst_ip`	string	Yes	Destination IP to match
`dst_port`	string	Yes	Destination port to match

Example Request:

curl -X POST https://setup.doxx.net \
  -d "firewall_rule_delete=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "tunnel_token=SOURCE_TUNNEL_TOKEN" \
  -d "protocol=TCP" \
  -d "src_ip=10.42.15.200/31" \
  -d "src_port=ALL" \
  -d "dst_ip=10.42.20.100/31" \
  -d "dst_port=443"

Success Response:

{
  "status": "success",
  "message": "Firewall rule deleted successfully"
}

List Firewall Rules

Endpoint: POST /

Retrieves all firewall rules for a specific tunnel.

Parameters:

Parameter	Type	Required	Description
`firewall_rule_list`	string	Yes	Must be set to any value to trigger rule listing
`token`	string	Yes	User authentication token
`tunnel_token`	string	Yes	Tunnel token to list rules for

Example Request:

curl -X POST https://setup.doxx.net \
  -d "firewall_rule_list=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "tunnel_token=TUNNEL_TOKEN"

Success Response:

{
  "status": "success",
  "rules": [
    {
      "tunnel_token": "SOURCE_TUNNEL_TOKEN",
      "protocol": "TCP",
      "src_ip": "10.42.15.200/31",
      "src_port": "ALL",
      "dst_ip": "10.42.20.100/31",
      "dst_port": "443",
      "enabled": 1
    }
  ]
}

Toggle Link All Tunnels

Endpoint: POST /

Enables or disables automatic linking of all user’s tunnels (mesh mode). When enabled, all 1:1 firewall rules are deleted.

Parameters:

Parameter	Type	Required	Description
`firewall_link_all_toggle`	string	Yes	Must be set to any value to trigger toggle
`token`	string	Yes	User authentication token
`enabled`	integer	Yes	Enable (1) or disable (0) link all tunnels

Example Request:

curl -X POST https://setup.doxx.net \
  -d "firewall_link_all_toggle=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "enabled=1"

Success Response:

{
  "status": "success",
  "message": "Link all tunnels enabled successfully"
}

Notes:

When enabling, all existing 1:1 firewall rules are automatically deleted
Creates a full mesh network between all user’s tunnels
Mutually exclusive with 1:1 firewall rules

Get Link All Status

Endpoint: POST /

Retrieves the current status of the “Link All Tunnels” setting.

Parameters:

Parameter	Type	Required	Description
`firewall_link_all_status`	string	Yes	Must be set to any value to trigger status check
`token`	string	Yes	User authentication token

Example Request:

curl -X POST https://setup.doxx.net \
  -d "firewall_link_all_status=1" \
  -d "token=YOUR_TOKEN_HERE"

Success Response:

{
  "status": "success",
  "link_all_tunnels": 1
}

Proxy Configuration

Get Proxy Configuration

Endpoint: POST /

Retrieves proxy configuration for a specific tunnel.

Parameters:

Parameter	Type	Required	Description
`get_proxy_config`	string	Yes	Must be set to any value to trigger config retrieval
`token`	string	Yes	User authentication token
`tunnel_ip`	string	Yes	Tunnel IP prefix (e.g., `10.42.15.200/31`)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "get_proxy_config=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "tunnel_ip=10.42.15.200/31"

Success Response:

{
  "status": "success",
  "config": {
    "enabled": true,
    "location": "newyork-us",
    "browser": "chrome",
    "custom_lat": 40.7128,
    "custom_lon": -74.0060,
    "custom_timezone": "America/New_York",
    "custom_language": "en-US"
  }
}

Default Response (No Config):

{
  "status": "success",
  "config": {
    "enabled": false,
    "location": "newyork-us",
    "browser": "",
    "custom_lat": null,
    "custom_lon": null,
    "custom_timezone": null,
    "custom_language": null
  }
}

Update Proxy Configuration

Endpoint: POST /

Updates proxy configuration for a specific tunnel. All parameters are optional except token and tunnel_ip.

Parameters:

Parameter	Type	Required	Description
`update_proxy_config`	string	Yes	Must be set to any value to trigger config update
`token`	string	Yes	User authentication token
`tunnel_ip`	string	Yes	Tunnel IP prefix
`enabled`	boolean	No	Enable proxy (true/false)
`location`	string	No	Proxy location (e.g., `newyork-us`, `london-uk`)
`browser`	string	No	Browser fingerprint (e.g., `chrome`, `firefox`, `safari`)
`custom_lat`	float	No	Custom latitude
`custom_lon`	float	No	Custom longitude
`custom_timezone`	string	No	Custom timezone (e.g., `America/New_York`)
`custom_language`	string	No	Custom language (e.g., `en-US`, `fr-FR`)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "update_proxy_config=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "tunnel_ip=10.42.15.200/31" \
  -d "enabled=true" \
  -d "location=newyork-us" \
  -d "browser=chrome" \
  -d "custom_lat=40.7128" \
  -d "custom_lon=-74.0060"

Success Response:

{
  "status": "success",
  "message": "Proxy configuration updated successfully"
}

Proxy Locations:

newyork-us: New York, USA
london-uk: London, UK
tokyo-jp: Tokyo, Japan
sydney-au: Sydney, Australia
(Additional locations based on server availability)

Browser Fingerprints:

chrome: Chrome browser fingerprint
firefox: Firefox browser fingerprint
safari: Safari browser fingerprint
edge: Edge browser fingerprint

Profile Management

Get Profile

Endpoint: POST /

Retrieves user profile information including recovery options and notification settings.

Parameters:

Parameter	Type	Required	Description
`get_profile`	string	Yes	Must be set to any value to trigger profile retrieval
`token`	string	Yes	User authentication token

Example Request:

curl -X POST https://setup.doxx.net \
  -d "get_profile=1" \
  -d "token=YOUR_TOKEN_HERE"

Success Response:

{
  "status": "success",
  "profile": {
    "recovery_email": "[email protected]",
    "recovery_phone": "+1234567890",
    "email_notifications": 1,
    "sms_notifications": 0,
    "created_at": "2024-01-15 10:30:00",
    "updated_at": "2024-01-20 14:45:00"
  },
  "recovery_codes_count": 8
}

Default Response (No Profile):

{
  "status": "success",
  "profile": {
    "recovery_email": null,
    "recovery_phone": null,
    "email_notifications": 0,
    "sms_notifications": 0,
    "created_at": null,
    "updated_at": null
  },
  "recovery_codes_count": 0
}

Update Profile

Endpoint: POST /

Updates user profile information. All fields are optional except token.

Parameters:

Parameter	Type	Required	Description
`update_profile`	string	Yes	Must be set to any value to trigger profile update
`token`	string	Yes	User authentication token
`recovery_email`	string	No	Recovery email address
`recovery_phone`	string	No	Recovery phone number
`email_notifications`	integer	No	Enable email notifications (0 or 1)
`sms_notifications`	integer	No	Enable SMS notifications (0 or 1)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "update_profile=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "[email protected]" \
  -d "email_notifications=1"

Success Response:

{
  "status": "success",
  "message": "Profile updated successfully"
}

Account Recovery

Create Recovery Codes

Endpoint: POST /

Generates a new set of 10 recovery codes for account recovery. Deletes any existing codes.

Parameters:

Parameter	Type	Required	Description
`create_account_recovery`	string	Yes	Must be set to any value to trigger recovery code generation
`token`	string	Yes	User authentication token

Example Request:

curl -X POST https://setup.doxx.net \
  -d "create_account_recovery=1" \
  -d "token=YOUR_TOKEN_HERE"

Success Response:

{
  "status": "success",
  "message": "Recovery codes generated successfully",
  "codes": [
    "ABCD-EFGH-JKLM-NPQR",
    "1234-5678-90AB-CDEF",
    "AAAA-BBBB-CCCC-DDDD",
    "1111-2222-3333-4444",
    "FFFF-EEEE-DDDD-CCCC",
    "9876-5432-1098-7654",
    "AABC-DDEF-GHIJ-KLMN",
    "1A2B-3C4D-5E6F-7G8H",
    "ZZZZ-YYYY-XXXX-WWWW",
    "0000-1111-2222-3333"
  ],
  "set_id": "a1b2c3d4e5f6789012345678901234567890abcd",
  "created_at": "2024-01-20 15:30:00"
}

Recovery Code Format:

16 hexadecimal characters
Grouped as: XXXX-XXXX-XXXX-XXXX
Case-insensitive
Single-use only

Notes:

Generates exactly 10 codes
Previous codes are deleted when new set is created
Codes are hashed before storage (password_hash)
Code IDs use HMAC for privacy
Each set has unique set_id

Verify Recovery Code

Endpoint: POST /

Verifies a recovery code and returns the associated user token.

Parameters:

Parameter	Type	Required	Description
`verify_account_recovery`	string	Yes	Must be set to any value to trigger verification
`recovery_code`	string	Yes	Recovery code in format XXXX-XXXX-XXXX-XXXX

Example Request:

curl -X POST https://setup.doxx.net \
  -d "verify_account_recovery=1" \
  -d "recovery_code=ABCD-EFGH-JKLM-NPQR"

Success Response:

{
  "status": "success",
  "message": "Recovery code verified successfully",
  "token": "dGhpc2lzYXRlc3R0b2tlbmZvcmRveHhuZXQ"
}

Error Responses:

{
  "status": "error",
  "message": "Invalid or already used recovery code"
}

Notes:

Recovery code is marked as used after successful verification
Code cannot be reused
Case-insensitive verification
User token returned on success

Terms of Service

Check TOS Status

Endpoint: POST /

Checks if user has accepted the Terms of Service.

Parameters:

Parameter	Type	Required	Description
`tos_status`	string	Yes	Must be set to any value to trigger TOS status check
`token`	string	Yes	User authentication token

Example Request:

curl -X POST https://setup.doxx.net \
  -d "tos_status=1" \
  -d "token=YOUR_TOKEN_HERE"

Success Response (Accepted):

{
  "status": "success",
  "tos_accepted": true,
  "accepted_at": "2024-01-15 10:30:00",
  "version": "1.0"
}

Success Response (Not Accepted):

{
  "status": "success",
  "tos_accepted": false,
  "current_version": "1.0"
}

Accept TOS

Endpoint: POST /

Records user’s acceptance of the Terms of Service.

Parameters:

Parameter	Type	Required	Description
`accept_tos`	string	Yes	Must be set to any value to trigger TOS acceptance
`token`	string	Yes	User authentication token
`tos_version`	string	Yes	TOS version being accepted (e.g., “1.0”)

Example Request:

curl -X POST https://setup.doxx.net \
  -d "accept_tos=1" \
  -d "token=YOUR_TOKEN_HERE" \
  -d "tos_version=1.0"

Success Response:

{
  "status": "success",
  "message": "Terms of Service accepted successfully"
}

Recorded Information:

User ID
TOS version
IP address (including Cloudflare proxy handling)
User agent
Acceptance timestamp

Error Handling

Standard Error Response

All endpoints return a consistent error response format:

{
  "status": "error",
  "message": "Description of the error"
}

Common Error Messages

Authentication Errors:

{
  "status": "error",
  "message": "Missing authentication token"
}

{
  "status": "error",
  "message": "Invalid authentication token"
}

Validation Errors:

{
  "status": "error",
  "message": "Missing required parameter: <parameter_name>"
}

{
  "status": "error",
  "message": "Invalid <parameter_name> specified"
}

Authorization Errors:

{
  "status": "error",
  "message": "Access denied: You do not have permission to <action>"
}

{
  "status": "error",
  "message": "Tunnel not found or access denied"
}

Resource Errors:

{
  "status": "error",
  "message": "<Resource> not found"
}

{
  "status": "error",
  "message": "<Resource> already exists"
}

System Errors:

{
  "status": "error",
  "message": "Database connection error"
}

{
  "status": "error",
  "message": "Internal server error"
}

HTTP Status Codes

While all responses are JSON with status field, errors may also include appropriate HTTP status codes:

200 OK: Success (with "status": "success")
200 OK: Error (with "status": "error")
302 Found: Invalid endpoint redirects to GitHub

Security Notes

Token Security:
- Tokens are the only authentication mechanism
- Treat tokens like passwords
- Never share tokens publicly
- Store securely in environment variables or secure vaults
Input Sanitization:
- All inputs are automatically sanitized
- HTML special characters escaped
- SQL injection prevention via prepared statements
- XSS protection via output encoding
HTTPS Required:
- All API requests must use HTTPS
- Plain HTTP redirects to HTTPS
CORS Policy:
- Only authorized origins allowed
- Custom headers restricted
- Credentials not included
Notification System:
- UDP notifications to backend services
- HMAC signatures for authenticity
- Separate secrets for different services

Support

Documentation: https://docs.doxx.net
Discord: https://discord.gg/Gr9rByrEzZ
Website: https://www.doxx.net

Code Examples

Python Example (Create Tunnel):

import requests

url = "https://setup.doxx.net"
data = {
    "create_tunnel": "1",
    "token": "YOUR_TOKEN_HERE",
    "type": "wireguard",
    "name": "My VPN",
    "server": "newyork-us",
    "bandwidth_stats": "1"
}

response = requests.post(url, data=data)
print(response.json())

JavaScript Example (List Tunnels):

const url = "https://setup.doxx.net";
const formData = new FormData();
formData.append("list_tunnels", "1");
formData.append("token", "YOUR_TOKEN_HERE");

fetch(url, {
    method: "POST",
    body: formData
})
.then(response => response.json())
.then(data => console.log(data));

Bash Example (Authenticate):

curl -X POST https://setup.doxx.net \
  -d "auth=1" \
  -d "token=YOUR_TOKEN_HERE"

Last Updated: October 23, 2025

API Reference

Table of Contents

Authentication

Authenticate User

Parameters:

Example Request:

Success Response:

Error Responses:

Account Management

Create Account

Parameters:

Example Request:

Success Response (Regular Account):

Notes:

Delete Account

Parameters:

Example Request:

Success Response:

Deletion Process:

Notes:

Tunnel Management

Create Tunnel

Parameters:

Example Request:

Success Response:

IPv4 Allocation:

IPv6 Allocation:

WireGuard Keys:

Error Responses:

Update Tunnel

Parameters:

Example Request:

Success Response:

Notes:

List Tunnels

Parameters:

Example Request:

Success Response:

Response Fields:

Delete Tunnel

Parameters:

Example Request:

Success Response:

Deletion Process:

Notes:

Get WireGuard Configuration

Parameters:

Example Request:

Success Response:

Notes:

Server Management

List Servers

Parameters:

Example Request:

Success Response:

Server Types:

Notes:

Domain Management

Create Domain

Parameters:

Example Request:

Success Response:

Domain Rules:

Automatic Record Creation:

Error Responses:

List Domains

Parameters:

Example Request:

Success Response:

Delete Domain

Parameters:

Example Request:

Success Response:

Deletion Process:

DNS Management

Create DNS Record

Parameters:

SRV Record Additional Parameters:

Example Request (A Record):

Example Request (SRV Record):