Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.tinfoil.sh/llms.txt

Use this file to discover all available pages before exploring further.

tinfoil-proxy

Run the same verified proxy as Tinfoil Proxy as a plain foreground process. GitHub: tinfoilsh/tinfoil-proxy
tinfoil-proxy is a small Go binary that serves the same http://127.0.0.1:3301/v1 endpoint as the menu-bar app. It’s the right pick for scripts, CI runners, headless servers, or any workflow where you don’t want a GUI.

Install

Pre-built binaries

Each release publishes standalone tinfoil-proxy binaries for macOS, Linux, and Windows alongside the Electron installers. Grab the one for your OS from the releases page.

From source

go install github.com/tinfoilsh/tinfoil-proxy@latest
This drops tinfoil-proxy into $GOPATH/bin (usually $HOME/go/bin). Make sure that’s on your PATH.

Run it

tinfoil-proxy
The defaults are sensible: tinfoil-proxy listens on http://127.0.0.1:3301 and auto-selects a Tinfoil router enclave, verifies its attestation against the public transparency log, and pins the attested public-key fingerprint for upstream TLS connections. If the enclave rotates its TLS certificate later, the underlying Go client re-runs attestation before trusting the new key. Point any OpenAI-compatible client at: 
Base URL: http://127.0.0.1:3301/v1

Pin a specific enclave

--host and --repo are an all-or-nothing pair — leave both empty for auto-discovery, or set both to pin a particular enclave + config repo: 
tinfoil-proxy \
  -r tinfoilsh/confidential-model-router \
  -e inference.tinfoil.sh \
  -p 3301

Choose a custom port

tinfoil-proxy -p 9443
# clients now use http://127.0.0.1:9443/v1

Command options

FlagDescriptionDefault
-p, --portPort to listen on3301
-b, --bindAddress to bind to127.0.0.1
-e, --hostPin a specific enclave hostnameauto
-r, --repoPin a specific config repoauto
--log-formattext or jsontext
-v, --verboseVerbose outputoff
-t, --traceTrace outputoff

Use it from any tool

Once tinfoil-proxy is running, the local endpoint is just a regular OpenAI-compatible base URL. See the coding agents tutorial for plug-and-play setups for Cline, Factory Droid, OpenCode, Hermes, and more.

Compare to the menu-bar app

tinfoil-proxy (CLI) and Tinfoil Proxy (menu-bar app) ship from the same repo. Both expose the same local endpoint (http://127.0.0.1:3301/v1 by default) and run identical attestation against the Tinfoil router enclave they forward to upstream. Pick whichever fits your workflow:
CLI (tinfoil-proxy)Menu-bar app (Tinfoil Proxy)
Best forScripts, CI, headless serversDay-to-day use on your laptop
Installgo install … or pre-built binary.pkg / .deb / .exe
Stays runningForeground processMenu-bar (opt in to Open at Login)
Auto-updateManualBuilt in (macOS & Windows)
Verification UILogsLive status