doxxcorp/config.doxx.net

doxx.net

Freedom and Privacy by Design

Portal · Discord · Terms · Privacy


doxx.net API

What is doxx.net?

doxx.net is a Virtual Networking Platform (VNP) built from the ground up for user rights, freedom of speech, flexibility, and privacy. Unlike traditional VPNs that simply tunnel traffic, doxx.net provides a complete networking platform with private mesh networking between devices, custom domain registration with 196 TLDs, authoritative DNS hosting, DNS threat blocking, geo-spoofing proxy, dedicated static IPs, certificate signing, and device-to-device firewall rules. Every component is designed with privacy as a core principle: accounts require no email or personal data, authentication is token-based, and the platform operates its own global DNS infrastructure independent of ICANN.

Overview

| API | Base URL | Purpose |
|---|---|---|
| Config API | https://config.doxx.net/v1/ | Account, tunnels, DNS, domains, firewall, proxy, certificates |
| Stats API | https://secure-wss.doxx.net | Real-time bandwidth, security events, threat monitoring |

Config API uses POST with application/x-www-form-urlencoded. Endpoints are selected by setting endpoint_name=1 as a parameter.

Regional failover endpoints:

  • https://config-us-east.doxx.net/v1/
  • https://config-us-west.doxx.net/v1/
  • https://config-eu-central.doxx.net/v1/

Detailed Endpoint Reference

For comprehensive parameter tables, response schemas, error handling, and examples per endpoint category, see the detailed docs:

| Section | Description |
|---|---|
| Authentication | Token types, roles, X-Auth encryption, security restrictions |
| Token Management | Multi-token CRUD, geo/IP fencing, tunnel scoping, expiration |
| Servers | List servers, TLDs, blocklist options |
| Tunnels | Create, list, update, delete tunnels, WireGuard config, connection options |
| Domains | Register, import, link profiles to domains |
| DNS Records | CRUD for A, AAAA, CNAME, TXT, MX, SRV, PTR, NS records, certificate signing |
| DNS Blocklists | Subscriptions, whitelists, blacklists, public DNS hashes |
| Firewall | Per-tunnel rules, Link All mesh mode |
| Proxy | Geo-spoofing location, browser fingerprint, timezone |
| Devices | Device management, rename, delete |
| Saved Profiles | WireGuard vs iOS profiles, static IPs, DNS hostnames |
| IP Addresses | Static IPv4/IPv6, dedicated public IPs, assignment, rotation |
| Error Codes | HTTP status codes, context field, extended error fields |

Response Format

All API responses include a context field that describes the endpoint, its parameters, and what happened. This field is designed for AI agents and programmatic consumers to understand the API without external documentation.

{
  "status": "success",
  "context": "servers: Lists available VPN servers with location, type, public key, and geographic region...",
  "servers": [...]
}

Error responses include what went wrong and how to fix it:

{
  "status": "error",
  "message": "A subscription is required to create tunnels",
  "context": "create_tunnel: Creates a new WireGuard tunnel... Error: subscription required. Fix: subscribe at...",
  "error_code": "feature_required",
  "upgrade_url": "https://doxx.net/ops/account/subscription"
}

Authentication

doxx.net uses token-based auth. No usernames, no passwords, no email.

| Token Type | What It Is | How You Get It |
|---|---|---|
| Auth Token | Your account identity. ~43 char base64 string. | Human creates account at a0x13.doxx.net |
| Tunnel Token | Identifies a specific VPN tunnel. | Returned by list_tunnels or create_tunnel |
| POW Token | One-time human verification. | DOXX POW challenge at account creation |

You cannot create accounts via API. A human must visit a0x13.doxx.net, complete the proof-of-work challenge, and accept the Terms of Service. The auth token from that process is then used for all API calls.

Token Roles (RBAC)

Each auth token has a role that controls which endpoints it can access:

| Role | Access Level |
|---|---|
| admin | Full access: account management, token CRUD, geo/IP fencing, plus all net-admin and read-only permissions |
| net-admin | Network changes: tunnels, DNS, domains, firewall, proxy, profiles, IP addresses, plus all read-only permissions |
| read-only | View only: list tunnels, servers, domains, DNS records, firewall rules, profiles, addresses |

Roles are hierarchical: admin > net-admin > read-only. The primary token from account creation is always admin. Additional tokens created via create_token default to read-only.

Endpoints that require a specific role return HTTP 403 with {"status":"error","message":"insufficient_role"} when the token's role is insufficient.


Common Workflows

Workflow 1: Set Up a VPN Tunnel

TOKEN="your_auth_token_here"
API="https://config.doxx.net/v1/"

# Step 1: List available servers
curl -s -X POST $API -d "servers=1" | jq '.servers[] | {server_name, location, description}'

# Step 2: Create a tunnel
curl -s -X POST $API -d "create_tunnel=1&token=$TOKEN&name=My+Laptop&server=wireguard.mia.us.doxx.net" | jq .

# Step 3: List your tunnels (get tunnel_token)
curl -s -X POST $API -d "list_tunnels=1&token=$TOKEN" | jq '.tunnels[] | {tunnel_token, name, assigned_ip, server}'

# Step 4: Get WireGuard config
curl -s -X POST $API -d "wireguard=1&token=$TOKEN&tunnel_token=TUNNEL_TOKEN_HERE" | jq .config

Workflow 2: Register a Domain and Add DNS Records

# Step 1: Register domain
curl -s -X POST $API -d "create_domain=1&token=$TOKEN&domain=mysite.doxx" | jq .

# Step 2: Add an A record
curl -s -X POST $API -d "create_dns_record=1&token=$TOKEN&domain=mysite.doxx&name=mysite.doxx&type=A&content=1.2.3.4&ttl=300" | jq .

# Step 3: Add a wildcard
curl -s -X POST $API -d "create_dns_record=1&token=$TOKEN&domain=mysite.doxx&name=*.mysite.doxx&type=A&content=1.2.3.4&ttl=300" | jq .

# Step 4: Sign a TLS certificate
openssl ecparam -genkey -name prime256v1 -out mysite.key
openssl req -new -key mysite.key -out mysite.csr -subj "/CN=mysite.doxx"
curl -s -X POST $API -d "sign_certificate=1&token=$TOKEN&domain=mysite.doxx" --data-urlencode "csr=$(cat mysite.csr)" -o mysite.crt

# Step 5: Verify DNS is live
dig A mysite.doxx @a.root-dx.net +short

Workflow 3: Configure DNS Blocking

# Step 1: See available blocklists
curl -s -X POST $API -d "dns_get_options=1" | jq '.options[] | {name, display_name, category, domain_count}'

# Step 2: Enable a blocklist on your tunnel
curl -s -X POST $API -d "dns_set_subscription=1&token=$TOKEN&tunnel_token=TUNNEL_TOKEN&subscription=ads&enabled=1" | jq .

# Step 3: Check tunnel DNS config
curl -s -X POST $API -d "dns_get_tunnel_config=1&token=$TOKEN&tunnel_token=TUNNEL_TOKEN" | jq .

# Step 4: Add a custom whitelist entry
curl -s -X POST $API -d "dns_add_whitelist=1&token=$TOKEN&tunnel_token=TUNNEL_TOKEN&domain=example.com" | jq .

Workflow 4: Monitor Your Network (Stats API)

# Real-time events via WebSocket
websocat "wss://secure-wss.doxx.net/ws?token=$TOKEN"

# Historical bandwidth (last hour)
# date -v-1H is the BSD/macOS form; on GNU/Linux use: date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ
curl -s "https://secure-wss.doxx.net/api/stats/bandwidth?token=$TOKEN&start=$(date -u -v-1H +%Y-%m-%dT%H:%M:%SZ)&end=$(date -u +%Y-%m-%dT%H:%M:%SZ)" | jq .

# Security alerts (last 24h)
curl -s "https://secure-wss.doxx.net/api/stats/alerts?token=$TOKEN&last=1d" | jq '.totals'

Workflow 5: Install WireGuard and Connect

The API gives you the WireGuard configuration. You need WireGuard installed on your system to use it.

TOKEN="your_auth_token_here"
API="https://config.doxx.net/v1/"

# Step 1: Create a tunnel on a server near you
curl -s -X POST $API -d "servers=1" | jq '.servers[] | {server_name, location}'
curl -s -X POST $API -d "create_tunnel=1&token=$TOKEN&name=My+Server&server=wireguard.mia.us.doxx.net"

# Step 2: Get tunnel_token from list
TUNNEL=$(curl -s -X POST $API -d "list_tunnels=1&token=$TOKEN" | jq -r '.tunnels[-1].tunnel_token')

# Step 3: Get WireGuard config
CONFIG=$(curl -s -X POST $API -d "wireguard=1&token=$TOKEN&tunnel_token=$TUNNEL")

# Step 4: Build the .conf file
PRIVATE_KEY=$(printf '%s' "$CONFIG" | jq -r '.config.interface.private_key')
ADDRESS=$(printf '%s' "$CONFIG" | jq -r '.config.interface.address')
DNS=$(printf '%s' "$CONFIG" | jq -r '.config.interface.dns')
PEER_KEY=$(printf '%s' "$CONFIG" | jq -r '.config.peer.public_key')
ENDPOINT=$(printf '%s' "$CONFIG" | jq -r '.config.peer.endpoint')
ALLOWED_IPS=$(printf '%s' "$CONFIG" | jq -r '.config.peer.allowed_ips')

# The file contains the tunnel's private key, so create it as root with mode 600
sudo sh -c 'umask 077; cat > /etc/wireguard/doxx.conf' << EOF
[Interface]
PrivateKey = $PRIVATE_KEY
Address = $ADDRESS
DNS = $DNS

[Peer]
PublicKey = $PEER_KEY
AllowedIPs = $ALLOWED_IPS
Endpoint = $ENDPOINT
PersistentKeepalive = 25
EOF

# Step 5: Connect
sudo wg-quick up doxx

# Step 6: Verify - you should now resolve .doxx domains
dig A doxx.net @10.10.10.10 +short

To disconnect: sudo wg-quick down doxx

To auto-start on boot: sudo systemctl enable wg-quick@doxx
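
A stricter form of Step 4, as an added example that is not part of the doxx.net repository: it checks every value taken from the `wireguard` response before writing it into a file that `wg-quick` processes as root, and creates that file with mode 600. The function names, the argument order and the validation patterns are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not doxx.net code). Names and patterns here are assumptions.
# wg-quick runs as root and executes PreUp/PostUp lines found in the config,
# so each API value is checked against a strict character set (which also
# rejects embedded newlines) before it is written.

# is_wg_key VALUE: 32-byte key in base64, i.e. 43 characters plus "=".
is_wg_key() {
  _body=${1%=}
  [ "${#1}" -eq 44 ] && [ "${#_body}" -eq 43 ] || return 1
  case "$_body" in *[!A-Za-z0-9+/]*) return 1 ;; esac
  return 0
}

# is_ip_list VALUE: comma-separated IPv4/IPv6 addresses or CIDRs.
is_ip_list() {
  [ -n "$1" ] || return 1
  case "$1" in *[!0-9A-Fa-f:./,\ ]*) return 1 ;; esac
  return 0
}

# is_endpoint VALUE: host:port, the form shown in the page's sample response.
is_endpoint() {
  case "$1" in *:*) ;; *) return 1 ;; esac
  case "$1" in *[!A-Za-z0-9.:-]*) return 1 ;; esac
  _port=${1##*:}
  case "$_port" in ''|*[!0-9]*) return 1 ;; esac
  return 0
}

# render_wg_conf OUT PRIVATE_KEY ADDRESS DNS PEER_KEY ALLOWED_IPS ENDPOINT
# Example: render_wg_conf /etc/wireguard/doxx.conf "$PRIVATE_KEY" "$ADDRESS" \
#            "$DNS" "$PEER_KEY" "$ALLOWED_IPS" "$ENDPOINT"   (run as root)
render_wg_conf() {
  is_wg_key "$2"   || { echo "rejected: interface.private_key" >&2; return 1; }
  is_ip_list "$3"  || { echo "rejected: interface.address" >&2; return 1; }
  is_ip_list "$4"  || { echo "rejected: interface.dns" >&2; return 1; }
  is_wg_key "$5"   || { echo "rejected: peer.public_key" >&2; return 1; }
  is_ip_list "$6"  || { echo "rejected: peer.allowed_ips" >&2; return 1; }
  is_endpoint "$7" || { echo "rejected: peer.endpoint" >&2; return 1; }
  (
    umask 077                       # file is created as -rw-------
    _tmp="$1.tmp.$$"
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n\n' \
      "$2" "$3" "$4" > "$_tmp" &&
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s\nPersistentKeepalive = 25\n' \
      "$5" "$6" "$7" >> "$_tmp" &&
    mv "$_tmp" "$1"                 # rename so a partial file is never used
  )
}
```

A missing field comes out of `jq -r` as the string `null`, which every check above rejects.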

Workflow 6: Link Tunnels Together (Mesh Networking)

doxx.net firewall rules let your tunnels talk to each other. This creates a private mesh network between your devices.

TOKEN="your_auth_token_here"
API="https://config.doxx.net/v1/"

# Option A: Link ALL tunnels (easiest)
# Every tunnel can reach every other tunnel on your account
curl -s -X POST $API -d "firewall_link_all_toggle=1&token=$TOKEN&enabled=1" | jq .

# Check status
curl -s -X POST $API -d "firewall_link_all_status=1&token=$TOKEN" | jq .

# Option B: Link specific tunnels (1:1 rules)
# Get your tunnel IPs
curl -s -X POST $API -d "list_tunnels=1&token=$TOKEN" | jq '.tunnels[] | {name, tunnel_token, assigned_ip, assigned_v6}'

# Allow Laptop (10.1.0.227) to reach Server (10.1.2.101) on all ports
curl -s -X POST $API -d "firewall_rule_add=1&token=$TOKEN&tunnel_token=SERVER_TUNNEL_TOKEN&protocol=ALL&src_ip=10.1.0.227/32&src_port=ALL&dst_ip=10.1.2.101&dst_port=ALL" | jq .

# Allow Server to reach Laptop (bidirectional)
curl -s -X POST $API -d "firewall_rule_add=1&token=$TOKEN&tunnel_token=LAPTOP_TUNNEL_TOKEN&protocol=ALL&src_ip=10.1.2.101/32&src_port=ALL&dst_ip=10.1.0.227&dst_port=ALL" | jq .

# Now you can SSH from laptop to server via their doxx.net tunnel IPs:
# ssh user@10.1.2.101

Workflow 7: Full Domain Setup with TLS

Complete domain registration, DNS, and TLS certificate in one go.

TOKEN="your_auth_token_here"
API="https://config.doxx.net/v1/"
DOMAIN="myapp.crypto"

# Step 1: Register the domain
curl -s -X POST $API -d "create_domain=1&token=$TOKEN&domain=$DOMAIN" | jq .

# Step 2: Point it to your server
curl -s -X POST $API -d "create_dns_record=1&token=$TOKEN&domain=$DOMAIN&name=$DOMAIN&type=A&content=YOUR_SERVER_IP&ttl=300" | jq .
curl -s -X POST $API -d "create_dns_record=1&token=$TOKEN&domain=$DOMAIN&name=*.$DOMAIN&type=A&content=YOUR_SERVER_IP&ttl=300" | jq .

# Step 3: Generate key + CSR
openssl ecparam -genkey -name prime256v1 -out $DOMAIN.key 2>/dev/null
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr -subj "/CN=$DOMAIN" 2>/dev/null

# Step 4: Sign the certificate (auto-wildcarded to *.domain + domain)
curl -s -X POST $API \
  -d "sign_certificate=1&token=$TOKEN&domain=$DOMAIN" \
  --data-urlencode "csr=$(cat $DOMAIN.csr)" \
  -o $DOMAIN.crt

# Step 5: Download the root CA (clients need to trust this)
# Also available from your portal
curl -s -o doxx-root-ca.crt https://a0x13.doxx.net/assets/doxx-root-ca.crt

# Step 6: Install in nginx/caddy/etc
# nginx example:
#   ssl_certificate     /path/to/myapp.crypto.crt;
#   ssl_certificate_key /path/to/myapp.crypto.key;

# Step 7: Verify
openssl x509 -in $DOMAIN.crt -noout -subject -ext subjectAltName
# Subject: CN=myapp.crypto
# SAN: DNS:*.myapp.crypto, DNS:myapp.crypto

dig A $DOMAIN @a.root-dx.net +short
# YOUR_SERVER_IP

Important: doxx.net TLS certificates are signed by the doxx.net root CA, not a public CA like Let's Encrypt. Clients connecting to your service need the doxx.net root CA installed in their trust store. VPN users on doxx.net already have it. For non-VPN users, distribute the root CA cert or use it for internal/development services.


Available TLDs (196)

Register domains under any of these top-level domains. Default is .doxx if you don't specify one.

Single Letters (25): .b .c .d .e .f .g .h .i .j .k .l .m .n .o .p .q .r .s .t .u .v .w .x .y .z

Numbers (9): .8 .67 .123 .404 .418 .888 .1337 .6667 .31337

Crypto & Web3: .btc .crypto .cryptoart .dai .dao .degen .doge .eth .fomo .fud .hodl .ltc .ngmi .rekt .rugpull .seed .shib .sol .token .usd .usdc .usdt .wallet .whale .xmr

Hacking & Security: .bitrot .bug .cipher .cyber .debug .decay .dmz .exploit .glitch .hash .onion .owned .phreak .pwnd .salt .spectre .tor .vault .void

Tech & Infrastructure: .access .admin .api .archive .asic .async .audit .auth .backup .block .cache .cert .chain .clone .cod .core .corp .cpu .csv .dhcp .dns .driver .drone .edge .epoch .error .exit .external .fork .fpga .geo .git .govt .gpu .html .http .https .internal .internet .internets .ipsec .ipv4 .ipv6 .js .json .kernel .key .lab .lan .layer .local .log .mail .matrix .mesh .meta .military .mirror .mongo .mysql .nat .node .null .oauth .offline .ops .peer .pem .posix .privacy .proof .pull .push .queue .quic .redis .relay .root .rpc .sandbox .sig .sql .srv .stack .sub .swarm .sync .syscall .term .test .tmp .trace .unix .v1 .v2 .verify .wan .web .wireguard .wg .x86 .xml .yaml

Gaming & Culture: .ape .amd .bear .bull .darwin .dojo .doxx .gamer .gta .gta5 .gta6 .home .slop .vibe .vpn

Examples:

  • mysite.doxx (default)
  • cool.crypto
  • secret.onion
  • dev.cyber
  • trading.eth
  • myapp.vpn
  • game.gta6

Certificate Signing Details

How It Works

  1. You generate a private key and CSR locally (key never leaves your machine)
  2. Submit the CSR to the sign_certificate endpoint
  3. doxx.net signs it with the doxx.net root CA and returns the certificate
  4. The certificate is automatically upgraded to wildcard (*.domain + domain)

Root CA Info

| Property | Value |
|---|---|
| Subject | CN=doxx.net root CA, O=doxx.net root CA |
| Validity | Jan 2025 - Jan 2035 (10 years) |
| Key Type | RSA |
| Signed Certs Validity | 365 days |
| SAN | Wildcard + base domain automatically |

Installing the Root CA

Clients that connect to services using doxx.net-signed certificates need to trust the root CA.

Get the root CA certificate:

curl -o doxx-root-ca.crt https://a0x13.doxx.net/assets/doxx-root-ca.crt

macOS:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain doxx-root-ca.crt

Linux (Debian/Ubuntu):

sudo cp doxx-root-ca.crt /usr/local/share/ca-certificates/doxx-root-ca.crt
sudo update-ca-certificates

Windows:

certutil -addstore root doxx-root-ca.crt

Firefox (uses its own CA store): Settings > Privacy & Security > Certificates > View Certificates > Import

VPN users: If you're connected to doxx.net via WireGuard with DNS set to 10.10.10.10, the root CA is already trusted by the VPN DNS resolver for .doxx domain resolution. But for TLS (HTTPS), you still need to install the root CA in your OS/browser trust store.


DNS Infrastructure

doxx.net runs its own global DNS system. Understanding it is key to using domains and the VPN correctly.

Three DNS Layers

1. VPN Recursive DNS (internal, VPN-only)

Only accessible when connected via WireGuard. Provides personalized DNS blocking, DNSSEC validation, and resolves all .doxx ecosystem TLDs.

| Address | Protocol |
|---|---|
| 10.10.10.10 | UDP/TCP DNS (IPv4) |
| fd53:: | UDP/TCP DNS (IPv6) |

These are set automatically when you use the WireGuard config from the wireguard endpoint.

2. Public Recursive DNS (anyone on the internet)

Resolves both standard internet domains AND all doxx.net ecosystem TLDs. Available to anyone, not just VPN users.

| Address | Protocol |
|---|---|
| 207.207.200.200 | UDP/TCP DNS (IPv4) |
| 207.207.201.201 | UDP/TCP DNS (IPv4) |
| 2602:f5c1:: | UDP/TCP DNS (IPv6 Americas) |
| 2a11:46c0:: | UDP/TCP DNS (IPv6 Europe) |
| https://doxx.net/ | DoH (DNS-over-HTTPS) |
| doxx.net:853 | DoT (DNS-over-TLS) |

# Resolve a .doxx domain from anywhere on the internet (no VPN needed)
dig A mysite.doxx @207.207.200.200 +short

# Or use DoH
curl -s -H "accept: application/dns-json" "https://doxx.net/dns-query?name=mysite.doxx&type=A"

3. Authoritative DNS (for hosting domains)

These are the nameservers you point your domain registrar to when importing external domains. They also serve as the root authority for all .doxx ecosystem TLDs.

| Nameserver | IPv4 | IPv6 |
|---|---|---|
| a.root-dx.net | 207.207.200.53, 207.207.201.53 | 2602:f5c1::53, 2a11:46c0::53 |
| a.root-dx.com | 207.207.200.53, 207.207.201.53 | 2602:f5c1::53, 2a11:46c0::53 |
| a.root-dx.org | 207.207.200.53, 207.207.201.53 | 2602:f5c1::53, 2a11:46c0::53 |

Resolving .doxx Domains Without the VPN

You don't need to be on the VPN to resolve .doxx, .crypto, .x, or any doxx.net TLD. Use the public recursive DNS:

# Method 1: Direct DNS query
dig A mysite.doxx @207.207.200.200 +short

# Method 2: Configure your system resolver
# Add to /etc/resolv.conf (Linux) or System Preferences > Network > DNS (macOS):
# nameserver 207.207.200.200
# nameserver 207.207.201.201

# Method 3: Use Secure DNS (DoH) with your personalized blocking
# First create a Secure DNS hash via the API:
curl -s -X POST https://config.doxx.net/v1/ \
  -d "public_dns_create_hash=1&token=$TOKEN&tunnel_token=$TUNNEL" | jq .
# Returns: {"host_hash": "gl6nqcbyhsau", "doh_url": "https://gl6nqcbyhsau.sdns.doxx.net/dns-query"}

# Then configure your browser/OS to use that DoH URL
# This gives you your VPN's DNS blocking settings without being on the VPN

# Method 4: In your application code
# Just point DNS queries to 207.207.200.200 for any .doxx domain resolution

Importing External Domains

When you import a .com, .net, .org (etc.) domain, you need to:

  1. Get your verification code: get_domain_validation
  2. Set a TXT record at your current DNS provider: _doxx-verify.yourdomain.com with the code
  3. Import the domain: import_domain
  4. Update your registrar's nameservers to:
     a.root-dx.net
     a.root-dx.com
     a.root-dx.org

DNS propagation for nameserver changes takes up to 48 hours.

Verifying DNS

# Check if your domain is live on doxx.net authoritative DNS
dig A mysite.doxx @a.root-dx.net +short
dig A mysite.doxx @a.root-dx.com +short
dig A mysite.doxx @a.root-dx.org +short

# Check via public recursive DNS
dig A mysite.doxx @207.207.200.200 +short

# Check via VPN DNS (must be connected)
dig A mysite.doxx @10.10.10.10 +short

# Check SOA (zone exists?)
dig SOA mysite.doxx @a.root-dx.net +short

# Check all records
dig ANY mysite.doxx @a.root-dx.net

Secure DNS (DoH/DoT) with Personalized Blocking

Create a Secure DNS hash to get your tunnel's DNS blocking settings available via DoH/DoT, usable from any device (no VPN required).

# Create a Secure DNS hash
curl -s -X POST $API -d "public_dns_create_hash=1&token=$TOKEN&tunnel_token=$TUNNEL" | jq .
{
  "status": "success",
  "host_hash": "gl6nqcbyhsau",
  "doh_url": "https://gl6nqcbyhsau.sdns.doxx.net/dns-query",
  "dot_host": "gl6nqcbyhsau.sdns.doxx.net"
}

Configure on any device:

  • DoH (DNS-over-HTTPS): https://gl6nqcbyhsau.sdns.doxx.net/dns-query
  • DoT (DNS-over-TLS): gl6nqcbyhsau.sdns.doxx.net on port 853
  • iOS: Settings > General > VPN & Device Management > DNS > add DoH URL
  • Android: Settings > Network > Private DNS > enter DoT hostname
  • Chrome: Settings > Security > Use secure DNS > Custom > enter DoH URL
  • Firefox: Settings > Network > DNS over HTTPS > Custom > enter DoH URL

Error Handling

All errors return:

{
  "status": "error",
  "message": "Description of what went wrong"
}

| HTTP Code | Meaning | What To Do |
|---|---|---|
| 200 | Success | Parse status field ("success" or "error") |
| 400 | Missing/invalid parameter | Check required parameters |
| 401 | Invalid or missing token | Verify your auth token |
| 403 | Forbidden | POW required or wrong owner |
| 404 | Not found | Resource doesn't exist |
| 500 | Server error | Retry or contact support |
| 503 | Service degraded | Try a different regional endpoint |

Important: HTTP 200 can still contain "status": "error" in the JSON body. Always check the status field.
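
The rules in this section as a reusable wrapper (an added example, not code from the doxx.net repository): it checks the JSON status even on HTTP 200, moves to the next regional failover endpoint on 503, and keeps the auth token out of the process list. `doxx_decide`, `doxx_call` and `DOXX_TOKEN_FILE` are hypothetical names, and treating a curl connection failure like 503 is an assumption.

```shell
#!/bin/sh
# Added example (not doxx.net code). Function names and DOXX_TOKEN_FILE are
# assumptions. Requires curl and jq; intended for the JSON endpoints.

DOXX_ENDPOINTS="https://config.doxx.net/v1/
https://config-us-east.doxx.net/v1/
https://config-us-west.doxx.net/v1/
https://config-eu-central.doxx.net/v1/"

# doxx_decide HTTP_CODE JSON_STATUS -> ok | failover | retry | fatal
# "000" is what curl reports when no HTTP response arrived; treating it like
# 503 is an assumption of this sketch.
doxx_decide() {
  case "$1" in
    200) if [ "$2" = "success" ]; then echo ok; else echo fatal; fi ;;
    503|000) echo failover ;;
    500) echo retry ;;
    *) echo fatal ;;
  esac
}

# doxx_call ENDPOINT [name=value ...]
# Prints the JSON body on success. The token is read from DOXX_TOKEN_FILE and
# handed to curl through a config on stdin, so it never appears in `ps` output
# or in shell history.
doxx_call() {
  _name=$1; shift
  # Turn each name=value argument into a --data-urlencode pair.
  for _kv in "$@"; do set -- "$@" --data-urlencode "$_kv"; shift; done
  _resp=$(mktemp) || return 1
  for _url in $DOXX_ENDPOINTS; do
    for _try in 1 2; do
      _code=$(printf 'data-urlencode = "token=%s"\n' "$(cat "$DOXX_TOKEN_FILE")" |
        curl -sS -K - -o "$_resp" -w '%{http_code}' --max-time 20 \
             -d "$_name=1" "$@" "$_url") || _code=000
      _status=$(jq -r '.status // empty' "$_resp" 2>/dev/null) || _status=
      case $(doxx_decide "$_code" "$_status") in
        ok)       cat "$_resp"; rm -f "$_resp"; return 0 ;;
        fatal)    cat "$_resp" >&2; rm -f "$_resp"; return 1 ;;
        failover) break ;;      # move to the next regional endpoint
        retry)    sleep 2 ;;    # one more attempt; only for calls safe to repeat
      esac
    done
  done
  rm -f "$_resp"
  echo "no endpoint returned a usable response" >&2
  return 1
}
```

Usage, with the token stored in a file readable only by you: `DOXX_TOKEN_FILE=~/.config/doxx/token doxx_call list_tunnels | jq '.tunnels[].name'`.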


Config API Reference

Account

auth

curl -s -X POST $API -d "auth=1&token=$TOKEN"
{"status": "success", "message": "Authentication successful"}

tos_status

curl -s -X POST $API -d "tos_status=1&token=$TOKEN"
{"status": "success", "tos_accepted": true, "accepted_at": "2026-01-15 10:00:00", "version": "1.0"}

accept_tos

Requires net-admin role.

curl -s -X POST $API -d "accept_tos=1&token=$TOKEN"
{"status": "success", "message": "Terms of Service accepted"}

get_profile

curl -s -X POST $API -d "get_profile=1&token=$TOKEN"
{
  "status": "success",
  "profile": {
    "recovery_email": null,
    "recovery_phone": null,
    "email_notifications": 0,
    "sms_notifications": 0,
    "created_at": "2025-06-01 12:00:00",
    "updated_at": "2026-02-08 10:00:00"
  },
  "recovery_codes_count": 10
}

update_profile

Requires admin role.

Parameter Required
token Yes
email No
name No

create_account_recovery

Requires admin role.

curl -s -X POST $API -d "create_account_recovery=1&token=$TOKEN"
{
  "status": "success",
  "message": "Recovery codes generated successfully",
  "codes": ["abc123", "def456", "..."],
  "set_id": "set_abc",
  "created_at": "2026-02-08T19:00:00Z"
}

verify_account_recovery

Parameter Required
recovery_code Yes
{"status": "success", "message": "Account recovery successful", "new_token": "new_token_here", "user_id": 123}

delete_account

Requires admin role.

curl -s -X POST $API -d "delete_account=1&token=$TOKEN"
{"status": "success", "message": "Account deleted successfully"}

Servers

servers

No auth required.

curl -s -X POST $API -d "servers=1"
{
  "status": "success",
  "servers": [
    {
      "server_name": "wireguard.mia.us.doxx.net",
      "location": "Miami, FL",
      "description": "US Southeast",
      "type": "wireguard",
      "public_key": "abc123...",
      "best_for": "US East Coast",
      "operator": "doxx.net",
      "bg_image": "miami.jpg",
      "flag_image": "us.svg",
      "continent": "NA"
    }
  ]
}

Tunnels

list_tunnels

curl -s -X POST $API -d "list_tunnels=1&token=$TOKEN"
{
  "status": "success",
  "tunnels": [
    {
      "tunnel_token": "Eh1xwlLd...",
      "name": "My Laptop",
      "server": "wireguard.mia.us.doxx.net",
      "assigned_ip": "10.1.0.226/31",
      "assigned_v6": "2602:f5c1:1::1c0:8916/127",
      "public_key": "abc...",
      "private_key": "xyz...",
      "type": "wireguard",
      "device_hash": "",
      "device_type": "",
      "created_at": "2025-06-01T12:00:00Z",
      "block_bad_dns": 1,
      "firewall": 1,
      "ipv6_enabled": 1,
      "onion_enabled": 0,
      "proxy_enabled": 0,
      "is_connected": true,
      "connection_status": "connected"
    }
  ]
}

create_tunnel

Requires net-admin role.

Parameter Required Description
token Yes Auth token
name No Tunnel name
server Yes Server hostname from servers endpoint
{"status": "success", "message": "Tunnel created successfully"}

create_tunnel_mobile

Parameter Required Description
token Yes Auth token
server Yes Server hostname
device_hash No Device identifier
device_type No mobile, desktop, server, web
{
  "status": "success",
  "message": "Mobile tunnel created successfully",
  "tunnel_token": "new_token...",
  "server": "wireguard.mia.us.doxx.net",
  "assigned_ip": "10.1.2.3/31",
  "assigned_v6": "2602:f5c1:1::abc:1234/127",
  "public_key": "abc...",
  "private_key": "xyz..."
}

update_tunnel

Parameter Required Description
token Yes Auth token
tunnel_token Yes Tunnel token
name No New name
server No New server
firewall No 1 or 0
ipv6_enabled No 1 or 0
block_bad_dns No 1 or 0
{"status": "success", "message": "Tunnel updated successfully"}

delete_tunnel

Requires net-admin role.

Parameter Required
token Yes
tunnel_token Yes
{"status": "success", "message": "Tunnel deleted successfully"}

wireguard

Get WireGuard configuration file data.

Parameter Required
token Yes
tunnel_token Yes
{
  "status": "success",
  "config": {
    "interface": {
      "private_key": "your_private_key",
      "address": "10.1.0.227/31, 2602:f5c1:1::1c0:8917/128",
      "dns": "10.10.10.10,fd53::"
    },
    "peer": {
      "public_key": "server_public_key",
      "allowed_ips": "0.0.0.0/0, ::/0",
      "endpoint": "wireguard.mia.us.doxx.net:51820",
      "persistent_keepalive": 25
    }
  }
}

disconnect_peer

Parameter Required
token Yes
tunnel_token Yes

DNS Blocking

dns_get_options

No auth required.

{
  "status": "success",
  "options": [
    {
      "name": "ads",
      "display_name": "Advertising",
      "description": "Block ad networks and trackers",
      "category": "privacy",
      "icon": "ad-icon",
      "domain_count": 150000,
      "default_enabled": true,
      "user_toggleable": true,
      "is_base_safety": false
    }
  ]
}

dns_get_tunnel_config

Parameter Required
token Yes
tunnel_token Yes
{
  "status": "success",
  "tunnel_token": "abc...",
  "dns_blocking_enabled": true,
  "base_protections": ["malware", "phishing"],
  "subscriptions": [
    {"blocklist_name": "ads", "enabled": 1}
  ],
  "whitelists": [
    {"domain": "example.com", "reason": null}
  ],
  "blacklists": [
    {"domain": "evil.com", "reason": "manual block"}
  ]
}

dns_set_subscription

Parameter Required Description
token Yes Auth token
tunnel_token Yes Tunnel token
subscription Yes Blocklist name
enabled Yes 1 or 0
apply_to_all No 1 to apply to all tunnels
{"status": "success", "message": "Subscription updated", "blocklist": "ads", "enabled": true, "tunnels_updated": 1}

dns_add_whitelist / dns_remove_whitelist

Parameter Required
token Yes
tunnel_token Yes
domain Yes
apply_to_all No

dns_add_blacklist / dns_remove_blacklist

Same parameters as whitelist.

dns_blocklist_stats

Parameter Required
token Yes
{
  "status": "success",
  "total_domains": 500000,
  "count": 12,
  "lists": [
    {
      "name": "ads",
      "display_name": "Advertising",
      "domain_count": 150000,
      "category": "privacy",
      "is_base_safety": false,
      "default_enabled": true,
      "enabled": true
    }
  ]
}

Firewall

firewall_rule_list

Parameter Required Description
token Yes Auth token
tunnel_token No Filter by tunnel
{
  "status": "success",
  "link_all_enabled": false,
  "rules": [
    {
      "tunnel_token": "abc...",
      "protocol": "TCP",
      "src_ip": "0.0.0.0/0",
      "src_port": "ALL",
      "dst_ip": "10.1.0.227",
      "dst_port": "443"
    }
  ],
  "count": 1
}

firewall_rule_add

Parameter Required Description
token Yes Auth token
tunnel_token Yes Tunnel token
protocol Yes TCP, UDP, ICMP, ALL
src_ip Yes Source IP/CIDR
src_port Yes Port or ALL
dst_ip Yes Your tunnel IP
dst_port Yes Destination port
{
  "status": "success",
  "message": "Firewall rule created successfully",
  "rule": {"tunnel_token": "abc...", "protocol": "TCP", "src_ip": "0.0.0.0/0", "src_port": "ALL", "dst_ip": "10.1.0.227", "dst_port": "443", "enabled": 1}
}

firewall_rule_delete

Same parameters as firewall_rule_add.

{"status": "success", "message": "Firewall rule deleted successfully"}

firewall_link_all_toggle

Parameter Required
token Yes
enabled Yes (1 or 0)
{"status": "success", "message": "Link all enabled", "link_all_tunnels": 1, "rules_deleted": 0}

firewall_link_all_status

{"status": "success", "link_all_tunnels": 0}
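
A least-privilege review of a `firewall_rule_list` response, as an added example that is not part of the doxx.net repository: it reports Link All mode, rules whose source is a `/0` network, and rules that open every protocol and port. The function names and finding labels are assumptions, the sample response is constructed from the field layout shown above, and `jq` is required.

```shell
#!/bin/sh
# Added example (not doxx.net code); requires jq. Names are assumptions.

# audit_firewall_rules: reads a firewall_rule_list response on stdin and
# prints one tab-separated finding per line: reason, tunnel_token, rule.
audit_firewall_rules() {
  jq -r '
    def line(reason): [reason, .tunnel_token,
      "\(.protocol) \(.src_ip):\(.src_port) -> \(.dst_ip):\(.dst_port)"] | @tsv;
    (select(.link_all_enabled == true)
      | "link-all\t*\tall tunnels on the account can reach each other"),
    (.rules[]?
      | (select(.src_ip | test("/0$")) | line("any-source")),
        (select(.protocol == "ALL" and .dst_port == "ALL") | line("all-ports")))
  '
}

# sample_firewall_response: constructed sample data, not real API output.
sample_firewall_response() {
  cat <<'EOF'
{
  "status": "success",
  "link_all_enabled": false,
  "rules": [
    {"tunnel_token": "tok-web", "protocol": "TCP", "src_ip": "0.0.0.0/0",
     "src_port": "ALL", "dst_ip": "10.1.0.227", "dst_port": "443"},
    {"tunnel_token": "tok-srv", "protocol": "ALL", "src_ip": "10.1.0.227/32",
     "src_port": "ALL", "dst_ip": "10.1.2.101", "dst_port": "ALL"},
    {"tunnel_token": "tok-lap", "protocol": "TCP", "src_ip": "10.1.2.101/32",
     "src_port": "ALL", "dst_ip": "10.1.0.227", "dst_port": "22"}
  ],
  "count": 3
}
EOF
}
```

Against the live API, pipe the output of the `firewall_rule_list` call into `audit_firewall_rules`.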

Domains

list_domains

{
  "status": "success",
  "domains": [
    {"name": "mysite.doxx", "id": 1234}
  ]
}

create_domain

Parameter Required Description
token Yes Auth token
domain Yes e.g., mysite.doxx or mysite (defaults to .doxx)

196 TLDs available: .doxx, .crypto, .vpn, .hack, .dao, .eth, .dns, .tor, .onion, .cyber, and more.

{"status": "success", "message": "Domain registered successfully"}

delete_domain

{"status": "success", "message": "Domain deleted successfully"}

import_domain

Import external domains (.com, .net, .org) via TXT record verification.

Parameter Required
token Yes
domain Yes
{
  "status": "success",
  "message": "Domain imported successfully",
  "nameservers": ["a.root-dx.net", "a.root-dx.com", "a.root-dx.org"],
  "note": "Update your domain registrar to use these nameservers"
}

get_domain_validation

Get the TXT verification code. Set as _doxx-verify.yourdomain.com TXT record, then call import_domain.

{"status": "success", "validation_code": "a1b2c3d4e5f6..."}

DNS Records

Supported types: A, AAAA, CNAME, MX, TXT, NS, SRV, PTR

list_dns

Parameter Required
token Yes
domain Yes
{
  "status": "success",
  "domain": "mysite.doxx",
  "records": [
    {"name": "mysite.doxx", "type": "A", "content": "1.2.3.4", "ttl": 300, "prio": 0},
    {"name": "mysite.doxx", "type": "SOA", "content": "ns.doxx. hostmaster.doxx. 2026020801 10800 3600 604800 3600", "ttl": 3600, "prio": 0},
    {"name": "mysite.doxx", "type": "NS", "content": "ns.doxx.", "ttl": 3600, "prio": 0}
  ]
}

create_dns_record

Parameter Required Description
token Yes Auth token
domain Yes Domain name
name Yes FQDN or @ for apex
type Yes Record type
content Yes Record value
ttl No Default: 3600
prio No Priority (MX)

SRV records use: srv_priority, srv_weight, srv_port, srv_target

{"status": "success", "message": "DNS record created successfully"}

update_dns_record

Parameter Required
token Yes
domain Yes
old_name Yes
old_type Yes
old_content Yes
name Yes
content Yes
ttl Yes
{"status": "success", "message": "DNS record updated successfully"}

delete_dns_record

Parameter Required
token Yes
domain Yes
name Yes
type Yes
content Yes
{"status": "success", "message": "DNS record deleted successfully"}

Public DNS (Secure DNS Sharing)

Create DoH/DoT endpoints that share your tunnel's DNS blocking config: HASH.sdns.doxx.net

public_dns_list_hashes

{
  "status": "success",
  "count": 1,
  "hashes": [
    {
      "host_hash": "gl6nqcbyhsau",
      "tunnel_token": "abc...",
      "label": "",
      "created_at": "2025-12-01 10:00:00",
      "tunnel_name": "My Laptop",
      "tunnel_server": "wireguard.mia.us.doxx.net",
      "doh_url": "https://gl6nqcbyhsau.sdns.doxx.net/dns-query",
      "dot_host": "gl6nqcbyhsau.sdns.doxx.net"
    }
  ]
}

public_dns_create_hash

Parameter Required
token Yes
tunnel_token Yes
{
  "status": "success",
  "host_hash": "gl6nqcbyhsau",
  "tunnel_token": "abc...",
  "doh_url": "https://gl6nqcbyhsau.sdns.doxx.net/dns-query",
  "dot_host": "gl6nqcbyhsau.sdns.doxx.net"
}

public_dns_delete_hash

Parameter Required
token Yes
host_hash Yes

Proxy

get_proxy_config

Parameter Required
token Yes
tunnel_token Yes
{
  "status": "success",
  "config": {
    "tunnel_token": "abc...",
    "assigned_ip": "10.1.0.226",
    "assigned_v6": "2602:f5c1:1::1c0:8916",
    "enabled": false,
    "location": "newyork-us",
    "browser": null,
    "custom_lat": null,
    "custom_lon": null
  }
}

update_proxy_config

Parameter Required Description
token Yes Auth token
tunnel_token Yes Tunnel token
enabled No 1 to enable
location No Location ID
browser No Browser fingerprint
{"status": "success", "message": "Proxy configuration updated"}

Certificates

sign_certificate

Signs a CSR with the doxx.net root CA. Auto-upgrades to wildcard. Returns raw PEM, not JSON.

Parameter Required
token Yes
domain Yes (must own it)
csr Yes (PEM-encoded)
curl -s -X POST $API \
  -d "sign_certificate=1&token=$TOKEN&domain=mysite.doxx" \
  --data-urlencode "csr=$(cat mysite.csr)" -o mysite.crt

The certificate includes SAN: DNS:*.mysite.doxx, DNS:mysite.doxx
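
An added example, not part of the doxx.net repository: because `sign_certificate` returns raw PEM on success and the workflows save the response with `curl -o`, an error response ends up inside the `.crt` file. The check below covers that case together with the verification step of Workflow 7; the function name `check_signed_cert` and its exit codes are assumptions, and it needs the `openssl` CLI plus the root CA file downloaded earlier.

```shell
#!/bin/sh
# Added example (not doxx.net code). Function name and exit codes are assumptions.
#
# check_signed_cert CRT CSR DOMAIN ROOT_CA
#   0  certificate is usable
#   2  file is not a PEM certificate (e.g. a JSON error body saved by curl -o)
#   3  certificate public key differs from the key in the CSR you submitted
#   4  SAN does not cover DOMAIN and a name under *.DOMAIN
#   5  certificate does not chain to ROOT_CA
#   6  certificate expires within 30 days (signed certs are valid 365 days)
check_signed_cert() {
  _crt=$1 _csr=$2 _dom=$3 _ca=$4

  # The endpoint answers with PEM on success; anything else is an error body.
  if ! head -n 1 "$_crt" | grep -q '^-----BEGIN CERTIFICATE-----'; then
    echo "not a certificate; response body was:" >&2
    head -n 5 "$_crt" >&2
    return 2
  fi

  # The issued certificate must carry the public key from your own CSR.
  _cert_pub=$(openssl x509 -in "$_crt" -noout -pubkey) || return 2
  _csr_pub=$(openssl req -in "$_csr" -noout -pubkey) || return 3
  [ "$_cert_pub" = "$_csr_pub" ] || { echo "public key mismatch" >&2; return 3; }

  # The page states the SAN is DOMAIN plus *.DOMAIN; check one name of each kind.
  for _h in "$_dom" "www.$_dom"; do
    openssl x509 -in "$_crt" -noout -checkhost "$_h" | grep -q 'does match' ||
      { echo "SAN does not cover $_h" >&2; return 4; }
  done

  # The chain must end at the root CA file you intend to distribute.
  openssl verify -CAfile "$_ca" "$_crt" >/dev/null 2>&1 ||
    { echo "does not chain to $_ca" >&2; return 5; }

  # -checkend exits non-zero when the certificate expires within N seconds.
  openssl x509 -in "$_crt" -noout -checkend 2592000 >/dev/null ||
    { echo "expires within 30 days" >&2; return 6; }
  return 0
}
```

Usage after the signing step: `check_signed_cert mysite.crt mysite.csr mysite.doxx doxx-root-ca.crt`.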


Mobile Options

get_mobile_options

{
  "status": "success",
  "mobile_options": {
    "connect_on_startup": 0,
    "kill_switch": 0,
    "transport": "wireguard",
    "proxy_enabled": 0,
    "onion_enabled": 0,
    "port": null
  }
}

set_mobile_options

Parameter Required
token Yes
connect_on_startup No (1/0)
kill_switch No (1/0)
proxy_enabled No (1/0)
onion_enabled No (1/0)

Utility

version_check

No auth required.

{"status": "success", "version": "2.1.0", "download_url": "https://doxx.net/download"}

generate_qr

No auth required. Returns binary PNG, not JSON.

Parameter Required Description
data Yes Text to encode
size No 100-2048 pixels (default: 512)
curl -s -X POST $API -d "generate_qr=1&data=hello&size=256" -o qr.png

DOXX POW

doxxpow_challenge

No auth required. Returns a proof-of-work challenge.

doxxpow_verify

No auth required. Submits a completed POW solution, returns a token.

doxxpow_validate_token

Parameter Required
pow_token Yes
{"status": "success", "valid": true, "accuracy": 95}

Stats API

https://secure-wss.doxx.net

WebSocket

wss://secure-wss.doxx.net:443/ws?token=YOUR_TOKEN

Optional: &tunnel_token=X to filter to one tunnel.

Event Types

| Type | Description | Key Fields |
|---|---|---|
| dns_block | Blocked DNS query | value (domain), category, count |
| security_event | Security alert | category, value (service/port info) |
| dangerous_port | Dangerous port connection | value (e.g., "SSH (Port 22)") |
| dns_bypass | DNS bypass attempt | value (provider) |
| doh_bypass | DoH bypass attempt | value (provider) |
| bandwidth | Bandwidth (Mbps) | value (format: in=X,out=Y) |
| dns_nxdomain | Non-existent domain | value (domain) |
| tunnel_status | Tunnel state change | value (sleeping/offline) |
| port_scan | Port scan detected | value (details) |

Event Structure

{
  "tunnel_token": "abc...",
  "ts": 1707400000,
  "prefix": "10.1.0.226/31",
  "type": "dns_block",
  "action": "block",
  "category": "ads",
  "value": "doubleclick.net",
  "count": 5,
  "display": {
    "domain": "doubleclick.net",
    "source": "easylist",
    "reason": "advertising tracker"
  }
}

REST

GET /api/stats/bandwidth

Parameter Required Description
token Yes Auth token
tunnel_token No Filter by tunnel
start No ISO 8601 (default: 1h ago)
end No ISO 8601 (default: now)
{
  "granularity": "1m",
  "data": [
    {"tunnel_token": "abc...", "timestamp": 1707400000, "peak_in": 125.5, "peak_out": 42.3, "samples": 60}
  ],
  "aggregate": [
    {"tunnel_token": "aggregate", "timestamp": 1707400000, "peak_in": 125.5, "peak_out": 42.3, "samples": 60}
  ]
}

Granularity auto-selects: 1s (<5m), 1m (<6h), 5m (<48h), 1h (<30d), 6h (30d+).

GET /api/stats/alerts

| Parameter | Required | Description |
|---|---|---|
| token | Yes | Auth token |
| tunnel_token | No | Filter by tunnel |
| last | No | session, 1m, 1h, 1d, 7d, 30d |
| start / end | No | ISO 8601 (alternative to last) |
| type | No | Filter by event type |

{
  "granularity": "1m",
  "totals": {"dns_block": 1234, "security_event": 5},
  "block_count": 1234,
  "category_counts": {"ads": 800, "tracking": 300, "malware": 134},
  "data": [
    {"type": "dns_block", "value": "doubleclick.net", "count": 42, "timestamp": 1707400000, "last_seen": 1707403600}
  ]
}

GET /api/stats/summary

Parameter Required Description
token Yes Auth token
days No Default: 30

GET /api/stats/global

No auth. Returns global threat counter.

{"status": "success", "total": 1234567890, "ts": 1707400000}

wss://secure-wss.doxx.net/ws/global

Public WebSocket. Streams global threat counter updates. No auth.


Support

doxx.net - Freedom and Privacy by Design

About

Public API reference for config.doxx.net - doxx.net VPN configuration API
