Band Band

Remote Access

Band supports remote access to your dashboard and API through a Cloudflare tunnel. This allows you to monitor agent activity, create tasks, and review code from any device — including your phone — without exposing ports or configuring a VPN.

How It Works

Band uses cloudflared (Cloudflare's tunnel client) to create a secure, encrypted connection between your local machine and Cloudflare's network. Traffic is routed through Cloudflare's infrastructure, and a temporary public URL is generated for your session.

  1. Band starts a cloudflared tunnel process on your machine.
  2. Cloudflare assigns a temporary public URL (e.g., https://abc-def-123.trycloudflare.com).
  3. Band generates an authentication token for the session.
  4. Remote clients connect using the URL and token.

Prerequisites

Install cloudflared before using the tunnel feature: 

# macOS
brew install cloudflared

# Linux (Debian/Ubuntu)
sudo apt install cloudflared

# Other platforms
# Download from https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/

No Cloudflare account is required. Band uses cloudflared's free quick tunnel feature.

Starting the Tunnel

Start the tunnel from the CLI or the desktop app:

band tunnel start

The command outputs the public URL and an authentication token. Both are needed to connect from a remote device. 

Tunnel started.
URL:   https://abc-def-123.trycloudflare.com
Token: bnd_a1b2c3d4e5f6...

Stopping the Tunnel

band tunnel stop

Stopping the tunnel immediately revokes the public URL. Any connected remote clients will be disconnected.

Custom Subdomains

By default, cloudflared assigns a random subdomain that changes each time the tunnel restarts. For a stable URL, configure a custom subdomain through your Cloudflare account:

  1. Create a tunnel in the Cloudflare Zero Trust dashboard.
  2. Configure a DNS record pointing to your tunnel (e.g., band.yourdomain.com).
  3. Configure Band to use the named tunnel instead of the quick tunnel.

Token-Based Authentication

Every tunnel session is protected by a randomly generated token. Remote clients must provide this token to access the Band API and dashboard.

  • The token is displayed when the tunnel starts.
  • Set BAND_TOKEN for CLI access from remote machines.
  • The web interface shows a login screen where you can paste the token.
  • Tokens are rotated each time the tunnel restarts.

Mobile Access via QR Code

The desktop app and dashboard display a QR code that encodes both the tunnel URL and authentication token. Scan the QR code with your phone's camera to open the Band dashboard instantly — no need to manually type the URL or token.

This is the fastest way to set up mobile access: start the tunnel, scan the QR code, and you are connected.

Security Considerations

  • All traffic is encrypted end-to-end through Cloudflare's network.
  • The authentication token is required for all API requests and dashboard access.
  • Tokens are single-session — restarting the tunnel invalidates old tokens.
  • The tunnel can be stopped at any time to immediately revoke remote access.
  • No ports are opened on your local firewall.