focuxdot/wokey-provider-node

Wokey Provider Node

Connect unused AI subscription capacity to Wokey.

Provider-owned node runtime for local onboarding, outbound connectivity, and encrypted official-exit capacity.


What Problem It Solves

You may have official AI subscriptions or accounts with unused capacity. Turning that capacity into reliable API supply is not just "run a proxy":

  • No public inbound port: the node connects outbound to Wokey Platform.
  • No prompt visibility: official-exit traffic stays inside vendor TLS.
  • No browser scraping: browser cookies, sessions, and safe-storage secrets are unsupported.
  • Local operations: binding, authorization, status, updates, and diagnostics stay close to the machine.
  • Auditable releases: installers verify SHA-256 checksums, with optional cosign provenance verification.

Provider Node is Wokey's provider-side answer: local onboarding and network egress on your machine, with business policy and request construction kept on Wokey Platform.

What It Delivers

  • Daemon: a local Provider Node process that connects outbound to Wokey Platform.
  • Console: loopback-only management at http://127.0.0.1:16888.
  • CLI: wokey-node for binding, credentials, diagnostics, updates, logs, and service control.
  • Installers: macOS, Linux, and Windows packages.
  • Authorization flows: Codex, Claude, and manual OAuth/token JSON.
  • Official-exit tunnel: encrypted byte relay to approved vendor hosts without terminating TLS.

Quick Install

macOS / Linux:

curl -fsSL https://github.com/focuxdot/wokey-provider-node/releases/latest/download/install.sh | bash

Windows PowerShell:

irm https://github.com/focuxdot/wokey-provider-node/releases/latest/download/install.ps1 | iex

Node.js 20+ is required. The installer downloads checksums.txt and verifies the downloaded artifact's SHA-256 before installation. If cosign is already installed, it also verifies official release provenance automatically; installation still works without cosign.

Open the local console:

http://127.0.0.1:16888

First Run

  1. Install Provider Node.
  2. Open the local console at http://127.0.0.1:16888, or run wokey-node.
  3. Open the Wokey Provider page from the console and sign in.
  4. Bind the node automatically, or paste a bind_... binding code.
  5. Add an authorization credential from a detected local source or a guided OAuth flow.
  6. Run wokey-node status or use the console to confirm the node is bound, connected, and ready.

Remote Linux servers can use the CLI path without exposing the console publicly:

wokey-node
wokey-node bind --value bind_...
wokey-node add
wokey-node list
wokey-node import 1
wokey-node login codex
wokey-node paste token --vendor openai --file ./token.json

How It Works

| Part | Runs where | Responsibility |
| --- | --- | --- |
| Wokey Platform | Wokey infrastructure | Accounts, routing, billing, credential custody, vendor request construction, policy, settlement |
| Provider Node | Provider-owned machine | Local console, node binding, credential onboarding, outbound WebSocket bridge, encrypted network exit |
| Vendor API | Official vendor host | Receives the HTTPS request sent by Platform through the Provider Node exit |

Official-exit request flow:

Wokey Platform -> outbound WebSocket -> Provider Node -> TCP socket -> vendor host

Platform constructs the vendor HTTPS request and performs TLS through the node's TCP socket. Provider Node opens the socket and relays bytes; it does not terminate vendor TLS.

Local Authorization

Supported local authorization paths:

  • Codex auth.json
  • Claude Code local credentials
  • Codex device code / OAuth flow
  • Claude OAuth authorization code flow
  • Manual OAuth token JSON

During onboarding, the provider explicitly authorizes or imports a credential bundle. The selected bundle is uploaded to Wokey Platform's encrypted credential store so Platform can construct official vendor requests.

Browser cookie, browser session, and browser safe-storage secret import is intentionally unsupported. Provider Node does not scan browser cookie databases.

Safety Boundary

Provider Node is provider-side software, but it is not the source of truth for production business policy.

It can:

  • bind a provider-owned machine to Wokey;
  • manage local onboarding and diagnostics;
  • open outbound connections requested by the bound Platform;
  • relay encrypted official-exit traffic;
  • report local health and saturation signals.

It cannot:

  • decide routing, billing, entitlement, quota, model mapping, or settlement;
  • terminate vendor TLS in official-exit mode;
  • read user prompts, model responses, or vendor authorization headers;
  • import browser cookies or browser safe-storage secrets;
  • widen the local operator's egress allowlist remotely.

Sensitive local config fields are encrypted at rest under the enc:v1: prefix. The encryption key comes from PROVIDER_NODE_MASTER_KEY when set, or from a generated local key file beside the config.

Egress Restrictions

By default, Provider Node only allows official-exit connections to official domains for currently supported vendors. The public source of truth is maintained here:

| Vendor | Default hosts |
| --- | --- |
| OpenAI / Codex | api.openai.com, chatgpt.com |
| Anthropic / Claude | api.anthropic.com |
| Qwen | dashscope.aliyuncs.com, dashscope-us.aliyuncs.com |
| Zhipu AI | open.bigmodel.cn, api.z.ai |
| Moonshot / Kimi | api.kimi.com, api.moonshot.ai, api.moonshot.cn |
| MiniMax | api.minimax.io, api.minimaxi.com |
| Xiaomi MiMo | api.xiaomimimo.com |
| DeepSeek | api.deepseek.com |
| Google Gemini | generativelanguage.googleapis.com |
| xAI | api.x.ai |

Operators can narrow or extend the local egress host list with PROVIDER_OFFICIAL_EXIT_ALLOWED_HOSTS. This setting is read only from the local environment, so Platform cannot widen it remotely. Wildcard * is not supported; use explicit hosts or domain patterns such as .example.com / *.example.com.
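
The label-boundary check that makes an egress host allowlist safe, as an added example (not the project's own code). It assumes a comma-separated value and that `.example.com` and `*.example.com` both mean "any subdomain of example.com, but not the apex"; `parseAllowlist`, `isAllowedHost` and the sample value are hypothetical.

```javascript
// Hypothetical matcher for an egress host allowlist; not Provider Node's code.
// Assumed semantics: comma-separated entries; ".example.com" and
// "*.example.com" match subdomains of example.com only.
const DNS_NAME = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/;
const DOMAIN_PATTERN = /^\*?(\.[a-z0-9-]+(\.[a-z0-9-]+)+)$/;

function normalize(value) {
  // Lowercase and drop a trailing root dot so "Host." equals "host".
  return String(value || "").trim().toLowerCase().replace(/\.$/, "");
}

function parseAllowlist(raw) {
  const exact = new Set();
  const suffixes = [];
  for (const item of String(raw || "").split(",")) {
    const entry = normalize(item);
    if (!entry) continue;
    if (entry === "*") throw new Error("bare wildcard * is not supported");
    const m = DOMAIN_PATTERN.exec(entry);
    if (m) {
      suffixes.push(m[1]); // keep the leading dot, e.g. ".example.com"
    } else if (DNS_NAME.test(entry)) {
      exact.add(entry);
    } else {
      throw new Error(`invalid allowlist entry: ${entry}`); // e.g. "*.com"
    }
  }
  return { exact, suffixes };
}

function isAllowedHost(host, allowlist) {
  const h = normalize(host);
  // Fail closed on ports, userinfo, paths or whitespace in the host value.
  if (!DNS_NAME.test(h)) return false;
  if (allowlist.exact.has(h)) return true;
  // The suffix starts with ".", so endsWith() only matches on a label
  // boundary: "evilexample.com" does not end with ".example.com".
  return allowlist.suffixes.some((suffix) => h.endsWith(suffix));
}

// Constructed sample value for PROVIDER_OFFICIAL_EXIT_ALLOWED_HOSTS.
const SAMPLE_ALLOWLIST = "api.openai.com, *.example.com";
const sampleList = parseAllowlist(SAMPLE_ALLOWLIST);
for (const host of ["api.openai.com", "eu.example.com", "example.com",
  "evilexample.com", "api.openai.com.attacker.test"]) {
  console.log(host, isAllowedHost(host, sampleList));
}
```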

Common Commands

| Command | Use |
| --- | --- |
| wokey-node | Open the interactive local CLI menu |
| wokey-node open | Open the local console in a browser, where supported |
| wokey-node bind --value bind_... | Bind this node with a Provider page binding code |
| wokey-node add | Add a credential through the guided CLI flow |
| wokey-node list | List importable local authorization sources |
| wokey-node import 1 | Import a detected credential candidate |
| wokey-node login codex | Start Codex device-code authorization |
| wokey-node paste token --vendor openai --file ./token.json | Paste authorization material manually |
| wokey-node status | Show local, binding, bridge, and credential status |
| wokey-node doctor | Run diagnostics |
| wokey-node restart | Restart the local service |
| wokey-node update | Re-run the latest release installer |
| wokey-node logs | Show service logs, where supported |

Development

Install dependencies:

npm install

Start the local console:

npm run dev

Use a local config while testing:

PROVIDER_CONFIG_PATH=./data/provider-node.json npm run dev

Run full verification:

npm run verify

Packaging

Build all supported packages:

npm run package:provider-node

Generate release checksums:

npm run release:checksums

Verifying A Release

Official releases publish checksums.txt, checksums.txt.sig, and checksums.txt.pem. Installers always verify each artifact's SHA-256 against checksums.txt. If cosign is installed, they also verify the GitHub Actions keyless signature over checksums.txt to confirm the release artifact came from the official release workflow.

cosign is not required for quick installation. To require provenance verification, install cosign first and run:

curl -fsSL https://github.com/focuxdot/wokey-provider-node/releases/latest/download/install.sh | WOKEY_PROVIDER_NODE_REQUIRE_SIGNATURE=1 bash

Windows PowerShell:

$env:WOKEY_PROVIDER_NODE_REQUIRE_SIGNATURE = "1"
irm https://github.com/focuxdot/wokey-provider-node/releases/latest/download/install.ps1 | iex

Manual verification example:

cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp '^https://github.com/focuxdot/wokey-provider-node/\.github/workflows/release\.yml@refs/(tags/v.*|heads/main)$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  checksums.txt

Configuration

Runtime configuration is provided through environment variables. Copy .env.example to .env.local for local development; npm start loads .env.local automatically.

Common settings include local console host/port, config path, local encryption master key, Platform host allowlist, official-exit egress allowlist, and log level.

File Structure

wokey-provider-node/
├── src/provider-node/          # daemon, console API, bridge, OAuth, local config
├── src/shared/                 # protocol, crypto, ids, vendor allowlist
├── web/console/                # local console HTML, CSS, client JS, bundled fonts
├── packaging/                  # macOS, Linux, Windows wrappers and installers
├── scripts/                    # build, package, checksum, OSS-boundary checks
├── docs/                       # runtime, installer, verification, maintainer docs
├── .github/workflows/release.yml
├── README.md
└── LICENSE

License

Apache-2.0. See LICENSE.
