Remote Access
Your agent runs locally. Managed remote access gives it a permanent public address — no port forwarding, no tunnels, no certificates to manage.
When you need remote access
Salmex I/O runs on your machine and listens on 127.0.0.1. For desktop-only use, that is all you need. Remote access becomes necessary when external platforms need to reach your agent:
- Telegram — Telegram delivers bot updates via webhooks to an HTTPS endpoint. A public address is required.
- Slack, Discord, WhatsApp — all require a publicly reachable callback URL.
- Proactive delivery — the agent needs an inbound path to push notifications and scheduled task results to external channels.
If you only use the desktop app for chatting with your agent and don't need external channels, you don't need remote access at all.
Managed remote access (Pro)
Pro accounts include managed remote access — a permanent public HTTPS endpoint that routes external traffic to your local agent through a secure tunnel. No configuration required.
How it works
- When you activate Pro, Salmex I/O assigns your account a permanent subdomain on
salmex.net. - The app opens a secure tunnel to the Salmex I/O infrastructure.
- External platforms (Telegram, Slack, etc.) send webhooks to your subdomain.
- Traffic is forwarded through the tunnel to your local agent.
- Your agent responds, and the response is sent back to the platform.
The tunnel reconnects automatically if your network drops. Your subdomain never changes — configure it once in Telegram or Slack and forget about it.
Your public address
Each Pro account gets a unique, permanent address:
https://{your-subdomain}.salmex.netYour subdomain is shown in the Remote Access section of the sidebar and on the Dashboard. Webhook URLs for each channel are configured automatically when you add a channel.
What's handled for you
| Concern | How it's handled |
|---|---|
| TLS | Wildcard certificate on *.salmex.net, auto-renewed. All traffic is HTTPS. |
| Authentication | Tunnel authenticated with your Pro licence key. External webhooks are verified at the application layer (Telegram bot token, Slack HMAC signing, etc.). |
| Reconnection | If your network drops, the agent reconnects automatically with exponential backoff. Webhooks arriving during brief disconnects are held for up to 5 seconds. |
| Network changes | Wi-Fi switch or IP change detected automatically. Reconnects within seconds. |
| Port changes | If the local server restarts on a different port, the connection updates automatically. No manual action needed. |
| Rate limiting | 60 requests per minute per subdomain. More than enough for webhook traffic. |
| Privacy | Pass-through only. Request and response bodies are never logged, cached, or inspected. |
Connecting
Once you have a Pro account:
- Open Settings and sign in with your Pro licence key.
- The Remote Access indicator in the sidebar turns green and shows your public address.
- Add a channel (e.g. Telegram). The webhook URL is set automatically using your public address.
That's it. No DNS records, no certificates, no firewall rules.
Security
Remote access is designed so that your data stays yours.
- End-to-end tunnel encryption — the connection uses TLS 1.3. Traffic between the server and your agent is encrypted in transit.
- No body logging — method, path, status, and latency are logged for operational purposes. Request and response bodies are never logged or stored.
- Licence key never stored in plaintext — only the SHA-256 hash is stored server-side. The original key exists only on your machine, in your OS keychain.
- Loopback-only — traffic is only forwarded to
127.0.0.1on your machine. It cannot be redirected to other hosts. - Automatic subscription checks — your subscription is verified on connect and periodically during the session. Expired or suspended accounts are disconnected immediately.
- Brute-force protection — 5 failed authentication attempts per IP triggers a 10-minute ban.
Free tier
The Free plan includes desktop chat and one external channel. External channels (Telegram, Slack, Discord, WhatsApp) require a public HTTPS endpoint for webhook delivery. On the Free plan, you would need to set up your own tunnel or reverse proxy to provide this.
Pro includes managed remote access — zero configuration, always connected. Compare plans.