FAQ
Short answers, no hedging. If something here raises a follow-up, the linked pages have the long version.
Is there really no relay or cloud?
None. codeout has no servers. Your devices connect straight to your daemon. There is no account to create and no company sitting in the path of your sessions. Even when you use codeout --public, the tunnel forwards encrypted bytes; it is not a relay that can read them.
Does it work without internet?
Yes. On a LAN with no internet at all, a paired device reaches the daemon and runs sessions normally. Internet only matters when you want to reach the daemon from outside its network, and even then you bring the path. The daemon does not phone home to function.
Which agents are supported?
Claude, Gemini, and a plain shell are first-class. Because codeout runs a real pseudo-terminal, anything that runs in your shell runs in a session, agent or not. If you can launch it from a prompt, codeout can put it on your phone.
Where do my API keys and credentials live?
On the daemon host, in your existing agent config. codeout launches the agents you already have; it does not store, proxy, or transmit their credentials. Keys never leave the machine the daemon runs on, and they certainly never reach your phone.
Can two devices use the same session at once?
Yes. The session lives on the daemon, so multiple paired devices can attach to it and see the same live terminal. Detaching one does not disturb the others. Handy for starting on a phone and finishing on a desktop without dropping a beat.
A device was lost. Now what?
Revoke its token with codeout devices revoke <name>. It can no longer connect or decrypt new traffic. Then rotate any secrets it could have displayed on screen, the same as you would after losing any logged-in device. The token is per-device, so revoking it costs you nothing on your other devices.
Is the public tunnel safe to use?
Yes, and it is more private than opening a port. The daemon dials out, so your home IP is never exposed; the public only ever sees Cloudflare. The channel is encrypted end to end, so the tunnel carries sealed ciphertext and reads nothing. You still pair against the public address with the same QR or code and confirm the same fingerprint, so an impostor in the path is caught.
What is the license?
MIT. Read every line, host it yourself, and send pull requests. The source is on GitHub. If you do not trust a tool with your terminal, the right move is to read it, and this one is built to be read.