Contributing · Security · Changelog

Flare TEE proxy

Running

Copy config.example.toml to config.toml

cp ./config.example.toml ./config/config.toml

and set the configurations.

Make sure that the proxy's private key is stored in the environment variable PRIVATE_KEY. If you want it read from a different environment, set specify the name in config under private_key_variable

Start the proxy

go run ./...

Direct Endpoint

The POST /direct endpoint allows submitting direct instructions that bypass the C-chain. It is disabled by default and must be explicitly enabled in the config:

direct_extension = true

When enabled, the endpoint requires API key authentication via the X-API-Key HTTP header. The API key can be configured in two ways:

1. Environment variable (recommended): set DIRECT_API_KEY (or a custom variable name via direct_api_key_variable in config)
2. Config file: set direct_api_key in config.toml

If both are set, the environment variable takes precedence. The proxy will refuse to start if direct_extension is enabled without a configured API key.

The /direct endpoints expects Direct Instruction as a body

{
  "opType": "0x...",
  "opCommand": "0x...",
  "message": "0x..."
}

Example request:

curl -X POST http://localhost:6662/direct \
  -H "Content-Type: application/json" \
  -H "X-API-Key: {YOUR_API_KEY}" \
  -d '{ ... }'

Docker

Building

Clone tee-node and tee-proxy repositories and run the following command

docker build -t {IMAGE_TAG} -f tee-proxy/Dockerfile

Running

docker run -p 6661:6661 -p 6662:6662 \
  -e PRIVATE_KEY={PRIVATE_KEY} \
  -v {PATH_TO_CONFIG}:/app/config/config.toml \
  {IMAGE_TAG}

If you have indexer-db and redis running in docker-compose add the --network flag

docker run -p 6661:6661 -p 6662:6662 \
  -e PRIVATE_KEY={PRIVATE_KEY} \
  -v {PATH_TO_CONFIG}:/app/config/config.toml \
  --network {NETWORK_NAME} \
  {IMAGE_TAG}