hobhob
Core Features

Remote access

Reach hob from your phone, tablet, or any browser — on your network or, via the relay, over the internet.

hob has two remote surfaces, each with its own access control:

  • Remote IDE — the full hob interface in any browser
  • hob roam — a mobile-optimized companion for phones and tablets

Both are off by default, and both are managed from the Remote popup, opened from the titlebar. Internet access goes only through the relay — hob never exposes ports to the public internet.

Remote access requires an active hob Pro+ license — Remote IDE and hob roam at every level, including local network and the relay. Without Pro+, these options are unavailable and report as disabled.

Remote IDE — full hob in a browser

Set Settings → Remote → Remote IDE access to Local host (this machine only) or Local network (devices on your network). Remote IDE has no internet option.

Once enabled, the Remote popup shows a copyable access URL with an embedded token — open it in any browser to get the complete IDE (workspaces, agents, terminals), backed by your desktop session. You can Regenerate credentials from the popup at any time to invalidate the current URL and force re-connection.

Remote VMs with --headless

Yes, you can run hob on a remote VM. Start hob with --headless and it serves the same browser IDE without opening a desktop window. The browser UI has near-desktop parity: workspaces, agent panes, terminals, render panes, settings, history, and source-control surfaces all run against the machine where hob is running.

Headless still feels like the full IDE

You can paste screenshots and other clipboard images into agent panes from the browser, attach image files, paste long text as attachments, use interactive terminals, edit and preview files in render panes, review diffs, approve agent commands, manage source control, switch projects, and reconnect later to the same running sessions.

With no path argument, hob restores the last saved project state when one exists; otherwise it opens in no-project mode. You can pass a path when you want a specific initial project. Once connected, use the project switcher or Open folder to open other projects on the VM from the same browser IDE. Headless mode disables native new window actions, but project switching works in the headless session.

Use this when your code, agent CLIs, credentials, and build tools live on a remote machine you control:

curl -fsSL https://get.hob.dev/install | sh
hob app license activate
hob --headless

Headless mode prints a Browser UI: URL when it starts. That URL includes an access token in the fragment; treat it like a secret and regenerate credentials from the Remote popup if it is exposed. With no path argument, hob restores the last saved project state when one exists; otherwise it opens in no-project mode. You can pass hob --headless /path/to/project when you want a specific initial project.

If you run hob --headless again while that same headless server is already reachable, hob prints the existing Browser UI: URL and exits instead of starting another server. If the second command includes a project, file, or hob:// link, open it from the existing browser IDE.

The default headless setup is designed for an SSH tunnel. It forces Remote IDE to at least Local host, so you can connect without opening a public VM port:

ssh -L 22907:127.0.0.1:22907 [email protected]

Then open the Browser UI: URL locally, replacing the host with 127.0.0.1 if needed. hob uses HTTPS for headless by default, so your browser may ask you to accept the local certificate the first time.

Private network or VPN

If your browser is on the same private network as the VM, or reaches it through a VPN, set Remote IDE access to Local network in the Remote popup. Headless uses 0.0.0.0:22907 by default, so the server listens on all interfaces unless you change Settings → Remote → Server listen address in Advanced mode. Open TCP port 22907 only on networks you trust.

Remote IDE does not use the internet relay. For access across the public internet, use your own SSH tunnel, VPN, or private network path. hob roam is the mobile companion that can use the relay.

What runs where

In headless mode, everything executes on the VM: agent subprocesses, terminal commands, filesystem access, Git operations, project switches, and builds. Install and authenticate your agent CLI providers on that VM before launching hob. Your browser is only the UI.

hob roam — mobile companion

roam is a mobile-optimized UI for monitoring and steering agents from your phone.

Set Settings → Remote → Roam app access to Local host, Local network, or Internet (via the relay).

Connecting

Open the access URL

The Remote popup shows a QR code and URL for roam. Scan the QR code with your phone, or enter the URL manually.

Approve the device

A new browser appears as a pending device with a 4-character request code shown on both ends. In the Remote popup, confirm the code matches and click Approve.

Use roam

The approved device becomes a trusted device and the mobile UI opens. You can remove trusted devices from the same popup later.

From roam you can view agent conversations and tool calls, send messages, approve or deny permission requests, stop running agents, and view terminal output.

Credentials mode

Under Settings → Remote → Roam: credentials mode, choose how roam's URL is issued. This applies to every access level:

ModeBehavior
FixedA stable, bookmarkable URL that persists across restarts.
EphemeralNew credentials each time you enable roam — good for one-off access.

Enable Settings → Remote → Roam: auto-enable on startup to bring roam back automatically after a restart (pairs naturally with Fixed mode). As with Remote IDE, you can Regenerate credentials from the popup to revoke access.

Relay — internet access

Setting roam access to Internet connects your desktop to connect.hob.dev, letting you reach it from anywhere:

  1. Your desktop opens an outbound host session to the relay.
  2. The broker returns a session (stable in Fixed mode, fresh in Ephemeral) and a browser URL that carries the roam credential.
  3. Open that URL in any browser to connect back to your desktop.

The connection is asymmetric — your desktop always initiates, and no ports are exposed on your machine.

Relay encryption

The relay is only a rendezvous point and frame forwarder. It can authenticate the host, issue short-lived browser and websocket tokens, enforce one active host per license, and observe connection metadata such as timing, IP addresses, and encrypted frame sizes. It is not given the roam credential or the key used to read websocket payloads.

The roam websocket is wrapped in an end-to-end envelope between your desktop and the trusted browser:

  1. The desktop creates the roam credential. In Internet mode, the broker URL carries that credential in the URL fragment, so it is available to the browser app but is not sent as part of the HTTP request for the page.
  2. The desktop and browser independently derive the same AES-GCM key from that credential. Broker API calls use only the license hash, enrollment tokens, device trust records, and a credential fingerprint when the browser needs to detect that an old link was rotated.
  3. Every mux websocket message is encrypted before it is sent to connect.hob.dev. The relay Durable Object forwards the resulting binary frames without decrypting or parsing the hob RPC, terminal, or agent-session payload inside them.
  4. The receiving endpoint decrypts the frame locally and drops plaintext relay frames.

This means hob's relay service and Cloudflare can route the connection, enforce session lifetime, and see transport metadata, but they cannot read the contents of the roam websocket stream.

Security

  • Off by default, Pro-gated — every remote level must be explicitly enabled and requires hob Pro.
  • Private network only at the local levels — connections from non-private IP addresses are always rejected; nothing leaves your network unless you use the relay.
  • Device trust — roam connections must be approved as trusted devices before they can do anything; you can revoke them anytime.
  • End-to-end encryption — relay traffic is encrypted with AES-GCM using a key derived from your roam credential, so the relay forwards only opaque ciphertext it cannot read.
  • Credential rotation — regenerate Remote IDE or roam credentials to instantly revoke existing access.
How is this guide?

On this page