DOME Docs

Cloudflare Tunnel

Expose @dome/backend over HTTPS without opening inbound ports.

Use Cloudflare Tunnel to publish the Dome indexer, relayer, and RPC proxy on your domain — typical setup: https://api.yourdomain.comhttp://127.0.0.1:8788.

Published routes

PathService
/healthBackend health
/configPool limits for SDK
/get_encrypted, /merkle/root, /commitmentIndexer
/relayer/withdrawRelayer
/rpcJSON-RPC proxy to Base Sepolia

Prerequisites

  1. Domain on Cloudflare (DNS active)
  2. @dome/backend running on port 8788 (localhost bind is fine)
  3. cloudflared installed:
bash scripts/cloudflare/install-cloudflared.sh

One-time setup

cp .dome-local/cloudflare.env.example .dome-local/cloudflare.env
# Edit DOME_TUNNEL_HOSTNAME=api.yourdomain.com

bash scripts/cloudflare/setup-tunnel.sh

setup-tunnel.sh will:

  1. Run cloudflared tunnel login (open the URL in a browser once)
  2. Create a named tunnel dome-backend
  3. Write .dome-local/cloudflare/config.yml
  4. Create DNS: api.yourdomain.com → tunnel

Dashboard token (alternative)

In Cloudflare Zero TrustNetworksTunnels → create tunnel → copy token.

Add to .dome-local/cloudflare.env:

CLOUDFLARE_TUNNEL_TOKEN=eyJ...

Set the public hostname in the dashboard to http://127.0.0.1:8788.

Start / stop

# Backend + tunnel (Base Sepolia)
bash scripts/cloudflare/up-sepolia.sh

# Stop tunnel, circuits server, and Sepolia backend
bash scripts/cloudflare/down-sepolia.sh

Logs:

  • .dome-local/run/backend-sepolia.log
  • .dome-local/run/cloudflared.log

Verify

curl -s https://api.yourdomain.com/health | jq
curl -s https://api.yourdomain.com/config | jq

Expect ok: true, chainId: 84532, and your pool address from base-sepolia-deploy.json.

Client configuration

SDK / mobile:

DOME_EVM_INDEXER_URL=https://api.yourdomain.com
DOME_ETH_POOL_ADDRESS=0x...

Web (dome-web/.env.local):

DOME_BACKEND_URL=https://api.yourdomain.com
DOME_EVM_INDEXER_URL=/api/indexer
DOME_BASE_RPC=/api/rpc

Or point directly at the tunnel URL for both indexer and RPC.

Security

  • Backend binds to 127.0.0.1; only cloudflared reaches it
  • Set DOME_RELAYER_SECRET in sepolia.env before going public
  • Tune DOME_RATE_LIMIT_* in backend env
  • Do not commit .dome-local/cloudflare.env or tunnel credentials

Circuits on the same domain

Serve Groth16 artifacts at https://circuits.yourdomain.com:

# In .dome-local/cloudflare.env
DOME_CIRCUITS_HOSTNAME=circuits.yourdomain.com

bash scripts/cloudflare/setup-circuits-route.sh
bash scripts/cloudflare/up-sepolia.sh

See Circuit Hosting for R2 and static hosting options.

Production systemd

sudo cloudflared service install
sudo systemctl enable --now cloudflared

Use the config path from .dome-local/cloudflare.env (DOME_TUNNEL_CONFIG).

Base Sepolia Testnet

Deploy contracts, run the backend, and smoke-test on public testnet.

Circuit Hosting

Host Groth16 proving artifacts (WASM and zkey) for browser and SDK clients.

On this page

Published routesPrerequisitesOne-time setupDashboard token (alternative)Start / stopVerifyClient configurationSecurityCircuits on the same domainProduction systemd