Macha Logo
மச்சா ·  Tamil for "hey bro" ·  because good tools should feel like a friend

Your localhost,
on the internet — right now

One command gives your local dev server a public URL.
Share webhooks, demos, and APIs with anyone, instantly.

Get started →See the steps
terminal
$
🤝

Why "Macha"?

Macha(மச்சா) is a Tamil word — the way you call your closest friends. "Macha, come look at this." "Macha, got a minute?" It's warm, casual, no-ceremony. That's the vibe this tool aims for: a close friend who opens a tunnel for you, no account, no credit card, no questions asked.

How it works

Three components, zero configuration. Your app never needs to change.

1

You run your app

Any server on localhost— Express, FastAPI, Rails, anything. Macha doesn't touch your code.

2

Agent opens a tunnel

The macha agent dials out to macha.live and registers your subdomain. From then on, it opens a fresh connection on demand for every incoming request.

3

Traffic flows through

Anyone visiting myapp.macha.live is transparently bridged to localhost:3000. No headers changed. WebSocket, gRPC, all protocols work.

Your browser sends an HTTPS request to yourapp.macha.live — a normal DNS lookup and TLS handshake, just like any website.
macha.live's nginx terminates TLS and forwards to the macha server on :8080 — one wildcard certificate covers every subdomain, so agents never touch TLS.
The server asks the agent to open a fresh connection just for this request — a quick CONNECT/DATA handshake dials out in milliseconds, with no fixed pool to run out of.
That connection is a tunnel the agent dialed out to earlier — outbound connections sail through NAT and firewalls that would block anything inbound.
The agent forwards the request to localhost:3000 byte-for-byte — no headers rewritten, so WebSockets, gRPC, and cookies all work unmodified.
Your app's response streams back through the exact same tunnel to the browser — one connection, reused for both directions.
Browser
visitor
macha.live
nginx + TLS :443
macha server
:8080
On-demand link
dialed per request
macha agent
your laptop
localhost:3000
your app
Request (blue) flows in, gets bridged through a fresh on-demand connection to your laptop, and the response (purple) flows back the same way.
The agent always dials out — so NAT and firewalls are never a problem.

Why it's built this way

A few deliberate choices explain almost everything about how Macha behaves — here's what each one buys you, and what the obvious alternative would have cost.

Why can't the internet reach my laptop?

localhost:3000
blocked ✕
the internet
localhost:3000
myapp.macha.live ✓
the internet

Home and office networks sit behind NAT and a firewall that blocks unsolicited inbound connections — that's a security feature, not a bug. The macha agent never asks for an inbound connection. Instead it dials out to macha.live, the same way your browser dials out to any website. Outbound traffic is always allowed, so there's nothing to configure — no port forwarding, no router settings.

How does each request get a connection?

opened per request, closed after
no pool to exhaust

Earlier versions of macha kept a pool of pre-opened connections sitting idle, ready to go — but a fixed pool has a ceiling, and dev servers blow past it fast (HMR keeps a socket open forever, and a single page load can fire dozens of concurrent asset requests). Macha now opens a connection per request: when a visitor arrives, the server asks your agent to dial out a fresh connection just for that request, over the same outbound-only path. The dial takes milliseconds and runs in parallel for every request, so concurrency has no fixed ceiling to exhaust.

Why does macha.live handle HTTPS instead of my agent?

your agent(s)
plain TCP
macha.live
HTTPS
browsers

The alternative would be every agent managing its own TLS certificate — running an ACME client, renewing certs, and binding to port 443 on whatever machine it's running on. That's a lot of moving parts for something that should just work. Instead, one wildcard certificate for *.macha.live lives on the edge server, and every agent connects over a plain outbound TCP socket — no cert, no port 443, nothing to renew. The tradeoff: traffic is decrypted at macha.live before reaching the tunnel, so self-hosters who need end-to-end encryption all the way to their machine can run their own server with their own certs (see self-hosting).

Get started

Three steps from zero to a live public URL.

1

Install

Pick your platform. No dependencies, no runtime — just a single binary.

curl -fsSL https://macha.live/install.sh | bash

Downloads a pre-built binary for Apple Silicon or Intel Mac.

curl -fsSL https://macha.live/install.sh | bash

Statically linked binary — works on any Linux (x86-64, ARM64). No libc required.

PowerShell
# Run in PowerShell
irm https://macha.live/install.ps1 | iex

Installs to %LOCALAPPDATA%\macha\bin and adds it to your user PATH.

cargo install --git https://github.com/DhineshKrishnan1206/macha macha

Requires Rust. Compiles from source — takes about a minute.

2

Start your local app

Macha works with any server — it doesn't care what language or framework you use. Just make sure it's running.

examples
# Node.js / Express
node app.js           # running on :3000

# Python / FastAPI
uvicorn main:app      # running on :8000

# Anything else
./my-server           # running on :8080
3

Run Macha

Tell it which port your app is on and what subdomain you want — or skip the subdomain and get a random one.

macha --port 3000 --subdomain myapp

You'll see:

  Dashboard → http://127.0.0.1:4040
✓  Tunnel: https://myapp.macha.live

Share https://myapp.macha.live with anyone. Open localhost:4040 to watch requests in real-time.

Need more options? Auth tokens, TLS, library API, custom servers —

Full documentation →

Everything you need

Production-grade internals, simple on the outside.

No signup requiredPick a subdomain and go. No account, no email, no credit card.
On-demand connectionsEvery request opens a fresh tunnel connection in milliseconds — no fixed pool to exhaust under load.
Live dashboardEvery request logged at localhost:4040 — method, path, size, duration, in real time.
Auto-reconnectSurvives laptop sleep, Wi-Fi drops, and server restarts. Reconnects with exponential backoff.
HTTPS by defaultAll *.macha.live subdomains are served over TLS. Your local app gets HTTPS for free.
Any protocolHTTP, WebSocket, gRPC, SSE — transparent TCP proxy, not an HTTP proxy. Zero header modification.
Rust libraryAdd macha to Cargo.toml and embed tunneling directly in your app.
Self-hostableDon't want traffic through our server? Run your own in 60 seconds with Docker.
Free & open sourceMIT licensed. Self-hosted on a VPS. No paid tiers, no rate-limit paywalls.

Self-host on your own VPS

Full control, no trust required. Your traffic stays on your infrastructure.

Prerequisites

A VPS with Docker installed and a domain with a wildcard DNS record (*.tunnel.yourcompany.com → your-vps-ip). Caddy handles TLS automatically — no certificate management needed.

1 — Start the server

docker-compose.yml (on your VPS)
services:
  macha:
    image: ghcr.io/dhineshk/macha-server:latest
    restart: unless-stopped
    ports:
      - "80:8080"
      - "9000:9000"
      - "9001:9001"
    environment:
      DOMAIN: tunnel.yourcompany.com
      AUTH_TOKEN: change-me-to-a-long-random-secret
docker compose up -d

2 — Point your agents at it

macha --port 3000 --subdomain myapp \
      --server tunnel.yourcompany.com \
      --token your-secret

The tunnel URL will read https://myapp.tunnel.yourcompany.com — fully under your domain.

All server environment variables

VariableWhat it doesDefault
DOMAINBase domain for tunnel URLsmacha.live
PUBLIC_SCHEMEhttp or https in tunnel URLshttps
AUTH_TOKENAgents must present this token to registernone (open)
PUBLIC_PORTPort the public HTTP listener binds on8080
CONTROL_PORTPort agents use to register9000
DATA_PORTPort agents use for on-demand data connections9001
TLS_CERTPath to PEM certificate for ports 9000/9001none
TLS_KEYPath to PEM private key for ports 9000/9001none

Ready to go deeper?

Full CLI reference, library API, TLS configuration,
auth tokens, Caddy setup guides, and more.

docs.macha.live →