Reverse Proxy
If you run your own reverse proxy (such as nginx, Caddy, or Traefik), you can expose your SendSpin server securely over the internet with authentication.
Prerequisites
Section titled “Prerequisites”- A reverse proxy configured to forward WebSocket traffic to your SendSpin/Music Assistant server
- TLS certificate (HTTPS) on your proxy
- An authentication mechanism (login credentials or long-lived token)
Configuration
Section titled “Configuration”In the Add Server wizard, choose Reverse Proxy as your remote access method.
Login Mode
Section titled “Login Mode”- Enter your proxy URL (e.g.,
https://ma.example.com/sendspin) - Enter your username and password
- The app authenticates with the proxy and receives a session token
Your username is saved for convenience on future logins. Passwords are never stored.
Token Mode
Section titled “Token Mode”- Enter your proxy URL
- Paste a long-lived authentication token
- The app uses this token for all connections
Tokens are stored securely in Android’s EncryptedSharedPreferences, backed by the hardware Keystore (AES-256-GCM encryption).
URL Format
Section titled “URL Format”Your proxy URL should point to the WebSocket endpoint of your SendSpin server. Common formats:
https://ma.example.com/sendspinhttps://music.yourdomain.com:8443/wsSecurity
Section titled “Security”- All proxy connections use TLS (HTTPS)
- Authentication tokens are encrypted at rest using Android Keystore
- On devices with broken Keystore implementations (some budget OEMs), the app falls back to plain SharedPreferences and logs a warning
- Passwords are never persisted — only session tokens
Saved Proxy Servers
Section titled “Saved Proxy Servers”Proxy connections are saved with your server configuration. The app stores up to 10 recent proxy servers.
Combining with Local
Section titled “Combining with Local”You can configure both local and proxy access for the same server. The app uses the local connection when on the same network and falls back to the proxy when away.