How ByteTunnel protects you
A plain explanation of what the edge sees, what it does not, and why a modified agent cannot break anything.
What the edge sees
When a player connects, the edge reads the Minecraft handshake packet. This contains the hostname they typed (e.g. cool-pvp.ams.bytetunnel.gg) and, during login, their username. The edge uses the hostname to figure out which tunnel to route the connection through. After that initial handshake, the edge forwards raw bytes in both directions without reading or modifying them.
What the edge does not see
Game data, chat messages, commands, inventory, world data. None of that is parsed or stored. The edge is a dumb pipe after the handshake. It does not log packet contents and has no ability to inject commands or modify gameplay. It also cannot log into your Minecraft server. It only bridges TCP connections between players and your agent.
Your IP stays hidden
Players connect to the edge IP. DNS records point to the edge. The MC client only ever sees the edge address. Your home IP is not exposed in DNS, not in packet headers, not in server list pings. The only way to find your IP is to compromise our edge infrastructure.
The agent is open source
The agent runs on your machine and you can read every line of code. It connects to the edge, authenticates with your API key, and opens TCP connections that carry player traffic to your local MC server. It does not phone home, collect telemetry, or access anything outside the tunnel.
Can someone write their own agent to attack the edge?
No. Security is enforced by the edge, not the agent. Even if someone writes a custom client from scratch, the edge still requires a valid API key to authenticate, still validates the MC handshake on every connection, still enforces rate limits and player caps per account, and still isolates each customer's traffic from everyone else. A rogue agent cannot turn the tunnel into a general proxy because the edge drops anything that is not a valid Minecraft connection.
Tenant isolation
Each server gets its own hostname and its own set of TCP connections. Customer A's traffic can never reach Customer B's backend. Routing is determined by the hostname in the MC handshake, which is validated against the authenticated tunnel session. There is no way to spoof routing to another customer's server.
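The routing step described under "What the edge sees" and here can be sketched as follows. This is an added example, not ByteTunnel's code: it parses the handshake layout of the public Minecraft Java Edition protocol, and the names route and TUNNELS and the value "tunnel-A" are hypothetical.

```python
import struct

MAX_HOST_LEN = 255  # protocol limit on the server-address string

def read_varint(buf, pos):
    """Decode a Minecraft VarInt (7 data bits per byte, at most 5 bytes)."""
    value = 0
    for i in range(5):
        if pos + i >= len(buf):
            raise ValueError("truncated VarInt")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("VarInt too long")

def parse_handshake(data):
    """Return (hostname, port, next_state) from the first frame, else ValueError."""
    length, pos = read_varint(data, 0)
    end = pos + length
    if length == 0 or end > len(data):
        raise ValueError("incomplete frame")
    data = data[:end]  # bytes after the frame (e.g. login start) are ignored
    packet_id, pos = read_varint(data, pos)
    if packet_id != 0x00:
        raise ValueError("not a handshake packet")
    _protocol, pos = read_varint(data, pos)
    host_len, pos = read_varint(data, pos)
    if not 0 < host_len <= MAX_HOST_LEN or pos + host_len + 2 > end:
        raise ValueError("bad hostname length")
    host = data[pos:pos + host_len].decode("ascii").rstrip(".").lower()
    pos += host_len
    (port,) = struct.unpack_from(">H", data, pos)
    next_state, pos = read_varint(data, pos + 2)
    if next_state not in (1, 2, 3) or pos != end:  # status, login, transfer
        raise ValueError("bad next state or trailing bytes in frame")
    return host, port, next_state

def route(data, tunnels):
    """Return the tunnel for this connection, or None to drop it."""
    try:
        host, _port, _state = parse_handshake(data)
    except ValueError:  # also covers non-ASCII hostnames (UnicodeDecodeError)
        return None
    return tunnels.get(host)  # unknown hostname -> None -> drop

# Constructed sample: login handshake for the hostname used on this page.
SAMPLE = b"\x21\x00\xfd\x05\x1a" + b"cool-pvp.ams.bytetunnel.gg" + b"\x63\xdd\x02"
TUNNELS = {"cool-pvp.ams.bytetunnel.gg": "tunnel-A"}  # hypothetical session table
```

Anything that fails to parse, or names a hostname with no authenticated tunnel, returns None, which is the point at which a non-Minecraft connection would be dropped.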
DDoS protection
Edge nodes sit behind multi-Tbps DDoS mitigation provided by the hosting infrastructure. Volumetric attacks are absorbed before they reach the edge process. Application-layer attacks (connection floods, slowloris) are handled by per-IP rate limiting and the anti-bot system at the edge. Your home connection is never exposed to any of this traffic.
Authentication
The agent authenticates with your API key, which is hashed with SHA-256 before storage. The API returns a short-lived JWT (5-minute expiry) that the agent uses to connect to the edge. If you revoke your API key, the agent loses access within 5 minutes. Passwords are hashed with Argon2id.
Questions about security? Email info@bytetunnel.gg.