Canary remote app beta

Canary can now pair a phone through a remote HTTPS relay while the app, broker session, and authorization still run from your Mac. It is meant for early users who already understand the local IBKR setup and want mobile access away from the LAN.

Experimental beta: for now, relay-agent operation is maintainer-assisted and may change without compatibility promises.

Canary mobile app monitor screen showing market regime and portfolio canary cards

What this adds.

The remote path keeps the local-first design, but makes the paired PWA reachable from outside your home network.

Remote access

Phone pairing through the relay

The printed pairing URL uses the remote origin and a short route id, so a phone can open Canary without being on the same LAN.

Local control

Your Mac still owns the session

The relay forwards allowed app traffic only. Pairing creation, device grants, sessions, and broker data access remain in the local app process.

Beta shape

Small, explicit, reversible

The feature is intentionally narrow while the relay operations, failure modes, and install flow are proven with early users.

Start the remote server.

Run the app in remote mode on the Mac that already has TWS or IB Gateway running.

ibkr app --remote

# in another shell
ibkr app pair

Pair and use it.

  1. Start TWS or IB Gateway locally and make sure ibkr status is healthy enough for app reads.
  2. Run ibkr app --remote. The app opens an outbound connector to the relay; you do not expose an inbound port on your Mac.
  3. Run ibkr app pair and open the printed URL on the phone. The URL includes a short-lived pairing id, nonce, and relay route.
  4. Use the Monitor, Positions, Alerts, and Settings tabs from the PWA. Market and account values still come from your local IBKR session.
  5. For a supervised app host, restart in remote mode with ibkr restart --app --remote.

Security model.

Remote access uses TLS-protected transport: the phone connects to the relay over HTTPS, and the Mac connector uses WSS. Network intermediaries between the phone, relay, and Mac connector cannot read the traffic without breaking TLS.

The relay is transport only, not the owner of your broker session. The local app creates pairing sessions, validates device proof, sets the session cookie, and talks to the daemon. The current relay is not an extra app-layer end-to-end encryption boundary, so treat the operated relay as trusted beta infrastructure.

Encrypted transit

HTTPS and WSS

The default remote origin is https://remote.osauer.dev; the connector URL is upgraded to wss://.

Local auth

Pairing stays on your Mac

Remote requests cannot create pairing sessions. That local-control action is accepted only from the Mac-side app.

No broker custody

No hosted IBKR login

The relay does not receive an IBKR username, password, TWS socket, or hosted broker connection. Your local TWS/Gateway remains the source.
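An added sketch (not Canary's own code) of two properties described above: pairing creation is accepted only on the Mac side, and the short-lived pairing id and nonce from the printed URL are then redeemed from the phone. The class and function names, the 120-second lifetime, and single-use redemption are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PAIRING_TTL_SECONDS = 120  # assumed lifetime; the page only says "short-lived"


@dataclass
class Pairing:
    nonce: str
    expires_at: float
    used: bool = False


class LocalApp:
    """Hypothetical model of the Mac-side app that owns pairing state."""

    def __init__(self):
        self.pairings = {}

    def create_pairing(self, via_relay, now=None):
        # via_relay is set by the listener the request arrived on (relay
        # connector vs. local socket), never by a client-supplied header.
        if via_relay:
            raise PermissionError("pairing creation is a local-control action")
        now = time.time() if now is None else now
        pairing_id = secrets.token_urlsafe(8)
        nonce = secrets.token_urlsafe(32)
        self.pairings[pairing_id] = Pairing(nonce, now + PAIRING_TTL_SECONDS)
        return pairing_id, nonce

    def redeem_pairing(self, pairing_id, nonce, now=None):
        # Redemption may arrive through the relay. Single use is an assumption.
        now = time.time() if now is None else now
        pairing = self.pairings.get(pairing_id)
        if pairing is None or pairing.used or now > pairing.expires_at:
            return False
        # Constant-time comparison avoids leaking how much of the nonce matched.
        if not hmac.compare_digest(pairing.nonce.encode(), nonce.encode()):
            return False
        pairing.used = True
        return True
```

Because the relay is not an app-layer encryption boundary, a check like this has to live in the local process: the relay sees the pairing URL parameters in transit, so expiry and one-time redemption are what limit their value.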

Screenshots.

These captures are from the real PWA served by ibkr app against a paper account, with account values visible.

Canary mobile app with account, market regime, and portfolio canary panels

Canary app wide viewport showing account, market regime, portfolio canary, and protection panels