Overview
VMSC is designed to run locally on your machine. It does not phone home, collect telemetry, or transmit personal data. This page documents every network connection the software makes so you can audit, firewall, or proxy as needed.
All sensitive credentials (API keys, session tokens, OAuth tokens) are stored locally using AES-256-GCM encryption via electron-store. They are never sent to any server other than the ones listed below.
Local Services
These services run on your machine and bind to localhost by default. They are not accessible from other devices on your network unless you explicitly configure tunnel access.
| Service | Protocol | Default Address | Default Port | Direction | Purpose |
|---|---|---|---|---|---|
| Overlay Server | HTTP / WebSocket | localhost | 7890 | Inbound | Serves overlay HTML pages to OBS browser sources and standalone browsers. Also handles WebSocket connections for real-time overlay updates. |
| VRChat OSC (Send) | UDP (OSC) | 127.0.0.1 | 9000 | Outbound | Sends avatar parameter changes and chatbox messages to VRChat. |
| VRChat OSC (Receive) | UDP (OSC) | 127.0.0.1 | 9001 | Inbound | Listens for avatar parameter updates from VRChat. |
Local Network Exposure: The overlay server binds to localhost only. If you need remote access, use the built-in Cloudflare Tunnel system rather than exposing the port directly.
External Connections
VMSC connects to the following external services. All external connections use TLS/HTTPS encryption.
| Service | Protocol | Hostname | Port | When | Purpose |
|---|---|---|---|---|---|
| Gatekeeper (Auth) | HTTPS | auth.vryionic.com | 8443 | App startup & license check | License validation, Patreon OAuth token exchange, remote config fetch, Cloudflare Tunnel provisioning. Operated by Vryionic. |
| TikTok LIVE | WebSocket (TLS) | *.tiktok.com | 443 | When connected to a stream | Receives real-time chat, gift, follow, like, and share events from TikTok LIVE streams via tiktok-live-connector. |
| TikFinity Bridge | WebSocket (TLS) | *.tikfinity.zerody.one | 443 | When using TikFinity mode | Alternative TikTok connection that routes through TikFinity's WebSocket bridge infrastructure. |
| PiShock API | WebSocket (TLS) | ws.pishock.com | 443 | When PiShock actions are active | Sends vibrate, beep, and shock commands to PiShock devices. Includes device discovery and emergency stop. |
| Patreon OAuth | HTTPS | www.patreon.com | 443 | Premium login only | OAuth 2.0 authorization flow for linking your Patreon account to verify Premium membership. |
| Discord Webhooks | HTTPS | discord.com | 443 | When Discord webhook actions fire | Sends event notifications to Discord channels via user-configured webhook URLs. |
| Custom Webhooks | HTTPS | User-configured | User-configured | When webhook actions fire | HTTP POST to arbitrary URLs with templated payloads. Only connects to URLs you explicitly configure. |
| Cloudflare Tunnel | HTTPS / QUIC | *.cfargotunnel.com | 7844 | Premium — when tunnel is active | Exposes your local overlay server over HTTPS for remote access without port forwarding. Provisioned via Gatekeeper. |
| HuggingFace | HTTPS | huggingface.co | 443 | Premium — AI model download only | Downloads GGUF model files for the local AI assistant. Models run entirely on your machine after download. |
| Electron Updater | HTTPS | *.amazonaws.com | 443 | App startup (update check) | Checks for and downloads new VMSC releases via electron-builder's auto-update system. |
Data Flow Summary
Here is what data leaves your machine and where it goes:
| Data | Destination | Notes |
|---|---|---|
| Machine ID (hardware hash) | auth.vryionic.com | Used for license seat counting. Not linked to personal identity. |
| Patreon OAuth token | auth.vryionic.com | Exchanged for a VMSC JWT. Patreon token is not stored server-side after exchange. |
| VRChat avatar parameters | 127.0.0.1:9000 (local) | OSC messages stay on your machine. Never sent externally. |
| PiShock commands | ws.pishock.com | Vibrate/beep/shock commands sent to your PiShock account using your API key. |
| Webhook payloads | User-configured URLs | Templated event data sent only to URLs you explicitly set up. |
| Overlay content | localhost:7890 or tunnel | Overlay state stays local unless you enable the Cloudflare Tunnel for remote access. |
What VMSC Does NOT Do
- No telemetry — VMSC does not collect usage analytics, crash reports, or behavioral data.
- No tracking — No cookies, fingerprinting, or third-party tracking scripts.
- No data selling — Your stream data, viewer information, and configuration are never shared with third parties.
- No cloud storage — All rules, actions, viewer data, and settings are stored locally on your machine.
- No background connections — When VMSC is idle (not connected to a stream), it makes no outbound connections except the initial update check on startup.
- No AI cloud processing — The AI assistant runs entirely on your local hardware using downloaded GGUF models. Your prompts and conversations never leave your machine.
Security Measures
| Measure | Details |
|---|---|
| Credential Encryption | API keys and tokens stored with AES-256-GCM via electron-store. Encryption key is derived from machine-specific data. |
| Origin Restriction | Overlay server restricts CORS to localhost origins only. Cross-origin requests from other hosts are rejected. |
| Path Traversal Protection | All file-serving endpoints reject paths containing .. or other traversal sequences. |
| WebSocket Authentication | Connections require a valid per-session token injected into the overlay HTML at serve time. |
| Rate Limiting | Maximum of 10 WebSocket connections per IP. Excess connections are dropped. |
| Message Size Limits | WebSocket messages capped at 512 KB. Oversized messages close the connection. |
Firewall Configuration
If you want to restrict VMSC's network access, here are the minimum rules needed for each feature:
| Feature | Required Access | Can Be Blocked? |
|---|---|---|
| Core app + overlays | Localhost only (no internet) | No — required |
| TikTok LIVE connection | *.tiktok.com:443 | No — required for stream events |
| License validation | auth.vryionic.com:8443 | No — required for startup |
| Auto-updates | *.amazonaws.com:443 | Yes — updates will be skipped |
| PiShock | ws.pishock.com:443 | Yes — PiShock actions won't work |
| Discord webhooks | discord.com:443 | Yes — Discord notifications won't send |
| Cloudflare Tunnel | *.cfargotunnel.com:7844 | Yes — remote overlay access won't work |
| AI model download | huggingface.co:443 | Yes — cannot download new models |
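One way to audit observed traffic against the endpoints documented on this page, as an added example that is not VMSC's own code. The `[name, host, port]` tuple shape, the function names, the sample connections and the wildcard-matching rule are assumptions made for illustration.

```javascript
// Endpoints transcribed from the External Connections table on this page.
const DOCUMENTED = [
  ["Gatekeeper (Auth)", "auth.vryionic.com", 8443],
  ["TikTok LIVE", "*.tiktok.com", 443],
  ["TikFinity Bridge", "*.tikfinity.zerody.one", 443],
  ["PiShock API", "ws.pishock.com", 443],
  ["Patreon OAuth", "www.patreon.com", 443],
  ["Discord Webhooks", "discord.com", 443],
  ["Cloudflare Tunnel", "*.cfargotunnel.com", 7844],
  ["HuggingFace", "huggingface.co", 443],
  ["Electron Updater", "*.amazonaws.com", 443],
];
const LOCAL_PORTS = new Set([7890, 9000, 9001]); // overlay server, OSC send, OSC receive
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);

// Assumption: "*." matches one or more leading labels, never the bare apex.
// Matching on the ".suffix" boundary keeps "eviltiktok.com" from passing.
function hostMatches(pattern, host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const p = pattern.toLowerCase();
  if (!p.startsWith("*.")) return h === p;
  const suffix = p.slice(1); // e.g. ".tiktok.com"
  return h.length > suffix.length && h.endsWith(suffix);
}

// Classify one observed connection. `extra` holds user-configured webhook
// endpoints in the same [name, host, port] shape.
function classify(conn, extra = []) {
  const host = conn.host.toLowerCase();
  if (LOOPBACK.has(host)) return LOCAL_PORTS.has(conn.port) ? "local" : "undocumented-local";
  const hit = [...DOCUMENTED, ...extra].find(
    ([, pattern, port]) => port === conn.port && hostMatches(pattern, host)
  );
  return hit ? hit[0] : "undocumented";
}

// Return only the connections this page does not account for.
function auditConnections(observed, extra = []) {
  return observed.filter((c) => classify(c, extra).startsWith("undocumented"));
}

// Constructed sample, e.g. host/port pairs taken from a proxy or DNS log.
const SAMPLE = [
  { host: "edge1.tiktok.com", port: 443 }, { host: "auth.vryionic.com", port: 8443 },
  { host: "auth.vryionic.com", port: 443 }, { host: "eviltiktok.com", port: 443 },
  { host: "127.0.0.1", port: 9000 }, { host: "hooks.example.org", port: 443 },
];
```

`auditConnections(SAMPLE)` flags the wrong-port Gatekeeper connection, the look-alike domain and the unlisted webhook host. Note that `*.amazonaws.com` covers every AWS-hosted endpoint, so a match on that row confirms only the hosting provider, not that the traffic is the updater.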