Mixed

mixed inbound is a socks4, socks4a, socks5 and http server.

Structure

{
  "type": "mixed",
  "tag": "mixed-in",

  ... // Listen Fields

  "users": [
    {
      "username": "admin",
      "password": "admin"
    }
  ],
  "jwt_auth": {
    "issuer": "my-issuer",
    "audience": ["my-service"],
    "algorithm": "HS256",
    "hmac_secret": "your-secret-key"
  },
  "set_system_proxy": false
}

Listen Fields

See Listen Fields for details.

Fields

users

SOCKS and HTTP users.

No authentication required if empty.

users and jwt_auth are mutually exclusive.

jwt_auth

JWT authentication for SOCKS5 and HTTP proxies.

When enabled, SOCKS5 clients must authenticate using username/password authentication, where the password is a JWT token. HTTP clients must include a Proxy-Authorization: Bearer <token> header.

jwt_auth and users are mutually exclusive.

issuer

JWT issuer string. Required.

audience

JWT audience list. Required. At least one audience must be specified.

algorithm

JWT signing algorithm. Required. Supported values:

Algorithm   Key Type
HS256       HMAC-SHA256
HS384       HMAC-SHA384
HS512       HMAC-SHA512
RS256       RSA-SHA256
RS384       RSA-SHA384
RS512       RSA-SHA512
ES256       ECDSA-SHA256
ES384       ECDSA-SHA384
ES512       ECDSA-SHA512

hmac_secret

HMAC secret key for symmetric algorithms (HS256/384/512). Required when using HMAC algorithms.

public_key_pem

PEM-encoded public key for asymmetric algorithms (RS/ES). Required when using RSA or ECDSA algorithms.

socks_username

SOCKS5 authentication username. The JWT token is sent as the password. Default: jwt.

clock_skew

Allowed clock skew for iat/exp validation. Default: 30s.

JWT Token Format

The JWT token must contain the following claims:

Claim   Type      Description
rid     string    Resource identifier (extracted as connection's ResourceID)
iss     string    Issuer (must match configured issuer)
aud     array     Audience list (must intersect with configured audience)
iat     numeric   Issued at timestamp
exp     numeric   Expiration timestamp
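
The checks described above (issuer match, audience intersection, iat/exp within clock_skew), as an added example that is not part of the original page and not sing-box's own code: an HS256 mint/verify pair using only the Python standard library. The function names, the order of the checks and the boundary handling of the skew window are assumptions.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint(secret, rid, issuer, audience, validity_s, now=None):
    """Build an HS256 token carrying the five claims the page lists."""
    now = int(time.time() if now is None else now)
    claims = {"rid": rid, "iss": issuer, "aud": list(audience),
              "iat": now, "exp": now + validity_s}
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + b64url(sign(secret, signing_input))

def verify(token, secret, issuer, audience, clock_skew_s=30, now=None):
    """Return the rid claim, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    h64, c64, s64 = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm to the configured one; never trust the token's choice.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Check the signature before reading any claim, in constant time.
    if not hmac.compare_digest(b64url_decode(s64), sign(secret, f"{h64}.{c64}")):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not isinstance(aud, list) or not set(aud) & set(audience):
        raise ValueError("audience mismatch")
    iat, exp, rid = claims.get("iat"), claims.get("exp"), claims.get("rid")
    if not all(isinstance(v, (int, float)) for v in (iat, exp)):
        raise ValueError("missing iat/exp")
    if iat > now + clock_skew_s:
        raise ValueError("issued in the future")
    if exp < now - clock_skew_s:
        raise ValueError("expired")
    if not isinstance(rid, str) or not rid:
        raise ValueError("missing rid")
    return rid
```

Pinning alg to the configured value is what makes a token whose header claims "none" or a different algorithm fail before any claim is read.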

Generate JWT Tickets

Use the built-in command to generate JWT tickets for authentication:

sing-box generate jwt-ticket <count> [flags]

Flags:
  --algorithm string   Signing algorithm (HS256, HS384, HS512) (default "HS256")
  --audience strings   JWT audience(s), can be specified multiple times (required)
  --issuer string      JWT issuer (required)
  --prefix string      Resource ID prefix for generated tickets (default "user")
  --secret string      HMAC secret/PSK for signing (required)
  --validity string    Token validity duration (e.g., 24h, 7d, 30d) (default "24h")

Example:

# Generate 10 tickets with 30-day validity
sing-box generate jwt-ticket 10 \
  --issuer "my-service" \
  --audience "api-gateway" \
  --secret "my-secret-key" \
  --prefix "client" \
  --validity "30d"

Usage Examples

SOCKS5 Authentication

Connect with username jwt (or custom socks_username) and the JWT token as password:

# Using curl with SOCKS5: the username is "jwt", the password is the JWT token
curl --proxy socks5://127.0.0.1:1080 \
     --proxy-user "jwt:<token>" \
     https://example.com

HTTP Authentication

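Use a Bearer token in the Proxy-Authorization header:

# --proxy-header sends the header to the proxy (including on CONNECT for
# https:// targets); -H would send the token to the destination server instead
curl -x http://127.0.0.1:8080 \
     --proxy-header "Proxy-Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
     https://example.com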

set_system_proxy

Only supported on Linux, Android, Windows, and macOS.

To work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.

Automatically set the system proxy configuration on start and clean it up on stop.