Birdcage sits on a VPS and handles auth and reverse proxying. The connection back home runs over WireGuard, so the VPS only sees opaque packets. The agent manages its own WireGuard interface, discovers endpoints via STUN, and falls back to a relay when direct UDP fails.
Auth uses PBKDF2 for password hashing, with an adaptive proof-of-work requirement imposed on brute-force attempts; a JWT dual-token (access/refresh) pattern with sliding session expiry; and WireGuard key rotation on a configurable interval. Single binary, pure Go, no CGO.
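As an added illustration of the "adaptive proof-of-work on brute force" idea (example code, not Birdcage's own implementation), the sketch below gates login attempts per account: after a few free failures the client must present a SHA-256 proof with a rising number of leading zero bits before the server will even run PBKDF2. The policy constants (3 free failures, 8 starting bits, a cap of 22), the `Gate` type and its method names, and the sample challenge bytes are assumptions made for this example, not Birdcage's parameters.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
	"sync"
)

// Hypothetical policy: the first few failures cost nothing; after that each
// further failure adds one bit of difficulty (doubling the client's work),
// capped so an honest user on a slow device can still log in.
const (
	freeFailures = 3
	startBits    = 8  // ~256 hashes on the first gated attempt
	maxBits      = 22 // ~4M hashes; tune per deployment
)

// difficultyFor maps a per-account failure count to the number of leading
// zero bits the client's proof must have (0 means no proof required).
func difficultyFor(failures int) int {
	if failures < freeFailures {
		return 0
	}
	d := startBits + (failures - freeFailures)
	if d > maxBits {
		return maxBits
	}
	return d
}

// leadingZeroBits counts the leading zero bits of a digest.
func leadingZeroBits(h []byte) int {
	n := 0
	for _, b := range h {
		if b == 0 {
			n += 8
			continue
		}
		n += bits.LeadingZeros8(b)
		break
	}
	return n
}

// powDigest hashes challenge || nonce (nonce as 8 big-endian bytes).
func powDigest(challenge []byte, nonce uint64) [32]byte {
	buf := make([]byte, 0, len(challenge)+8)
	buf = append(buf, challenge...)
	buf = binary.BigEndian.AppendUint64(buf, nonce)
	return sha256.Sum256(buf)
}

// verifyPoW is the server-side check: cheap, one hash.
func verifyPoW(challenge []byte, nonce uint64, difficulty int) bool {
	if difficulty <= 0 {
		return true
	}
	d := powDigest(challenge, nonce)
	return leadingZeroBits(d[:]) >= difficulty
}

// solvePoW is what the client does: brute-force a nonce, ~2^difficulty hashes.
func solvePoW(challenge []byte, difficulty int) uint64 {
	for n := uint64(0); ; n++ {
		if verifyPoW(challenge, n, difficulty) {
			return n
		}
	}
}

// Gate tracks failures and outstanding challenges per account. A real
// deployment would also key on source IP and expire stale entries.
type Gate struct {
	mu       sync.Mutex
	failures map[string]int
	pending  map[string][]byte // challenge issued but not yet consumed
}

func NewGate() *Gate {
	return &Gate{failures: map[string]int{}, pending: map[string][]byte{}}
}

// RequiredBits reports the current difficulty for an account.
func (g *Gate) RequiredBits(account string) int {
	g.mu.Lock()
	defer g.mu.Unlock()
	return difficultyFor(g.failures[account])
}

// Challenge issues a fresh random challenge when a proof is required.
func (g *Gate) Challenge(account string) (challenge []byte, difficulty int, err error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	d := difficultyFor(g.failures[account])
	if d == 0 {
		return nil, 0, nil
	}
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, 0, err
	}
	g.pending[account] = c
	return c, d, nil
}

// Admit decides whether an attempt may proceed to PBKDF2 verification.
// A solved challenge is consumed so it cannot be replayed.
func (g *Gate) Admit(account string, nonce uint64) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	d := difficultyFor(g.failures[account])
	if d == 0 {
		return true
	}
	c, ok := g.pending[account]
	if !ok || !verifyPoW(c, nonce, d) {
		return false
	}
	delete(g.pending, account)
	return true
}

func (g *Gate) RecordFailure(account string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.failures[account]++
}

func (g *Gate) RecordSuccess(account string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	delete(g.failures, account)
	delete(g.pending, account)
}

func main() {
	g := NewGate()
	for i := 0; i < 5; i++ {
		g.RecordFailure("alice")
	}
	c, d, _ := g.Challenge("alice")
	nonce := solvePoW(c, d) // the client's work
	fmt.Printf("difficulty=%d nonce=%d admitted=%v replay=%v\n",
		d, nonce, g.Admit("alice", nonce), g.Admit("alice", nonce))
}
```

The proof only throttles the cheap path; the PBKDF2 check still runs after `Admit` returns true, and the failure counter is what raises the next challenge's difficulty. Keying the counter on the account (not just the source IP) is what makes distributed password spraying pay the cost too.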