# Sidecar Network > Give any Docker container its own public IPv4 and IPv6 address — all ports, all protocols, no proxying. Works behind CGNAT, Starlink, T-Mobile 5G, and any NAT that passes outbound UDP. ## Quickstart - [Install Guide](/docs): One command installs the agent. Add sidecar.enable=true to any container for a public IP in ~5 seconds. - [Pricing](/pricing): Free tier (3 peers), paid from $0.99/mo. No bandwidth caps, never any per-GB charges. - [API Reference](/api): REST API for managing peers, tokens, and billing. ## How it works - [Architecture](/docs#how-it-works): WireGuard kernel netns injection. The container IS the IP — no NAT, no proxy, every protocol including raw UDP and ICMP. - [Post-Quantum Security](/docs#pqenc): X-Wing hybrid KEM mandatory on all connections since initial release. - [6 Global Regions](/docs): us-east, us-west, us-west1 (dedicated), ca-east, eu-west, eu-central. ## Install - [Linux (systemd)](/install): curl -fsSL https://sidecar.network/install | sh (requires root, Linux with Docker) - [Docker Desktop (macOS/Windows)](/docs#docker-desktop): docker run command — no systemd needed - [Docker Network Plugin](/docs#plugin): Alternative install via docker run sidecar-plugin container - [Self-host a relay](/self-host): Debian 12+, IPv6 /64, make relay ## API - [OpenAPI spec](/api/openapi.json): Full REST API spec for programmatic access - [Token management](/tokens): Create and manage API tokens at /tokens ## For AI Agents — Headless / Automated Install AI agents can install Sidecar without a browser, email, or human-in-the-loop steps using RFC 8628 device-code flow. ### Machine-readable entry points - [Agent Onboarding Manifest](/.well-known/agent-onboarding.json): Step-by-step install contract — preflight checks, signed install steps, typed error taxonomy, resume semantics. Start here. - [A2A Agent Card](/.well-known/agent-card.json): Google A2A capability declaration with skills and OAuth2 security schemes. - [RFC 9728 Resource Metadata](/.well-known/oauth-protected-resource): OAuth 2.0 Protected Resource Metadata. MCP clients follow this on 401. - [RFC 8414 Auth Server Metadata](/.well-known/oauth-authorization-server): Lists device_authorization_endpoint for RFC 8628 clients. ### Getting a token without a browser (device flow) 1. POST https://sidecar.network/v1/device/authorize with body `{"scope":"peers:add peers:read","tier":"free"}` — returns `device_code`, `user_code`, `verification_uri_complete` 2. Show the user the `user_code` and ask them to open `verification_uri_complete` 3. Poll https://sidecar.network/v1/device/token with `{"device_code":"..."}` every 5s 4. On 200, `access_token` is the bearer token. Set as SIDECAR_TOKEN. ### Dry-run the installer (no root required) ``` curl -fsSL https://sidecar.network/install | sh -s -- --print-only ``` ### Install once you have a token ``` SIDECAR_TOKEN=sct_live_... SIDECAR_AGREE_TOS=1 curl -fsSL https://sidecar.network/install | sudo sh ``` ### Verify a container is reachable after install ``` GET https://sidecar.network/v1/peers/by-container/ Authorization: Bearer sct_live_... ``` Returns `{"up":true,"externally_reachable":true,"ipv6":"...","ipv4":"..."}` when provisioned. ## Legal - [Terms of Service](/terms) - [Privacy Policy](/privacy) - [Acceptable Use Policy](/aup) - [Bug Bounty](/security) - [Warrant Canary](/warrant-canary)