Like other web services, festivald can be set-up & accessed via Tor.

A public instance of festivald with Creative Commons licensed music is available at:

and its Onion Service is available at:


Onion Service

festivald doesn't have special integration with Tor, but it can easily be turned into an Onion Service.

After getting festivald setup normally, follow the Onion Service instructions here.

Your torrc should look something like:

HiddenServiceDir /var/lib/tor/festivald
HiddenServicePort 80

And in /var/lib/tor/festivald, you should have your onion service hostname, keys, etc.

This onion service will allow you to interact with festivald in all the normal ways, although, you must connect to it via Tor.


To use festivald's JSON-RPC API over Tor, your HTTP client must either use a proxy, or be wrapped with torsocks.


	--proxy socks5:// \ # The Tor SOCKS5 proxy.
	--festivald $ONION \              # The onion address mapped to `festivald`
	daemon_state                      # Method

# or with `torsocks`
torsocks festival-cli -f $ONION daemon_state

curl \
	--socks5-hostname \                    # The Tor SOCKS5 proxy.
	--festivald $ONION \                                  # The onion address mapped to `festivald`
	-d '{"jsonrpc":"2.0","id":0,"method":"daemon_state"}' # Method


For the REST API, it is the same: your HTTP client must connect over Tor.

Although you could just use Tor Browser.

http://omjo63yjj66ga7jlvhqib4z4qgx6y6oigjcpjcr5ehhfdugfuami3did.onion/map/Ludwig van Beethoven/Moonlight Sonata 1/Moonlight Sonata Op. 27, No. 2 In C Sharp Minor: Allegretto

The equivalent curl command:


curl --socks5-hostname $SOCKS -JO $ONION/map/Artist%20Name/Artist%20Title/Song%20Title


Since Onion Service's are end-to-end encrypted, HTTPS is not required.

Thus, festivald can freely pass authentication tokens around when used as an Onion Service.

Although, since festivald cannot know if an onion address is being mapped to it, you must pass:

festivald --confirm-no-tls-auth

or set the confirm_no_tls_auth configuration to confirm that you allow authentication without TLS.

If the IP festivald is binding to is localhost/, this setting will be enabled by default.

For festival-cli, it will automatically detect if you're connecting to an onion address and will allow authentication.