FAQ & Troubleshooting

Each question below is a short, self-contained section. An AI assistant given any one section can answer the question without reading the rest of the page.

What will it cost?

PhoenixVPS runs a VPN server in your own cloud account, so you pay your cloud provider directly — PhoenixVPS itself has no subscription fee. Your cost is mainly the hourly price of the small cloud server while it exists, plus data transfer (egress).

You are billed for as long as the server exists, not just while the VPN tunnel is connected. When you finish, use the app’s Tear Down VPN Server action to terminate the server and stop the charges — see Is my VPN server deleted when I disconnect?.

Detailed per-hour and per-day figures — including AWS’s per-hour public IPv4 charge and egress, which are easy to overlook — are on the Pricing page. Note that all figures are currently unverified placeholder rates; see each provider’s official pricing page for confirmed numbers.

Does PhoenixVPS ever see my admin or root cloud keys?

No. You create a scoped credential — an IAM user via CloudFormation on AWS, or a scoped API token on Hetzner and Infomaniak — that can only manage the resources PhoenixVPS creates. That scoped credential is the only thing you hand to the app.

Your admin or root keys stay in your cloud console. PhoenixVPS never asks for them, never receives them, and has no way to act on them.

How do I revoke access?

The method depends on your provider:

AWS: Delete the CloudFormation stack named PhoenixVPS (or whatever you named it) in your AWS console. This deletes the phoenixvps-provisioner IAM user and its access key. Then open PhoenixVPS → Settings → Cloud accounts and remove the AWS profile.
Hetzner: Go to your Hetzner Cloud project → Security → API Tokens, find the token you created for PhoenixVPS, and delete it. Then remove the Hetzner account in PhoenixVPS settings.
Infomaniak: Log in to your Infomaniak Manager, navigate to API keys, and delete the PhoenixVPS key. Then remove the Infomaniak account in PhoenixVPS settings.

After revocation, PhoenixVPS cannot create or manage any resources in your account. Any server that was running at the time of revocation will continue to run until you delete it manually in your cloud console.

Can my AI assistant help me set this up?

Yes. The guides on this site are written specifically for AI-assisted setup. You can:

Paste a page into your assistant (Claude.ai, ChatGPT, Gemini, etc.) and ask it to walk you through the steps.
Point your assistant at a URL — the guides are plain Markdown, and the assistant can fetch and read them directly.
Use the llms.txt index — the whole site is summarised for language models at /llms.txt (short index) and /llms-full.txt (full content). Your AI can fetch the index and then fetch individual pages on demand.

Every step in every guide is complete from text alone — the AI does not need to see any screenshots to coach you through the process.

Is my VPN server deleted when I disconnect?

No — disconnecting and tearing down are two separate actions. Disconnecting stops the WireGuard tunnel, but the cloud server keeps running (and keeps billing). To delete the server, use the app’s Tear Down VPN Server action, which terminates the instance in your cloud account. Always tear down the server when you are finished so you are not paying for an idle machine.

The scoped credential and any key pairs stored on your device persist across sessions, so you do not need to repeat the setup when you create a new server later.

What does “scoped credential” mean?

A scoped credential is an access key or API token that can only do a limited set of things. For example, the phoenixvps-provisioner IAM user on AWS can create and delete EC2 instances, security groups, and key pairs that PhoenixVPS tagged — it cannot list your S3 buckets, read your billing data, or touch anything outside those tagged resources.

This limits the damage if the credential is ever compromised: an attacker can spin up a VM (which you pay for) but cannot access your other cloud resources.

Why does the setup use CloudFormation (AWS)?

CloudFormation lets PhoenixVPS create the scoped IAM user without ever seeing your admin keys. You open a “Launch Stack” URL in your browser, review what the stack will create, and click Create stack — all inside your own AWS session. The app receives only the scoped credential the stack emits as its Output.

Hetzner and Infomaniak do not have an equivalent “launch stack” flow, so their guides walk you through creating a scoped API token manually in their web consoles.

I pasted the credential but the app says “Invalid credential”

The most common causes:

Truncation. Copy the full value again from the source (the CloudFormation Outputs tab, the token creation screen, etc.). Do not type it manually; even one wrong character invalidates it.
Expiry. Some providers let you set token expiry at creation time. If the token has expired, go back to your cloud console and create a new one.

Where is my data stored?

Scoped credentials are encrypted in your local credential store (Data Protection API on Windows, Keychain on macOS, Secrect Service on Linux).
SSH Keys are encrypted in your local credential store and handed to ssh-agent if you open a Shell
Tunnel configuration (WireGuard config, key pairs) are stored encrypted on disk under %ProgramData%\PhoenixVPS\ (Windows) and is ACL-locked to the SYSTEM account and local Administrators. You can save an unencrypted copy via the Devices Screen
No telemetry is collected. PhoenixVPS does not send usage data, crash reports, or analytics to any servers