Architecture
The two independent planes that share one database and talk over HTTP.
Tenants and applications
Every object belongs to a tenant. A tenant holds members (with roles),
applications, API keys, connections, webhooks, and billing. An
application is one product surface: connections and widget tokens are minted
against an application, and its client_secret is what your server exchanges for
widget JWTs.
The two planes
- Connect plane (the control-plane) — the
/v1REST API, the four DNS connect rails, the propagation poller, quotas/metering, webhooks, and the OAuth/Domain-Connect machinery. - Edge plane — on-demand TLS termination + reverse proxy, gated by a single
internal
askcall to the control-plane.
Both planes share one Postgres database but scale independently and talk only over HTTP.
The edge hot path
POST /internal/ask (shared-secret auth via X-Edge-Auth / EDGE_ASK_SECRET)
is the only call the edge makes into the control-plane. It answers
{ approved } from a single indexed lookup — no joins, no billing — so the TLS
handshake never blocks on business logic. A host is approved iff a connection for
it exists and is live or propagating; the edge then issues the certificate on
demand during the handshake. Quota and metering are enforced only on the
control-plane write path, never here.
See Connections for the lifecycle and Self-hosting for how to run both planes.