Proxy Through Gateway

Gateway is served on port 8081. It is not a CRUD API; it is a protected reverse proxy for configured resources.

| Method | Path | Purpose |
|---|---|---|
| GET | /health | Liveness check. |
| GET | /ready | Readiness check. |
| GET | /metrics | Prometheus metrics. |
| GET | /metrics.json | JSON metrics. |
| POST | /internal/revocations/reload | Reload revocation snapshot. |

| Input | Required | Purpose |
|---|---|---|
| Authorization: Bearer ... | yes | Inbound Caracal mandate. |
| X-Caracal-Resource | yes | Resource identifier used to find a Gateway binding. |
| Request path | yes | Forwarded to the configured upstream after traversal checks. |

Gateway ignores client attempts to set X-Caracal-Client-ID; the client ID is bound by Gateway configuration.

Gateway rejects before upstream dispatch. Treat these checks as the safety gate in front of every protected upstream.

| Stage | Checks |
|---|---|
| Request preflight | Bearer token exists, token size is bounded, X-Caracal-Resource exists, and request path is not traversal. |
| Token validation | Token is well formed, not expiring inside the preflight window, signature-valid, not replayed, not revoked, and includes a zone. |
| Binding resolution | (zone_id, resource) has a Gateway binding and the bound upstream passes host safety checks. |
| STS exchange | Gateway’s STS circuit is closed and the signed exchange succeeds. |

After checks pass, Gateway performs a signed STS exchange, receives a resource mandate, forwards the request to the bound upstream, and emits audit evidence. Request and upstream timeouts are controlled by Gateway service config.
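The request preflight stage, written out as an added illustration that is not the Caracal project's own code. The header names come from the page; the 8 KiB token bound, the configured client ID value and the path normalisation rules are assumptions made for this example.

```python
"""Gateway request preflight: the checks that run before token validation.

Illustrative only. Header names are from the Gateway docs; the size bound,
the client ID value and the traversal rules are assumptions for this example.
"""
from typing import Optional, Tuple
from urllib.parse import unquote

MAX_TOKEN_BYTES = 8192                 # assumed bound on inbound mandate size
CONFIGURED_CLIENT_ID = "gw-client-01"  # assumed; bound by Gateway config, not the client


def is_traversal(path: str) -> bool:
    """True when the request path could escape the upstream's root.

    Percent-decoding is applied twice so single- and double-encoded dots
    ('%2e', '%252e') are caught, and backslashes are treated as slashes.
    """
    decoded = unquote(unquote(path)).replace("\\", "/")
    if not decoded.startswith("/") or "\x00" in decoded:
        return True
    return ".." in decoded.split("/")


def preflight(headers: dict, path: str) -> Tuple[Optional[str], dict]:
    """Return (reject_reason, forward_headers).

    reject_reason is None when the request may proceed to token validation.
    forward_headers always carries the configured client ID: any
    X-Caracal-Client-ID the client sent is dropped, as the docs describe.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    if not token:
        return "missing bearer token", {}
    if len(token.encode()) > MAX_TOKEN_BYTES:
        return "token too large", {}
    if not lowered.get("x-caracal-resource"):
        return "missing X-Caracal-Resource", {}
    if is_traversal(path):
        return "path traversal", {}
    forward = {k: v for k, v in headers.items()
               if k.lower() != "x-caracal-client-id"}
    forward["X-Caracal-Client-ID"] = CONFIGURED_CLIENT_ID
    return None, forward
```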

Continue to Use Event Topics to understand the Redis Stream topics that carry audit, invalidation, revocation, and agent lifecycle events.