
Protect Upstreams

Gateway is the protected-resource ingress. It validates inbound Caracal authority, checks replay and revocation, exchanges with STS, and forwards to configured upstreams only after safety checks pass.

| Property | Value |
| --- | --- |
| Port | 8081 |
| Health/readiness | /health, /ready |
| Metrics | /metrics, /metrics.json |
| Revocation reload | POST /internal/revocations/reload |
```mermaid
sequenceDiagram
  participant Client
  participant Gateway
  participant STS
  participant Upstream
  participant Audit
  Client->>Gateway: bearer token + X-Caracal-Resource
  Gateway->>Gateway: verify JWT, jti, revocation, binding, path, upstream safety
  Gateway->>STS: signed per-request exchange
  STS-->>Gateway: resource mandate
  Gateway->>Upstream: proxied request
  Gateway->>Audit: audit event or replay file
```

Gateway rejects a request on any of the following:

  • Missing, malformed, oversized, expiring, replayed, revoked, or signature-invalid bearer token.
  • Missing X-Caracal-Resource.
  • No binding for (zone_id, resource).
  • Client-supplied X-Caracal-Client-ID.
  • Path traversal.
  • Operation (method and path) not declared on an enforced resource, or missing the operation’s required scope.
  • STS exchange failure or open STS circuit.
  • Unsafe upstream destination.
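The rejection list above, run as code. This is an added example written for this page, not Caracal's Gateway implementation: the compact token format (an HMAC-signed token minted locally so the block runs offline), the binding table, the allowlist, the revoked-jti set, the size and expiry thresholds, and the claim names (`zone_id`, `jti`, `exp`, `scope`) are all constructed assumptions; only the header names X-Caracal-Resource and X-Caracal-Client-ID and the UPSTREAM_HOST_ALLOWLIST idea come from the page. The STS exchange is left as a comment at the point where it would occur.

```python
import base64, hashlib, hmac, json, posixpath, time
from urllib.parse import unquote, urlsplit

# Constructed configuration: assumptions for this demo, not Caracal's real settings.
TOKEN_KEY = b"constructed-demo-signing-key"     # stands in for the verification key fetched via STS_URL
MAX_TOKEN_BYTES = 4096                           # "oversized" threshold (assumed)
EXPIRY_SKEW_SECONDS = 30                         # "expiring" threshold (assumed)
UPSTREAM_HOST_ALLOWLIST = {"billing.internal"}   # stand-in for UPSTREAM_HOST_ALLOWLIST
REVOKED_JTIS = {"jti-revoked-1"}                 # what the revocation reload endpoint would load
BINDINGS = {  # (zone_id, resource) -> upstream and the operations declared on it (constructed)
    ("zone-a", "billing"): {"upstream": "https://billing.internal",
                            "operations": {("GET", "/invoices"): "invoices:read",
                                           ("POST", "/invoices"): "invoices:write"}},
}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, key=TOKEN_KEY):
    """Constructed HS256-style compact token (header.payload.sig) so the demo runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class Gateway:
    def __init__(self, now=time.time):
        self.now = now
        self.seen_jtis = set()  # replay cache; fail closed (never JTI_FAIL_OPEN) if it is unavailable

    def _verify_token(self, authz):
        """Bearer-token checks in the order the page lists them: (claims, None) or (None, reason)."""
        if not authz or not authz.startswith("Bearer "):
            return None, "missing or malformed bearer token"
        token = authz[len("Bearer "):]
        if len(token) > MAX_TOKEN_BYTES:
            return None, "oversized bearer token"
        parts = token.split(".")
        if len(parts) != 3:
            return None, "malformed bearer token"
        header, payload, sig = parts
        try:
            expected = hmac.new(TOKEN_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64url(sig)):
                return None, "signature-invalid bearer token"
            claims = json.loads(_unb64url(payload))
        except ValueError:  # bad base64 (binascii.Error) or bad JSON
            return None, "malformed bearer token"
        if not isinstance(claims, dict) or not claims.get("jti") or not isinstance(claims.get("exp"), (int, float)):
            return None, "malformed bearer token"
        if claims["exp"] - self.now() < EXPIRY_SKEW_SECONDS:
            return None, "expiring or expired bearer token"
        if claims["jti"] in REVOKED_JTIS:
            return None, "revoked bearer token"
        if claims["jti"] in self.seen_jtis:
            return None, "replayed bearer token"
        self.seen_jtis.add(claims["jti"])  # consume on first sight, whatever the later checks decide
        return claims, None

    @staticmethod
    def safe_path(raw_path):
        # Decode once, then require the path to already be canonical (no '..', no '//').
        path = unquote(raw_path.split("?", 1)[0])
        if not path.startswith("/") or "//" in path or ".." in path.split("/"):
            return None
        return path if posixpath.normpath(path) == path else None

    @staticmethod
    def upstream_is_safe(upstream):
        u = urlsplit(upstream)  # https only, no userinfo, host pinned to the allowlist
        return u.scheme == "https" and u.username is None and u.hostname in UPSTREAM_HOST_ALLOWLIST

    def handle(self, method, raw_path, headers):
        # Run the ingress checks; return ("forward", url) or ("reject", reason).
        h = {k.lower(): v for k, v in headers.items()}
        claims, err = self._verify_token(h.get("authorization"))
        if err:
            return "reject", err
        resource = h.get("x-caracal-resource")
        if not resource:
            return "reject", "missing X-Caracal-Resource"
        if "x-caracal-client-id" in h:  # only Gateway itself may assert the client identity
            return "reject", "client-supplied X-Caracal-Client-ID"
        binding = BINDINGS.get((claims.get("zone_id"), resource))
        if binding is None:
            return "reject", "no binding for (zone_id, resource)"
        path = self.safe_path(raw_path)
        if path is None:
            return "reject", "path traversal"
        required = binding["operations"].get((method.upper(), path))
        if required is None:
            return "reject", "operation not declared on resource"
        if required not in str(claims.get("scope", "")).split():
            return "reject", "missing required scope"
        if not self.upstream_is_safe(binding["upstream"]):
            return "reject", "unsafe upstream destination"
        # The signed per-request STS exchange for the resource mandate would happen here (not modelled).
        return "forward", binding["upstream"] + path
```

Two choices are worth noting. The path check decodes exactly once and then insists the result is already canonical rather than normalizing and forwarding, so an encoded `..` or a doubled slash is rejected instead of silently rewritten. The jti is consumed the first time a validly signed token is seen, before the binding and scope checks, so a token that fails a later check cannot be presented again; combined with a replay cache that fails closed when unavailable, this is the behaviour the JTI_FAIL_OPEN prohibition in the variable table is there to guarantee.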
| Variable | Purpose |
| --- | --- |
| STS_URL | STS endpoint for exchange and JWKS. |
| GATEWAY_STS_HMAC_KEY | Signs Gateway exchange requests. |
| MAX_REQUEST_BYTES | Request body limit, default 10 MiB. |
| UPSTREAM_HOST_ALLOWLIST | Optional egress allowlist pinning upstreams to named hosts. |
| JTI_FAIL_OPEN | Forbidden in published modes. |
| AUDIT_REPLAY_DIR | Replay directory for audit events. |

Use Ingest Audit Evidence to understand how Gateway, STS, API, Coordinator, and Control evidence becomes searchable audit state.