Security model
Written for the engineer evaluating whether to put a device in a customer's building. No security theatre — just what the system does.
Every device has its own identity
Every device holds its own CA-issued certificate. The private key is generated on the device and never leaves it.
Enrollment is a certificate signing request: the device generates its keypair locally and sends only a CSR. Renewal is automatic and proves possession of the current key. Identities are SPIFFE URIs, scoped to your organization, over a TLS 1.3 floor with mutual authentication on the tunnel.
Revocation is fast
Revoke a device and its live tunnels drop in seconds — the relay re-checks certificate status continuously.
What we can and cannot see
| We can see | We cannot see |
|---|---|
| Per-interval byte and connection counters (for metrics and quotas) | The contents of passthrough traffic — it is never decrypted |
| Device and route metadata you configure | Your payloads on TLS-passthrough routes |
| An append-only audit trail of state changes | Anything a routing decision does not require |
Passthrough traffic is never decrypted at the relay. We route by TLS SNI without reading a single byte of your payload.
Routes you choose to terminate at the edge are, by definition, decrypted there to apply the access rules you enabled — that is a choice you make per route, not a default.
Tenant isolation
Every resource belongs to an organization, and the boundary is enforced and adversarially tested in CI.
Account security
Console accounts get role-based access, optional TOTP two-factor, and an append-only audit trail.