Unkey Deploy is currently in private beta. To get access, reach out on Discord or email support@unkey.com.
DNS
Unkey uses latency-based geolocation routing to resolve both *.unkey.app wildcard domains and custom domains to the closest region to the client.
Frontline
The request arrives at Frontline, Unkey’s global edge layer. Frontline terminates TLS close to the client, so your app never needs to manage certificates. All connections enforce TLS 1.2 or higher, with TLS 1.3 preferred. HTTP requests are redirected to HTTPS automatically. Certificates are provisioned and renewed automatically for both wildcard and custom domains.

After terminating TLS, Frontline resolves the requested domain to a deployment. It consults a globally replicated metadata store that maps every domain to a deployment ID. If the target deployment runs in a different region, Frontline forwards the request to that region automatically.

Sentinel
Frontline forwards the request to Sentinel, the application gateway. Sentinel runs the policies configured for the deployment before the request reaches your code:
- Authentication verifies the caller’s identity
- Rate limiting enforces request quotas
- Custom policies apply additional rules
Request headers
Sentinel adds headers to every proxied request so your app can identify the original client and request context:

| Header | Description |
|---|---|
| X-Forwarded-For | The original client IP address |
| X-Forwarded-Host | The original Host header from the client request |
| X-Forwarded-Proto | The protocol used by the client (https) |
| X-Deployment-Id | The deployment ID that Frontline resolved from the domain |
| X-Unkey-Principal | The authenticated principal, populated by Sentinel’s authentication policy |
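
One way an app behind Sentinel could read the headers in the table above and fail closed when they are missing or malformed. This is an added example, not Unkey's code: `request_context`, `RequestContext`, `UntrustedRequest` and the sample values are hypothetical names. It assumes the app is reachable only through Sentinel, that X-Forwarded-For carries a single address, and that X-Unkey-Principal is an opaque string, since the page does not specify its format.

```python
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional


class UntrustedRequest(ValueError):
    """Proxy headers are missing or malformed; fail closed."""


@dataclass(frozen=True)
class RequestContext:
    client_ip: str
    host: str
    deployment_id: str
    principal: Optional[str]  # None when no authentication policy set it


def request_context(headers: Mapping[str, str]) -> RequestContext:
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}

    def required(name: str) -> str:
        value = h.get(name.lower(), "")
        if not value:
            raise UntrustedRequest(f"missing {name}")
        return value

    # Assumption: one address, as the table describes; a chain is rejected.
    raw_ip = required("X-Forwarded-For")
    try:
        client_ip = str(ipaddress.ip_address(raw_ip))
    except ValueError:
        raise UntrustedRequest("X-Forwarded-For is not one IP address") from None
    # The table lists https as the client protocol; reject anything else.
    if required("X-Forwarded-Proto").lower() != "https":
        raise UntrustedRequest("X-Forwarded-Proto is not https")
    return RequestContext(
        client_ip=client_ip,
        host=required("X-Forwarded-Host"),
        deployment_id=required("X-Deployment-Id"),
        # Format is not specified on this page: keep it as an opaque string.
        principal=h.get("x-unkey-principal") or None,
    )


# Constructed sample headers (not captured traffic).
SAMPLE = {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Host": "app.example.com",
          "X-Forwarded-Proto": "https", "X-Deployment-Id": "d_constructed",
          "X-Unkey-Principal": "principal_constructed"}
```

Authorization decisions belong on `principal`, not on `client_ip`, and a `None` principal means no authentication policy identified the caller.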

