> ## Documentation Index
> Fetch the complete documentation index at: https://unkey.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Sentinel

> A Sentinel is a reverse proxy that sits in front of your deployment, enforcing policies on every request before it reaches your app.

<Info>
  Unkey Deploy is currently in private beta. To get access, reach out on
  [Discord](https://unkey.com/discord) or email
  [support@unkey.com](mailto:support@unkey.com).
</Info>

A Sentinel is a reverse proxy that sits in front of your deployment. If you're familiar with API gateways, a Sentinel fills the same role: it processes every inbound request, enforces [policies](/platform/sentinel/policies/overview) like authentication and rate limiting, and only forwards traffic that passes all checks to your app.

## Environment isolation

Every environment in your project gets its own isolated Sentinel. You don't need to create, configure, or manage them. Unkey provisions them automatically when you create an environment.

* **Production environments** get three Sentinel replicas for high availability
* **Preview environments** get one Sentinel replica

Isolation between environments means a misconfigured policy or unusual traffic in a preview environment can't affect production. It also means each Sentinel only caches data for its own environment, resulting in high cache hit rates and low latency.

The Sentinel routes requests to instances in the same region. When multiple instances of your deployment are running, the Sentinel distributes requests randomly across them. There is no session affinity.

## Policy enforcement

When a request arrives at your deployment's URL, the Sentinel evaluates all configured [policies](/platform/sentinel/policies/overview) in order. If every policy passes, the Sentinel selects a healthy instance and forwards the request. If any policy rejects the request, the Sentinel returns an error response and your app never sees it.

All of the Sentinel's request processing is built on [policies](/platform/sentinel/policies/overview). The most common ones are:

* [**Authentication**](/platform/sentinel/authentication): Verifies API keys before your code runs, and forwards the authenticated identity to your app via a request header
* [**Rate limiting**](/platform/sentinel/policies/rate-limiting): Enforces rate limits on specific routes or subjects, rejecting excess traffic before it reaches your instances
* [**Logging**](/platform/sentinel/policies/logging): Records the full HTTP request and response, including headers and body, for debugging and observability

Other policy types include the [Firewall](/platform/sentinel/policies/firewall), [OpenAPI request validation](/platform/sentinel/policies/openapi-validation), and more. See [Policies](/platform/sentinel/policies/overview) for the full list.

## Configuration

<Note>
  The Sentinel dashboard is still in development. Today you can configure API key authentication through the dashboard. For other policy types, contact [support@unkey.com](mailto:support@unkey.com).
</Note>

To configure API key authentication:

1. Navigate to your project's **Settings** page.
2. Scroll to the **Sentinel configurations** section.
3. Select one or more keyspaces to enforce.
4. Save your changes.

See [Authentication](/platform/sentinel/authentication) for details on the Principal header your app receives after successful verification.