Ingress
Request enters ThrottleProxy
Your application sends an HTTPS proxy request with a ThrottleProxy API key and an explicit upstream destination.
Explore the checks between your application and an approved public upstream. Select any stage to see what happens and where the security boundary holds.
Lifecycle map
Hover, focus, or select a stage
How it works
ThrottleProxy authenticates the caller, applies the correct workspace boundary, validates the destination, controls burst pressure, and returns the upstream response with privacy-safe lifecycle context.
Request lifecycle
The flow is deliberately ordered: authenticate first, derive the tenant, validate the destination, then spend network resources.
Ingress
Your application sends an HTTPS proxy request with a ThrottleProxy API key and an explicit upstream destination.
Authentication
The presented key is hashed and resolved through one exact Redis lookup. Random invalid keys do not trigger cache scans or database fallback.
Tenant scope
The key resolves its authorized workspace configuration. Client-supplied object IDs cannot switch the request into another tenant.
Allowlist + SSRF
Exact or explicitly wildcarded hosts are checked before routing. Private, local, metadata, reserved, unsafe-port, and self-referential targets are rejected.
Policy
Redis-backed limits evaluate request pace, concurrency, and queue admission. Per-key, workspace, target, and global caps fail fast under pressure.
Queue
Eligible bursts may wait briefly in a TTL-bound queue. Queue size and wait time are capped so held connections cannot grow without bound.
Upstream
ThrottleProxy credentials, cookies, forwarding credentials, and hop-by-hop headers are stripped. The validated DNS result is pinned while TLS still verifies the intended hostname.
Response
Request and response bytes are counted while streaming. Absolute and idle timeouts stop oversized or long-lived traffic from holding resources indefinitely.
Visibility
Sanitized lifecycle events preserve stages, timing, status, and correlation context while redacting credentials, query values, email addresses, bodies, and unsafe error details.
Protection by construction
Localhost, private and reserved IP ranges, cloud metadata targets, unsafe protocols, and unsafe ports are rejected before outbound traffic.
The API key used to authenticate to ThrottleProxy is never forwarded as an upstream Authorization or x-api-key credential.
Body sizes, response sizes, queue depth, concurrency, idle time, and total upstream duration all have explicit limits.
Deployment path
The dashboard guides key creation and allowlist setup. Provider templates and request timelines are clearly labeled previews while live provider credential storage remains future work.