Technical features

The controls behind a safer API proxy path

ThrottleProxy combines tenant-scoped configuration, exact key authentication, destination safety, traffic limits, credential separation, and privacy-aware operational visibility.

No Redis key scans · Private targets blocked · Server-enforced roles · Reviewed billing activation

Implemented foundations

Security and operations controls that exist in the code today

These descriptions are intentionally conservative. Preview and deferred capabilities are labeled instead of folded into the active feature set.

Authentication

API keys without cache scans

Presented keys are SHA-256 hashed and resolved with one exact Redis lookup. Invalid random tokens do not trigger Redis KEYS/SCAN work or a database fallback.

  • Email verification required before live key creation
  • Workspace-scoped creation and deactivation
  • Exact cache invalidation when a key is deactivated

Routing policy

Specific destinations, not an open proxy

Plain allowlist entries match exact hosts. Explicit wildcards match one subdomain level. Broad public suffixes, local targets, private ranges, metadata services, unsafe ports, and unsafe protocols are rejected.

  • Server-side DNS resolution before outbound traffic
  • Validated IP pinned while TLS checks the original hostname
  • ThrottleProxy self-domain loop protection
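The allowlist and destination rules described above, as an added Python example that is not ThrottleProxy's own code. The safe scheme set, the safe port set and the two-label minimum for wildcard suffixes are assumptions, and DNS resolution is left to the caller so the check runs offline against a server-resolved address.

```python
import ipaddress

# Assumed policy values (not from ThrottleProxy): which schemes and ports count as safe.
SAFE_SCHEMES = {"http", "https"}
SAFE_PORTS = {80, 443, 8080, 8443}


def allowlist_matches(host, entries):
    """Plain entries match one exact host; '*.example.com' matches exactly one
    subdomain level (api.example.com, but not example.com or a.b.example.com)."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[2:]
            # Assumption: a wildcard needs at least two labels after the star,
            # so broad public suffixes such as '*.com' never match anything.
            if suffix.count(".") < 1:
                continue
            label = host[: -len(suffix) - 1]  # the part before ".<suffix>"
            if host.endswith("." + suffix) and label and "." not in label:
                return True
        elif host == entry:
            return True
    return False


def ip_is_safe(ip_text):
    """Reject loopback, private, link-local (which covers the 169.254.169.254
    metadata address), multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def destination_allowed(scheme, host, port, resolved_ip, entries):
    """Scheme, port and allowlist checks first, then the server-resolved IP.
    The caller resolves DNS itself and pins resolved_ip for the outbound
    connection while TLS still verifies the original hostname."""
    if scheme not in SAFE_SCHEMES or port not in SAFE_PORTS:
        return False
    if not allowlist_matches(host, entries):
        return False
    return ip_is_safe(resolved_ip)


if __name__ == "__main__":
    # Constructed sample: a workspace allowlist and a resolved public address.
    entries = ["status.example.net", "*.example.com"]
    print(destination_allowed("https", "api.example.com", 443, "93.184.216.34", entries))
```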

Header safety

Proxy credentials stop at the proxy

ThrottleProxy Authorization, x-api-key, cookies, forwarding credentials, custom proxy headers, and hop-by-hop headers are removed before the upstream request.

  • Safe request headers remain available
  • Inbound Host is replaced with the intended upstream host
  • Upstream credential storage is not connected

Traffic controls

Limits around every expensive resource

Queue admission and active concurrency use atomic Redis operations with per-key, workspace, target, and global boundaries where applicable.

  • Streamed request and response byte counting
  • Separate idle and absolute upstream deadlines
  • TTL-backed counters and cleanup paths

Collaboration

Roles enforced on the server

Owner, Admin, Developer, Billing, and Viewer permissions are checked inside workspace routes. Resource queries and mutations include the authorized workspace boundary.

  • Last-active-Owner protection
  • Standard versus privileged member-management limits
  • Suspended memberships fail closed

Accountability

Sanitized workspace activity

Invitation, membership, API-key, allowlist, workspace, and config-sync actions produce tenant-scoped activity records with allowlisted metadata.

  • Bounded and paginated activity reads
  • No invitation token or token hash in customer activity
  • Platform administration remains a separate boundary

Diagnostics

Privacy-safe lifecycle foundations

Operational lifecycle events retain useful stages, timing, status, and correlation context after sensitive headers, query values, tokens, emails, bodies, and raw errors are sanitized.

  • Public health stays shallow
  • Detailed diagnostics remain platform-admin/internal only
  • Customer request timeline is currently a labeled preview

Activation review

Reviewed billing activation

Public prices provide a clear plan ladder. Authorized workspace billing roles can use Growth and Scale checkout; Starter and Enterprise remain reviewed, and automated usage synchronization remains disabled.

  • Server-side Stripe credentials and signature verification
  • Owner and Billing are the intended billing-management roles
  • No automatic charge or downgrade behavior

Security posture

Strong boundaries before ambitious automation

Fail closed

Missing platform-admin allowlists, internal shared secrets, or production configuration deny access instead of falling back to insecure behavior.

Useful, not invasive

Diagnostics preserve safe metadata by default and avoid raw request or response bodies, secrets, credentials, cookies, and unnecessary personal data.

Explicit launch boundaries

Provider templates, customer request timelines, automated email delivery, upstream credential storage, and self-serve billing are not presented as live.

Launch boundary

Upstream credential storage is not connected yet

ThrottleProxy correctly strips proxy credentials before forwarding. Providers that require Authorization or x-api-key need a future explicit upstream credential mechanism. Do not paste provider secrets into preview forms.
