Operator documentation
Delivery model
A concise overview of how approved workloads use the regional edge and which responsibilities remain with workspace operators.
Request flow
An approved client connects to the regional ingress. The edge evaluates the target namespace and delivery policy before forwarding a permitted request to its assigned origin path.
- Accept the client transport at the regional endpoint.
- Apply namespace and request policy.
- Route the accepted request to an approved origin.
- Return the origin response through the same controlled edge path.
Transport security
Public web surfaces use managed TLS. Certificate lifecycle and edge transport policy are operated centrally. Workspace operators remain responsible for application authentication, authorization, and sensitive response handling.
Remove credentials, session values, private headers, and personal data before sharing a request trace.
Origin binding
Origins are not discovered automatically. Each hostname and upstream association is reviewed during onboarding. Unrecognized hostnames and paths are not treated as valid workspace routes.
Expected operator data
- Workspace and service reference
- Origin hostname or internal endpoint
- Expected response and health-check path
- Change and rollback contact
Health checks
Edge availability and workload health are separate signals. The public status page describes the regional edge. Application-level incidents remain the responsibility of the corresponding workspace operator unless an edge advisory is published.
Service boundaries
This endpoint is not a public file host, open relay, anonymous proxy, or self-service CDN. Public registration, arbitrary origin forwarding, and unmanaged uploads are not supported.