Docs/self-host/network-and-tls
Reviewed 2026-07-04
Markdown
BetaOperate · Explainer

Design the network and TLS boundary

Choose a network boundary that keeps administration private and exposes only authenticated routes intentionally.

Review the recommended boundaryEstimated time7 minutes
Trust, applicability, and sourcesMobazha v0.3 release candidate

Route considerations

SurfaceDefault pathBoundary
Embedded UI and HTTP APIhttp://127.0.0.1:5102, API under /v1/Administrative and commerce authorization vary by operation
WebSocket/wsAuthenticate connection and preserve reconnect limits
MCP Streamable HTTP/v1/mcpRequires gateway identity, ai:use, and tool scopes
Webhooksoutbound from NodeValidate destination, TLS, signature, timeout, and retry behavior

Exposure checklist

  • Terminate TLS with a maintained configuration and automate certificate renewal safely.
  • Bind Node to loopback or a private interface and restrict host firewall ingress.
  • Forward the original scheme and host only through trusted proxy headers.
  • Apply rate, connection, request-size, and timeout limits without breaking WebSocket or MCP streaming.
  • Separate public storefront access from administrator, token-minting, wallet, and system operations.
  • Monitor authentication failures and unexpected route exposure.

Verification

From outside the trusted boundary, enumerate only the intended public routes and confirm administrative operations reject unauthenticated requests. From inside, verify UI, API, WebSocket, and MCP paths required by the deployment. Re-test after proxy or certificate changes.