Technical architecture, deployment patterns, and system design
SatGate™ Gateway Documentation
SatGate Gateway is an API Gateway purpose-built for the agent economy. It sits between clients (humans, services, AI agents) and your upstream APIs, providing:
```
SatGate Gateway
"EZ-Pass for the Agent Economy"
"Protection by default. Payments optional."
```

```
Clients Layer
  [Human User]  [Service (M2M)]  [AI Agent (LLM)]  [CLI Tool]
        |
        |  Authorization: Bearer <capability_token>
        |  (or L402 mac:preimage)
        v
SatGate Gateway
  Request Pipeline:
    Rate Limiter -> Request Parse -> Auth Verify -> Policy Engine -> Metrics Record

  Macaroon Service:    Mint, Verify, Delegate, Decode
  Budget Service:      Allocate, Check, Enforce, Alert
  Payment Service:     Lightning, Stripe, Invoices, Settlement
  Governance Service:  Ban/Unban, Audit Log, Lineage, Export
  Metering Service:    Count, Aggregate, Export, Prometheus
  Config Service:      Routes, Upstreams, Reload, Validate
  Cloud Service:       Tenants, Sessions, Lifecycle, WebSocket
  Mint Service:        Identity, Policy, Exchange, Rotate
        |
        v
Upstreams Layer
  [REST API Service]  [GraphQL Service]   [gRPC Service]
  [LLM API (OpenAI)]  [Database Service]  [Internal Microservice]
```
```
SatGate Request Pipeline

1. REQUEST RECEIVED
   - TLS termination (if configured)
   - Request ID assigned (X-Request-ID)
   - Rate limit check (fail-closed if store unavailable)
        |
        v
2. ROUTE MATCHING
   - Match request path against configured routes
   - Select upstream and policy
   - If no route matches: 404 Not Found
        |
        v
3. POLICY CHECK
   PUBLIC:   No auth,   No meter, Pass-thru
   OBSERVE:  Token req, Metering, No enforce
   CONTROL:  Token req, Metering, Budget chk,  429 on fail
   CHARGE:   Token req, Metering, Payment chk, 402 on fail
        |
        v
4. TOKEN VALIDATION (if policy requires)
   a. Extract token from Authorization header
      Bearer <token> | L402 <mac>:<preimage> | Receipt <jwt>
   b. Base64 decode -> JSON parse
   c. Verify HMAC signature (HMAC-SHA256)
   d. Check caveats (expires, scope, tenant_id, custom)
   e. Check governance ban list
   f. If L402: verify preimage against payment_hash

   Invalid? -> 401 Unauthorized
        |
        v
5. BUDGET CHECK (Control mode only)
   - Look up budget allocation for token/tenant
   - Check: current_usage < budget_limit
   - Add X-Budget-Remaining header

   Budget exceeded? -> 429 Too Many Requests
     Retry-After header included
        |
        v
6. PAYMENT CHECK (Charge mode only)
   L402 (Lightning):
   - Check if payment preimage provided
   - Verify SHA256(preimage) == payment_hash in macaroon
   - Mark invoice as settled

   Fiat402 (Stripe):
   - Verify JWT receipt from Stripe
   - Check payment intent status

   No payment? -> 402 Payment Required
     WWW-Authenticate: L402 macaroon="...", invoice="..."
        |
        v
7. METERING
   - Record request metadata (timestamp, path, method, token)
   - Increment usage counters (tenant, token, route)
   - Export to Prometheus metrics
   - Check for usage alerts/thresholds
        |
        v
8. PROXY TO UPSTREAM
   - Forward request with original headers
   - Add X-Forwarded-For, X-Request-ID
   - Add X-SatGate-Tenant-ID, X-SatGate-Token-Signature
   - Configurable timeout, retries
        |
        v
9. RESPONSE
   - Pass upstream response to client
   - Record response status for metrics
   - Update latency histograms
   - Audit log (if enabled)
```
```
Gateway Core Services

Macaroon Service
  Responsibilities:
  - Mint capability tokens with configurable scope, TTL
  - Verify token signatures (HMAC-SHA256)
  - Decode and parse token structure
  - Validate caveats (expires, scope, custom)
  - Support delegation (child token creation)
  Dependencies:
  - CAPABILITY_ROOT_KEY (environment variable)
  - Governance Service (ban list check)
  Key Functions:
  - Mint(scope, ttl) -> Token
  - Verify(token) -> Claims, error
  - Delegate(parentToken, caveats) -> ChildToken

Budget Service
  Responsibilities:
  - Manage budget allocations per tenant/token
  - Track usage against budgets
  - Enforce limits (429 when exceeded)
  - Support budget delegation (child budgets)
  - Alert on threshold warnings (80%, 90%, 100%)
  Storage:
  - PostgreSQL (persistent allocation records)
  - Redis (real-time usage counters, optional)
  Key Functions:
  - AllocateBudget(tokenSig, limit, period) -> Allocation
  - CheckBudget(tokenSig) -> Remaining, error
  - IncrementUsage(tokenSig, amount) -> error
  - DelegateBudget(parentSig, childSig, amount) -> error

Payment Service
  Responsibilities:
  - Generate Lightning invoices (L402)
  - Verify payment preimages
  - Integrate with Stripe (Fiat402)
  - Track payment status
  - Support settlement and reconciliation
  Providers:
  - LND (Lightning Network Daemon)
  - CLN (Core Lightning)
  - LNBits (Lightning backend)
  - Stripe (fiat payments)
  Key Functions:
  - CreateInvoice(amountSats, memo) -> Invoice
  - VerifyPreimage(paymentHash, preimage) -> bool
  - CreateStripeIntent(amount, currency) -> PaymentIntent
  - CheckPaymentStatus(invoiceID) -> Status

Governance Service
  Responsibilities:
  - Maintain token ban list (instant revocation)
  - Track token lineage (parent -> child relationships)
  - Record all minted tokens
  - Audit logging (immutable)
  - Compliance exports (SOC2, audit)
  Storage:
  - PostgreSQL (audit_log, token_governance tables)
  - Immutable tables (RLS + triggers prevent modification)
  Key Functions:
  - Ban(signature, reason) -> error
  - Unban(signature) -> error
  - IsBanned(signature) -> bool
  - RecordMint(token, metadata) -> error
  - GetLineage(signature) -> []Token
  - ExportAuditLog(startTime, endTime) -> []Event

Metering Service
  Responsibilities:
  - Record all request metadata
  - Aggregate usage by tenant, token, route
  - Export metrics to Prometheus
  - Support custom metric labels
  - Real-time usage dashboards
  Metrics Exposed:
  - satgate_requests_total (counter)
  - satgate_request_duration_seconds (histogram)
  - satgate_active_connections (gauge)
  - satgate_budget_usage_ratio (gauge)
  - satgate_payment_revenue_sats (counter)
  Key Functions:
  - RecordRequest(req, resp, latency) -> error
  - GetUsage(tenantID, period) -> Usage
  - ExportPrometheus() -> string

Mint Service
  Responsibilities:
  - Exchange platform credentials for capability tokens
  - Verify identity providers (K8s, AWS IAM, OIDC)
  - Apply policy-as-code rules
  - Support automatic token rotation
  - Track issued tokens for governance
  Identity Providers:
  - Kubernetes (ServiceAccount JWT)
  - AWS IAM (instance/role identity)
  - Azure AD (OIDC tokens)
  - Okta (OIDC tokens)
  - Custom OIDC providers
  Key Functions:
  - Exchange(provider, credentials, scopes) -> Token
  - Delegate(parentToken, caveats) -> ChildToken
  - ListPolicies() -> []Policy
  - ListProviders() -> []Provider
```
SatGate supports four policy modes that determine how requests are processed:
```
Policy Mode Spectrum

PUBLIC       OBSERVE            CONTROL           CHARGE
(Open)       (Authentication)   (Budget Limit)    (Payment Gate)
-----------------------------------------------------------------
No Auth      Token Required     Token + Budget    Token + Payment
No Meter     Metering Only      Enforce Limits    Pay-per-Use

"Protection by default. Payments optional."

Start with OBSERVE for visibility, graduate to CONTROL for budgets,
add CHARGE when you're ready to monetize.
```
| Aspect | Public | Observe | Control | Charge |
|---|---|---|---|---|
| Token Required | No | Yes | Yes | Yes |
| Metering | No | Yes | Yes | Yes |
| Budget Enforcement | No | No | Yes | No |
| Payment Required | No | No | No | Yes |
| Fail Response | N/A | 401 | 401 / 429 | 401 / 402 |
| Use Case | Public APIs | Visibility | Cost Control | Monetization |
```yaml
routes:
  - name: public-health
    match:
      pathPrefix: /health
    upstream: http://api:8080
    policy:
      kind: public          # No authentication
  - name: api-observe
    match:
      pathPrefix: /api/v1/analytics
    upstream: http://analytics:8080
    policy:
      kind: observe         # Token required, metering only
      scope: api:analytics:read
  - name: api-control
    match:
      pathPrefix: /api/v1/compute
    upstream: http://compute:8080
    policy:
      kind: control         # Token + budget enforcement
      scope: api:compute
      budget:
        default: 10000      # Default budget per token
        period: daily
  - name: api-charge
    match:
      pathPrefix: /api/v1/premium
    upstream: http://premium:8080
    policy:
      kind: charge          # Payment required
      scope: api:premium
      price:
        sats: 100           # Satoshis per request
        currency: BTC
```
```
Single Instance Deployment

  Load Balancer (optional)
        |
        v
  SatGate Gateway (single)
    - All services
    - In-memory state
    - SQLite/Postgres
        |
        v
  Upstream APIs

Suitable for:
- Development environments
- Testing and staging
- Low-traffic production (<1000 RPS)
```
```
High Availability Deployment

                 Load Balancer (L7, health)
                           |
        +------------------+------------------+
        v                  v                  v
  SatGate Gateway    SatGate Gateway    SatGate Gateway
    Instance 1         Instance 2       Instance 3 (N+1)
        |                  |                  |
        +------------------+------------------+
                           |
        +------------------+------------------+
        v                  v                  v
    PostgreSQL           Redis          Lightning Node
 (Primary/Replica)     (Cluster)          (LND/CLN)

Features:
- Horizontal scaling (add instances as needed)
- Session affinity not required (stateless auth)
- Shared state via PostgreSQL
- Real-time counters via Redis
- Leader election for singleton jobs
```
```
SatGate Cloud + Hybrid Deployment

SatGate Cloud (SaaS)  https://cloud.satgate.io
  [Control Plane]  [Config Store]  [Governance Store]  [Billing Service]
  WebSocket Control: wss://cloud.satgate.io/gateway/v1
        |
        |  Config push, Telemetry
        |
Customer VPC / Data Center
  Hybrid Gateway
    [Request Pipeline]  [Policy Engine]  [Local Cache]
    - Processes all API traffic locally (data never leaves VPC)
    - Syncs config from control plane
    - Reports telemetry (aggregated, no PII)
    - Operates independently during network partitions
        |
        v
  Customer Internal APIs (Upstreams)
    [API 1]  [API 2]  [API 3]  [API N]

Benefits:
- Data sovereignty: API traffic stays in customer VPC
- Low latency: Local processing, no round-trip to SaaS
- Control plane benefits: Central config, governance, billing
- Offline resilience: Gateway operates with cached config
```
```
Authentication Data Flow

Client -> Gateway:    POST /api/resource
                      Authorization: Bearer <capability_token>
Gateway:              Extract token from header
Gateway:              Base64 decode, JSON parse
Gateway:              Verify HMAC signature
Gateway:              Check caveats (expires, scope, custom)
Gateway:              Check ban list
Gateway -> Upstream:  If valid:
                      POST /api/resource
                      X-SatGate-Tenant-ID: xxx
                      X-SatGate-Token-Signature: xxx
Upstream -> Gateway:  200 OK
Gateway -> Client:    200 OK
```
```
L402 Payment Data Flow

Client -> Gateway:    GET /api/premium (no payment)
Gateway -> LN Node:   Create invoice
LN Node -> Gateway:   invoice, hash
Gateway -> Client:    402 Payment Req
                      WWW-Authenticate: L402 macaroon=..., invoice=...

(Client pays invoice via Lightning wallet)

Client -> Gateway:    GET /api/premium
                      Authorization: L402 <mac>:<preimage>
Gateway:              Verify:
                      - Macaroon sig
                      - SHA256(preimage) == payment_hash
Gateway -> Upstream:  Proxy request
Upstream -> Gateway:  200 OK
Gateway -> Client:    200 OK
```
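The token checks from pipeline step 4 and the L402 preimage check in the flow above, as an added Go example that is not SatGate's own code. The JSON token layout, the `key=value` caveat strings, the macaroon-style chained HMAC used for delegation, the prefix-based scope match, the ancestor ban check and all function names are assumptions; the page gives only the step order, HMAC-SHA256 and `SHA256(preimage) == payment_hash`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token is an assumed wire layout, not SatGate's real format: base64url(JSON).
type Token struct {
	ID      string   `json:"id"`
	Caveats []string `json:"caveats"` // ordered "key=value" strings
	Sig     string   `json:"sig"`     // hex HMAC-SHA256
}

var (
	ErrMalformed = errors.New("malformed token")
	ErrSignature = errors.New("bad signature")
	ErrCaveat    = errors.New("caveat not satisfied")
	ErrBanned    = errors.New("token or ancestor banned")
	ErrPayment   = errors.New("preimage does not match payment_hash")
)

func mac(key []byte, msg string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return hex.EncodeToString(h.Sum(nil))
}

func (t Token) Encode() string {
	b, _ := json.Marshal(t)
	return base64.RawURLEncoding.EncodeToString(b)
}

func Mint(root []byte, id string, caveats ...string) Token {
	t := Token{ID: id, Sig: mac(root, id)}
	for _, c := range caveats {
		t = Delegate(t, c)
	}
	return t
}

// Delegate appends a caveat keyed by the parent's signature alone, so a holder
// can narrow a token without the root key but can never remove a caveat.
func Delegate(p Token, caveat string) Token {
	cs := append(append([]string{}, p.Caveats...), caveat)
	return Token{ID: p.ID, Caveats: cs, Sig: mac([]byte(p.Sig), caveat)}
}

// Verify follows steps 4b-4f; the gateway answers 401 on any error.
func Verify(root []byte, raw, preimageHex, scope string, now time.Time, banned map[string]bool) error {
	var t Token
	b, err := base64.RawURLEncoding.DecodeString(raw)
	if err != nil || json.Unmarshal(b, &t) != nil || t.ID == "" {
		return ErrMalformed
	}
	sig := mac(root, t.ID) // recompute the chain from the root key
	revoked := banned[sig]
	for _, c := range t.Caveats {
		sig = mac([]byte(sig), c)
		revoked = revoked || banned[sig] // a banned ancestor revokes descendants
	}
	if !hmac.Equal([]byte(sig), []byte(t.Sig)) {
		return ErrSignature
	}
	p, perr := hex.DecodeString(preimageHex)
	sum := sha256.Sum256(p)
	paid := hex.EncodeToString(sum[:])
	for _, c := range t.Caveats {
		k, v, _ := strings.Cut(c, "=")
		exp, terr := time.Parse(time.RFC3339, v)
		switch {
		case k == "expires" && terr == nil && now.Before(exp):
		case k == "scope" && (scope == v || strings.HasPrefix(scope, v+":")):
		case k == "payment_hash" && perr == nil && hmac.Equal([]byte(paid), []byte(v)):
		case k == "payment_hash":
			return ErrPayment // every payment caveat must match, none can be overridden
		default:
			return ErrCaveat // unmet or unknown caveats fail closed
		}
	}
	if revoked {
		return ErrBanned
	}
	return nil
}

func main() {
	root := []byte("constructed-demo-key") // constructed sample, not a real key
	child := Delegate(Mint(root, "tok-1", "scope=api"), "scope=api:compute")
	fmt.Println(Verify(root, child.Encode(), "", "api:compute", time.Now(), nil))
	fmt.Println(Verify(root, child.Encode(), "", "api:premium", time.Now(), nil))
}
```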
```
Storage Architecture

PostgreSQL
  audit_log (immutable):         event_type, tenant_id, actor, resource, metadata, timestamp
  token_governance (ban list):   signature, banned_at, reason, parent_sig, lineage
  budget_alloc (allocations):    token_sig, limit, period, used, reset_at
  cloud_tenants (multi-tenant):  id, email, plan, status, config
  cloud_sessions (auth):         session_id, tenant_id, expires_at, created_at
  metering_events (usage data):  tenant_id, token_sig, route, request_count, timestamp

  Security Features:
  - Row Level Security (RLS) for tenant isolation
  - Immutable audit_log (INSERT only, triggers prevent UPDATE/DELETE)
  - Encrypted connections (TLS required)
  - Prepared statements (SQL injection prevention)

Redis (Optional)
  rate_limits:      Key: rate:{ip}:{min}   Value: count    TTL: 60s
  budget_counters:  Key: budget:{sig}      Value: used     TTL: period
  session_cache:    Key: session:{id}      Value: claims   TTL: 1h

  Use Cases:
  - Rate limiting (high-frequency counters)
  - Budget enforcement (real-time usage)
  - Session caching (reduce DB load)
  - Distributed locking (leader election)

  Fail Behavior:
  - Rate limiting: Fail CLOSED (503 if Redis unavailable)
  - Session cache: Fall back to PostgreSQL
```
```
Security Architecture

Network Security
- TLS 1.3 for all external connections
- mTLS optional for hybrid gateways
- IP allowlist for admin endpoints
- Rate limiting at edge (fail-closed)

Authentication Security
- HMAC-SHA256 token signatures (256-bit key)
- Time-based expiration (caveats)
- Instant revocation (governance ban list)
- Scope-based authorization
- No token storage (stateless validation)

Data Security
- Secrets in environment variables (not config files)
- Database encryption at rest
- Audit log immutability (RLS + triggers)
- PII minimization in logs
- Request ID correlation (not tokens)

Response Headers
  Content-Security-Policy: default-src 'self'; ...
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: geolocation=(), microphone=(), camera=()
  Strict-Transport-Security: max-age=31536000; includeSubDomains
```
```
Prometheus Metrics

# Request metrics
satgate_requests_total{tenant, route, status, policy_mode}
satgate_request_duration_seconds{tenant, route, quantile}
satgate_request_size_bytes{tenant, route}
satgate_response_size_bytes{tenant, route}

# Auth metrics
satgate_auth_attempts_total{tenant, result}      # success, invalid, banned
satgate_tokens_minted_total{tenant, scope}
satgate_tokens_revoked_total{tenant}

# Budget metrics
satgate_budget_usage_ratio{tenant, token_sig}    # 0.0 - 1.0
satgate_budget_exceeded_total{tenant}
satgate_budget_remaining{tenant, token_sig}

# Payment metrics
satgate_payment_revenue_sats_total{tenant, route}
satgate_payment_attempts_total{tenant, status}   # success, failed
satgate_invoices_created_total{tenant}

# System metrics
satgate_upstreams_health{upstream, status}
satgate_active_connections
satgate_goroutines
```
```
Structured Logging

{
  "level": "info",
  "time": "2024-01-15T10:30:00Z",
  "request_id": "abc123",
  "tenant_id": "tenant-456",
  "method": "GET",
  "path": "/api/v1/resource",
  "status": 200,
  "latency_ms": 45,
  "policy_mode": "control",
  "token_signature": "a1b2c3...",  // truncated
  "budget_remaining": 9500,
  "upstream": "backend-api"
}

Log Levels:
- debug: Detailed request tracing (dev only)
- info:  Normal operations, request logs
- warn:  Recoverable issues, budget warnings
- error: Failures, upstream errors
```
```yaml
# SatGate Gateway Configuration
# Version: 1.0
server:
  host: 0.0.0.0
  port: 8080
  metricsPort: 9090
  readTimeout: 30s
  writeTimeout: 30s
  shutdownTimeout: 10s
admin:
  token: ${ADMIN_TOKEN}
  capabilityRootKey: ${CAPABILITY_ROOT_KEY}
  ipAllowlist: "10.0.0.0/8,192.168.0.0/16"  # Optional
database:
  postgres:
    url: ${DATABASE_URL}
    maxConnections: 25
    autoMigrate: true
  redis:
    url: ${REDIS_URL}  # Optional, enables real-time counters
lightning:
  backend: lnd  # lnd, cln, lnbits
  lnd:
    rpcHost: ${LND_HOST}
    macaroonPath: ${LND_MACAROON_PATH}
    tlsCertPath: ${LND_TLS_CERT_PATH}
stripe:  # Optional, for Fiat402
  secretKey: ${STRIPE_SECRET_KEY}
  webhookSecret: ${STRIPE_WEBHOOK_SECRET}
upstreams:
  - name: backend-api
    url: http://api:8080
    timeout: 30s
    retries: 3
    healthCheck:
      path: /health
      interval: 10s
routes:
  - name: public-health
    match:
      pathPrefix: /health
    upstream: backend-api
    policy:
      kind: public
  - name: api-observe
    match:
      pathPrefix: /api/v1/read
    upstream: backend-api
    policy:
      kind: observe
      scope: api:read
  - name: api-control
    match:
      pathPrefix: /api/v1/compute
    upstream: backend-api
    policy:
      kind: control
      scope: api:compute
      budget:
        default: 10000
        period: daily
  - name: api-charge
    match:
      pathPrefix: /api/v1/premium
    upstream: backend-api
    policy:
      kind: charge
      scope: api:premium
      price:
        sats: 100
        currency: BTC
logging:
  level: info
  format: json
metrics:
  enabled: true
  prefix: satgate
```

| Variable | Description | Required |
|---|---|---|
| `ADMIN_TOKEN` | Admin API authentication token | Yes |
| `CAPABILITY_ROOT_KEY` | Root key for token signing (32+ bytes hex) | Yes |
| `DATABASE_URL` | PostgreSQL connection string | Yes |
| `REDIS_URL` | Redis connection string | No |
| `LND_HOST` | Lightning node RPC host | For Charge mode |
| `LND_MACAROON_PATH` | Path to LND macaroon | For Charge mode |
| `STRIPE_SECRET_KEY` | Stripe API key | For Fiat402 |
| Method | Endpoint | Description |
|---|---|---|
| `POST` | `/api/v1/tokens` | Mint a new capability token |
| `GET` | `/api/v1/tokens` | List minted tokens |
| `DELETE` | `/api/v1/tokens/{sig}` | Revoke a token |
| `POST` | `/api/v1/tokens/{sig}/delegate` | Delegate (attenuate) a token |
| `POST` | `/api/v1/governance/ban` | Ban a token |
| `POST` | `/api/v1/governance/unban` | Unban a token |
| `GET` | `/api/v1/governance/graph` | Get token lineage graph |
| `GET` | `/api/v1/metrics` | Prometheus metrics |
| `GET` | `/api/v1/health` | Health check |
| Method | Endpoint | Description |
|---|---|---|
| `POST` | `/v1/mint` | Exchange credentials for token |
| `POST` | `/v1/mint/delegate` | Delegate with additional caveats |
| `GET` | `/v1/mint/policies` | List configured policies |
| `GET` | `/v1/mint/providers` | List identity providers |
SatGate™ Gateway - EZ-Pass for the Agent Economy ⚡
"Protection by default. Payments optional."
SatGate™ is a trademark of SatGate, Inc. All rights reserved.