Deploying applications on Unkey is in public beta. To try it, open the product switcher in the
top-left of the dashboard and select Deploy. During beta, deployed
resources are free. We’re eager for feedback, so let us know what you think
on Discord, X, or
email support@unkey.com.
DNS
Unkey uses latency-based geolocation routing to resolve both*.unkey.app wildcard domains and custom domains to the closest region to the client.
Frontline
The request arrives at Frontline, Unkey’s global network layer. Frontline terminates TLS close to the client, so your app never needs to manage certificates. All connections enforce TLS 1.2 or higher, with TLS 1.3 preferred. HTTP requests are redirected to HTTPS automatically. Certificates are provisioned and renewed automatically for both wildcard and custom domains. After terminating TLS, Frontline resolves the requested domain to a deployment. It consults a globally replicated metadata store that maps every domain to a deployment ID. If the target deployment runs in a different region, Frontline forwards the request to that region automatically.Gateway
Once it resolves the deployment, Frontline runs the gateway, which evaluates the policies configured for that deployment before the request reaches your code:- Authentication verifies the caller’s identity
- Rate limiting enforces request quotas
- Custom policies apply additional rules
Request headers
Frontline adds headers to every proxied request so your app can identify the original client and request context:| Header | Description |
|---|---|
X-Forwarded-For | The original client IP address |
X-Forwarded-Host | The original Host header from the client request |
X-Forwarded-Proto | The protocol used by the client (https) |
X-Deployment-Id | The deployment ID that Frontline resolved from the domain |
X-Unkey-Principal | The authenticated principal, populated by the gateway’s authentication policy |