Architecture

Three deployment modes for every security requirement — from single-binary evaluation to full 4-process isolation.

Deployment Modes

Mini

Single Binary

All 4 pipeline stages run in one process with in-memory DirectMessageTransport. No external dependencies.

  • 1 process
  • In-memory transport
  • No NATS/Valkey needed
  • Ideal for evaluation and edge deployments
Free Tier

Small

2 Processes

Frontend + Backend communicate via NATS or Valkey. Request and response validators run in-process with their hosts.

  • 2 processes, 2 isolated networks
  • NATS or Valkey transport
  • Standard network isolation
  • Ideal for small teams
Starter Tier

Full

4 Processes

Maximum isolation: Frontend, Request Validator, Backend, and Response Validator each run in separate networks.

  • 4 processes, 4 isolated networks
  • 4 dedicated NATS/Valkey instances
  • Strong network isolation
  • Enterprise-grade security
Business Tier

Identical Behavior Across All Modes

Validation logic, policy decisions, and error responses are bit-for-bit identical regardless of deployment mode. The transport layer is the only difference.

Request Validation Pipeline (16 Steps)

  1. HTTP-level security checks (SQLi, XSS, path traversal)
  2. Realm validation (whitelist enforcement)
  3. Client ID validation
  4. Blocked path check
  5. CIBA grant type denial
  6. Flow profile enforcement
  7. Flow-specific validation (authorization/token/refresh)
  8. Token-in-URL detection
  9. Grant type validation (per-client)
  10. Scope validation (per-client whitelist)
  11. Redirect URI validation (whitelist + SSRF)
  12. PKCE enforcement (S256)
  13. State/nonce parameter check
  14. Admin API endpoint whitelist
  15. SAML validation (XXE, signature wrapping)
  16. HTTP base security (smuggling, injection)
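The two points above, that validation is transport-independent and that the request pipeline is an ordered list of checks where the first failure wins, can be shown in a few dozen lines. The following is an added example written for this page, not the gateway's own code: it implements three of the listed steps (token-in-URL detection, redirect URI allowlist with an SSRF guard, PKCE S256 enforcement) over a plain request dict, then drives the same `validate()` through an in-process transport (the Mini mode shape) and a queue transport that serialises the request to JSON (a stand-in for the NATS/Valkey hop of Small and Full modes). The client policy, request samples, step names and the `DirectTransport`/`QueueTransport` classes are all constructed here and are not the project's identifiers.

```python
"""Added example (hypothetical, not the gateway's own code): a transport-agnostic
request validation pipeline with three of the request steps from the page."""
import ipaddress
import json
import queue
from urllib.parse import urlsplit

TOKEN_PARAMS = {"access_token", "refresh_token", "id_token"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed per-client policy; a real gateway loads this from configuration.
# The second redirect URI is a deliberate misconfiguration so the SSRF guard has work to do.
CLIENT_POLICY = {
    "app": {"redirect_uris": ["https://app.example.com/cb", "http://10.0.0.5/cb"],
            "pkce_required": True},
}


def check_token_in_url(req):
    """Step 8: access, refresh and ID tokens never belong in a query string."""
    leaked = TOKEN_PARAMS & set(req["query"])
    return f"token parameter in URL: {sorted(leaked)}" if leaked else None


def check_redirect_uri(req):
    """Step 11: exact-match allowlist, then refuse literal private addresses
    even when an operator has allowlisted one by mistake."""
    uri = req["query"].get("redirect_uri")
    if uri is None:
        return None
    policy = CLIENT_POLICY.get(req["query"].get("client_id", ""), {})
    if uri not in policy.get("redirect_uris", []):
        return "redirect_uri not in client allowlist"
    host = urlsplit(uri).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname rather than an IP literal; the allowlist match stands
    if any(addr in net for net in PRIVATE_NETS):
        return "redirect_uri points at a private address (SSRF guard)"
    return None


def check_pkce(req):
    """Step 12: authorization requests for PKCE-required clients must carry S256."""
    if not req["path"].endswith("/protocol/openid-connect/auth"):
        return None
    policy = CLIENT_POLICY.get(req["query"].get("client_id", ""), {})
    q = req["query"]
    if policy.get("pkce_required") and (
            q.get("code_challenge_method") != "S256" or not q.get("code_challenge")):
        return "PKCE with S256 is required for this client"
    return None


STEPS = [("token_in_url", check_token_in_url),
         ("redirect_uri", check_redirect_uri),
         ("pkce", check_pkce)]


def validate(req):
    """Run the steps in order; the first failure wins. Returns (allowed, step, reason)."""
    for name, step in STEPS:
        reason = step(req)
        if reason:
            return (False, name, reason)
    return (True, "", "")


class DirectTransport:
    """Mini mode: the frontend calls the validator in-process."""
    def send(self, req):
        return validate(req)


class QueueTransport:
    """Small/Full mode stand-in: the request crosses a JSON serialisation
    boundary and a separate worker loop performs the validation."""
    def __init__(self):
        self.inbox, self.outbox = queue.Queue(), queue.Queue()

    def worker_once(self):
        self.outbox.put(json.dumps(validate(json.loads(self.inbox.get()))))

    def send(self, req):
        self.inbox.put(json.dumps(req))
        self.worker_once()  # in a real deployment this runs in the validator process
        return tuple(json.loads(self.outbox.get()))


AUTH = "/realms/demo/protocol/openid-connect/auth"
SAMPLES = {  # constructed requests
    "ok": {"method": "GET", "path": AUTH, "query": {
        "client_id": "app", "redirect_uri": "https://app.example.com/cb",
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256"}},
    "private_redirect": {"method": "GET", "path": AUTH, "query": {
        "client_id": "app", "redirect_uri": "http://10.0.0.5/cb",
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256"}},
    "plain_pkce": {"method": "GET", "path": AUTH, "query": {
        "client_id": "app", "redirect_uri": "https://app.example.com/cb",
        "code_challenge": "abc", "code_challenge_method": "plain"}},
    "token_in_query": {"method": "GET",
                       "path": "/realms/demo/protocol/openid-connect/userinfo",
                       "query": {"access_token": "eyJhbGciOi"}},
}


def run_all():
    """Validate every sample through both transports and confirm the decisions agree."""
    direct, queued = DirectTransport(), QueueTransport()
    results = {}
    for name, req in SAMPLES.items():
        a, b = direct.send(req), queued.send(req)
        assert a == b, "decisions must not depend on the transport"
        results[name] = a
    return results


if __name__ == "__main__":
    for name, (allowed, step, reason) in run_all().items():
        print(f"{name:16} allowed={allowed} step={step} {reason}")
```

The transport classes only move bytes; every policy decision lives in `validate()`, which is what makes the decision identical whether the validator shares the frontend's process or sits behind a message bus.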

Response Validation Pipeline (9 Steps)

  1. Token-in-URL fragment detection
  2. Token structure validation (JWT format)
  3. Refresh token in body check
  4. JWT claim allowlist enforcement
  5. Discovery document validation
  6. JWKS response inspection (RSA key size, algorithms)
  7. Claim value inspection (size limits)
  8. Realm/role claims inspection
  9. JWE/opaque token handling
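To make the response side concrete, here is an added example (written for this page, not the gateway's own code) covering three of the steps listed above: token-in-fragment detection on a redirect `Location`, JWT structure validation, and claim allowlist enforcement with a per-claim size limit. The allowed algorithms, the claim allowlist, the size limit and the sample tokens are all constructed for the example. No signature is verified here: these are structural checks on what the upstream IdP already signed, which is the gateway's role as described.

```python
"""Added example (hypothetical, not the gateway's own code): response-side
inspection of JWTs and redirect locations."""
import base64
import json
from urllib.parse import parse_qs, urlsplit

ALLOWED_ALGS = {"RS256", "PS256", "ES256"}          # constructed policy
ALLOWED_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "jti", "typ", "azp", "scope",
                  "preferred_username", "realm_access", "resource_access"}
MAX_CLAIM_BYTES = 512
TOKEN_PARAMS = {"access_token", "id_token", "refresh_token"}


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header, claims):
    """Build a JWT-shaped string with a placeholder signature (constructed test data only)."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"placeholder-signature")])


def inspect_jwt(token):
    """Steps 2, 4 and 7: return None if the token passes, else the rejection reason."""
    parts = token.split(".")
    if len(parts) != 3:
        return "JWT must have exactly three segments"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all derive from it
        return "segment is not base64url-encoded JSON"
    if not signature:
        return "empty signature segment"
    if not isinstance(header, dict):
        return "header is not a JSON object"
    if header.get("alg") not in ALLOWED_ALGS:
        return f"algorithm not allowed: {header.get('alg')!r}"
    if not isinstance(claims, dict):
        return "payload is not a JSON object"
    unexpected = set(claims) - ALLOWED_CLAIMS
    if unexpected:
        return f"claims outside allowlist: {sorted(unexpected)}"
    for name, value in claims.items():
        if len(json.dumps(value).encode()) > MAX_CLAIM_BYTES:
            return f"claim {name} exceeds {MAX_CLAIM_BYTES} bytes"
    return None


def inspect_redirect(location):
    """Step 1: tokens delivered in the fragment of a redirect are refused."""
    leaked = TOKEN_PARAMS & set(parse_qs(urlsplit(location).fragment))
    return f"token in URL fragment: {sorted(leaked)}" if leaked else None


GOOD_CLAIMS = {"iss": "https://idp.example.com/realms/demo", "sub": "u-1", "aud": "app",
               "exp": 1700000000, "iat": 1699999000, "realm_access": {"roles": ["user"]}}
SAMPLES = {  # constructed upstream tokens
    "good": make_token({"alg": "RS256", "typ": "JWT", "kid": "k1"}, GOOD_CLAIMS),
    "alg_none": make_token({"alg": "none"}, GOOD_CLAIMS),
    "extra_claim": make_token({"alg": "RS256"}, {**GOOD_CLAIMS, "x-debug": True}),
    "oversized": make_token({"alg": "RS256"}, {**GOOD_CLAIMS, "scope": "a" * 600}),
    "two_parts": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1LTEifQ",
}
REDIRECTS = {  # constructed Location headers
    "code": "https://app.example.com/cb?code=abc&state=xyz",
    "implicit": "https://app.example.com/cb#access_token=eyJhbGciOi&token_type=bearer",
}


def run_all():
    """Inspect every sample; returns (jwt results, redirect results) keyed by sample name."""
    return ({n: inspect_jwt(t) for n, t in SAMPLES.items()},
            {n: inspect_redirect(u) for n, u in REDIRECTS.items()})


if __name__ == "__main__":
    jwts, redirects = run_all()
    for name, verdict in {**jwts, **redirects}.items():
        print(f"{name:12} {'pass' if verdict is None else 'reject: ' + verdict}")
```

Checking `alg` against an allowlist at the response stage is cheap and catches an upstream that has been reconfigured to issue unsigned or HMAC-signed tokens; the claim allowlist keeps a misconfigured mapper from leaking internal attributes to clients.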

Keycloak Operation Recognition

The gateway classifies every request by HTTP method, path, and query parameters.

OIDC Protocol

  • Token Request / Refresh
  • Authorization Request
  • UserInfo, Introspection, Revocation
  • Device Authorization
  • End Session, JWKS

SAML Protocol

  • AuthnRequest / Response
  • Logout Request
  • Metadata Endpoint
  • Artifact Resolve

Admin API

  • Realm CRUD + Export
  • User Management (CRUD, roles, sessions)
  • Client Management
  • Identity Provider Configuration
  • Auth Flows, Roles, Groups, Events
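A classifier of the kind described above, as an added example that is not the gateway's own code: it maps method, normalised path and parameters to the operation groups in the three lists. The endpoint paths are Keycloak's current ones without the legacy `/auth` prefix (`/realms/{realm}/protocol/openid-connect/...`, `/realms/{realm}/protocol/saml`, `/admin/realms/...`); verify them against your own deployment. The operation names, rule table and the `classify`/`refine` functions are constructed for the example. It also normalises the path before matching so that dot segments and doubled slashes cannot route a request past a rule, and it sub-classifies by `grant_type` and by which SAML binding parameter is present.

```python
"""Added example (hypothetical, not the gateway's own code): classify a request
by method, normalised path and parameters into Keycloak operation groups."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

REALM = r"/realms/[^/]+"
OIDC = REALM + r"/protocol/openid-connect"
SAML = REALM + r"/protocol/saml"
ADMIN = r"/admin/realms"
ANY = {"GET", "POST", "PUT", "DELETE"}

# (allowed methods, path pattern anchored at the start, operation). First match wins.
RULES = [
    ({"POST"}, OIDC + r"/token$", "oidc.token"),
    ({"GET", "POST"}, OIDC + r"/auth$", "oidc.authorize"),
    ({"POST"}, OIDC + r"/auth/device$", "oidc.device_authorization"),
    ({"GET", "POST"}, OIDC + r"/userinfo$", "oidc.userinfo"),
    ({"POST"}, OIDC + r"/token/introspect$", "oidc.introspect"),
    ({"POST"}, OIDC + r"/revoke$", "oidc.revoke"),
    ({"GET", "POST"}, OIDC + r"/logout$", "oidc.end_session"),
    ({"GET"}, OIDC + r"/certs$", "oidc.jwks"),
    ({"GET"}, SAML + r"/descriptor$", "saml.metadata"),
    ({"POST"}, SAML + r"/resolve$", "saml.artifact_resolve"),
    ({"GET", "POST"}, SAML + r"$", "saml"),
    ({"GET", "POST"}, ADMIN + r"$", "admin.realms"),
    ({"GET", "PUT", "DELETE"}, ADMIN + r"/[^/]+$", "admin.realms"),
    ({"POST"}, ADMIN + r"/[^/]+/partial-export$", "admin.realm_export"),
    (ANY, ADMIN + r"/[^/]+/users(/|$)", "admin.users"),
    (ANY, ADMIN + r"/[^/]+/clients(/|$)", "admin.clients"),
    (ANY, ADMIN + r"/[^/]+/identity-provider/instances(/|$)", "admin.identity_providers"),
    (ANY, ADMIN + r"/[^/]+/(authentication|roles|groups|events)(/|$)", "admin.config"),
]
COMPILED = [(methods, re.compile("^" + pattern), op) for methods, pattern, op in RULES]


def normalise_path(path):
    """Collapse doubled slashes and dot segments so /a/../b cannot dodge a rule."""
    return posixpath.normpath("/" + path.lstrip("/"))


def refine(op, params):
    """Sub-classify where the path alone is ambiguous."""
    if op == "oidc.token":
        return "oidc.refresh" if params.get("grant_type") == "refresh_token" else "oidc.token"
    if op == "saml":
        if "SAMLart" in params:
            return "saml.artifact"
        if "SAMLResponse" in params:
            return "saml.response"
        if "SAMLRequest" in params:
            return "saml.request"  # AuthnRequest or LogoutRequest; telling them apart needs the decoded XML
        return "saml.unknown_binding"
    return op


def classify(method, url, form=None):
    """Return the operation name for a request, or "unknown" if no rule admits it.
    `form` is an optional dict of decoded form-body fields (e.g. grant_type)."""
    parts = urlsplit(url)
    path = normalise_path(parts.path)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params.update(form or {})
    method = method.upper()
    for methods, pattern, op in COMPILED:
        if pattern.match(path) and method in methods:
            return refine(op, params)
    return "unknown"


if __name__ == "__main__":
    # Constructed sample requests.
    for m, u, f in [
        ("POST", "/realms/demo/protocol/openid-connect/token", {"grant_type": "refresh_token"}),
        ("GET", "/realms/demo//protocol/openid-connect/../openid-connect/certs", None),
        ("DELETE", "/realms/demo/protocol/openid-connect/certs", None),
        ("GET", "/realms/demo/protocol/saml?SAMLRequest=abc", None),
        ("GET", "/admin/realms/demo/users/123/sessions", None),
    ]:
        print(f"{m:6} {u:60} -> {classify(m, u, f)}")
```

A request that reaches no rule is reported as `unknown` rather than passed through, and a method the rule does not admit (a `DELETE` against the JWKS endpoint, say) is treated the same way; both outcomes are the safe default for a gateway that only forwards what it recognises.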