A gateway is the top-level isolation boundary. Everything else — registries, consumers, auth credentials, policies, roles — belongs to exactly one gateway. You can run many gateways on one TrustGate deployment (one per team, environment, or product). A gateway is addressed by its slug, a DNS-safe label (^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$). The proxy resolves the gateway from the slug — either via the X-AG-Gateway-Slug header or the request host (see gateway discovery).
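
An added example (not TrustGate's own code) of validating a slug against the pattern above and deriving it from a request before trusting it as the tenant boundary. It assumes the proxy hostname has the form `<slug>.<GATEWAY_BASE_DOMAIN>`, that the header is checked before the host, and that an invalid header value is rejected rather than falling back to the host; the function names and the `gw.example.test` domain are hypothetical.

```python
import re

# Pattern copied from the page. fullmatch() is used instead of match() because
# in Python "$" also matches just before a trailing newline ("team-a\n").
SLUG_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
SLUG_HEADER = "x-ag-gateway-slug"  # header names are case-insensitive


def is_valid_slug(slug):
    return isinstance(slug, str) and SLUG_RE.fullmatch(slug) is not None


def slug_from_host(host, base_domain):
    """Return the slug if host is exactly <slug>.<base_domain>, else None."""
    # Drop an optional :port; bracketed IPv6 literals are left as-is and rejected below.
    hostname = host if host.startswith("[") else host.rsplit(":", 1)[0]
    hostname = hostname.rstrip(".").lower()
    # The leading dot stops "evilgw.example.test" from matching "gw.example.test".
    suffix = "." + base_domain.lower().strip(".")
    if not hostname.endswith(suffix):
        return None
    candidate = hostname[: -len(suffix)]
    # A multi-label prefix such as "a.b" fails here because "." is not in the pattern.
    return candidate if is_valid_slug(candidate) else None


def resolve_slug(headers, host, base_domain):
    """Header first, then host (assumed order). An invalid header fails closed."""
    for name, value in headers.items():
        if name.lower() == SLUG_HEADER:
            return value if is_valid_slug(value) else None
    return slug_from_host(host, base_domain)


if __name__ == "__main__":
    base = "gw.example.test"  # constructed stand-in for GATEWAY_BASE_DOMAIN
    samples = [  # constructed requests: (headers, Host)
        ({"X-AG-Gateway-Slug": "team-b"}, "team-a.gw.example.test"),
        ({"X-AG-Gateway-Slug": "team-b\n"}, "team-a.gw.example.test"),
        ({}, "team-a.gw.example.test:8443"),
        ({}, "a.b.gw.example.test"),
        ({}, "evilgw.example.test"),
    ]
    for headers, host in samples:
        print(repr(headers), host, "->", resolve_slug(headers, host, base))
```

A gateway that uses the optional custom `domain` field would need a lookup by hostname instead; that case is not covered here.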

What a gateway holds

| Field | Meaning |
| --- | --- |
| name / slug | Display name and DNS-safe identifier. |
| status | active. |
| domain | Optional custom hostname for the proxy. |
| metadata | Free-form string map (e.g. {"team_id": "…"}). |
| telemetry | Per-gateway telemetry exporters and trace toggles — see Telemetry. |
| client_tls | Per-upstream TLS settings (keyed by hostname) — see Server security. |
| session_config | Session affinity: { enabled, header_name, body_param_name }. |

The Admin API also returns derived proxy_url and mcp_url fields built from GATEWAY_BASE_DOMAIN / MCP_BASE_DOMAIN and the slug.

Session affinity

When session_config.enabled is true and a session id is present (from the configured header or body field), the proxy pins that conversation to the same consumer context on subsequent requests — useful for stateful routing and consistent load-balancer selection.

Managing gateways

Create, list, update, and delete gateways through the Admin API under /v1/gateways. See the Gateways API. Deleting a gateway cascades to everything it owns and publishes a cache-invalidation event so the proxy drops it immediately.

Next: register upstreams as registries.