One front door
for every app.

Agents ship apps faster than anyone can add a login to each one. Put them all behind one gate instead.

Relight Gateway is a self-hosted proxy that signs users in and routes them to the right deployment. The apps themselves stay private.

$ docker run -p 8080:8080 getrelight/gateway Copied!
apps.internal
User
SSO login
Relight Gateway
auth + route
Your apps
not exposed
Routes
/pto-bot pto-bot.run.app everyone open
/invoice-scanner invoice-scanner.awsapprunner.com finance gated
/admin admin.run.app admins gated

Features

Auth in front of every app

SSO login guards every deployment, even ones the agent never added auth to. Users sign in once at the gateway and reach the apps they're allowed to - no per-app login screens to build.

One hostname, many apps

Route by path or subdomain to any deployment across GCP, AWS, or Azure. Add an app to the gateway and it's reachable at a clean URL - no DNS juggling, no per-app certificates.

Per-app access policies

Decide who can reach what. Grant apps to individual users, groups, or teams from your identity provider. Public, gated, or admin-only - set it per route and change it anytime.

Nothing exposed directly

Apps stay private on your cloud. The gateway is the only public surface, so a forgotten deployment isn't an open door. Close a route and it's instantly unreachable.

Full access audit log

Every request is attributed to a user and a route. See who accessed which app and when, export the log, and answer "who could reach this?" without guessing.

Standalone, or with the rest of Relight

A single Docker container on your infrastructure. Register routes to any deployment yourself, or connect the Portal and apps deployed through it show up as routes automatically.

Put an app behind the gateway

Point the gateway at a deployment, pick who can reach it, and it's live behind SSO at a clean URL - no code changes to the app itself.

# Connect the gateway once
$ relight gateways add https://apps.internal
Token: rl_gw_abc...
--> Connected to gateway at apps.internal
# Route an app and set who can reach it
$ relight gateway route invoice-scanner --allow finance
Registering route /invoice-scanner...
Access: group:finance (SSO required)
--> Live at https://apps.internal/invoice-scanner

The app keeps running privately on your cloud. The gateway terminates TLS, checks the user's session against your identity provider, enforces the --allow policy, and proxies the request through. Revoke access by removing the route.