Agents ship apps faster than anyone can add a login to each one. Put them all behind one gate instead.
Relight Gateway is a self-hosted proxy that signs users in and routes them to the right deployment. The apps themselves stay private.
| /pto-bot | pto-bot.run.app | everyone | open |
| /invoice-scanner | invoice-scanner.awsapprunner.com | finance | gated |
| /admin | admin.run.app | admins | gated |
SSO login guards every deployment, even ones the agent never added auth to. Users sign in once at the gateway and reach the apps they're allowed to - no per-app login screens to build.
Route by path or subdomain to any deployment across GCP, AWS, or Azure. Add an app to the gateway and it's reachable at a clean URL - no DNS juggling, no per-app certificates.
Decide who can reach what. Grant apps to individual users, groups, or teams from your identity provider. Public, gated, or admin-only - set it per route and change it anytime.
Apps stay private on your cloud. The gateway is the only public surface, so a forgotten deployment isn't an open door. Close a route and it's instantly unreachable.
Every request is attributed to a user and a route. See who accessed which app and when, export the log, and answer "who could reach this?" without guessing.
A single Docker container on your infrastructure. Register routes to any deployment yourself, or connect the Portal and apps deployed through it show up as routes automatically.
Point the gateway at a deployment, pick who can reach it, and it's live behind SSO at a clean URL - no code changes to the app itself.
The app keeps running privately on your cloud. The gateway terminates TLS, checks the user's session against your identity provider, enforces the --allow policy, and proxies the request through. Revoke access by removing the route.