API Gateway
Before traffic reaches your local machine, it hits the Binboi API Gateway. This layer handles TLS termination, host routing, rate limiting, and edge security policies.
Edge Network & TLS
Where the public internet meets your private tunnel.
Every inbound request to a *.binboi.link address is intercepted by our globally distributed API Gateway.
The gateway performs TLS termination at the edge. This means the heavy cryptographic handshake happens close to the client, reducing latency before the request is routed through the persistent multiplexed connection to your local CLI.
Routing Logic
When a request arrives, the gateway inspects the Host header to determine which active CLI agent should receive the traffic.
Exact Host Matching
Requests to my-app.binboi.link are routed strictly to the agent that reserved 'my-app'.
Connection Pooling
If multiple agents authenticate with the same tunnel credentials, the gateway load-balances requests across them (Round Robin).
Dead-letter Handling
If a host matches but the agent has disconnected unexpectedly, the gateway returns a standard 502 Bad Gateway immediately, without hanging.
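A minimal model of the three routing rules above, added here as an illustration and not Binboi's own code. The class and method names, the Host normalisation, and the `no_route` outcome for unreserved hosts are assumptions; the page specifies only exact matching, round robin, and the immediate 502.

```python
TUNNEL_DOMAIN = "binboi.link"  # domain taken from the page


class Gateway:  # hypothetical name, for illustration only
    def __init__(self):
        self._pools = {}   # reserved name -> list of connected agent ids
        self._cursor = {}  # reserved name -> round-robin position

    def connect(self, name, agent_id):
        self._pools.setdefault(name.lower(), []).append(agent_id)
        self._cursor.setdefault(name.lower(), 0)

    def disconnect(self, name, agent_id):
        # The reservation stays; only the live connection goes away.
        self._pools[name.lower()].remove(agent_id)

    @staticmethod
    def reserved_name(host_header):
        # Assumed normalisation: ignore case, port and a trailing dot.
        host = host_header.strip().lower().partition(":")[0].rstrip(".")
        label, _, parent = host.partition(".")
        # Exact match: one label directly under the tunnel domain.
        # Suffix or substring checks would also accept
        # "my-app.binboi.link.example.net", so they are not used.
        if not label or parent != TUNNEL_DOMAIN:
            return None
        return label

    def route(self, host_header):
        name = self.reserved_name(host_header)
        if name is None or name not in self._pools:
            return ("no_route", None)         # assumed outcome
        pool = self._pools[name]
        if not pool:
            return ("bad_gateway_502", None)  # fail fast, never queue
        i = self._cursor[name] % len(pool)    # round robin across agents
        self._cursor[name] = i + 1
        return ("forward", pool[i])


if __name__ == "__main__":
    gw = Gateway()
    gw.connect("my-app", "agent-1")  # constructed sample agents
    gw.connect("my-app", "agent-2")
    for h in ["my-app.binboi.link", "MY-APP.binboi.link:443",
              "my-app.binboi.link.example.net", "x.my-app.binboi.link"]:
        print(h, "->", gw.route(h))
```
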
Traffic Policies
| Policy | Behavior | Configuration |
|---|---|---|
| Rate Limiting | Prevents abuse by capping req/sec per IP. | Dashboard UI (Pro tier) |
| IP Allowlisting | Drops traffic from IPs not explicitly allowed. | binboi start --allow-ips=... |
| Webhook Signatures | Rejects payloads lacking valid provider signatures. | CLI Middleware |
| Payload Limits | Blocks requests larger than 10MB to protect memory. | Platform default |
Custom Domains
You can bring your own domain (e.g., api.yourcompany.com) instead of using the default Binboi subdomain.
Type: CNAME
Name: api
Value: custom.binboi.link

Once your CNAME is detected, the API Gateway automatically provisions and renews a Let's Encrypt TLS certificate for your custom domain. This usually takes less than 60 seconds.
