Nodes connect to M through one stable secure public entrypoint, which keeps the externally exposed surface predictable and compact.
Transport and session protection
StreamGate keeps a single public relay edge and a single secure external transport layer, and still performs an authenticated application-level handshake before any payload frames are switched.
After the outer TLS layer is established, StreamGate applies its own handshake and encrypted payload framing so that sessions are not switched before trust is established.
Routes stay attached to node identities, app instances are individually addressable, and access keys bind users to only their own nodes, sessions and routes.
Client and server versions are tracked centrally so operators can manage updates, revoke access and contain stale deployments more cleanly than with ad-hoc tunnels.
Operational security posture
Security in StreamGate is primarily about minimizing scope.
- The platform is designed to expose one required service path instead of broad network membership.
- Access keys can be blocked, revoked, rotated, renewed and limited by application count.
- Dashboard operators can observe nodes, sessions, routes and versions without granting users visibility into each other.
- Mailbox-based onboarding, support flows and renewal flows keep the access lifecycle bound to a real contact point.
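
The sketch below is an added example, not StreamGate's own code. It models the gating order described above: no frame is switched before the application-level handshake succeeds, keys reach only their owner's nodes, and the application-count limit and revocation are enforced. All class, field and status names are hypothetical, and the outer TLS layer and payload encryption are left out.

```python
# Added illustration: every name below is hypothetical, not StreamGate's API.
from dataclasses import dataclass, field

@dataclass
class AccessKey:
    owner: str
    max_apps: int            # the "limited by application count" control
    status: str = "active"   # "active", "blocked" or "revoked"
@dataclass
class Relay:
    keys: dict                                     # key id -> AccessKey
    node_owner: dict                               # node id -> owning user
    apps: dict = field(default_factory=dict)       # key id -> {(node, app)}
    sessions: dict = field(default_factory=dict)   # session id -> key id

    def handshake(self, sid, key_id, node, app):
        """Application-level handshake, run after the outer TLS layer is up."""
        key = self.keys.get(key_id)
        if key is None or key.status != "active":
            return "denied: key not active"
        if self.node_owner.get(node) != key.owner:
            return "denied: node not owned by key holder"
        in_use = self.apps.setdefault(key_id, set())
        if (node, app) not in in_use and len(in_use) >= key.max_apps:
            return "denied: application limit reached"
        in_use.add((node, app))
        self.sessions[sid] = key_id
        return "ok"

    def switch_frame(self, sid, dst_node, payload):
        """Forward a frame only for an established, still-valid session."""
        key = self.keys.get(self.sessions.get(sid))
        if key is None:
            return "dropped: no handshake"
        if key.status != "active":   # revocation also cuts live sessions
            del self.sessions[sid]
            return "dropped: key no longer active"
        if self.node_owner.get(dst_node) != key.owner:
            return "dropped: route outside key scope"
        return f"switched {len(payload)} bytes to {dst_node}"

def demo():  # constructed scenario: two users, one node each
    r = Relay(keys={"k-alice": AccessKey("alice", 1)},
              node_owner={"node-a": "alice", "node-b": "bob"})
    return [r.switch_frame("s1", "node-a", b"hi"),
            r.handshake("s1", "k-alice", "node-b", "web"),
            r.handshake("s1", "k-alice", "node-a", "web"),
            r.handshake("s2", "k-alice", "node-a", "ssh"),
            r.switch_frame("s1", "node-b", b"hi"),
            r.switch_frame("s1", "node-a", b"hi")]
```

Checking the key's status on every frame, not only at handshake time, is what lets a revocation contain a session that is already open.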