Core Concepts
This page explains the key entities and abstractions in Mezusphere. Understanding these concepts will help you organize your workloads and configure traffic routing effectively.
Organizations
The top-level entity in Mezusphere. An organization groups projects, billing, and team access. Everything in Mezusphere belongs to an organization.
Organizations are typically one per company. Team members are invited at the organization level, and billing is consolidated under a single organization account.
Projects
A logical grouping of environments, routes, Warpgates, and service accounts under an organization. A project represents a single service or application that you want to expose through Mezusphere.
Example: If you have a web application and a separate API service, create two projects, one for each.
Each project has:
- One or more environments (production, staging, development)
- Routes that define how traffic reaches your workload
- Service accounts for Warpgate authentication
- User directories for end-user management (if auth is enabled)
Environments
Named deployment targets within a project. Each environment has its own endpoint URL and can be independently enabled or disabled.
Typical environments:
- Production: live traffic from end users
- Staging: pre-release testing with production-like settings
- Development: local development and debugging
Environments are isolated: routes, Warpgate connections, and authentication settings are configured independently per environment.
Routes
URL path routing rules within a project. Routes determine how incoming requests are directed to your workload.
Mezusphere supports three matching modes:
| Mode | Description | Example |
|---|---|---|
| Prefix | Matches any path starting with the specified value | /api/ matches /api/users, /api/orders |
| Exact | Matches the path exactly | /health matches only /health |
| Regexp | Matches using a regular expression | /users/[0-9]+ matches /users/123 |
Routes can be configured with:
- Authentication requirements: require login on specific routes
- Permission requirements: restrict access to users with specific roles
- CORS settings: configure cross-origin resource sharing per route
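The following is an added illustration, not Mezusphere's own code, of how the three matching modes and the per-route authentication and permission requirements described above combine into an edge decision. Route ordering (first match wins, most specific first), the `authorize` function and the sample route table are assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Route:
    mode: str                      # "prefix", "exact" or "regexp"
    pattern: str
    require_auth: bool = False     # "Authentication requirements"
    required_roles: frozenset = frozenset()  # "Permission requirements"

    def matches(self, path: str) -> bool:
        if self.mode == "prefix":
            return path.startswith(self.pattern)
        if self.mode == "exact":
            return path == self.pattern
        if self.mode == "regexp":
            # fullmatch: /users/[0-9]+ must not also accept /users/123abc
            return re.fullmatch(self.pattern, path) is not None
        raise ValueError(f"unknown mode {self.mode!r}")


def find_route(routes, path):
    # Assumed ordering rule: first matching route wins, so list specific
    # routes (e.g. /api/admin/) before broader prefixes (e.g. /api/).
    for route in routes:
        if route.matches(path):
            return route
    return None


def authorize(routes, path, user_roles=None):
    """Edge decision as (verdict, reason). user_roles is None when the
    request carries no authenticated identity."""
    route = find_route(routes, path)
    if route is None:
        return ("deny", "no route")
    if route.require_auth and user_roles is None:
        return ("deny", "login required")
    if route.required_roles and not route.required_roles & set(user_roles or ()):
        return ("deny", "missing role")
    return ("allow", route.pattern)


# Constructed sample route table for one environment
ROUTES = [
    Route("exact", "/health"),
    Route("regexp", r"/users/[0-9]+", require_auth=True),
    Route("prefix", "/api/admin/", require_auth=True, required_roles=frozenset({"admin"})),
    Route("prefix", "/api/", require_auth=True),
]
```

Note that a path with no matching route is denied rather than passed through, so only explicitly routed traffic reaches the Warpgate.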
Warpgates
Lightweight sidecars deployed alongside your workloads. A Warpgate connects outward to Mezusphere’s global edge, establishing a secure tunnel through which end-user traffic is forwarded to your workload.
Key characteristics:
- Outbound connection: Warpgate initiates all connections; no inbound ports required
- Automatic registration: Warpgates register themselves with the control plane using service account credentials
- Status tracking: each Warpgate reports its connection status (connected, disconnected, or unknown) and IP address
- Self-registering: Warpgates cannot be created through the Console; they register automatically when deployed
Service Accounts
Machine credentials used for Warpgate registration and API access. Each service account has:
- An API key: a 50-character base62 string generated server-side
- Configurable permissions: control what the service account can access
- Project scope: service accounts are scoped to a single project
When you deploy a Warpgate, you provide a service account API key as the authentication token. The Warpgate uses this key to register itself with Mezusphere.
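As an added example (not Mezusphere's implementation), this shows the shape of a server-side generator for the 50-character base62 API key described above, together with a verification path that stores only a hash of the key and compares in constant time. Hashing with SHA-256 and the `verify_api_key` helper are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
KEY_LENGTH = 50  # key length stated on the page


def generate_api_key() -> str:
    # CSPRNG-backed choice per character; 50 base62 characters give
    # roughly 297 bits of entropy.
    return "".join(secrets.choice(BASE62) for _ in range(KEY_LENGTH))


def looks_like_api_key(value: str) -> bool:
    # Cheap syntactic check before any lookup: right length, base62 only
    return len(value) == KEY_LENGTH and all(c in BASE62 for c in value)


def key_fingerprint(key: str) -> str:
    # Assumed storage scheme: keep a SHA-256 of the key, never the key itself,
    # so a control-plane database leak does not hand out usable credentials.
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def verify_api_key(presented: str, stored_fingerprint: str) -> bool:
    if not looks_like_api_key(presented):
        return False
    # Constant-time comparison of the fingerprints
    return hmac.compare_digest(key_fingerprint(presented), stored_fingerprint)
```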
Architecture
Mezusphere’s architecture is organized into two planes:
Data plane
The data plane handles live traffic between end users and customer workloads. It consists of:
- Global edge nodes: publicly reachable points of presence that terminate TLS, apply authentication and authorization policies, filter malicious traffic, and route requests to the correct Warpgate
- Warpgates: outbound connectors deployed alongside customer workloads that maintain persistent TLS 1.3 tunnels to edge nodes
Traffic flows: End users connect to an edge node via HTTPS. The edge node authenticates the request, applies routing and security policies, then forwards approved traffic through the established tunnel to the Warpgate, which delivers it to the local workload.
Control plane
The control plane manages configuration, identity, and operational state. It provides:
- Configuration management: projects, environments, routes, and policies
- Identity services: user directories, authentication flows, service account credentials
- Warpgate registration: service account authentication, certificate issuance, and configuration distribution
- Operational data: metrics, logs, and billing information
Warpgates authenticate to the control plane on startup using service account credentials and receive their configuration (routes, policies, upstream targets). Configuration updates are pushed to Warpgates in real time.
Security properties of the outbound-only model
The inverted ingress architecture produces several important security properties:
- Zero public attack surface: customer workloads have no open ports, no public IP addresses, and no DNS records pointing to them. There is nothing to scan, probe, or fingerprint.
- No origin exposure: unlike traditional CDN or reverse proxy architectures, there is no “origin IP” that can be discovered and attacked directly.
- mTLS everywhere: all connections between Warpgates and edge nodes use TLS 1.3 with mutual authentication. Both sides present certificates and verify each other’s identity.
- Pre-authenticated traffic: workloads only receive traffic that has already been authenticated and authorized at the edge. Applications consume trusted identity context rather than implementing their own token validation.
- Defense in depth: security policies are enforced at the edge (first line) and validated again at the Warpgate (second line) before traffic reaches the workload.
User Directories
Collections of end-user accounts, scoped to a project or organization. User directories let you manage separate pools of users for different services.
Example: A SaaS application might have one user directory for customer-facing users and a separate directory for internal admin users.
User Accounts
End users who access services through Mezusphere. User accounts have:
- A status: active, inactive, or suspended
- Login tracking: last login timestamp and authentication history
- Profile information: name, email, and display name
When authentication is enabled on a route, Mezusphere manages the complete login flow (signup, login, password reset) and validates identity at the edge before forwarding requests to your Warpgate.