Edge Proxy

Edge Proxy lets you reverse-proxy traffic from a subdomain to any external upstream you control. The edge handles TLS termination, header injection, and routing — you just verify and configure the target.

How it works

https://api.your-domain.com → https://internal-staging:8080

1. You verify ownership of the target (proof-of-control)
2. You create a proxy record — specifying a slug, optional domain, and the verified target URL
3. An etcd route is registered (pinned to the verified IP) so the edge proxy knows where to forward traffic
4. All HTTPS requests to slug.domain are TLS-terminated at the edge and forwarded to the target
5. Responses flow back through the edge to the client

Key concepts

Slugs and domains

Every proxy maps a subdomain to an upstream:

• Slug — the subdomain part (e.g. api, staging, dashboard)
• Domain — optional; defaults to the platform domain. Custom domains require an entitlement.
• Target — the upstream URL to forward traffic to (must be verified)

Target ownership verification

A target must be proven before it can be routed. The proof is pull-based and SSRF-safe:

1. Request a challenge for the target — POST /edge/verifications
2. Serve the returned one-time token at /.well-known/oblien-proxy-challenge/<token> on the target
3. Run the check — POST /edge/verifications/:id/check. Oblien fetches the token over an IP-pinned connection (the target never calls you) and pins the route to the validated IP, so DNS rebinding can't redirect it inward.

Verifications last 90 days and auto-renew; a target that can no longer be proven has its proxies disabled.

Domains

The platform default domain is available to everyone. Custom/wildcard domains are exclusive and require a grant:

1. Register and verify your domain via the Domains API
2. DNS must point your domain to the Oblien edge

Headers

The edge proxy injects standard forwarding headers on every request:

Your upstream receives these headers and can use them for logging, rate limiting, or access control.

Proxy status

Disabling a proxy removes the edge route (traffic stops) but keeps the configuration. Re-enabling restores forwarding without recreating the record.

Creating a proxy

From the dashboard

1. Go to Dashboard → Edge Proxy
2. Click Create Proxy
3. Enter a name, slug, target URL, and (optionally) a custom domain
4. Verify the target, then the proxy goes live

From the SDK

const client = new Oblien({ clientId, clientSecret });

const target = 'https://internal-staging.example.com:8080';

// 1. Prove ownership of the target first.
const { verification } = await client.edgeProxy.requestVerification(target);
// → serve verification.token at verification.path on the target, then:
const { verification: result } = await client.edgeProxy.checkVerification(verification.id);
if (result.status !== 'verified') throw new Error(result.error);

// 2. Create the proxy (domain optional — defaults to the platform domain).
const { proxy } = await client.edgeProxy.create({
  name: 'staging-api',
  slug: 'staging-api',
  target,
});

console.log(proxy.url);

Managing proxies

// List all proxies
const { proxies } = await client.edgeProxy.list();

// Update the target URL
await client.edgeProxy.update(proxy.id, {
  target: 'https://new-upstream.example.com',
});

// Disable / re-enable
await client.edgeProxy.disable(proxy.id);
await client.edgeProxy.enable(proxy.id);

// Delete
await client.edgeProxy.delete(proxy.id);

Target restrictions

To prevent SSRF (Server-Side Request Forgery), the target URL is validated before the proxy is created. The following targets are blocked:

Only http:// and https:// protocols are allowed. Other schemes (FTP, WebSocket, etc.) are rejected.

Limits

API reference

See the Edge Proxy API for the full REST endpoint reference.