Gateway Deployment.
VPC / Docker / Terraform.
Production deployment reference for the RGX Compliant Multi-Tenant AI Integration Gateway. All three deployment targets — cloud-managed, Docker self-hosted, and VPC-dedicated — covered with real configuration at every step. No placeholder values.
| Mode | Infrastructure | Data Residency | Best For |
|---|---|---|---|
| Cloud Managed | RGX-operated Render + managed Postgres. Zero ops burden. | RGX infrastructure (SOC 2 Type II). US region by default. | VAR pilots, SMB deployments, fast time-to-production. |
| Docker Self-Hosted | Your server or VM. Single docker compose up. |
Your datacenter or cloud account. You own the database. | On-prem requirements, custom data residency, hybrid setups. |
| VPC Dedicated | ECS Fargate, AKS, or bare-metal in your VPC. No shared resources with other tenants. | Fully within your cloud account. Air-gap compatible. | HIPAA covered entities, regulated finance, government, CISO-mandated isolation. |
All modes use identical API endpoints and response schemas. Switching from Cloud Managed to VPC Dedicated requires only a DNS update and environment variable change — no application code changes.
https://rgxsystems.com/api/v1. Every request passes your API key as X-Api-Key. For full endpoint reference see API Reference →docker compose up starts the gateway plus a managed Postgres instance. Suitable for on-prem servers, bare-metal, or single-VM cloud deployments.TLS termination is your responsibility in self-hosted mode. Place an nginx or Caddy reverse proxy in front of the gateway container that terminates TLS 1.3 and forwards to port 3000. Do not expose port 3000 directly to the internet.
| Resource | Type | Notes |
|---|---|---|
| ECS Cluster | Fargate | Auto-scaling 1–10 tasks based on CPU/memory. Task definition pinned to gateway image digest. |
| Application Load Balancer | HTTPS/443 | TLS 1.3 policy. ACM certificate auto-provisioned for your domain. HTTP/80 permanently redirected. |
| RDS PostgreSQL | Multi-AZ db.t3.medium | AES-256 encryption at rest. Automated backups 7-day retention. Point-in-time recovery enabled. |
| Secrets Manager | KMS-encrypted | Stores LICENSE_KEY, ANTHROPIC_API_KEY, JWT_SECRET, DB_PASSWORD. Injected into Fargate task at runtime. |
| Security Groups | Least privilege | ALB: 443 inbound from 0.0.0.0/0. ECS task: 3000 from ALB SG only. RDS: 5432 from ECS SG only. |
| CloudWatch | Log group + alarms | Structured JSON logs. Alarms on 5xx rate >1% and p99 latency >2s. |
Azure AD / Entra ID OIDC is the recommended seat auth mode for Azure deployments. Set OIDC_ISSUER=https://login.microsoftonline.com/<tenant_id>/v2.0, OIDC_AUDIENCE=api://<your_app_registration_id>, and OIDC_JWKS_URI is auto-discovered from the issuer metadata endpoint. Bearer tokens from Entra ID are validated on every request without any per-request network call — JWKS keys are cached with automatic rotation.
| Variable | Required | Description |
|---|---|---|
| DEPLOYMENT_MODE | required | cloud | dedicated. Cloud mode phones home for billing; dedicated mode is fully offline per-request. |
| DATABASE_URL | required | PostgreSQL connection string. Format: postgresql://user:pass@host:5432/dbname. SSL mode enforced. |
| ANTHROPIC_API_KEY | required | Your Anthropic API key. The gateway routes all AI calls through this key. Never exposed in logs or API responses. |
| LICENSE_KEY | required (dedicated) | RS256 JWT issued by RGX CA. Verified offline at startup. Claims: node_id, expiry, allowed_seats. Contact licensing@rgxsystems.com. |
| RGX_NODE_ID | required (dedicated) | Node identifier issued with your license. Must match node_id claim in LICENSE_KEY. Format: vn_01j9x... |
| JWT_SECRET | required | 64-byte hex string. Signs RGX-issued HS256 seat JWTs. Generate with openssl rand -hex 64. |
| SEAT_AUTH_MODE | optional | jwt | oidc | saml | header. Default: jwt. All four modes are auto-detected from request headers when not set. |
| OIDC_ISSUER | oidc only | OIDC issuer URL. Example: https://dev-123.okta.com/oauth2/default. JWKS fetched from {issuer}/.well-known/jwks.json. |
| OIDC_AUDIENCE | oidc only | Expected aud claim value. Example: api://default (Okta) or api://rgx-gateway (Azure AD). |
| OIDC_JWKS_URI | oidc only | Override the auto-discovered JWKS URI. Required for air-gapped deployments where the IdP metadata endpoint is not reachable. |
| SAML_ENTRY_POINT | saml only | IdP SSO URL. Example: https://yourcompany.okta.com/app/rgx/sso/saml |
| SAML_CERT | saml only | PEM-encoded IdP signing certificate (base64, no headers). Obtained from your IdP's SAML metadata XML. |
| PORT | optional | HTTP listen port. Default: 3000. TLS termination handled upstream by ALB, nginx, or Application Gateway. |
| LOG_LEVEL | optional | error | warn | info | debug. Default: info. Structured JSON. PHI/PII never appears in logs at any level. |
| Mode | Trigger | Compatible IdPs |
|---|---|---|
| RGX JWTHS256 | Authorization: Bearer <hs256_jwt> |
Issued by your own back-end using JWT_SECRET. Payload must contain { tenant_id, seat_id }. |
| OIDCRS256 / ES256 | Authorization: Bearer <id_token> |
Okta, Azure AD / Entra ID, Google Workspace, Auth0, Ping Identity. |
| SAML 2.0 | X-Saml-Assertion: <base64 SAMLResponse> |
Azure AD SAML, Okta SAML, ADFS, Ping Identity. |
| Header / Body | X-Seat-Id: <user_id> or body { "seat_id": "..." } |
Server-side VAR calls where you control both ends. No token signing required. |
var_client_seats on first appearance and populates req.seatContext with { seatId, tenantId, nodeId, autoProvisioned, idpMode }. Usage is metered against that seat for per-seat billing.DEPLOYMENT_MODE=dedicated to activate full offline operation. In this mode, the gateway makes zero outbound network calls to RGX infrastructure per request. License validation, seat provisioning, usage metering, and audit logging all run locally within your VPC. No data leaves your network boundary.Dedicated mode requires a LICENSE_KEY JWT. Contact licensing@rgxsystems.com. The JWT is RS256-signed by RGX CA and verified offline at gateway startup against a hardcoded public key baked into the image. No license server call is ever made. Set it as LICENSE_KEY in your environment.
| LICENSE_KEY JWT Claim | Type | Description |
|---|---|---|
| node_id | string | Must match RGX_NODE_ID. Gateway refuses to start if they differ. |
| expiry | unix timestamp | License hard expiry. Gateway logs a warning at 30 days out and enters read-only mode at expiry. |
| allowed_seats | integer | Maximum concurrent active seats. Provisioning new seats above this limit returns HTTP 402. |
| industries | string[] | Allowed industry values. Requests with unlicensed industry fields return HTTP 403. |
In dedicated mode, admin and VAR portal routes are disabled. The node bootstraps from the LICENSE_KEY claims on first start — no manual provisioning step is needed. Billing runs locally against your Postgres instance. Stripe is never contacted.
-
TLS 1.3 enforced at the load balancer. Disable TLS 1.0 and 1.1. Use
ELBSecurityPolicy-TLS13-1-2-2021-06on AWS ALB or the equivalent Azure / GCP policy. The gateway container itself speaks plain HTTP internally — TLS lives at the LB. -
AES-256-GCM encryption enabled on PostgreSQL at rest. AWS RDS:
StorageEncrypted: truewith KMS key. Azure: Transparent Data Encryption (TDE) enabled. GCP: CMEK on Cloud SQL. -
No secrets in environment variable logs. Confirm your container orchestrator filters
LICENSE_KEY,ANTHROPIC_API_KEY,JWT_SECRET,DATABASE_URLfrom log streams. AWS Secrets Manager and Azure Key Vault inject at runtime without environment variable leakage. -
API keys stored as SHA-256 hashes only. Plaintext API keys are never persisted to the database. The gateway hashes inbound keys on each request and compares against stored hashes. This is the default behavior — verify with
SELECT * FROM api_keys LIMIT 1;and confirm thekey_hashcolumn starts with a 64-char hex string, notrgx_live_. -
Raw PII/PHI never written to central logs. The gateway's compliance engine tokenizes regulated data before any logging occurs. Confirm by sending a test request with dummy PHI and verifying CloudWatch / Log Analytics shows
{{REDACTED_PHI_1}}tokens, not the original values. -
Database connection uses SSL mode=require. Confirm
DATABASE_URLincludes?sslmode=requireor the equivalent DSN parameter. The gateway will refuse to connect to a non-SSL database in dedicated mode. -
Security groups / NSGs restrict database access to gateway tasks only. Postgres port 5432 must not be reachable from the public internet or any other security group. Verify inbound rules on your RDS instance or VM firewall.
-
HSTS header configured at load balancer. Set
Strict-Transport-Security: max-age=31536000; includeSubDomainson all HTTPS responses. Prevents protocol downgrade attacks. -
JWT_SECRET is at least 64 bytes of random entropy. Generate with
openssl rand -hex 64. Do not reuse across environments. Rotate quarterly or on suspected compromise. -
Health endpoint is not publicly accessible.
GET /api/v1/healthrequires a valid API key. If your ALB health check calls it unauthenticated, create a separate internal ALB target group or use the/internal/healthendpoint (authenticated by source IP restriction, not API key).
/health for liveness and readiness probes. Use /api/v1/usage to monitor seat consumption and billing position.
For licensing and dedicated VPC deployments: licensing@rgxsystems.com
For deployment support: support@rgxsystems.com
Full API reference: API Reference → |
Security architecture: Security Overview → |
Data flow diagram: Zero-Leakage Architecture →