Challenge mode

HTTP tunnels can now require a browser challenge before traffic is forwarded upstream.

Challenge mode adds an automated browser verification step at the edge. When a browser reaches a protected HTTP tunnel without a valid challenge session, the engine redirects it to an rstream verification page, runs the challenge, then returns to the original tunnel URL.

The check happens before rstream Auth, so it can reduce unwanted automated traffic before account-based authentication is evaluated. A valid and authorized bearer token remains the machine-client path and can proceed without the browser challenge.

Challenge sessions use a dedicated cookie scoped to the tunnel host. They are independent from rstream Auth sessions, which keeps browser verification and user identity separate even when both controls are enabled on the same tunnel.

Challenge mode is available for HTTP tunnels with rstream forward --http --challenge-mode when the engine has an active challenge backend configured.

For behavior details and setup notes, refer to the Challenge Mode guide.