Glossary

The process inside a private environment that connects outward to the rstream engine and relays traffic to local services. The agent can be the rstream CLI, or code that embeds an rstream SDK.

The rstream edge network entrypoint. The engine hosts tunnel endpoints, enforces authentication and access policies, and forwards traffic through tunnels to agents.

An endpoint hosted by the engine that relays traffic to an upstream target through an agent connection. A tunnel has properties such as protocol, type (bytestream/datagram), labels, and edge security settings.

A tunnel that is reachable using standard clients (for example a browser for HTTP). Public tunnels are designed for edge termination and proxying so authentication and policies can be enforced before traffic reaches upstream.

A tunnel that is not exposed as a public Internet endpoint. Private tunnels are designed to be accessed through rstream SDK clients that dial the tunnel by name or ID.

Downstream refers to the client-side connection into the engine from the Internet. Upstream refers to the connection the engine makes to the service through the tunnel and agent.

A stream-oriented tunnel type (TCP-like). It is the natural fit for HTTP/1.1, HTTP/2 cleartext (h2c), and TLS tunnels.

A packet-oriented tunnel type (UDP-like). It is required for QUIC and for HTTP/3 at the edge.

The protocol the engine exposes to downstream clients for a public tunnel, such as HTTP, TLS, DTLS, or QUIC. Protocol choice affects edge behavior and which security features are available.

The secure connection between the agent and the engine. Transport is independent of the tunnel protocol and can be tuned with options such as proxying, DNS override, and interface binding.

A named CLI configuration entry that typically includes an engine endpoint and optional authentication token. Contexts allow switching between projects and environments without rewriting commands.

A grouping concept used by the hosted platform. Projects typically collect tunnels, credentials, and access controls. In the CLI, projects are represented by contexts.

An HTTP tunnel mode where the engine requires a valid rstream token on every request. Tokens can be provided as a bearer header or as a query parameter.

An HTTP tunnel mode intended for browser-based access where the engine can maintain an authenticated session (typically via a cookie) rather than requiring a bearer token on every request.

A long-lived token created in the Dashboard. PATs are intended for operators and automation and can be revoked or rotated.

A long-lived credential pair (client ID + client secret) used to mint short-lived application tokens locally. Application credentials are intended for software products that integrate rstream and need to distribute scoped tokens to clients or devices.

A token that includes scoped permissions limiting what it can create, list, or connect to, often using filters and selection sets based on tunnel properties such as protocol, labels, or HTTP path.

A remote terminal protocol integrated with rstream. A WebTTY server runs next to a machine and can be published through a tunnel, making it accessible from browsers and remote clients while still being controlled by rstream authentication and policies.

A real-time event stream that reports changes in clients, tunnels, and (in some builds) stream summaries. Signaling can be consumed over SSE or WebSocket and is used to build inventories and reactive systems.