Glossary
Definitions for concepts and terms used in rstream.
This glossary defines the terms used across the rstream documentation. It focuses on rstream-specific concepts and on the networking terms that matter when operating tunnels.
Agent
The process inside a private environment that connects outward to the rstream engine and relays traffic to local services. The agent can be the rstream CLI, or code that embeds an rstream SDK.
Engine
The rstream edge network entrypoint. The engine hosts tunnel endpoints, enforces authentication and access policies, and forwards traffic through tunnels to agents.
Tunnel
An endpoint hosted by the engine that relays traffic to an upstream target through an agent connection. A tunnel has properties such as protocol, type (bytestream/datagram), labels, and edge security settings.
Public tunnel
A tunnel that is reachable using standard clients (for example a browser for HTTP). Public tunnels are designed for edge termination and proxying so authentication and policies can be enforced before traffic reaches upstream.
Private tunnel
A tunnel that is not exposed as a public Internet endpoint. Private tunnels are designed to be accessed through rstream SDK clients that dial the tunnel by name or ID.
Upstream / Downstream
Downstream refers to the client-side connection into the engine from the Internet. Upstream refers to the connection the engine makes to the service through the tunnel and agent.
Bytestream tunnel
A stream-oriented tunnel type (TCP-like). It is the natural fit for HTTP/1.1, HTTP/2 cleartext (h2c), TLS tunnels, SSH-style access, and most private tunnel workflows.
Datagram tunnel
A packet-oriented tunnel type (UDP-like). Published DTLS and QUIC tunnels use datagram semantics, and HTTP/3 also uses a datagram tunnel in the rstream model.
Tunnel protocol
The protocol the engine exposes to downstream clients for a public tunnel, such as HTTP, TLS, DTLS, or QUIC. Protocol choice affects edge behavior and which security features are available.
Tunnel transport
The secure connection between the agent and the engine. Transport is independent of the tunnel protocol and can be tuned with options such as proxying, DNS override, and interface binding.
Context
A named CLI configuration entry that typically includes an engine endpoint and optional authentication token. Contexts allow switching between projects and environments without rewriting commands.
Project
A grouping concept used by the hosted platform. Projects typically collect tunnels, credentials, and access controls. In the CLI, projects are represented by contexts.
Labels
Structured key-value metadata attached to clients, tunnels, and related runtime resources. Labels make short-lived resources easier to reconcile with application objects such as devices, environments, customers, regions, or service roles.
Token authentication for HTTP tunnels
An HTTP tunnel mode where the engine requires a valid rstream token on every request. Tokens can be provided as a bearer header or as a query parameter.
rstream auth
An HTTP tunnel mode intended for browser-based access where the engine can maintain an authenticated session (typically via a cookie) rather than requiring a bearer token on every request.
Challenge mode
An HTTP tunnel access mode where the engine requires an interactive browser challenge before forwarding requests upstream.
Personal access token
A long-lived token created in the Dashboard. PATs are intended for operators and automation and can be revoked or rotated.
Application credentials
A long-lived credential pair (client ID + client secret) used to mint short-lived application tokens locally. Application credentials are intended for software products that integrate rstream and need to distribute scoped tokens to clients or devices.
Fine-grained token
A token that includes scoped permissions limiting what it can create, list, or connect to, often using filters and selection sets based on tunnel properties such as protocol, labels, or HTTP path.
Control plane
The managed API surface used for accounts, workspaces, projects, credentials, billing, TURN credential issuance, and other platform operations. It is separate from the engine runtime that carries tunnel traffic.
Data plane
The runtime path used by rstream clients and engines to create tunnels, accept connections, relay traffic, and watch live tunnel state.
MCP
Model Context Protocol, a protocol for exposing tools and resources to AI agents. rstream provides MCP surfaces for project discovery, tunnel operations, logs, events, webhook inspection, and controlled local or remote access workflows.
Outbound-only connectivity
A network shape where agents and SDKs initiate connections from the private environment to the edge. The private network does not need an inbound listener or public IP address for rstream to reach the upstream service.
Zero trust access
An access model where reachability alone is not treated as authorization. In rstream, tunnel access can be constrained by tokens, resources.tunnels boundaries, edge authentication, trusted IPs, GeoIP restrictions, TLS policy, and project-wide access policies.
Edge authentication
Authentication performed by the engine before a published request or connection is forwarded upstream. HTTP tunnels can use token auth, rstream auth, and challenge mode; edge-terminated TLS surfaces can use mTLS where configured.
Access policy
A project-wide runtime requirement enforced by the engine. Access policies can restrict public tunnel creation, source IPs, GeoIP, minimum TLS version, post-quantum key exchange behavior, and Encrypted Client Hello behavior.
Tunnel resource
A token or credential restriction that limits tunnel access to specific workspaces, projects, tunnel properties, labels, list fields, or HTTP paths. In the public token contract this is encoded under resources.tunnels. Resource boundaries are reduced as tokens are derived and are enforced by the engine.
HTTP tunnel
A published tunnel where the engine accepts HTTP traffic and forwards HTTP requests to an upstream service. HTTP tunnels support request-level controls, connection reuse, WebSocket, plain CONNECT, HTTP/3 WebTransport, and MASQUE protocols when the runtime enables them.
TLS tunnel
A published bytestream tunnel that accepts TLS traffic at the edge. TLS tunnels can terminate TLS at the edge or pass the encrypted TLS session through to the upstream service.
DTLS tunnel
A published datagram tunnel that accepts DTLS traffic at the edge. It is designed for UDP-style protocols that need DTLS semantics rather than HTTP semantics.
QUIC tunnel
A published datagram tunnel for custom QUIC application protocols. It is distinct from QUIC tunnel transport, which is the client-to-engine transport used by rstream clients.
HTTP/3
The HTTP version that runs over QUIC. In rstream, HTTP/3 is used by HTTP tunnels with h3 upstream mode and by WebTransport, CONNECT-UDP, and CONNECT-IP flows.
Plain HTTP CONNECT
The standard HTTP forward proxy method for TCP targets. A client sends CONNECT host:port, the upstream proxy decides whether to allow that target, and a 2xx response turns the stream or connection into an opaque byte tunnel.
Extended CONNECT
An HTTP/2 and HTTP/3 form of CONNECT that carries a protocol token such as websocket, webtransport, connect-udp, or connect-ip. The same pattern lets upgraded sessions remain on the HTTP tunnel path.
HTTP Datagrams
The HTTP mechanism for associating unreliable datagram payloads with an HTTP request. rstream uses HTTP Datagrams for HTTP/3 WebTransport and MASQUE sessions.
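The decision a CONNECT-style proxy makes, as described in the Plain HTTP CONNECT and Extended CONNECT entries above, written out as an added example that is not part of rstream or its documentation. The target allowlist and the set of accepted protocol tokens are hypothetical policy inputs, and the pseudo-header rules for the extended form follow RFC 8441 and RFC 9220.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy inputs: the allowlist and the accepted protocol tokens are
# hypothetical; a real proxy would load them from its configuration.
ALLOWED_TARGETS = {("db.internal", 5432), ("app.internal", 443)}
EXTENDED_PROTOCOLS = {"websocket", "webtransport", "connect-udp", "connect-ip"}


@dataclass
class Decision:
    status: int                      # status code the proxy would answer with
    reason: str
    protocol: Optional[str] = None   # protocol token, Extended CONNECT only


def parse_authority(authority: str) -> Optional[tuple[str, int]]:
    """Split 'host:port'; CONNECT requires an explicit port, so reject anything else."""
    host, sep, port = authority.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host.strip("[]"), int(port)   # IPv6 literals arrive as [addr]:port


def decide_plain_connect(request_line: str) -> Decision:
    """HTTP/1.1 form, e.g. 'CONNECT db.internal:5432 HTTP/1.1'. The authority is the
    TCP target, so this is where the proxy enforces which targets may be reached."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return Decision(400, "malformed CONNECT request line")
    target = parse_authority(parts[1])
    if target is None:
        return Decision(400, "authority must be host:port")
    if target not in ALLOWED_TARGETS:
        return Decision(403, "target not allowed by proxy policy")
    return Decision(200, "tunnel established")   # stream is now an opaque byte tunnel


def decide_extended_connect(pseudo: dict[str, str]) -> Decision:
    """HTTP/2 and HTTP/3 form: :method CONNECT plus a :protocol token; unlike the
    plain form, :scheme, :path and :authority are all mandatory."""
    if pseudo.get(":method") != "CONNECT" or ":protocol" not in pseudo:
        return Decision(400, "not an Extended CONNECT request")
    missing = [h for h in (":scheme", ":path", ":authority") if h not in pseudo]
    if missing:
        return Decision(400, "missing pseudo-headers: " + ", ".join(missing))
    proto = pseudo[":protocol"]
    if proto not in EXTENDED_PROTOCOLS:
        return Decision(501, "unsupported protocol token")
    return Decision(200, "upgraded session accepted", protocol=proto)
```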
Capsule Protocol
An HTTP stream format used by upgrade tokens to exchange reliable control messages. CONNECT-IP uses capsules for address assignment and route advertisement, and CONNECT-UDP can use capsules alongside HTTP Datagrams.
MASQUE
A family of HTTP proxying protocols that tunnel datagram traffic through HTTP. In rstream documentation, MASQUE usually refers to CONNECT-UDP and CONNECT-IP over published HTTP/3 datagram tunnels.
CONNECT-UDP
A MASQUE protocol for proxying UDP payloads over HTTP. rstream relays CONNECT-UDP through HTTP/3 datagram tunnels to an upstream UDP proxy service.
CONNECT-IP
A MASQUE protocol for proxying IP packets over HTTP. rstream relays CONNECT-IP through HTTP/3 datagram tunnels to an upstream IP proxy service that owns address assignment, routes, and packet policy.
WebSocket
An HTTP-based upgrade mechanism that creates a bidirectional stream. rstream HTTP tunnels relay WebSocket across HTTP/1.1, h2c, and HTTP/3 upstream modes.
WebTransport
An HTTP/3 transport that supports bidirectional streams, unidirectional streams, and datagrams. Browser and native clients can use WebTransport when they match the draft version supported by the runtime.
ALPN
Application-Layer Protocol Negotiation, the TLS extension used to select an application protocol during the handshake. rstream uses ALPN for HTTP versions and for custom TLS, DTLS, and QUIC protocol selection.
Mutual TLS
A TLS mode where the client presents a certificate and the engine maps it to a client certificate credential. In rstream, mTLS can authenticate agent control-channel connections, and it can also protect public traffic entering edge-terminated published tunnel endpoints. It does not authenticate the Engine HTTP API and does not apply to TLS passthrough.
PKCS#11
A standard API for using private keys held by hardware or software security modules. rstream SDKs can use PKCS#11-backed keys for mTLS agent authentication with devices such as YubiKeys, HSMs, smart cards, TPM-backed modules, or SoftHSM validation tokens.
Hardened credential storage
Credential storage modes that avoid placing long-lived secrets directly in the rstream YAML configuration, such as macOS Keychain token storage, Keychain mTLS identities, and PKCS#11-backed mTLS private keys.
Encrypted Client Hello
A TLS feature that encrypts sensitive ClientHello metadata when the client and DNS configuration support it. rstream can prefer or require ECH on supported edge-terminated project surfaces.
Post-quantum key exchange
TLS key exchange using hybrid post-quantum groups where supported by the runtime and clients. rstream project policy can prefer or require hybrid groups for edge-terminated TLS surfaces.
WebRTC
A browser and native real-time media stack for audio, video, and data channels. In rstream architectures, tunnels commonly publish signaling surfaces, while managed STUN/TURN and application labels help connect transient device sessions to durable application state.
STUN
Session Traversal Utilities for NAT, a protocol used by WebRTC clients to discover network-facing addresses. rstream exposes STUN alongside TURN for WebRTC connectivity.
ICE
Interactive Connectivity Establishment, the WebRTC connectivity framework that gathers candidates, checks candidate pairs, and selects the path used for media. rstream supports ICE workflows through tunnel-published signaling and managed STUN/TURN.
SCTP
Stream Control Transmission Protocol, a message-oriented transport that can multiplex streams. rstream examples include SCTP over datagram tunnels and over published DTLS endpoints.
TURN
Traversal Using Relays around NAT, a relay service used when direct WebRTC connectivity cannot be established. rstream can issue or derive scoped TURN credentials for projects.
Stable domain
A reusable tunnel hostname requested by the client and validated by the engine. Stable domains let reconnecting tunnels keep predictable public addresses.
WebTTY
A remote terminal protocol integrated with rstream. A WebTTY server runs next to a machine and can be published through a tunnel, making it accessible from browsers and remote clients while still being controlled by rstream authentication and policies.
Webhook
A configured endpoint that receives signed project lifecycle events outside the live signaling connection. Webhooks are used to update durable application state when clients or tunnels appear and disappear, especially when labels identify the corresponding application object.
Signaling
A real-time event stream that reports changes in clients, tunnels, and (in some builds) stream summaries. Signaling can be consumed over SSE or WebSocket and is used to build inventories and reactive systems.