PRODUCT · EDGE POLICIES

Routing, rewriting, auth — declared once.

One policy file describes how every request to your tunnel is handled. Versioned in Git, validated at compile time, propagated to every PoP in under three seconds.

Live in 38 regions · 99.99% uptime · SOC 2 Type II
[Diagram: REQUEST → POLICY → ALLOW 60% · REWRITE 22% · DENY 12% · RATE-LIMIT 6%]

  • < 3s · Global rollout: From git push to every PoP
  • 0.4ms · Policy eval: p99 added latency
  • 120+ · Built-in matchers: Path, header, geo, asn, body
  • 100% · Type-safe: Compiled, not interpreted

DECLARATIVE DSL

A policy file reads like a contract.

The tGate DSL is a small, statically-checked language. No magic. No runtime surprises. If it compiles, it deploys. If it deploys, it routes correctly — guaranteed.

  • Fail at build, not at runtime: Type checker catches bad header references and unreachable rules.
  • Hot reload: Apply via dashboard, CLI, or git webhook. No restarts, no drops.
  • Roll back any version: Every deploy is immutable. tgate policy rollback is one command.

# policy.tg
route "/api/v1/*" {
  auth = oidc("auth.t.gate")
  rate_limit = "100/min/user"
  cache = edge(60)
  headers.add("x-trace", req.id)
}
route "/admin/*" {
  require = req.user.role == "admin"
  geo_allow = ["DE", "US"]
}

MATCH ANYTHING

Path, header, country, ASN, JSON body — they're all just predicates.

The matcher language is uniform. Every signal — from the request line, the headers, the body, the connection metadata — composes into the same boolean expressions.

  • Geo & ASN matchers: MaxMind data refreshed weekly. ASN lists from PeeringDB.
  • JSONPath on bodies: Route by request body without parsing in your app.
  • Custom claims: Match on JWT claims, mTLS subject, session attributes.

path       /api/v1/users/:id    + params
host       *.t.gate             wildcard
header     x-tier=premium       exact
query      version=v2           regex ok
method     GET, POST, PATCH     any of
country    DE, AT, CH           geo db
asn        AS13335              asn list
body.json  $.user.role          jsonpath

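
The eight matcher kinds listed above, composed into one boolean rule as an added Python illustration (not tGate's engine or DSL; the helper names, the request dictionaries and the expected role value are constructed). Path and query matches are anchored, and an unparsable body never matches.

```python
# Added illustration in plain Python: NOT tGate's engine or DSL. Sample requests are constructed.
import fnmatch
import json
import re

def path_is(template):
    # ":name" captures exactly one path segment; fullmatch rejects longer paths.
    parts = [f"(?P<{s[1:]}>[^/]+)" if s.startswith(":") else re.escape(s)
             for s in template.split("/")]
    rx = re.compile("/".join(parts))
    return lambda r: rx.fullmatch(r["path"]) is not None

def host_is(glob):
    return lambda r: fnmatch.fnmatchcase(r["host"].lower(), glob)

def header_is(name, value):
    # Header names are case-insensitive; values are compared exactly.
    return lambda r: {k.lower(): v for k, v in r["headers"].items()}.get(name.lower()) == value

def query_matches(name, pattern):
    return lambda r: re.fullmatch(pattern, r["query"].get(name, "")) is not None

def member(field, *allowed):
    # Shared by method, country and asn: "any of" a fixed set.
    return lambda r: r[field] in allowed

def body_json(path, expected):
    keys = path[2:].split(".")  # models only simple "$.a.b" paths
    def pred(r):
        try:
            node = json.loads(r["body"])
            for key in keys:
                node = node[key]
        except (ValueError, KeyError, TypeError):
            return False  # unparsable body or missing field: no match
        return node == expected
    return pred

def all_of(*preds):
    return lambda r: all(p(r) for p in preds)

RULE = all_of(
    path_is("/api/v1/users/:id"), host_is("*.t.gate"), header_is("x-tier", "premium"),
    query_matches("version", "v2"), member("method", "GET", "POST", "PATCH"),
    member("country", "DE", "AT", "CH"), member("asn", "AS13335"),
    body_json("$.user.role", "admin"),  # expected value "admin" is constructed
)

def sample(**overrides):
    base = {"path": "/api/v1/users/42", "host": "api.t.gate", "headers": {"X-Tier": "premium"},
            "query": {"version": "v2"}, "method": "GET", "country": "DE", "asn": "AS13335",
            "body": '{"user": {"role": "admin"}}'}
    return {**base, **overrides}
```
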
VS NGINX

Same outcome. Half the lines. None of the regex pain.

Real-world A/B routing rule, with auth and rate limiting.

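BEFORE · nginx.conf
# limit_req_zone takes a fixed rate (no variables), so each tier gets its own zone;
# a request whose key is empty is not counted against that zone.
map $http_x_tier $std_key {
  default $binary_remote_addr;
  premium "";
}
map $http_x_tier $premium_key {
  default "";
  premium $binary_remote_addr;
}
limit_req_zone $std_key zone=std:10m rate=60r/m;
limit_req_zone $premium_key zone=premium:10m rate=600r/m;

location ~ ^/api/v1/(.*)$ {
  auth_request /_oidc;
  limit_req zone=std burst=20;
  limit_req zone=premium burst=20;
  if ($http_user_agent ~* "bot") {
    return 403;
  }
  proxy_pass http://upstream/$1;
  proxy_set_header X-Trace $request_id;
}
Plus a dedicated OpenResty + Lua module for OIDC.
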
AFTER · policy.tg
route "/api/v1/*" {
  auth = oidc("auth.t.gate")
  rate_limit = match {
    req.header("x-tier") == "premium" => "600/min"
    else => "60/min"
  }
  deny if req.ua.is_bot
  headers.add("x-trace", req.id)
}
Compiled to native at edge. No runtime interpreter.
POLICY PRIMITIVES

Twelve verbs cover every routing decision.

Compose them. Override them per route. Inherit across environments.

↪️

rewrite

Path and header rewrites with capture groups.

rewrite /v1/* → /v2/$1
🛡️

auth

OIDC, JWT, mTLS, API key — single keyword.

auth = jwt(jwks_url)
⏱️

rate_limit

Token bucket per IP, user, header or expression.

100/min/user
💾

cache

Edge cache with stale-while-revalidate, by-tag purge.

cache = edge(60)
🌍

geo_allow

ISO-3166 allow/deny, ASN block lists.

geo_deny = ["RU"]
🔁

retry

Idempotent retries with exponential backoff.

retry = 3 backoff=expo
GIT-NATIVE

Policies live next to your code.

Connect a repo, point at a folder, and tGate watches for new commits. Every PR gets a preview environment with the new policy applied to a copy of your traffic.

  • PR previews: Each PR mirrors live traffic at 1% so you can diff response shapes.
  • Required reviewers: Lock production policies behind GitHub CODEOWNERS.
  • Audit trail: Every deploy ties back to commit, author, and reviewer.

$ git push origin main
...
policy.tg compiled (47 routes)
✓ Validated against staging traffic
✓ Rolled out to 38/38 PoPs in 2.4s
Audit: deploy_8x2af · by @priya

"Our SRE team used to live in nginx.conf. Now they live in code review. Every routing change is a PR with type-checking and a preview environment. We've shipped 280 policy changes this quarter without a single rollback."
Marcus Wei
Director of Platform · Nimbus Cloud

0 ROUTING INCIDENTS / Q

Move every routing rule into version control.

Stop ssh-ing into proxies at 2am. Stop hand-editing YAML. Ship policies the way you ship code.

No card required · Free for 7 days · Cancel anytime