Gateway Service

The Gateway is the public entry point of a WebStream deployment. It terminates SSL, authenticates users, resolves their entitlements, and proxies every browser connection — HTTP and WebSocket — to the right streamer on the right session host. It also hosts the built-in IAM control plane and the registry that backends and streamers report into.

Function

Started with webstream.exe -gw (or -gateway), the Gateway performs six jobs:

Ports and endpoints

ListenerPortPurpose
HTTPS443Public browser traffic (when the PFX certificate is present).
HTTPgateway.port (default 9000)Backend registration/heartbeat and internal traffic.

Message contracts

Inbound — from session hosts (backends)

EndpointMethodFrequencyPayload
/gateway/registerPOSTOnce at backend startup (retried every 30 s, up to 10 times){ serverUrl, maxSessions, instanceType, ec2InstanceId, tags[], capabilities[], version }
/gateway/heartbeatPOSTEvery 10 s (config heartbeatInterval){ serverUrl, status, activeSessions, maxSessions, instanceType, tags[], cpuUsage, memoryUsage, timestamp }
/gateway/unregisterPOSTBackend shutdown{ serverUrl }

Inbound — from streamers (licence registry)

EndpointMethodFrequencyPayload / response
/gateway/license/streamer-checkinPOSTEvery 15 s per active streamer{ streamerGuid } → 200 OK, 403 (licence), or 409 (capacity)
/gateway/license/streamer-checkoutPOSTSession logoff / streamer exit{ streamerGuid }{ success, activeStreamers }

Inbound — from browsers

EndpointMethodPurpose
/iam/auth/login, /iam/*variousAuthentication and the full IAM API (built-in mode). Returns a JWT used on all subsequent calls.
/gateway/session/selectPOSTWorkspace launch. Body { workspaceId, workspaceType, appId, appExe, appArgs } with X-Session-ID and Authorization: Bearer headers. Reserves a concurrency slot and pins the session to a backend.
/gateway/session/releasePOSTWorkspace end; frees the concurrency slot.
/gateway/session/statusGETReconnect preflight; reports current session state.
/getConnectionGETProxied to the pinned backend; returns the streamer connection details for the session.
/capture, /control, /audioWebSocketProxied through to the session's streamer for the life of the session.
/gateway/healthGETPlain OK liveness probe (for load balancers).

After /gateway/session/select, the gateway injects the workspace contract into proxied requests as headers: X-Workspace-ID, X-Workspace-Name, X-Workspace-Type, X-App-ID, X-App-Exe, X-App-Args, X-User-ID, X-Username, X-Org-ID, and X-Policy-JSON (base64). The session host and streamer act on these — they never query IAM directly.

Inbound — MCP proxy

PathAuthRouted to
/mcp/api/*X-MCP-Key header, validated against <mcpApiKeys>Metrics Engine (http://localhost:9009/api/*)
/mcp/iam/*X-MCP-Key headerIn-process IAM handlers

Outbound — health probes

EndpointMethodFrequencyNotes
{backendUrl}/healthGETAdaptive: 1 s while a backend is unstable, 10 s once stable (config healthCheck.interval)Timeout 8 s; a backend is marked Unreachable after 4 consecutive failures (failureThreshold) and healthy again after 2 successes (successThreshold).

Configuration

The Gateway consumes the <gateway> section of app.config.xml, plus the IAM and MCP sections:

PropertyPurpose
gateway.enabled, gateway.publicIP, gateway.portEnable gateway mode and set the public bind address and internal port.
gateway.elevateGatewayPriorityRun the process at AboveNormal priority for WebSocket responsiveness.
gateway.loadBalancing.strategyRoundRobin, LeastConnections, or Weighted.
gateway.loadBalancing.sessionAffinityTimeoutSticky-session window in seconds (default 3600).
gateway.healthCheck.interval / timeout / failureThreshold / successThresholdBackend probe tuning. Keep timeout ≥ 6 s and failureThreshold ≥ 3 so a backend busy with login provisioning is not flapped out of routing.
webstreamSettings.serverPfxCertificateFile / serverPfxSecretThe certificate used for HTTPS termination.
accessManagement.modebuiltin runs IAM in-process (recommended); standalone/external point at a separate Access Management service.
mcpApiKeysNamed API keys for the /mcp/* proxy. If empty, all MCP requests are rejected with 401.

Aligned settings on peer services