Unkey Deploy is currently in private beta. To get access, reach out on Discord or email support@unkey.com.
A Sentinel is a reverse proxy that sits in front of your deployment. If you’re familiar with API gateways, a Sentinel fills the same role: it processes every inbound request, enforces policies like authentication and rate limiting, and only forwards traffic that passes all checks to your app.

Environment isolation

Every environment in your project gets its own isolated Sentinel. You don’t need to create, configure, or manage them. Unkey provisions them automatically when you create an environment.
  • Production environments get three Sentinel replicas for high availability
  • Preview environments get one Sentinel replica
Isolation between environments means a misconfigured policy or unusual traffic in a preview environment can’t affect production. It also means each Sentinel only caches data for its own environment, resulting in high cache hit rates and low latency.
The Sentinel routes requests to instances in the same region. When multiple instances of your deployment are running, the Sentinel distributes requests randomly across them. There is no session affinity.

Policy enforcement

When a request arrives at your deployment’s URL, the Sentinel evaluates all configured policies in order. If every policy passes, the Sentinel selects a healthy instance and forwards the request. If any policy rejects the request, the Sentinel returns an error response and your app never sees it.
All of the Sentinel’s request processing is built on policies. The most common ones are:
  • Authentication: Verifies API keys before your code runs, and forwards the authenticated identity to your app via a request header
  • Rate limiting: Enforces rate limits on specific routes or subjects, rejecting excess traffic before it reaches your instances
  • Logging: Records the full HTTP request and response, including headers and body, for debugging and observability
Other policy types include IP rules, OpenAPI request validation, and more. See Policies for the full list.
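The evaluation order described above, modelled in Python as an added example (a simplified sketch, not Unkey's code): policies run in order, the first rejection stops processing, and a healthy instance is picked at random. The header name, the status codes, the 503 fallback, and the stripping of a client-supplied identity header are assumptions of this model.

```python
import random

# Hypothetical name: the page only refers to "the Principal header".
PRINCIPAL_HEADER = "X-Example-Principal"

class Reject(Exception):
    """Raised by a policy to stop evaluation; status codes are assumed."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status

def authenticate(valid_keys):
    """Policy: verify the API key and record the identity for the app."""
    def policy(req):
        # Model assumption: discard any identity header the client sent,
        # so only the proxy's verified value reaches the app.
        req["headers"].pop(PRINCIPAL_HEADER, None)
        identity = valid_keys.get(req["headers"].get("Authorization"))
        if identity is None:
            raise Reject(401)
        req["headers"][PRINCIPAL_HEADER] = identity
    return policy

def rate_limit(limit):
    """Policy: at most `limit` requests per subject (no time window here)."""
    counts = {}
    def policy(req):
        subject = req["headers"][PRINCIPAL_HEADER]  # set by authenticate
        counts[subject] = counts.get(subject, 0) + 1
        if counts[subject] > limit:
            raise Reject(429)
    return policy

def handle(req, policies, instances, rng=random):
    """Run policies in order; forward only if every one passes."""
    try:
        for policy in policies:
            policy(req)
    except Reject as rejected:
        return {"status": rejected.status, "forwarded_to": None}
    healthy = [name for name, ok in instances.items() if ok]
    if not healthy:
        return {"status": 503, "forwarded_to": None}  # assumed behaviour
    # Random choice per request: no session affinity.
    return {"status": 200, "forwarded_to": rng.choice(healthy)}

if __name__ == "__main__":
    chain = [authenticate({"Bearer k1": "user_1"}), rate_limit(2)]  # constructed
    request = {"headers": {"Authorization": "Bearer k1"}}
    print(handle(request, chain, {"inst-a": True, "inst-b": False}))
```

Because authentication runs first in this chain, a request with an invalid key is rejected before the rate limiter counts it, and the limiter can key on the verified identity rather than on anything the client supplied.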

Configuration

The Sentinel dashboard is still in development. Today you can configure API key authentication through the dashboard. For other policy types, contact support@unkey.com.
To configure API key authentication:
  1. Navigate to your project’s Settings page.
  2. Scroll to the Sentinel configurations section.
  3. Select one or more keyspaces to enforce.
  4. Save your changes.
See Authentication for details on the Principal header your app receives after successful verification.
Last modified on March 30, 2026