Request flow

Understanding request flow prevents mixing concerns: TLS/SNI, tenant resolution, JWT verification, PostgREST routing, and Postgres permissions are different failure modes.

What you will learn

• v2 shared path step-by-step
• How v1 differs
• Where to look first when debugging

The idea

v2 shared

HTTPS client  → Traefik / edge (TLS)  → Flux gateway (host → tenant, verify project JWT)  → PostgREST pool (bridge JWT → role)  → Postgres (tenant schema, policies)

v1 dedicated (typical)

HTTPS client  → Traefik (host → tenant API container)  → PostgREST (project keys / JWT per container env)  → Postgres (per-project instance)

How it works

Each layer refuses with a recognizable signal: 401 before Postgres indicates auth at the edge; 42501 indicates database authorization; an empty array indicates RLS filtering after the role was already allowed in. The full layer-by-layer map and verification steps live in Troubleshooting.

Example

For internal health checks from the control plane, prefer probing via the gateway with correct Host headers—see Environment variables (FLUX_TENANT_PROBE_GATEWAY_URL).

Next steps

• Mental model
• First request
• Troubleshooting