Architecture

Request Lifecycle

Every API call proxied through RequestRocket passes through a well-defined pipeline of stages — from authentication to response delivery. Understand each stage, how it can be configured, and what happens when one short-circuits.

Start for Free Read the Docs

Overview

Gateway Architecture

RequestRocket sits between your application and any third-party API. Every request passes through authentication, authorization, and rate limiting before being forwarded to your upstream target. Responses pass back through payload operations and logging before reaching the caller.

Consumers

Agents

Applications

Developers

Intelligence

Webhooks

Regional / Customer Deployments

Data Planeruntime proxy

Operations

Rate LimitingAuthenticationAuthorizationValidationFilteringAI Redaction

3rd Party APIs

AI / ML

Comms

CRM

Data

Finance

Pipeline

Sequence of Operations

Click any stage to see when it runs, how it works, and which documentation covers it. Stages marked short-circuit will return a response to the caller immediately if their condition is met — meaning the remaining pipeline stages are skipped.

Your Request

PURPOSE

Every call to a RequestRocket proxy endpoint starts here. Any HTTP method and content type is accepted.

APPROACH

The inbound HTTP request arrives at the RequestRocket API Gateway. The proxy identifier is resolved from the URL path, and the request is handed off to the authorizer.

LEARN MORE

Proxy Overview →Configure your proxy endpoints

Authentication short-circuit

If the caller's credential is missing, expired, or invalid, RequestRocket returns a 401 Unauthorized immediately. The request never reaches your upstream — protecting your APIs from unauthenticated traffic.

Rules short-circuit

If any rule layer — proxy credential, target credential, proxy, or target — denies the request, a 400 is returned with the matching rule metadata. All four layers must allow before the request is forwarded.

Platform

How RequestRocket Runs

Serverless Runtime

Our hosted solution runs on AWS Lambda behind API Gateway — no servers to manage, no warm-up required. The gateway scales with your traffic automatically. Binary responses are supported up to Lambda payload limits. Contact us for self-hosted options.

Regional Deployment

Our hosted solution runs in any AWS region. Each region is an independent stack with its own API Gateway endpoint. Configuration is fully API-driven — no GitOps workflow required. Contact us to enable additional regions for your account.

Protocol Support

Proxies any HTTP traffic: REST, GraphQL, and webhook calls. All standard HTTP methods are supported. Upstream communication uses HTTPS with a configurable timeout enforced per request. Check out examples in the documentation.

Examples →

Core REST API

Every gateway resource — proxies, targets, credentials, rules, filters, and telemetry — is managed through a versioned REST API. Everything the dashboard does is API-accessible for automation and CI/CD integration.

API Reference →

Not sure where your API risk is?Free 15-question assessment aligned to OWASP, SOC 2 & ISO 27001.

Take the API Security Assessment

Proxy Design

Choosing the Right Components

RequestRocket provides multiple points throughout the pipeline where you can apply logic. Use this reference to pick the right one for your use case.

Authenticate API callers

Restrict which routes a credential can call

Limit how many requests a proxy accepts

Forward requests to a third-party API

Remove sensitive fields from API responses

View per-request audit records

Stream logs to an external SIEM

Manage everything from code or CI/CD

Enhance ISO 27001

Enhance SOC 2

Enhance GDPR

Enhance HIPAA

Add outbound API security
without changing code

Start on your own or talk to our team about improving the security of every API call you make.

Start for Free Book a Demo