MTE Relay Server v4.5 Release Notes

Trevor Blackman
Engineering Director

MTE Relay Server v4.5 is a ground-up rewrite of the relay in Go. Releases through v4.4 ran on Node.js; v4.5 reimplements the entire proxy as a single, statically compiled Go service.

The rewrite delivers lower memory use, faster request handling, and a smaller, hardened container image, while keeping the MTE/MKE encryption and Kyber pairing protocol intact so existing clients keep working. It also introduces a new multi-tenant configuration model that becomes the preferred way to run the relay.

New

  • Rewritten in Go. The relay is now a single statically compiled Go binary instead of a Node.js application. This reduces memory footprint and startup time, removes the Node runtime from the deployment, and ships in a minimal, hardened distroless/cc-debian12 container image with no shell or package manager.

  • Multi-tenant domain mapping (DOMAIN_MAP). A single relay instance can now front multiple hostnames, each routed to its own upstream with its own CORS origins and client-ID secret. DOMAIN_MAP is a JSON object keyed by inbound host:

    DOMAIN_MAP='{
      "api.tenant1.com": {
        "upstream": "https://backend1.internal",
        "cors_origins": ["https://app.tenant1.com"],
        "client_id_secret": "secret1"
      }
    }'

    DOMAIN_MAP is mutually exclusive with the single UPSTREAM setting. Per-domain pass-through routes and outbound tokens are supported.

  • Real-time response streaming and Server-Sent Events. Responses are streamed to the client as they arrive rather than buffered. Server-Sent Events (SSE) stream in real time, large MKE payloads are sent as encrypted chunks, and pass-through responses use efficient streaming copies.

  • Cloud marketplace billing. Initial AWS Marketplace usage tracking is built into the server, laying the groundwork for the configurable billing strategies expanded in v4.6.
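
A pre-deployment lint for a DOMAIN_MAP value, added here as an example; it is not code from the relay. The checks (no wildcard CORS origin, no empty or shared client_id_secret) are assumed local policy rather than the relay's documented validation, `Tenant` and `LintDomainMap` are hypothetical names, and the `api.tenant2.com` entry is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Tenant mirrors the per-host keys of the DOMAIN_MAP sample in the notes.
type Tenant struct {
	Upstream       string   `json:"upstream"`
	CORSOrigins    []string `json:"cors_origins"`
	ClientIDSecret string   `json:"client_id_secret"`
}

// LintDomainMap applies assumed policy checks; findings never echo a secret.
func LintDomainMap(domainMap, upstreamEnv string) (out []string) {
	if domainMap != "" && upstreamEnv != "" {
		out = append(out, "DOMAIN_MAP and UPSTREAM are mutually exclusive")
	}
	var tenants map[string]Tenant
	if err := json.Unmarshal([]byte(domainMap), &tenants); err != nil {
		return append(out, "DOMAIN_MAP is not valid JSON: "+err.Error())
	}
	uses := map[string]int{} // how many hosts use each secret
	for _, t := range tenants {
		uses[t.ClientIDSecret]++
	}
	for h, t := range tenants {
		for _, o := range t.CORSOrigins {
			if o == "*" {
				out = append(out, h+": wildcard CORS origin")
			}
		}
		switch {
		case t.ClientIDSecret == "":
			out = append(out, h+": empty client_id_secret")
		case uses[t.ClientIDSecret] > 1:
			out = append(out, h+": client_id_secret shared with another host")
		}
	}
	sort.Strings(out) // map iteration order is random; keep output stable
	return out
}

func main() {
	// Constructed sample: two hosts share one secret, one allows any origin.
	sample := `{"api.tenant1.com":{"upstream":"https://backend1.internal","cors_origins":["https://app.tenant1.com"],"client_id_secret":"s1"},"api.tenant2.com":{"upstream":"https://backend2.internal","cors_origins":["*"],"client_id_secret":"s1"}}`
	fmt.Println(LintDomainMap(sample, ""))
}
```
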

Changed

  • DOMAIN_MAP is now the preferred configuration. The single UPSTREAM setting still works but is considered legacy and is slated for removal in v5. New deployments should use DOMAIN_MAP.
  • Logging reimplemented on zerolog. Logs are structured JSON in production and pretty, human-readable output in development. Every request carries a correlation ID for end-to-end tracing, and entries include request duration, upstream response time, encryption/decryption timing, and content sizes. Verbosity is controlled by LOG_LEVEL (trace, debug, info, warning, error, panic, off) and logs stream to stdout. The MTE library and relay versions are logged, and effective settings are logged at startup.
  • Larger default encoder/decoder pool. The default POOL_SIZE is now 600 (max 1000), improving throughput under concurrency out of the box.

Fixed

  • 4.5.1 — Updated the Go toolchain to 1.25.6 and removed the unused /public static-file route and its directory from the container images.
  • 4.5.2 — Hardened client-ID retrieval and parsing with clearer error logging that includes the offending client ID.