MTE API Relay

Introduction

MTE API Relay is an end-to-end encryption system that protects HTTP traffic between server applications. It acts as a proxy server that encodes and decodes payloads using Eclypses MTE software, an encryption library combining quantum-resistant algorithms with proprietary, patented techniques to secure data.

Below is an architecture where a server application communicates through an MTE API Relay container, which then transmits proxied traffic to another API Relay that decodes and delivers the request to its upstream API service:

Typical Use Case

View MTE API Relay on the Azure Marketplace

info

MTE API Relay instances are only compatible with each other. Neither an MTE Relay Server nor an MTE Client SDK can communicate with an MTE API Relay. MTE API Relays are strictly for server-to-server communications.

Prerequisites

Technical Requirements

Two services that use HTTP to communicate with each other.

Skills and Knowledge

Familiarity with AKS and/or Kubernetes.
General familiarity with Azure Services.
Experience with the Azure CLI.

Deployment Options

MTE API Relay is provided as a Docker image and can be deployed on Azure AKS, or manually using another container runtime.

Azure Kubernetes Service (AKS)

If kubectl is already configured for your AKS cluster:

Example Deployment File (`deployment.yaml`)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-mte-api-relay-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-mte-api-relay
  template:
    metadata:
      labels:
        app: azure-mte-api-relay
    spec:
      containers:
        - name: azure-mte-api-relay
          image: <CONTAINER_IMAGE>
          ports:
            - containerPort: 8080
          env:
            - name: CLIENT_ID_SECRET
              value: <YOUR CLIENT ID SECRET HERE>
            - name: CORS_ORIGINS
              value: <YOUR CORS ORIGINS HERE>
            - name: UPSTREAM
              value: <UPSTREAM VALUE HERE>
            - name: OUTBOUND_TOKEN
              value: <OUTBOUND TOKEN HERE>
            - name: SECRET
              value: <SERVER SECRET HERE>
---
apiVersion: v1
kind: Service
metadata:
  name: azure-mte-api-relay-service
spec:
  type: LoadBalancer
  selector:
    app: azure-mte-api-relay
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

Commands

kubectl apply -f deployment.yaml
kubectl get all
kubectl delete -f deployment.yaml

Server Configuration

MTE API Relay is configured using environment variables.

Required Variables

UPSTREAM – Upstream API or service URL.
CLIENT_ID_SECRET – Secret for signing client IDs (minimum 32 characters).
OUTBOUND_TOKEN – Token appended to requests to denote the intended outbound recipient.
SECRET – Shared secret required for exchanges; mismatches will cause decoding failures.
REDIS_URL (recommended for production) – Redis cluster for maintaining session pairs across load-balanced containers.

Optional Variables

PORT – Default: 8080.
LOG_LEVEL – One of trace, debug, info, warning, error, panic, off. Default: info.
PASS_THROUGH_ROUTES – Routes proxied without MTE encoding.
MTE_ROUTES – If set, only listed routes use encoding; others return 404.
CORS_ORIGINS – Comma-separated list of allowed origins.
CORS_METHODS – Default: GET, POST, PUT, DELETE.
HEADERS – Object of custom headers.

Minimal Example

UPSTREAM='https://api.my-company.com'
CLIENT_ID_SECRET='2DkV4DDabehO8cifDktdF9elKJL0CKrk'
OUTBOUND_TOKEN='abcdefg1234567'
CORS_ORIGINS='https://www.my-company.com,https://dashboard.my-company.com'

Full Example

UPSTREAM='https://api.my-company.com'
CLIENT_ID_SECRET='2DkV4DDabehO8cifDktdF9elKJL0CKrk'
OUTBOUND_TOKEN='abcdefg1234567'
SECRET='sharedsecret1234567890'
REDIS_URL='redis://10.0.1.230:6379'
PORT=3000
LOG_LEVEL=info
PASS_THROUGH_ROUTES='/health,/version'
MTE_ROUTES='/api/v1/*,/api/v2/*'
CORS_ORIGINS='https://www.my-company.com,https://dashboard.my-company.com'
CORS_METHODS='GET,POST,DELETE'
HEADERS='{"x-service-name":"mte-api-relay"}'

Testing & Health Checks

Monitor container logs for startup messages
Use the default or custom echo routes to test container responsiveness:
- Default: /api/mte-echo
- Custom Message: /api/mte-echo?msg=test

Expected response:

{
  "message": "test",
  "timestamp": "<timestamp>"
}

Monitoring

Azure Managed Grafana

Create a Grafana workspace in Azure.
- Azure Instructions here
Add Azure Monitor as a data source (service principal auth recommended).
- Azure Monitor Setup.
Import the provided dashboard:
- MTE API Relay Grafana Dashboard

Dashboard Metrics

Requests Processed [req/sec]
Request Time [ms]
Outbound Proxy Time [ms]
Upstream Proxy Time [ms]
Average Request Encode Time [ms]
Average Request Decode Time [ms]
Average Response Encode Time [ms]
Average Response Decode Time [ms]

Performance Metrics

Performance was measured with ~1 kb request/response payloads:

Concurrency	Req/Sec Relay	Req/Sec API	Relay %	Extra Latency (Median)
400	185	188	98.5%	+10 ms
500	298	305	97.8%	+17 ms
550	338	355	95.1%	+45 ms
600	339	402	84.3%	+202 ms

Note: At higher volumes (≥650 concurrent), scaling across multiple Relay instances is recommended.

Troubleshooting

Invalid Configuration
- Check logs for missing/invalid environment variables.
Relay unreachable
- Verify Network Security Groups and load balancer settings.
Redis connection issues
- Ensure Redis is properly deployed and credentials are correct.

Security

No sensitive data is stored in the container.
No root privileges required.
Should be deployed in the same VNet as the upstream service to ensure proxied traffic remains internal.

Costs

The service uses a usage-based cost per instance per hour.
Associated Azure services include:

Azure Service	Purpose
AKS	Container orchestration
Azure Cache (Redis)	State/session management
Azure Monitor	Logging and monitoring
VNet	Networking isolation
Azure Load Balancer	Scaling across Relay containers
Azure Key Vault	Recommended for secrets/env vars

Maintenance

Routine Updates

Updated container images are distributed through the Azure Marketplace.

Fault Recovery

Relaunch the Relay container pod; API Relays will automatically re-pair.

Service Limits

AKS: AKS Service Quotas
Azure Monitor: Limits
Azure Load Balancer: Limits

Key/Variable Rotation Recommendations

Rotate the CLIENT_ID_SECRET and OUTBOUND_TOKEN every 90 days as per security best practices.

Supported Regions

MTE API Relay is supported in most Azure regions, except:

Azure Gov
UAE and Bahrain Regions
China

Support

For assistance, contact Eclypses Support:
📧 customer_support@eclypses.com
🕒 Monday–Friday, 8:00 AM–5:00 PM MST (excluding holidays)

Introduction​

Prerequisites​

Technical Requirements​

Skills and Knowledge​

Deployment Options​

Azure Kubernetes Service (AKS)​

Example Deployment File (deployment.yaml)​

Commands​

Server Configuration​

Required Variables​

Optional Variables​

Minimal Example​

Full Example​

Testing & Health Checks​

Monitoring​

Azure Managed Grafana​

Dashboard Metrics​

Performance Metrics​

Troubleshooting​

Security​

Costs​

Maintenance​

Routine Updates​

Fault Recovery​

Service Limits​

Key/Variable Rotation Recommendations​

Supported Regions​

Support​