Docs / Signed dev links

Signed dev links create scoped browser sessions.

EnvForge signed dev links are app handoffs, not tunnels. A signed URL names the service, workspace, organization, route family, and expiration before the gateway creates a browser session for dev.envforge.ai traffic.

signed dev linkbrowser session

service: web

workspace: signed-links

org: acme

host: web--signed-links--acme.dev.envforge.ai

session: web, /api, assets, websockets; expires 2h

wake: verified dev request can start sleeping runtime

blocked: ssh, secrets, logs, runtime admin

Session lifecycle

The gateway checks the signed scope before any runtime traffic.

The host shape keeps links readable, but the signed session is the permission boundary. Runtime wake, route readiness, and request forwarding happen only after the signed dev link scope is verified.

lifecyclegateway enforced
  1. Issueservice + workspace + org + expiration

    A signed URL mints the browser session.

    EnvForge signs the service, workspace, organization, route family, and expiration before the reviewer gets a shareable signed dev link.

  2. Opendev.envforge.ai/share/token

    The gateway verifies scope before wake or forwarding.

    The first request checks the signature, creates a workspace-scoped browser session, wakes a sleeping runtime when needed, and only then forwards app traffic to the selected service.

  3. Useweb + /api + assets + websockets

    The same session covers the product surface.

    Browser routes, same-origin API calls, static assets, and realtime paths reuse the signed dev session so reviews behave like the real app.

  4. Closeexpire or revoke at gateway

    Removing the session does not delete the workspace.

    Expired or revoked links stop at the gateway while shell access, repo state, runtime sleep, and workspace metadata remain governed separately.

Boundary

Signed dev link access stops at the app surface.

A signed dev link can wake the runtime for review traffic, but it does not become workspace administration. Operational access remains behind Auth0 roles, CLI access, Tailscale policy, and root policy.

Allowed session routesweb / /api / assets / websockets
  • Browser routes for the selected service
  • Same-origin /api calls bound to the workspace
  • Static assets served by the selected service
  • WebSocket and realtime paths declared for the app
Blocked operational surfacesssh / secrets / logs / admin
  • SSH and raw shell access
  • Secret values and environment stores
  • Logs, traces, and private consoles
  • Mailpit, MinIO, databases, and runtime admin
Review handoff checklistscope + readiness + expiration
  • Share the signed dev link, not a raw runtime host, port, VM name, or IP address.
  • Name the service, workspace, organization, and expiration in the handoff so reviewers know the scope.
  • Confirm web, /api, assets, and realtime routes are ready or clearly marked as waking.
  • Revoke or let the link expire when review ends; do not rely on DNS changes for access removal.