Transport modes
Three ways to wire Root Herald into your stack
In the default Background-Check flow your server is what calls Root Herald (server→server, with your rh_sk_ secret key). The user's device only hands an opaque evidence blob to your backend. These three modes are about where your server's call to Root Herald lands: who owns the DNS, who owns the TLS, and what your egress observability looks like. All three deliver the same verdict and the same wire protocol.
Compare the three
| Mode | Setup | Pricing | Trade-offs |
|---|---|---|---|
| Direct (default) | Your server calls api.rootherald.io server→server. Zero config. | Included in every tier (Free → Enterprise). | Your backend's egress shows rootherald.io. The client never talks to Root Herald, so there are no third-party cookies or storage-partitioning concerns on the user's device at all. |
| Custom domain (coming soon) | Coming soon — not yet live. Will let you add a CNAME (auth.acme.com → tenant-domains.rootherald.io) and validate an ACM cert via a dashboard wizard. Run on rootherald.io until it ships. | Planned: $49/month add-on on Pro · included on Business and Enterprise. Not billed yet. | When live: your domain in your server's egress logs, your brand on the issuer. Slightly more DNS hops than direct mode (one extra CNAME); adds ~3ms p50 latency. |
| Customer proxy | Run a thin reverse proxy on your own infra (Express, ASP.NET, Cloudflare Worker, Lambda@Edge) that forwards Root Herald traffic upstream. We publish reference implementations. | Included in Pro / Business / Enterprise. Free tier excluded. | Maximum control: every byte goes through your TLS, your WAF, your DLP. Adds ~10-30ms of latency depending on where you run the proxy. You become responsible for keeping the proxy alive and patched. |
How to choose
- Starting out / proving the value: use direct. Zero setup, zero pricing impact. You can switch later without redeploying anything client-side; same wire, just a different base URL.
- Production with a brand-conscious team: custom domain (coming soon — not yet live). Once it ships, your server's egress and any portable token issuer will show your domain instead of "rootherald.io". Until then, use direct mode on
rootherald.io. - Regulated / SOC 2 / FedRAMP / regional residency: customer proxy. Every byte flows through infra you control. We publish reference proxies for Express, ASP.NET, and Cloudflare Workers; you run one of them.