Skip to content
Transport modes

Three ways to wire Root Herald into your stack

In the default Background-Check flow your server is what calls Root Herald (server→server, with your rh_sk_ secret key). The user's device only hands an opaque evidence blob to your backend. These three modes are about where your server's call to Root Herald lands: who owns the DNS, who owns the TLS, and what your egress observability looks like. All three deliver the same verdict and the same wire protocol.

Compare the three

ModeSetupPricingTrade-offs
Direct (default)Your server calls api.rootherald.io server→server. Zero config.Included in every tier (Free → Enterprise).Your backend's egress shows rootherald.io. The client never talks to Root Herald, so there are no third-party cookies or storage-partitioning concerns on the user's device at all.
Custom domain (coming soon)Coming soon — not yet live. Will let you add a CNAME (auth.acme.com → tenant-domains.rootherald.io) and validate an ACM cert via a dashboard wizard. Run on rootherald.io until it ships.Planned: $49/month add-on on Pro · included on Business and Enterprise. Not billed yet.When live: your domain in your server's egress logs, your brand on the issuer. Slightly more DNS hops than direct mode (one extra CNAME); adds ~3ms p50 latency.
Customer proxyRun a thin reverse proxy on your own infra (Express, ASP.NET, Cloudflare Worker, Lambda@Edge) that forwards Root Herald traffic upstream. We publish reference implementations.Included in Pro / Business / Enterprise. Free tier excluded.Maximum control: every byte goes through your TLS, your WAF, your DLP. Adds ~10-30ms of latency depending on where you run the proxy. You become responsible for keeping the proxy alive and patched.

How to choose

  • Starting out / proving the value: use direct. Zero setup, zero pricing impact. You can switch later without redeploying anything client-side; same wire, just a different base URL.
  • Production with a brand-conscious team: custom domain (coming soon — not yet live). Once it ships, your server's egress and any portable token issuer will show your domain instead of "rootherald.io". Until then, use direct mode on rootherald.io.
  • Regulated / SOC 2 / FedRAMP / regional residency: customer proxy. Every byte flows through infra you control. We publish reference proxies for Express, ASP.NET, and Cloudflare Workers; you run one of them.