How It Works

Sylo runs as a single container with three internal services:

┌────────────────────────────────────────────────────────────────┐
│                         Sylo Container                         │
│                                                                │
│  Platform API (:3000)        Tunnel Server (:8443)             │
│    POST /api/v1/tokens                 │                       │
│    GET  /api/v1/audit               TLS 1.3                    │
│    Dashboard                           │                       │
│         │                              ▼                       │
│         │                      mitmproxy (:8080)               │
│         │                              │                       │
│         │                              ├── Load session        │
│         │                              ├── Inject credentials  │
│         │                              ├── Enforce policies    │
│         │                              ├── Scan PII            │
│         │                              └── Log audit           │
│         │                              │                       │
│         ▼                              ▼                       │
│     Postgres                       Target API                  │
│     + Redis                 (openai, github, etc.)             │
└────────────────────────────────────────────────────────────────┘
  1. Agent makes an HTTP request (e.g., POST api.openai.com/v1/chat/completions)
  2. iptables redirects all outbound TCP to the tunnel client (port 1080)
  3. Tunnel client wraps the connection in TLS and sends it to the gateway (port 8443)
  4. Tunnel server injects the session token and sends an HTTP CONNECT to mitmproxy
  5. mitmproxy addon processes the request:
    • Loads the session from Redis (or Postgres)
    • Checks policies (allow/deny/rate-limit)
    • Injects credentials (replaces sylo_cred:name with real values)
    • Scans for PII (redact/block)
    • Forwards to the real API
  6. Response flows back through the same path
  7. Audit entry is written to Postgres
Two modes route sandbox traffic through the gateway:

|              | Tunnel mode                     | Proxy mode              |
|--------------|---------------------------------|-------------------------|
| How          | iptables + tunnel client        | HTTPS_PROXY env var     |
| Install      | curl \| sudo bash at build time | Nothing                 |
| SDK          | sandboxEnv()                    | proxyEnv()              |
| Works on     | E2B, Docker                     | Modal, any container    |
| Bypass-proof | Yes (all TCP redirected)        | Needs CIDR restriction  |
Raw credentials stay on the Sylo side; the sandbox only ever holds a session token:

  1. Your server calls createSandboxToken() with raw credentials
  2. Sylo API encrypts them with AES-256-GCM and stores them in Postgres + Redis
  3. Session token (sylo_stk_...) is returned — it contains no credentials
  4. Token is passed to the sandbox as an env var
  5. On each request, the gateway decrypts the credentials in memory
  6. The real credential is injected into the HTTP header
  7. When the session expires or is revoked, the credentials are deleted from the cache

Domains in the passthrough list skip TLS interception:

  • Traffic forwarded as encrypted TCP (no MITM)
  • No credential injection or PII scanning
  • Audit logged as mode: "passthrough" with destination only
  • Routing decided by TLS SNI (Server Name Indication)

Use pass-through for your own APIs that don’t need credential injection.

A session token is in one of four states:

pending → token created, not yet used
active → tunnel client connected
revoked → manually revoked via API
expired → TTL reached

Revoked and expired tokens are rejected immediately. Redis TTL auto-cleans expired sessions.
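A compact model of the per-request decision sequence described above (step 5 of the request flow, the passthrough rule, and the session states), added here as an example for this page rather than Sylo's own addon code. The Session fields, the PII pattern, the allow-list check (rate limiting is omitted), and the credential values are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Placeholder syntax from the flow above: sylo_cred:<name> is swapped for the real value.
PLACEHOLDER = re.compile(r"sylo_cred:([A-Za-z0-9_-]+)")
# Constructed PII detector for the example: a bare 16-digit card-like number.
PII = re.compile(r"\b\d{16}\b")

@dataclass
class Session:
    state: str                         # pending | active | revoked | expired
    credentials: dict                  # decrypted in memory for this request only
    allow_domains: set                 # allow-list policy (rate limiting omitted here)
    passthrough: set = field(default_factory=set)   # SNI names that skip interception

def decide(session, host, headers, body, pii_mode="redact"):
    """Return (action, headers, body, audit) for one request; action is
    'deny', 'passthrough' or 'forward'. Secrets never appear in the audit dict."""
    if session.state in ("revoked", "expired"):
        return "deny", headers, body, {"mode": "deny", "reason": session.state}
    if host in session.passthrough:    # encrypted TCP straight through, destination only
        return "passthrough", headers, body, {"mode": "passthrough", "host": host}
    if host not in session.allow_domains:
        return "deny", headers, body, {"mode": "deny", "reason": "policy", "host": host}
    injected = set()
    def fill(match):
        name = match.group(1)
        if name not in session.credentials:
            raise KeyError(f"no credential named {name} in this session")
        injected.add(name)
        return session.credentials[name]
    new_headers = {k: PLACEHOLDER.sub(fill, v) for k, v in headers.items()}
    pii_hits = len(PII.findall(body))
    if pii_hits and pii_mode == "block":
        return "deny", headers, body, {"mode": "deny", "reason": "pii", "hits": pii_hits}
    new_body = PII.sub("[REDACTED]", body) if pii_hits else body
    audit = {"mode": "intercept", "host": host,
             "injected": sorted(injected), "pii_hits": pii_hits}
    return "forward", new_headers, new_body, audit
```

The audit record names which placeholders were filled but never the secret values, mirroring the rule that credentials exist only in gateway memory.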