System Architecture

TameFlare supports multiple deployment models depending on your team's size and security requirements:

                | Managed Cloud                 | Hybrid (coming soon)                 | Source-available
Best for        | Individuals, small teams      | Teams with compliance needs          | Large orgs, air-gapped envs
Dashboard       | Hosted at tameflare.com       | Hosted at tameflare.com              | You run from source
Gateway         | Hosted at proxy.tameflare.com | You run on your infra                | You run from source
Credentials     | Encrypted in TameFlare vault  | Stay in your environment             | Your environment
Traffic         | Transits cloud gateway        | Stays in your network                | Your network
Control plane   | tameflare.com                 | tameflare.com (metadata + approvals) | Your infrastructure
CLI             | npm i -g @tameflare/cli       | Same                                 | Same
Plan            | All tiers                     | Team and Enterprise                  | ELv2 (no support)

Managed Cloud (current default)

Sign up at tameflare.com, configure gateways in the dashboard, and run the CLI on your machine. There is nothing to deploy or install beyond the CLI. The cloud gateway at proxy.tameflare.com handles traffic interception, credential injection, and enforcement. This is the right choice for individuals and small teams who want governance without infrastructure overhead.

Hybrid: self-hosted gateway (coming soon for Team/Enterprise)

For teams where credentials and traffic must not leave the customer environment, TameFlare will offer a self-hosted gateway option. You run the gateway binary on your own infrastructure (server, VM, or container). The gateway connects to the TameFlare dashboard for configuration, approvals, and audit - but credentials stay in your environment and traffic never leaves your network. Only metadata (domain, action type, decision, latency) is sent to the dashboard.

This model is designed for mid-market teams and organizations with compliance requirements (SOC 2, GDPR, NIS2) where a cloud MITM proxy is not acceptable.

Note
The hybrid model is on the roadmap for Team ($79/mo) and Enterprise plans. The gateway is already a standalone Go binary - the architectural foundation is in place. If you're interested in early access, email enterprise@tameflare.com.

Source-available (ELv2)

The full TameFlare source code is available under the Elastic License v2. Organizations that need to run everything on their own infrastructure can build and deploy from source. This is a DIY option - TameFlare does not provide support for source-built deployments. See the Troubleshooting page for self-hosted migration guides.

The rest of this page describes the Managed Cloud architecture.

How it works

Your process → HTTPS_PROXY → proxy.tameflare.com (cloud gateway)
                                   │
                                   ├── domain → connector → parse action
                                   ├── check permissions against dashboard config
                                   ├── inject credentials from encrypted vault
                                   │
                                   ▼
                             External APIs (GitHub, Stripe, OpenAI, ...)

  1. Dashboard (hosted at tameflare.com) - configure gateways, connectors, permissions, credentials, and policies. View traffic logs, approve requests, manage your team.
  2. CLI (npm i -g @tameflare/cli) - runs on your machine. Sets HTTPS_PROXY and spawns your process. No binary download needed.
  3. Cloud gateway (proxy.tameflare.com) - transparent HTTP/HTTPS proxy. Intercepts outbound traffic, parses it via connectors, checks permissions, injects credentials, and logs everything.

The cloud gateway runs at proxy.tameflare.com. Configuration and audit data are stored in the hosted dashboard. Your API keys are encrypted at rest (AES-256-GCM).


Approval channels

TameFlare supports two approval modes:

Dashboard-only (default)

Approvals appear on the Approvals page in the dashboard. Admins and members can approve or deny directly from the UI. No external services required.

Slack integration

For teams that want approval notifications in Slack:

  1. Create a Slack app at api.slack.com/apps
  2. Add the chat:write and chat:read bot scopes
  3. Install the app to your workspace
  4. Copy the Bot Token and Signing Secret to Settings → Integrations in the dashboard
  5. Set the channel ID where approval messages should be posted

Slack approval messages include approve/deny buttons that update the dashboard in real time.

Both modes work simultaneously - Slack notifications are additive, not a replacement for dashboard approvals.
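The Signing Secret copied in step 4 is what lets the receiving side authenticate the approve/deny button callbacks before they change an approval state. The check below is an added illustration in Go of Slack's v0 request-signing scheme, not TameFlare's dashboard code; the secret, timestamp and payload are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// VerifySlackSignature implements Slack's v0 request signing: HMAC-SHA256 over
// "v0:<timestamp>:<raw body>" keyed with the Signing Secret, hex-encoded, compared in
// constant time with the X-Slack-Signature header. Stale timestamps are rejected.
func VerifySlackSignature(secret, timestamp, body, signature string, now time.Time, maxAge time.Duration) bool {
	ts, err := strconv.ParseInt(timestamp, 10, 64)
	if err != nil {
		return false
	}
	if age := now.Sub(time.Unix(ts, 0)); age > maxAge || age < -maxAge {
		return false // replayed or badly skewed request
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("v0:" + timestamp + ":" + body))
	expected := "v0=" + hex.EncodeToString(mac.Sum(nil))
	return hmac.Equal([]byte(expected), []byte(signature))
}

// SignForTest computes the header Slack would send; used only to build constructed samples.
func SignForTest(secret, timestamp, body string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("v0:" + timestamp + ":" + body))
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

func main() {
	secret := "constructed-signing-secret" // placeholder, not a real secret
	body := "payload=%7B%22actions%22%3A%5B%7B%22value%22%3A%22approve%22%7D%5D%7D" // constructed button click
	now := time.Now()
	ts := strconv.FormatInt(now.Unix(), 10)
	sig := SignForTest(secret, ts, body)
	fmt.Println("genuine click:", VerifySlackSignature(secret, ts, body, sig, now, 5*time.Minute))
	flipped := strings.Replace(body, "approve", "deny", 1)
	fmt.Println("tampered body:", VerifySlackSignature(secret, ts, flipped, sig, now, 5*time.Minute))
	old := strconv.FormatInt(now.Add(-time.Hour).Unix(), 10)
	fmt.Println("replayed hour later:", VerifySlackSignature(secret, old, body, SignForTest(secret, old, body), now, 5*time.Minute))
}
```

The raw request body must be used as received (before any form or JSON decoding), or the computed MAC will not match.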


Performance

Operation                               | Typical latency | Notes
Policy evaluation                       | 1–5 ms          | In-memory, no DB calls during evaluation
Permission check + credential injection | 10–30 ms        | Cloud gateway, cached config (5-min TTL)
End-to-end (agent → external API)       | 50–500 ms       | Depends on external API response time

The gateway adds minimal overhead. It runs as a single Go binary using ~20–50 MB RAM.


Security model

  • Deny-all default - no connector configured = no access
  • Credential isolation - your process never sees real API keys
  • Encrypted vault - AES-256-GCM encryption at rest
  • Per-gateway permissions - fine-grained allow/deny per connector, per action type
  • Kill switch - block all traffic instantly, scoped to a connector or gateway
  • Audit trail - every request logged with gateway, action, decision, and latency
  • Source-available - full source code at github.com/tameflare/tameflare under Elastic License v2
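The decision path sketched under "How it works" (domain → connector → action → permission check) and the deny-all default, per-gateway permissions, kill switch and audit record listed above can be captured in a small in-memory model. The Go below is an added illustration, not TameFlare's gateway code; the host-to-connector mapping, gateway names and action names are assumptions.

```go
package main

import "fmt"

// Illustrative model of the gateway decision path on this page (domain -> connector
// -> action -> permission check). Not TameFlare's code; hosts and names are assumed.
// Evaluate consults only the in-memory config, and Decision is the audit record.

type Permission struct{ Connector, Action string }

type Policy struct {
	Connectors map[string]string              // request host -> connector name
	Allowed    map[string]map[Permission]bool // gateway -> explicitly allowed pairs
	KilledConn map[string]bool                // kill switch scoped to a connector
	KilledGW   map[string]bool                // kill switch scoped to a gateway
}

type Decision struct{ Gateway, Connector, Action, Verdict, Reason string }

func (p Policy) Evaluate(gateway, host, action string) Decision {
	d := Decision{Gateway: gateway, Action: action, Verdict: "deny"}
	conn, ok := p.Connectors[host]
	if !ok { // deny-all default: no connector configured means no access
		d.Reason = "no connector for host"
		return d
	}
	d.Connector = conn
	if p.KilledGW[gateway] || p.KilledConn[conn] {
		d.Reason = "kill switch active"
		return d
	}
	if !p.Allowed[gateway][Permission{conn, action}] { // per-gateway, per-action
		d.Reason = "no matching permission"
		return d
	}
	d.Verdict, d.Reason = "allow", "permission granted"
	return d
}

func main() {
	p := Policy{ // constructed sample config
		Connectors: map[string]string{"api.github.com": "github", "api.stripe.com": "stripe"},
		Allowed:    map[string]map[Permission]bool{"dev-laptop": {{"github", "read"}: true}},
		KilledConn: map[string]bool{"stripe": true},
	}
	for _, r := range [][3]string{{"dev-laptop", "api.github.com", "read"}, {"dev-laptop", "api.github.com", "write"},
		{"dev-laptop", "api.stripe.com", "read"}, {"ci-runner", "api.github.com", "read"}} {
		fmt.Printf("%+v\n", p.Evaluate(r[0], r[1], r[2]))
	}
}
```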