Relaypreview
Documentation map

Read the docs by the job you need to do.

This docs set is organized around what actually exists in the code: lane policy, signed-link access, promotion and retention, the CLI transport and sync loop, relay doctor diagnostics, .relayignore, cached manifests, user accounts and roles, secrets encryption, audit log, build tracking, the Go agent's control surface, guided DNS and TLS setup, blue-green routing, plugins, services, and webhook-driven deploys.

Recommended path

1. Quickstart for the first running lane.

2. relay CLI for lane targeting, transport, and deploy flow.

3. relayd for auth, access policy, webhooks, services, and runtime state.

Starting points

Open the guide that matches the task in front of you.

Each page is anchored to a real surface in the repo: a command group, an API family, a config file, or a runtime subsystem.

Get started

Start the agent, connect the CLI, and land the first running lane with the shortest path possible.

Open guide

relay CLI

Command groups, relay doctor, lane-aware deploy targeting, transport modes, browser login, workspace pull, smarter stale-workspace handling, plugin search/install-url, and config resolution.

Open guide

relayd agent

Lane policy, edge access, user accounts, manual deploy APIs, admin operations telemetry, secrets encryption, audit log, build tracking, runtime state, /api/doctor, and the control APIs the UI depends on.

Open guide

Buildpack plugins

Install server-side framework support from files, catalog search, verified HTTPS URLs, or the owner dashboard without widening scope.

Open guide

GitHub and webhooks

Connect repo URLs, set webhook secrets, and follow how a push becomes a deploy.

Open guide

Project services

Use relay.json for Postgres, Redis, MySQL, Mongo, and managed companion containers.

Open guide

MCP server

Connect any MCP-aware AI tool to your agent. Deploy, roll back, stream logs, manage secrets, and approve promotions from Cursor, Claude Desktop, and VS Code Copilot.

Open guide
Operator surface

The docs now reflect what main.go and relay.js already ship.

Relay is no longer just deploy and logs. The server and CLI now include first-class lanes, edge access policies, signed-link sharing, promotion approval, manual dashboard deploys, lane expiry, user accounts with RBAC, secrets encryption at rest, a full audit log, sequential build numbers, workspace pull, browser-based CLI login, socket auth, relay doctor diagnostics, .relayignore with cached manifests, local workspace fingerprints, guided DNS and TLS checks, dashboard sessions, projects inventory, app controls, companion service APIs, plugin mutation policy, admin operations telemetry, and live event streams.

First-class lanes

Relay treats production, staging, dev, and preview as first-class lanes with policy-backed defaults for routing, retention, promotion, and edge access.

User accounts and edge access

The same Relay identity model now gates app traffic. dev and staging default to relay-login, while lanes can also use public, signed-link, or ip-allowlist policies.

Promotion and retention

staging can promote into prod with approval and health checks, while dev and preview can expire automatically from lane retention policy.

Operations telemetry

Owners can inspect live Docker CPU, memory, and storage usage per app and lane, then compare the latest deploy against the previous successful deploy for build duration, request volume, bandwidth, and server error rate.

Secrets encryption and audit log

Set RELAY_SECRET_KEY to encrypt all secrets at rest with AES-256-GCM. Every deploy, promotion request, secret write, and user management action is recorded in the audit log, visible in the Server tab.

Runtime posture

Docker is the default production path again. Station remains available as an experimental per-app engine, but the docs now treat it as secondary until it is production-stable.

Operator diagnostics

relay doctor and /api/doctor give one shared view of socket access, Docker, data-dir writability, ACME, dashboard host, managed subdomain DNS, Caddy proxy health, and webhook exposure.

Useful API paths
POST   /api/auth/login
POST   /api/auth/setup
GET    /api/users
POST   /api/users
PATCH  /api/users/:id
DELETE /api/users/:id
GET    /api/audit
GET    /api/deploys
GET    /api/projects
GET    /api/events
GET    /api/doctor
GET    /api/admin/ops
POST   /api/apps/config
GET    /api/apps/signed-link
GET    /api/edge/authz
GET    /api/promotions
POST   /api/promotions/approve
POST   /api/plugins/buildpacks/install-url
GET    /api/apps/companions
POST   /api/apps/secrets
GET    /api/sync/pull/:app/:env/:branch
POST   /api/webhooks/github
All endpoints are implemented in relayd and documented in the agent reference.
Config model

Four files, four jobs.

Most confusion comes from mixing local CLI defaults with build hints, runtime topology, or sync filters. Relay keeps those concerns in separate files on purpose.

.relay.json

CLI defaults for one project folder: socket or URL, token, app, env, branch, and optional dir.

relay.config.json

Buildpack hints, command overrides, and monorepo layout fields such as project_root, build_context, and dockerfile.

relay.json

Runtime topology for project services and companion containers.

.relayignore

Project-local sync exclusions layered on top of Relay's built-in ignores so large or irrelevant paths stay out of deploy manifests.

relay.config.json
{
  "kind": "next-standalone",
  "service_port": 3000,
  "install_cmd": "npm ci",
  "build_cmd": "npm run build",
  "start_cmd": "node server.js"
}
Use relay.config.json when you need to steer the buildpack, override install/build/start, or point Relay at a monorepo app root and Dockerfile.
Full manual

The pages operators usually need after the first lane works.

Lane routing

See how port mode, managed lane hosts, public_host, traffic_mode, access_policy, RELAY_BASE_DOMAIN, and dashboard host routing decide the stored route.

Open guide

GitHub wiring

Follow repo_url matching, per-app webhook secrets, and the global webhook fallback.

Open guide

Project services

Understand relay.json, managed companions, injected URLs, and the projects inventory view.

Open guide

Plugin support

Install or author buildpack plugins and keep mutation disabled except during admin work.

Open guide
Operator notes

The API accepts both Authorization: Bearer and X-Relay-Token.

The dashboard stores its token in an HttpOnly relay_session cookie.

dev and staging lanes default to relay-login unless you override the lane policy.

Docker is the default engine. Treat Station as experimental unless you need it deliberately.

Plugin install and remove stay disabled unless the server enables mutation explicitly.

Remote plugin installs are HTTPS-only and can be pinned with SHA256.

The owner-only Operations tab shows live Docker usage and deploy-over-deploy comparisons.