QuantumAPI

Architecture Overview

February 17, 2026 v1.0.0+

This page describes the technical architecture of the on-premises deployment, including the service topology, networking, database design, and encryption model.

Services

Service             Internal Port   Purpose
nginx (gateway)     80 / 443        TLS termination, reverse proxy, load balancing
mislata-identity    5100            OpenIddict OAuth2/OIDC server, authentication, user management
mislata-api         5282            QuantumAPI EaaS — encryption, signatures, key management
mislata-worker      5300            Hangfire background jobs, QRNG entropy, license validation
postgresql          5432            Primary data store — application data, identity data, audit logs
redis               6379            Session cache, Data Protection keys, Hangfire job queue

Service topology

                     ┌────────────┐
    Client ──────────▶│  Gateway   │ :443/:80
                      │  (nginx)   │
                      └──────┬─────┘
                             │
              ┌──────────────┼──────────────┐
              ▼              ▼              ▼
        ┌──────────┐  ┌──────────┐  ┌──────────┐
        │ Identity │  │   API    │  │  Worker  │
        │  :5100   │  │  :5282   │  │  :5300   │
        └────┬─────┘  └────┬─────┘  └────┬─────┘
             │              │              │
             └──────────────┼──────────────┘
                            │
              ┌─────────────┴─────────────┐
              ▼                           ▼
        ┌──────────┐              ┌──────────┐
        │PostgreSQL│              │  Redis   │
        │  :5432   │              │  :6379   │
        └──────────┘              └──────────┘

Network architecture

All services run on a private Docker network (mislata-internal). Only the gateway is exposed to the host via ports 80 and 443. Inter-service communication uses Docker DNS resolution (e.g. http://identity:5100). No internal ports are accessible from outside the Docker network.

Database schemas

PostgreSQL uses two schemas: 'mislata' for application data (tenants, plans, keys, secrets, licenses, partners) and 'identity' for authentication data (ASP.NET Core Identity + OpenIddict tables). Each schema has its own migration history table. Migrations run automatically on service startup.

Encryption at rest

All sensitive data is encrypted at rest using envelope encryption. Each tenant has isolated encryption keys. The encryption flow: (1) a per-tenant data key is generated, (2) data is encrypted with AES-256-GCM using QRNG-generated nonces, (3) the data key is wrapped with the master key (QAPI_MASTER_KEY). This ensures that compromising a single tenant's key does not expose other tenants' data.
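The three-step flow above, written out as an added example in Go; this is not QuantumAPI's own code. It assumes AES-256-GCM is also the wrap algorithm for the data key, uses crypto/rand in place of the QRNG nonce source, binds the wrapped key to its tenant id via GCM additional data, and takes the master key as a caller-supplied 32-byte value (in the product it comes from QAPI_MASTER_KEY).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // wrong key length is a programming error, not a runtime condition
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || ciphertext || tag; crypto/rand stands in for the page's QRNG nonce source (assumption).
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // cannot return an error since Go 1.24; check it on older toolchains
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or any altered byte fails the GCM tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Encrypt: (1) fresh per-tenant DEK, (2) data sealed under it, (3) DEK wrapped under the master key; tenantID as aad is an assumption.
func Encrypt(masterKey []byte, tenantID string, plaintext []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(masterKey, dek, []byte(tenantID)), seal(dek, plaintext, nil)
}

// Decrypt unwraps the tenant's DEK under the master key, then opens the record with it.
func Decrypt(masterKey []byte, tenantID string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(masterKey, wrappedDEK, []byte(tenantID))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, nil)
}
```

Because the wrapped DEK carries the tenant id as authenticated data, presenting tenant A's wrapped key under tenant B's id fails at the unwrap step, and a DEK that does unwrap still cannot open another tenant's record.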
