Self-hosted Enterprise Edge

Configure Enterprise Edge

If you are using Unleash Enterprise Edge hosted, these configurations are managed for you automatically. You do not need to set environment variables or manage tokens via CLI.

This reference covers all configuration options for Enterprise Edge self-hosted.

Configure the operating mode

Edge supports two modes: Edge mode (default) and Offline mode.

Edge mode

Connects to Unleash and synchronizes feature flags. Use for production deployments.

$unleash-edge edge --upstream-url https://your-unleash.com --tokens your-token

Offline mode

Serves flags from a local file without upstream connection. Use for development, testing, or air-gapped environments. See Offline mode configuration for all available options.

$unleash-edge offline \
>  --bootstrap-file /path/to/features.json \
>  --client-tokens your-token

In offline mode, Edge validates requests against tokens you provide at startup rather than validating with Unleash. Use --client-tokens for backend SDK access and --frontend-tokens for frontend SDK access. These tokens don’t need to exist in Unleash—they serve as shared secrets between your SDKs and Edge.

To use offline mode, you also need to provide a local file that contains your feature flag configurations. You can create one by exporting your feature flags from Unleash:

$curl -H "Authorization: your-token" \
>  https://your-unleash.com/api/client/features > features.json

Alternatively, use a simplified JSON for development:

1{
2  "my-feature": { "enabled": true },
3  "another-feature": { "enabled": false, "variant": "control" }
4}

When using offline mode you must specify one or more tokens at startup. These tokens let your SDKs access Edge. Tokens following the Unleash API format [project]:[environment].<somesecret> allow Edge to recognize the project and environment specified in the token, returning only the relevant features to the calling SDK. On the other hand, for tokens not adhering to this format, Edge will return all features if there is an exact match with any of the startup tokens. Edge does not support multiple environments in offline mode. All tokens added at startup will receive the same list of features passed in as the bootstrap argument.

Configuration reference

Global configuration

These settings apply to the Unleash Edge process regardless of whether it is running in Edge or Offline mode.

Server and network

FeatureEnvironment variableCLI flagDefaultDescription
PortPORT-p, --port3063HTTP port to listen on.
InterfaceINTERFACE-i, --interface0.0.0.0Interface to bind to.
Base pathBASE_PATH--base-path""Base path for all routes.
App nameAPP_NAME-a, --app-nameunleash-edgeApp name for metrics.
Instance IDINSTANCE_ID--instance-idULIDUnique ID for this instance.
Req timeoutEDGE_REQUEST_TIMEOUT--edge-request-timeout5Timeout for incoming requests (seconds).
KeepaliveEDGE_KEEPALIVE_TIMEOUT--edge-keepalive-timeout5Keepalive timeout (seconds).
WorkersWORKERS-w, --workersCPUsDeprecated in 20.0.0.

Security

FeatureEnvironment variableCLI flagDefaultDescription
Enable TLSTLS_ENABLE--tls-enablefalseBind HTTPS.
Server keyTLS_SERVER_KEY--tls-server-key-Path to private key.
Server certTLS_SERVER_CERT--tls-server-cert-Path to certificate.
TLS portTLS_SERVER_PORT--tls-server-port3043Port for HTTPS.
Force HTTPS---redirect-http-to-httpsfalseRedirect HTTP to HTTPS.
CORS originCORS_ORIGIN--cors-origin-Allowed origins (comma-separated).
CORS headersCORS_ALLOWED_HEADERS--cors-allowed-headers-Allowed headers.
CORS max ageCORS_MAX_AGE--cors-max-age172800Pre-flight cache duration.
CORS exposedCORS_EXPOSED_HEADERS--cors-exposed-headers-Exposed headers.
CORS methodsCORS_METHODS--cors-methods-Allowed methods.

Access control and proxy

FeatureEnvironment variableCLI flagDescription
Allow listALLOW_LIST--allow-listCIDRs allowed to connect (Default 0.0.0.0/0).
Deny listDENY_LIST--deny-listCIDRs denied connection.
Trust proxyTRUST_PROXY--trust-proxyEnabled Trust X-Forwarded-* headers. Required if running behind a load balancer to correctly identify client IPs.
Trusted servers---proxy-trusted-serversComma-separated list of specific IPs/CIDRs to trust. Requires TRUST_PROXY to be enabled.
Auth headerEDGE_AUTH_HEADER--edge-auth-headerCustom header to use for Edge authorization checks.
Token headerTOKEN_HEADER--token-headerCustom header to extract tokens from (Default: Authorization).

Logging and debugging

FeatureEnvironment variableCLI flagDescription
Log formatLOG_FORMAT-l, --log-formatplain, json, or pretty.
Disable all---disable-all-endpointDisables /api/proxy/all (Security hardening).
Disable metrics batchDISABLE_METRICS_BATCH_ENDPOINT--disable-metrics-batch-endpointDisables /internal-backstage/metricsbatch.
Disable metricsDISABLE_METRICS_ENDPOINT--disable-metrics-endpointDisables /internal-backstage/metrics.
Disable featuresDISABLE_FEATURES_ENDPOINT--disable-features-endpointDisables /internal-backstage/features.
Disable tokensDISABLE_TOKENS_ENDPOINT--disable-tokens-endpointDisables /internal-backstage/tokens.
Disable infoDISABLE_INSTANCE_DATA_ENDPOINT--disable-instance-data-endpointDisables /internal-backstage/instancedata.

Edge mode configuration

These settings apply when running Unleash Edge in Edge mode.

Upstream connection

FeatureEnvironment variableCLI flagDefaultDescription
URLUPSTREAM_URL-u, --upstream-url-Required. URL to Unleash (no /api).
Startup tokensTOKENS-t, --tokens-Backend tokens to bootstrap cache and set scope.
Skip SSLSKIP_SSL_VERIFICATION-s, --skip-ssl-verificationfalseInsecure. Skips upstream TLS verification.
HeadersCUSTOM_CLIENT_HEADERS-H, --custom-client-headers-Custom headers to send upstream.
Req timeoutUPSTREAM_REQUEST_TIMEOUT--upstream-request-timeout5Upstream request timeout (seconds).
Sock timeoutUPSTREAM_SOCKET_TIMEOUT--upstream-socket-timeout5Upstream socket timeout (seconds).
KeepaliveCLIENT_KEEPALIVE_TIMEOUT--client-keepalive-timeout15Keepalive duration.
Auth headerUPSTREAM_AUTH_HEADER--upstream-auth-header-Header for upstream authorization.

Synchronization and polling

FeatureEnvironment variableCLI flagDefaultDescription
Metrics intervalMETRICS_INTERVAL_SECONDS-m, --metrics-interval-seconds60How often to push metrics upstream.
Refresh intervalFEATURES_REFRESH_INTERVAL_SECONDS-f, --features-refresh-interval-seconds15How often to poll for feature updates.
Token revalidationTOKEN_REVALIDATION_INTERVAL_SECONDS--token-revalidation-interval-seconds3600How often to re-validate tokens.
StreamingSTREAMING--streamingfalseEnables real-time updates.

Persistence

FeatureEnvironment variableCLI flagDefaultDescription
Backup folderBACKUP_FOLDER-b, --backup-folder-Local folder for backups (mutually exclusive with Redis).
S3 bucketS3_BUCKET_NAME--s3-bucket-name-S3 bucket for snapshots.
Redis URLREDIS_URL--redis-url-Redis connection string.
Redis modeREDIS_MODE--redis-modesingleSingle or cluster mode.
Redis hostREDIS_HOST--redis-host-Redis hostname (alternative to REDIS_URL).
Redis portREDIS_PORT--redis-port-Redis port (alternative to REDIS_URL).
Redis userREDIS_USERNAME--redis-username-Redis username.
Redis passREDIS_PASSWORD--redis-password-Redis password.
Redis TLSREDIS_SECURE--redis-securefalseEnable TLS.
Redis schemeREDIS_SCHEME--redis-schemeredistcp, tls, redis, rediss, unix.
Read timeoutREDIS_READ_CONNECTION_TIMEOUT_MILLISECONDS--redis-read-connection-timeout-milliseconds2000Timeout for restoring from Redis.
Write timeoutREDIS_WRITE_CONNECTION_TIMEOUT_MILLISECONDS--redis-write-connection-timeout-milliseconds2000Timeout for persisting to Redis.

Observability

FeatureEnvironment variableCLI flagDescription
Prometheus URLPROMETHEUS_REMOTE_WRITE_URL--prometheus-remote-write-urlURL for remote metric write.
Push intervalPROMETHEUS_PUSH_INTERVAL--prometheus-push-intervalInterval for pushing metrics (Default 60).
Prometheus userPROMETHEUS_USERNAME--prometheus-usernameAuth username.
Prometheus passPROMETHEUS_PASSWORD--prometheus-passwordAuth password.
Prometheus IDPROMETHEUS_USER_ID--prometheus-user-idUser ID.
DatadogDATADOG_URL--datadog-urlDatadog agent URL.
OpenTelemetryOTEL_COLLECTOR_URL--otel-collector-urlOTel collector endpoint.
Sentry DSNSENTRY_DSN--sentry-dsnSentry DSN.
Sentry rateSENTRY_TRACING_RATE--sentry-tracing-rateTracing rate (Default 0.1).
Sentry debugSENTRY_DEBUG--sentry-debugEnable Sentry debugging.
Sentry logsSENTRY_ENABLE_LOGS--sentry-enable-logsEnable sending application logs to Sentry

OpenTelemetry exporting

Edge v20.2 Enterprise

Unleash Enterprise Edge allows you to export tracing and logs to an OpenTelemetry Protocol (OTLP) compatible collector.

If OTEL_EXPORTER_OTLP_ENDPOINT is not set, Edge logs to stdout using RUST_LOG settings and the LOG_FORMAT setting (json, pretty, or plain).

GRPC exporter

To export to an OTLP/GRPC compatible collector:

$# Default GRPC collector listens on port 4317
$unleash-edge edge \
>  --otel-exporter-otlp-endpoint http://localhost:4317 \
>  --upstream-url https://your-unleash.com \
>  --tokens your-token

HTTP exporter

Edge supports HTTP/JSON for OTLP export. HTTP/Protobuf is not supported.

To export to an HTTP/JSON compatible collector:

$# Default HTTP collector listens on port 4318
$unleash-edge edge \
>  --otel-exporter-otlp-endpoint http://localhost:4318 \
>  --otel-exporter-otlp-protocol http \
>  --upstream-url https://your-unleash.com \
>  --tokens your-token
FeatureEnvironment variableCLI flagDescription
EndpointOTEL_EXPORTER_OTLP_ENDPOINT--otel-exporter-otlp-endpointURL of the OTLP collector.
ProtocolOTEL_EXPORTER_OTLP_PROTOCOL--otel-exporter-otlp-protocolSet to http for HTTP/JSON export. Default is GRPC.

Custom headers

You can add custom headers to OTLP requests using standard OpenTelemetry environment variables. Headers use W3C Baggage format.

Environment variableDescription
OTEL_EXPORTER_OTLP_HEADERSHeaders for both tracing and logs.
OTEL_EXPORTER_OTLP_TRACES_HEADERSHeaders for tracing only.
OTEL_EXPORTER_OTLP_LOGS_HEADERSHeaders for logs only.

Configuring different endpoints for tracing and logs is not currently supported.

Upstream mTLS

Environment variableCLI flagDescription
PKCS8_CLIENT_CERTIFICATE_FILE--pkcs8-client-certificate-fileClient cert chain (PEM).
PKCS8_CLIENT_KEY_FILE--pkcs8-client-key-fileClient private key (PKCS#8).
PKCS12_IDENTITY_FILE--pkcs12-identity-fileIdentity file (.pfx / pkcs12).
PKCS12_PASSPHRASE--pkcs12-passphrasePassphrase for pkcs12 file.
PEM_CERT_FILE--pem-cert-filePEM cert file.
UPSTREAM_CERTIFICATE_FILE--upstream-certificate-fileExtra CA certs for trust chain.

Offline mode configuration

These settings apply when running Unleash Edge in Offline mode.

FeatureEnvironment variableCLI flagDefaultDescription
Bootstrap fileBOOTSTRAP_FILE-b, --bootstrap-file-Path to features.json file.
Reload intervalRELOAD_INTERVAL-r, --reload-interval0Seconds between reloading the file.
Backend tokensCLIENT_TOKENS-c, --client-tokens-Tokens for backend SDK access.
Frontend tokensFRONTEND_TOKENS-f, --frontend-tokens-Tokens for frontend SDK access.

Debugging

View internal state

EndpointShows
/internal-backstage/tokensKnown tokens
/internal-backstage/featuresCached features
/internal-backstage/metricsPrometheus metrics

Health check

$unleash-edge health [OPTIONS]
$
$Options:
$  -e, --edge-url <URL>   Edge URL [default: http://localhost:3063]
$  -c, --ca-certificate-file <FILE>   CA cert for self-signed TLS

Ready check

$unleash-edge ready [OPTIONS]
$
$Options:
$  -e, --edge-url <URL>   Edge URL [default: http://localhost:3063]
$  -c, --ca-certificate-file <FILE>   CA cert for self-signed TLS