The WireSocket infrastructure is divided into two distinct layers: the Dashboard (Technical Control Plane) and the Data Plane. While the Data Plane handles the real-time synchronization of your Yjs documents, the Dashboard is responsible for the management, security, and regional orchestration of your ecosystem.

Core Elements

The Dashboard manages four primary entities:

1. Tenant

A Tenant represents your organization or root account.
  • Top-level container for resources, billing, and team members.
  • Each Tenant has its own unique Signing Keys for JWT issuance, ensuring cryptographic isolation from other organizations.

2. Apps

Within a Tenant, you can create multiple Apps. Each App represents a specific product or environment.
  • Identity: Each App holds its own unique client_id and client_secret.
  • Data Residency: Every App is pinned to a License Region (e.g., aws-us-east-1) during creation.
  • Data Isolation: Document metadata is stored in isolated, regional database shards, ensuring your data is geographically localized and cryptographically separated.

3. Plans

A Plan defines the performance characteristics and usage limits for an App.
  • Limits: Controls maximum concurrent connections, document counts, and operations per minute (OPM).
  • The “One Free” Rule: Each Tenant is limited to exactly one application on a Free Plan. Additional applications require a paid subscription.
  • Flexibility: Plans can be upgraded or downgraded through the dashboard. Transitions between paid tiers are handled seamlessly with prorated billing.

4. Nodes (Infrastructure Registry)

WireSocket maintains a Global Registry for its physical infrastructure to ensure high availability and intelligent routing.
  • Node Management: We manage a global fleet of WebSocket nodes (e.g., eu-central-1.wiresocket.net).
  • Regional Orchestration: The platform allows for zero-downtime maintenance and dynamic fleet scaling.
  • Discovery Backbone: Our infrastructure powers the Discovery process, resolving the best physical node for any document session in real time.

Security Enforcement

WireSocket defines security boundaries at the management layer that are then enforced at the network edge.

Allowed Domains

To prevent Token Theft, you can pin an application to up to 3 specific domains (e.g., myapp.com, localhost:3000).
  • Baked-in Security: These domains are embedded directly into your JWT claims.
  • Edge Validation: Data Plane nodes check the Origin header of every incoming connection against these claims. If they don’t match, the connection is rejected instantly.
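
The Edge Validation step above, sketched as an added example (this is not WireSocket's own code): the token is verified first, and only then is the Origin header compared by exact match against the domains pinned in its claims. Assumptions: the claim name `allowed_domains`, HS256 signing, and pinned entries written as `host[:port]`; the key and tokens are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlsplit

CLAIM = "allowed_domains"  # assumed claim name; the page does not name it

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint(claims, key):
    """Build a constructed HS256 token for the demo (signing scheme is assumed)."""
    head, body = (_b64e(json.dumps(p).encode()) for p in ({"alg": "HS256"}, claims))
    return f"{head}.{body}.{_b64e(_sign(head, body, key))}"

def verified_claims(token, key, now=None):
    """Return the claims only if algorithm, signature and expiry all check out."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head))["alg"] != "HS256":  # pin the algorithm
            return None
        if not hmac.compare_digest(_sign(head, body, key), _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        return claims if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def origin_host(origin):
    """Reduce an Origin header to 'host[:port]'; None if absent, 'null' or malformed."""
    try:
        parts = urlsplit(origin or "")
        # An Origin carries scheme, host and optional port only: no path, query or userinfo.
        if parts.scheme not in ("http", "https") or any(parts[2:]) or parts.username:
            return None
        host, port = parts.hostname.lower(), parts.port
    except (ValueError, AttributeError):
        return None
    return host if port is None else f"{host}:{port}"

def accept_connection(token, origin, key, now=None):
    """Edge check: valid token AND Origin exactly equal to a pinned domain."""
    claims, host = verified_claims(token, key, now), origin_host(origin)
    pinned = (claims or {}).get(CLAIM) or []
    return host is not None and host in {str(d).lower() for d in pinned}  # no suffix match
```

The Origin header is set by browsers, and a non-browser client can send any value, so this check restricts which web pages can use a token rather than authenticating the client itself.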

The Token Lifecycle

WireSocket uses standard OAuth 2 flows for account management and synchronization.
  • Machine-to-Machine (M2M): Your backend server exchanges App credentials for a token, which is then passed to collaborative clients.
  • Resource Owner Password: For interactive dashboard access using trusted identifiers (client_id + client_secret).

Best Practice: Token Rotation

We support Refresh Tokens to minimize the exposure of your sensitive credentials.
  1. Access Token: Short-lived. Used by your clients to connect to the Data Plane.
  2. Refresh Token: Long-lived. Used by your backend to request new Access Tokens without needing to re-send the client_secret.

Pro Tip: Your authentication service should fetch the client_secret once during a “cold start” to obtain a token pair, then use the Refresh Token for all subsequent rotations. This allows you to purge the sensitive secret from active memory.
Last modified on March 5, 2026