Skip to main content

Security in Temporal Nexus

This page covers the following:

Managing Nexus Endpoints in the Nexus Registry

Similar to Namespaces, a Nexus Endpoint is an account-scoped resource that is global within your Temporal Cloud account.

Any Developer in an account, who is also a Namespace Admin on the endpoint’s target Namespace, can manage (create/update/delete) a Nexus Endpoint.

All users with a Read-only role or higher in an account, can view and browse the full list of Endpoints.

Runtime Access Control

Access to a Nexus Endpoint is controlled by the endpoint's access control policy (allowlist of caller Namespaces) for each endpoint in the Nexus API registry.

Workers in each Namespace may authenticate with Temporal Cloud as they do now with mTLS certificates or API key as allowed by the caller Namespace. Once a Worker has authenticated it can send Nexus Operation commands to Temporal Cloud using a Temporal SDK to start a Nexus Operation in a different Namespace. For example, in the Temporal Go SDK a caller Workflow would use nexusClient.ExecuteOperation to issue a command to start a Nexus Operation.

To process a ScheduleNexusOperation command from a caller Workflow, Temporal Cloud obtains the handler Namespace and Task Queue for the handler endpoint, and restricts access by verifying that the caller’s Namespace is in the endpoint’s allowlist.

In this way, Temporal Cloud acts as a trusted broker across Namespace boundaries, and relies on authenticated workers in each Namespace.

Secure Routing

In Temporal Cloud multiple security provisions are in place to ensure it can act as a trusted broker across Namespace boundaries:

  • Workers authenticate to their Namespaces via mTLS or an API key as allowed by their Namespace configuration.
  • mTLS is used for all Nexus communication, including across cloud cells and regions, to:
    • Start or Cancel a Nexus Operation.
    • Callback on completion of an asynchronous Nexus Operation.
  • Nexus Endpoints are only privately accessible from within a Temporal Cloud account.
    • Accessible from within a caller Workflow using the Temporal SDK.
    • Not externally accessible for arbitrary clients yet.

Payload Encryption and Data Converter

The Data Converter works the same for a Nexus Operation as it does for other payloads sent between a Worker and Temporal Cloud. The caller and handler Workers must have compatible Data Converters as operation inputs and results are passed between the two.

If encryption keys are used to encrypt payloads, they must be available in both the caller and handler. For example, the caller and handler can use a shared symmetric key stored in your KMS.

Please let us know if you need per-Service payload encryption or better handling for asymmetric encryption keys.