Synadia Protect
Running the gateway
This section assumes you have completed the setup and have a my_gateway directory with a config.yaml and NKey files.
Starting the gateway
$ protect start --config my_gateway/config.yaml
WARNING: If you are running the gateway as a demo, you will need to provide your license JWT via --license.file /path/to/license.jwt. Alternatively, you can add it to my_gateway/config.yaml:
license:
  file: /path/to/license.jwt
Output:
[84241] 2026/04/01 17:14:22.191130 [INF] audit log directory dir=logs
[84241] 2026/04/01 17:14:22.195274 [INF] embedded nats started port=4911
[84241] 2026/04/01 17:14:22.200603 [INF] registered listener endpoint=$PROTECT.v1.server.info
[84241] 2026/04/01 17:14:22.200623 [INF] registered listener endpoint=$PROTECT.v1.profiles.add
...
[84241] 2026/04/01 17:14:22.201228 [INF] control plane service started
[84241] 2026/04/01 17:14:22.201345 [INF] monitoring started port=8080
[84241] 2026/04/01 17:14:22.204129 [INF] tracer service started trace_profiles=0
[84241] 2026/04/01 17:14:22.206442 [INF] bundle service started ports=[clients]
[84241] 2026/04/01 17:14:22.206468 [WRN] no rules specified - proxy requests will evaluate to per-port unmatched action
[84241] 2026/04/01 17:14:22.206514 [WRN] leafnodes are not enabled
[84241] 2026/04/01 17:14:22.206518 [INF] listening for clients port=4222
These warnings appear because no rules are installed yet and no leafnode port was configured.
Setting up admin access
The protect admin commands connect to the management API. Set up a NATS context for the admin key:
$ nats context add --server 127.0.0.1:4911 --nkey my_gateway/admin.nk admin
If you do not wish to add a NATS context, you can provide the admin key directly in the CLI:
$ protect admin --nkey my_gateway/admin.nk info
Verify the gateway is running:
$ protect admin --context admin info
Gateway Information
Name: my_gateway
Version: dev
Time: 2026-04-09 19:53:59
Uptime: 10.83s
Connections: 0
Ports:
clients:
Connection Kind: client
Name: clients
Port: 4222
Backend: nats://demo.nats.io:4222
Testing connectivity
First, verify the backend is reachable directly:
$ nats --no-context account info --server nats://demo.nats.io:4222
The command prints account information from the backend.
Now try connecting through the gateway:
$ nats --no-context account info --server 127.0.0.1:4222
nats: error: setup failed: nats: Authorization Violation denied by policy: 5QKehYmcAo21BQHqv7FSyH
The gateway denies all traffic by default. When no rules match a connection or message, the unmatched_rule_to_backend_action applies, and it defaults to deny. Before clients can connect, you must either install and activate a bundle with rules that explicitly allow traffic, or change the default to allow.
The error includes an event ID that appears in the audit log.
The gateway logs the denial:
[PID] 2026/04/01 10:35:47.589950 [INF] session ended cid=1 port=clients addr=127.0.0.1 remote=127.0.0.1 kind=client err=denied by policy: 5QKehYmcAo21BQHqv7FSyH
And the audit log (logs/audit.log) will contain a matching entry:
time=2026-04-01T10:35:47.589+00:00 type=com.synadia.protect.v1.policy.action id=5QKehYmcAo21BQHqv7FSyH device=my_gateway protocol=client ts=2026-04-01T10:35:47.589Z port=clients src=127.0.0.1 ... action=deny reason=no rules matched
The gateway is proxying connections and enforcing policy.
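To trace a denial from the client error back to its audit record, the event ID can be extracted and matched against the id field of the audit log. The following Python script is an added example, not part of Synadia Protect or its documentation. It assumes the key=value layout shown above, where a value such as reason may contain spaces; the function names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the lines shown above. The first
# audit entry and its id are made up; fields the page elides are left out.
CLIENT_ERROR = ("nats: error: setup failed: nats: Authorization Violation "
                "denied by policy: 5QKehYmcAo21BQHqv7FSyH")
AUDIT_LOG = """\
time=2026-04-01T10:35:40.101+00:00 type=com.synadia.protect.v1.policy.action id=CONSTRUCTEDid000000001 device=my_gateway protocol=client ts=2026-04-01T10:35:40.101Z port=clients src=127.0.0.1 action=deny reason=no rules matched
time=2026-04-01T10:35:47.589+00:00 type=com.synadia.protect.v1.policy.action id=5QKehYmcAo21BQHqv7FSyH device=my_gateway protocol=client ts=2026-04-01T10:35:47.589Z port=clients src=127.0.0.1 action=deny reason=no rules matched
"""

DENIED = re.compile(r"denied by policy: ([0-9A-Za-z]+)")
KEY = re.compile(r"(?:^|\s)([A-Za-z_]\w*)=")  # start of each key=value pair


def event_id_from_error(text):
    """Return the event ID from a client error or gateway log line, or None."""
    m = DENIED.search(text)
    return m.group(1) if m else None


def parse_audit_line(line):
    """Split a key=value line into a dict. A value runs up to the next
    ' key=' so unquoted values with spaces (reason=no rules matched) survive."""
    marks = list(KEY.finditer(line))
    fields = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        fields[cur.group(1)] = line[cur.end():end].strip()
    return fields


def find_audit_event(event_id, audit_text):
    """Return the audit record whose id field equals event_id exactly."""
    for line in audit_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("id") == event_id:
            return fields
    return None


if __name__ == "__main__":
    eid = event_id_from_error(CLIENT_ERROR)
    event = find_audit_event(eid, AUDIT_LOG)
    print(eid, event["action"], event["reason"], event["port"], event["src"])
```

To run it against a live gateway, pass the contents of logs/audit.log as audit_text in place of the constructed sample.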