Skip to main content

Self-hosted Temporal Nexus

SUPPORT, STABILITY, and DEPENDENCY INFO

Temporal Nexus is now Generally Available.

NEW TO NEXUS?

This page explains how to self-host Nexus. To learn about Nexus, see the how Nexus works page. To evaluate whether Nexus fits your use case, see the evaluation guide.

Enable Nexus

Nexus can be configured by setting static configuration and dynamic configuration entries.

note

Nexus is supported in single-cluster setups only. See Nexus Architecture for operational details.

note

Replace $PUBLIC_URL with a URL value that's accessible to external callers or internally within the cluster. Currently, external Nexus calls are considered experimental so it should be safe to use the address of an internal load balancer for the Frontend Service.

To enable Nexus in your deployment:

  1. Enable the HTTP API in the server's static configuration.

    services:
      frontend:
        rpc:
          # NOTE: keep other fields as they were
          httpPort: 7243

    clusterMetadata:
      # NOTE: keep other fields as they were
      clusterInformation:
        active:
          # NOTE: keep other fields as they were
          httpAddress: $PUBLIC_URL:7243

  2. Set the required dynamic configuration

    1. Prior to version 1.30.X, you must set the public callback URL and the allowed callback addresses.

      NOTE: the callback endpoint template and allowed addresses should be set when using the experimental "external" endpoint targets.

      component.nexusoperations.callback.endpoint.template:
        # The URL must be publicly accessible if the callback is meant to be called by external services.
        # When using Nexus for cross namespace calls, the URL's host is irrelevant as the address is resolved using
        # membership. The URL is a Go template that interpolates the `NamepaceName` and `NamespaceID` variables.
        - value: https://$PUBLIC_URL:7243/namespaces/{{.NamespaceName}}/nexus/callback
      component.callbacks.allowedAddresses:
        # Limits which callback URLs are accepted by the server.
        # Wildcard patterns (*) and insecure (HTTP) callbacks are intended for development only.
        # For production, restrict allowed hosts and set AllowInsecure to false
        # whenever HTTPS/TLS is supported. Allowing HTTP increases MITM and data exposure risk.
        - value:
            - Pattern: "*" # Update to restrict allowed callers, e.g. "*.example.com"
              AllowInsecure: true # In production, set to false and ensure traffic is HTTPS/TLS encrypted

    2. Version 1.30.X+: Nexus is enabled by default. Only the system callback URL is needed.

      component.nexusoperations.useSystemCallbackURL:
        - value: true

Build and use Nexus Services

See how Nexus works for an architectural overview, then follow an SDK guide to build your first Nexus Service.

SDK GUIDES