Configuration

moq-relay is configured via a TOML file. Pass the path as the only argument:

moq-relay relay.toml
# or
moq-relay --config relay.toml

Minimal Example

[server]
listen = "0.0.0.0:4443"

[server.tls]
cert = "cert.pem"
key = "key.pem"

Full Reference

[log]

Logging configuration.

[log]
# Log level: trace, debug, info, warn, error
# The RUST_LOG environment variable takes precedence
level = "info"

[server]

QUIC/WebTransport server settings.

[server]
# Listen address for QUIC (UDP)
listen = "0.0.0.0:4443"

[server.tls]

TLS configuration for the QUIC endpoint.

[server.tls]
# Option 1: Provide certificate files
cert = "/path/to/cert.pem"   # Certificate chain
key = "/path/to/key.pem"     # Private key

# Option 2: Generate self-signed certificates (development only)
generate = ["localhost", "127.0.0.1"]

# Optional: root CAs to accept for mTLS peer authentication.
# Clients that present a cert signed by one of these CAs are granted
# full access (publish/subscribe/cluster). Intended for relay clustering.
# Quinn backend only.
root = ["/path/to/peer-ca.pem"]

For production, use certificates from Let's Encrypt or another CA.

[web.http]

HTTP server for debugging endpoints.

[web.http]
# Listen address for HTTP (TCP)
# Defaults to disabled if not specified
listen = "0.0.0.0:4443"

See HTTP Endpoints for available endpoints.

[web.https]

HTTPS/WSS server for TCP fallback.

[web.https]
# Listen address for HTTPS/WSS (TCP)
listen = "0.0.0.0:443"

# TLS certificates (can be the same as server.tls)
cert = "cert.pem"
key = "key.pem"

[auth]

Authentication configuration.

[auth]
# Path to the JWT verification key
# - Symmetric: the shared secret key
# - Asymmetric: the public key
key = "root.jwk"

# Path prefix for anonymous access
# Omit to require authentication everywhere
public = "anon"

See Authentication for details on token generation.

[cluster]

Clustering configuration for multi-relay deployments.

[cluster]
# Address of the root relay to connect to
# Omit this to make this relay the root
connect = "root.relay.example.com:4443"

# JWT token file for cluster authentication
token = "cluster.jwt"

# This relay's address, as reachable by other cluster nodes
node = "leaf1.relay.example.com:4443"

See Clustering for deployment patterns.

[client]

Client settings used when connecting to other relays (clustering).

[client]
# Disable TLS verification (development only!)
tls.disable_verify = true

# Or provide trusted root certificates
# tls.root = ["/path/to/root.pem"]

[iroh]

Experimental P2P support via iroh.

[iroh]
# Enable iroh for P2P connections
enabled = false

# Path to persist the iroh secret key
secret = "./relay-iroh-secret.key"

Example Configurations

See the demo/relay/ directory for working configuration files:

• Development - demo/relay/root.toml
• Production - demo/relay/prod.toml
• Cluster Leaf Node - demo/relay/leaf0.toml

Environment Variables

• RUST_LOG - Override the log level (e.g., RUST_LOG=debug)
• MOQ_IROH_SECRET - Set the iroh secret key directly

See Also

• Authentication - JWT setup
• HTTP Endpoints - Debug endpoints
• Clustering - Multi-relay deployments
• Production Deployment - Production checklist