[awaiting eng response, do not merge] Fixing errors about Namespace connectivity and best practices#4127
Closed
[awaiting eng response, do not merge] Fixing errors about Namespace connectivity and best practices#4127
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
📖 Docs PR preview links
|
meiliang86
reviewed
Jan 17, 2026
| - A Namespace is provisioned with [endpoints](constraints-and-limitations) for executing your Workflows. Accessing a Namespace from a Worker or Temporal Client | ||
| requires [API keys](/cloud/api-keys) or [mTLS](/cloud/certificates) authentication. | ||
| - [Workflow Id](/workflow-execution/workflowid-runid#workflow-id)uniqueness is per Namespace. | ||
| - Every [Workflow Id](/workflow-execution/workflowid-runid#workflow-id) in a Namespace must be unique. Workflow Ids in different Namespaces may be the same. |
Contributor
There was a problem hiding this comment.
Should probably point out that only open workflow requires this uniqueness constraints. You can have multiple closed workflows with the same ID.
bechols
approved these changes
Jan 17, 2026
Contributor
bechols
left a comment
bechols
left a comment
There was a problem hiding this comment.
Lots of small comments/suggestions, but this is a big improvement.
| the system. A Namespace's default limit is set at 400 APS and automatically adjusts based on recent usage (over the | ||
| prior 7 days). Your APS limit will never fall below this default value. | ||
| the system. | ||
| - Each Namespace's default limit is set at 400 APS and automatically adjusts based on recent usage (over the |
Contributor
There was a problem hiding this comment.
I think default APS limit is 500 now - updated as we're rolling out capacity units. Worth double checking with TLo but good to fix since we're touching the line.
| permitted at the Namespace level. Isolating applications or environments (development, test, staging, production) | ||
| should take this into consideration. | ||
| - A Namespace is provisioned with an endpoint for executing your Workflows. Accessing a Namespace from a Temporal Client | ||
| - A Namespace is provisioned with [endpoints](constraints-and-limitations) for executing your Workflows. Accessing a Namespace from a Worker or Temporal Client |
Contributor
There was a problem hiding this comment.
Suggested change
| - A Namespace is provisioned with [endpoints](constraints-and-limitations) for executing your Workflows. Accessing a Namespace from a Worker or Temporal Client | |
| - A Namespace exposes [endpoints](#access-namespaces) for executing your Workflows. Accessing a Namespace from a Worker or Temporal Client |
| - A Namespace is provisioned with [endpoints](constraints-and-limitations) for executing your Workflows. Accessing a Namespace from a Worker or Temporal Client | ||
| requires [API keys](/cloud/api-keys) or [mTLS](/cloud/certificates) authentication. | ||
| - [Workflow Id](/workflow-execution/workflowid-runid#workflow-id)uniqueness is per Namespace. | ||
| - Every [Workflow Id](/workflow-execution/workflowid-runid#workflow-id) in a Namespace must be unique. Workflow Ids in different Namespaces may be the same. |
Contributor
There was a problem hiding this comment.
Do we use Id (rather than ID) everywhere?
| - Namespaces should be used to reduce the "blast radius" for mission-critical applications. | ||
| - Workflows that need to communicate with each other should (for now) be in the same Namespace. | ||
| - If you need to share Namespaces across team or domain boundaries, be sure to ensure the uniqueness of Workflow Ids. | ||
| - Environments such as production and development usually have requirements for isolation. We recommend that each |
Contributor
There was a problem hiding this comment.
Link to (and/or replace in favor of) https://docs.temporal.io/best-practices/managing-namespace#organizational-patterns ?
Contributor
Author
There was a problem hiding this comment.
oh yes definitely, this entire section should be taken out and just linked to that ^ much better one
| - This endpoint is unique to each Namespace. It will always connect to the Namespace, no matter which region(s) the Namespace is using. (Recommended for Namespaces with High Availability) | ||
| - A Temporal Client that uses a Namespace endpoint doesn't have to be aware of which region the Namespace is in. | ||
| - Restrictions: | ||
| - If [High Availability](/cloud/high-availability) is not enabled, then accessing a Namespace via API key + Namespace endpoint is not supported. To use the Namespace endpoint with API keys, a Namespace must have [High Availability](/cloud/high-availability) enabled. |
Contributor
There was a problem hiding this comment.
But this is changing soon, right?
| ### Configuring a Temporal Client with API keys or mTLS | ||
|
|
||
| - To use API keys to connect with the [Temporal CLI](/cli), [Client SDK](/develop), [tcld](/cloud/tcld), | ||
| To use API keys to connect with the [Temporal CLI](/cli), [Client SDK](/develop), [tcld](/cloud/tcld), |
Contributor
There was a problem hiding this comment.
Minor: risk of drift vs the list at https://docs.temporal.io/cloud/api-keys#api-key-supported-tooling
| - Set up your allow list for outgoing network requests from your Clients and Workers with the IP address ranges of the | ||
| For enhanced protection: | ||
| - Set up [private connectivity](/cloud/connectivity#private-network-connectivity-for-namespaces) to the Namespace. | ||
| - In your own networking architecture, set up an allow list for outgoing network requests from your Clients and Workers with the IP address ranges of the |
Contributor
There was a problem hiding this comment.
Needs to cover multiple regions if it's a HA namespace
| - Temporal Cloud has only one regional endpoint for each cloud region. The same regional endpoint can access any Namespace that is active in that region (or that has a [replica](/cloud/high-availability) in that region). | ||
| - A Temporal Client can use a regional endpoint to ensure connection to a Namespace always happens within that region. | ||
| - Restrictions: | ||
| - When using mTLS to authenticate, the Temporal Client must set the `server_name` property in its request to the value of the Namespace endpoint. |
Contributor
There was a problem hiding this comment.
I'm not able to easily ctrl+f the linked docs for occurrences of server_name. Should we instead say that the "Temporal Client must override the Server Name Indication (SNI) in its TLS configuration to the value of the Namespace endpoint", perhaps linking to an example, and then refer to SNI later in this doc?
Contributor
Author
There was a problem hiding this comment.
I will attempt to rewrite
Contributor
|
Left one comment inline otherwise LGTM |
Co-authored-by: Ben Echols <benjamin.echols@temporal.io>
bechols
reviewed
Jan 20, 2026
|
|
||
| - **Workflow ID uniqueness**: Temporal guarantees a unique Workflow Id within a Namespace. | ||
| Workflow Executions may have the same Workflow Id if they are in different Namespaces. | ||
| - **Workflow ID uniqueness**: Temporal guarantees that each running Workflow Exeecution within a Namespace has a unique Workflow ID. |
Contributor
There was a problem hiding this comment.
Typo: "Exeecution" should be "Execution"
Suggested change
| - **Workflow ID uniqueness**: Temporal guarantees that each running Workflow Exeecution within a Namespace has a unique Workflow ID. | |
| - **Workflow ID uniqueness**: Temporal guarantees that each running Workflow Execution within a Namespace has a unique Workflow ID. |
bechols
reviewed
Jan 20, 2026
bechols
reviewed
Jan 20, 2026
| There are charges associated with Replication and enabling High Availability features. For pricing details, visit | ||
| Temporal Cloud's [Pricing](/cloud/pricing) page. | ||
|
|
||
| If the Namespace's APS limit has been raised above the [default limit](https://docs.temporal.io/cloud/namespaces#constraints-and-limitations), then it will require a support ticket to to add a replica. Support will ensure that Temporal Cloud has capacity in the replica's region to handle the additional APS. Please |
Contributor
There was a problem hiding this comment.
Two issues on this line:
- Duplicate word: "to to add" should be "to add"
- Not ideal link: suggest using
/cloud/capacity-modes#namespace-capacityinstead
Suggested change
| If the Namespace's APS limit has been raised above the [default limit](https://docs.temporal.io/cloud/namespaces#constraints-and-limitations), then it will require a support ticket to to add a replica. Support will ensure that Temporal Cloud has capacity in the replica's region to handle the additional APS. Please | |
| If the Namespace's APS limit has been raised above the [default limit](/cloud/capacity-modes#namespace-capacity), then it will require a support ticket to add a replica. Support will ensure that Temporal Cloud has capacity in the replica's region to handle the additional APS. Please |
bechols
reviewed
Jan 20, 2026
| - Temporal Cloud has only one regional endpoint for each cloud region. The same regional endpoint can access any Namespace that is active in that region (or that has a [replica](/cloud/high-availability) in that region). | ||
| - A Temporal Client can use a regional endpoint to ensure connection to a Namespace always happens within that region. | ||
| - Restrictions: | ||
| - When using mTLS to authenticate, the Temporal Client override the Server Name Indication (SNI) in the TLS configuration with the value of the Namespace endpoint. |
Contributor
There was a problem hiding this comment.
Grammar: "the Temporal Client override" should be "the Temporal Client must override"
Suggested change
| - When using mTLS to authenticate, the Temporal Client override the Server Name Indication (SNI) in the TLS configuration with the value of the Namespace endpoint. | |
| - When using mTLS to authenticate, the Temporal Client must override the Server Name Indication (SNI) in the TLS configuration with the value of the Namespace endpoint. |
bechols
reviewed
Jan 20, 2026
| - Restrictions: | ||
| - When using mTLS to authenticate, the Temporal Client override the Server Name Indication (SNI) in the TLS configuration with the value of the Namespace endpoint. | ||
| In the Temporal SDKs, this can be done using the "TLS Server Name" property in requests to Temporal Cloud. | ||
| For example, in the [Temporal CLI](/cloud/certificates#configure-temporal-cli, this can be done by using `TEMPORAL_TLS_SERVER_NAME=<namespace endpoint>` or `--tls-server-name <namespace endpoint>`. |
Contributor
There was a problem hiding this comment.
Broken markdown link: Missing closing parenthesis. Should be [Temporal CLI](/cloud/certificates#configure-temporal-cli) (note the closing ) before the comma).
Suggested change
| For example, in the [Temporal CLI](/cloud/certificates#configure-temporal-cli, this can be done by using `TEMPORAL_TLS_SERVER_NAME=<namespace endpoint>` or `--tls-server-name <namespace endpoint>`. | |
| For example, in the [Temporal CLI](/cloud/certificates#configure-temporal-cli), this can be done by using `TEMPORAL_TLS_SERVER_NAME=<namespace endpoint>` or `--tls-server-name <namespace endpoint>`. |
lukeknep
changed the title
lukeknep
changed the title
Contributor
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Fixes some errors on the Namespace "General Guidance" section and on the "Connecting to your Namespace" section.
Notes to reviewers