Skip to content

Why Hee

Hee exists because every existing option for offering custom domains to SaaS customers has a sharp edge:

The industry default — and the reason many teams pay a five-figure Enterprise contract before they’ve hit 100 customers.

What works: Custom Hostnames API, global POP presence, DDoS protection.

What doesn’t:

  • Custom Origin SNI is Enterprise-only. Without it, TLS fails when your origin’s cert CN doesn’t match the customer’s domain.
  • Worker routes don’t fire on fallback origins. If your architecture depends on edge middleware (auth, routing, A/B) and you expected it to run for SaaS custom hostnames, it won’t. The fallback origin path bypasses routes entirely.
  • Entry price is the Enterprise sales cycle itself. There’s no self-serve path past a few free custom hostnames.

A newer, friendlier alternative. Closed-source, $29+/mo starting tier.

What works: Clean API, automatic TLS, reasonable onboarding.

What doesn’t:

  • Per-domain pricing adds up fast. At ~200 customers you’re paying more than a senior engineer’s annual tooling budget.
  • Closed source — you can’t self-host, you can’t inspect, you can’t fork. If Approximated goes away, you’re re-architecting.
  • Single region (North America primary). Latency-sensitive customers notice.

Absolutely viable. Caddy + Postgres + a €5 box covers 80% of what Hee does.

What works: Full control, any hyperscaler, no vendor tax.

What doesn’t:

  • A month of engineering time to wire on_demand_tls, build the multi-tenant control plane, handle cert rate limits, build the verification probe, and produce a portal your non-engineers can use.
  • Ongoing maintenance — cert rotation, Postgres tuning, DNS changes, deploy automation. None of this is your product.
DecisionReason
Caddy + on_demand_tlsBattle-tested. json config model. Cert management that “just works.”
Let’s Encrypt HTTP-01Free, standard, no cert markup. Renewals are Caddy’s job.
Postgres + TypeORMSmall ops surface. We know it scales past 10k tenants.
NestJS control planeStrongly-typed multi-tenant API with DI. Easy to extend.
Single-region alphaMove fast; multi-region in Phase 2 (Frankfurt + Ashburn first).
Open source edgeEscape hatch. If pricing ever goes sideways, customers fork and self-host.
Magic-link authNo password storage. Postmark handles deliverability.
Portal + API parityEvery portal action has a REST equivalent. Scriptable end-to-end.
  • Regulated industries that need on-premise edge (SOC2 is in roadmap; HIPAA/FedRAMP is not). Self-host instead.
  • Wildcards on apex domains (*.example.com) — coming Phase 3. Today we issue per-hostname.
  • Less than 3 custom domains forever — the free tier has you; no need to buy a plan.
  • Heavy edge logic (transforms, auth at edge, custom response headers per tenant) — roadmap Phase 2. For now, Hee routes to your upstream untouched.

If you’re somewhere between “just one fancy domain” and “Fortune 500 compliance officer,” Hee fits.