AccessGate is a policy-driven SSH access broker for AI agents and automation systems, issuing temporary, auditable, and revocable access leases to managed Linux servers.
- Issues short-lived SSH leases instead of permanent shared access.
- Maps automation access to managed users such as
accessgate-normalandaccessgate-elevated. - Supports normal and elevated AI/automation profiles.
- Generates per-lease SSH key material and returns the private key exactly once.
- Keeps an operator web panel for approvals, targets, audit history, and API keys.
- Provides a public Informer API so agents can discover the request contract.
- Pushes desired SSH access state to AG-Agents running on managed targets.
AccessGate is early software. The API, data model, deployment manifests, and security boundaries are still evolving.
cmd/accessgate/ Server, agent, and CLI entrypoint
deploy/k8s/ Kubernetes deployment manifest
docs/ Architecture, security model, API draft, onboarding
docs/workflows/ Sequence/workflow documentation
scripts/ Build helper scripts
Build and test locally:
go test ./...
go build ./cmd/accessgateRun the server:
ACCESSGATE_ADDR=:8080 \
ACCESSGATE_DATA_DIR=./data \
ACCESSGATE_PUBLIC_URL=http://localhost:8080 \
./accessgateRead the public Informer:
curl http://localhost:8080/v1/informer
curl http://localhost:8080/v1/informer/agent-contractThe operator web UI is inactive by default. Create a short-lived Ops Login Link from a trusted runtime context:
Local server:
./accessgate -opskey --operator <name> --ttl 1h --base-url http://localhost:8080Kubernetes:
kubectl -n accessgate exec deploy/accessgate -- \
/accessgate -opskey --operator <name> --ttl 1h \
--base-url https://accessgate.example.comOpen the returned link once. AccessGate consumes the token and redirects to /ops with an operator session cookie.
AI agents should start with:
GET /v1/informer/agent-contractThe contract describes authentication, targets, lease schemas, SSH key handling, retry timing, cleanup rules, and error recovery.
AccessGate is source-available under the PolyForm Noncommercial License 1.0.0.
You may use, study, modify, and share it for permitted non-commercial purposes. Commercial use requires prior written permission from the project owner.
See LICENSE for the full terms.
Important: this is not an OSI-approved open-source license because commercial use is restricted.
For commercial use, hosted offerings, resale, paid customer deployments, or production use in a commercial organization, request permission before using AccessGate.
AccessGate controls SSH access and should be treated as security-sensitive infrastructure. Please read SECURITY.md before reporting vulnerabilities.