Teleport is an open-source identity-aware access proxy that unifies secure access to servers, Kubernetes clusters, databases, Windows desktops, internal web applications, and AI agents via Model Context Protocol (MCP). It solves the problem of credential sprawl and fragmented access controls by replacing long-lived keys and passwords with short-lived certificates, SSO, and just-in-time privileges. Built in Go, it integrates with existing infrastructure like OpenSSH and Kubernetes while providing a centralized audit trail and policy engine.
Teleport ships as a single Go binary and runs as a Linux systemd service, in Kubernetes via Helm charts, or as a Docker container. For SSO it integrates with GitHub, Okta, Microsoft Entra ID, and any OIDC or SAML identity provider; for resources it proxies PostgreSQL, MongoDB, MySQL, and CockroachDB databases, RDP desktops, and internal web apps. Its architecture removes standing privileges and makes access auditable across human and machine identities, including AI agents.
What You Get
- Certificate-Based Authentication - Replaces SSH keys and passwords with short-lived, cryptographically signed certificates issued by Teleport’s built-in CA, automatically expiring to reduce credential exposure.
- Single Sign-On (SSO) Integration - Supports GitHub Auth, OpenID Connect, and SAML with identity providers like Okta and Microsoft Entra ID for unified human identity management across all infrastructure.
- Kubernetes Access Control - Provides role-based access to Kubernetes clusters through kubectl, mapping Teleport roles onto Kubernetes users and groups so the cluster's native RBAC is enforced, with SSO authentication and recording of interactive exec sessions. tsh writes a kubeconfig entry backed by a short-lived certificate, so no long-lived cluster credentials are handed out.
- Database Access Proxy - Secures PostgreSQL, MySQL, MongoDB, and CockroachDB connections with mTLS, SSO, and audit logs — no database passwords or static credentials required.
- Windows Desktop Access (RDP) - Enables secure, audited RDP access to Windows hosts with MFA, session recording, and integration with existing Active Directory or SSO systems.
- AI Agent & MCP Support - Extends identity and access control to AI agents and Model Context Protocol (MCP) tools, enabling secure, auditable interactions between LLMs and infrastructure.
- Session Recording & Audit Trail - Records SSH, Kubernetes exec, and RDP sessions for replay (terminal I/O for SSH and Kubernetes, screen recordings for desktops) and logs database queries and web app requests, alongside every login and access decision, in a structured JSON audit log for compliance and forensic analysis.
- Just-in-Time (JIT) Access - Enforces ephemeral privileges with approval workflows and time-bound access grants, eliminating standing permissions and reducing lateral movement risk.
- Unified Access Portal - Provides a single web UI and CLI (tsh) to discover, connect to, and audit access to all infrastructure resources — servers, clusters, databases, and AI tools — from one interface.
- No VPN or Bastion Hosts Required - Agents dial out to the Teleport Proxy over reverse tunnels, so resources behind NATs and firewalls need no public IPs, inbound firewall rules, VPNs, or traditional jump servers; the Proxy is the only endpoint that must be reachable, which also makes it the single place to harden and monitor.
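The certificate lifecycle described under Certificate-Based Authentication, as an added example that is not Teleport's own code: a minimal X.509 CA built on Go's standard library that issues a client certificate carrying a user name and roles with an 8-hour TTL, verifies it, and shows the same certificate being rejected once the TTL has passed, with no revocation list involved. The CA name, the user name and roles, and the use of Subject.Organization to carry roles are assumptions made for this example (Teleport's real TLS identities carry more fields).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MiniCA is an illustrative certificate authority (added example, not Teleport
// code): it issues short-lived client certificates and verifies them.
type MiniCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// NewMiniCA creates a self-signed root valid for one day from now.
func NewMiniCA(now time.Time) (*MiniCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-cluster-ca"}, // assumed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &MiniCA{cert: cert, key: key, pool: pool}, nil
}

// IssueUserCert signs a client certificate for user that expires after ttl.
// Roles ride in Subject.Organization (a simplification assumed for the example).
func (ca *MiniCA) IssueUserCert(user string, roles []string, ttl time.Duration, now time.Time) ([]byte, *ecdsa.PrivateKey, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user, Organization: roles},
		NotBefore:    now.Add(-time.Minute), // small clock-skew allowance
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &userKey.PublicKey, ca.key)
	return der, userKey, err
}

// Verify checks that the certificate chains to this CA and is inside its
// validity window at time at, then returns the identity it carries. Expiry
// is enforced here purely from NotAfter, which is why short TTLs need no CRL.
func (ca *MiniCA) Verify(der []byte, at time.Time) (user string, roles []string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       ca.pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

func main() {
	now := time.Now()
	ca, err := NewMiniCA(now)
	if err != nil {
		panic(err)
	}
	der, _, _ := ca.IssueUserCert("alice", []string{"access", "editor"}, 8*time.Hour, now)
	user, roles, err := ca.Verify(der, now.Add(time.Hour))
	fmt.Println("1h after issue:", user, roles, err)
	_, _, err = ca.Verify(der, now.Add(9*time.Hour))
	fmt.Println("9h after issue:", err)
}
```

The second Verify call fails with a plain x509 expiry error: nothing had to be revoked, the credential simply stopped being valid. A certificate issued by a different MiniCA fails chain verification the same way a certificate from an untrusted cluster would.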
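The audit trail described under Session Recording & Audit Trail, as an added example that is not Teleport's own code: a Go detector that parses newline-delimited JSON audit events, flags accounts with a burst of failed logins inside a sliding window, and lists the sessions those accounts later opened so an analyst can pivot from the alert. The field names (event, code, time, user, success, login, server_hostname) are assumed to follow Teleport's audit event format, and every log line below is constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent holds the fields this example reads from a Teleport-style JSON
// audit event (one object per line). Field names are assumed to follow
// Teleport's audit format; unknown fields are ignored by the decoder.
type AuditEvent struct {
	Event   string    `json:"event"`
	Code    string    `json:"code"`
	Time    time.Time `json:"time"`
	User    string    `json:"user"`
	Success bool      `json:"success"`
	Error   string    `json:"error"`
	Login   string    `json:"login"`
	Host    string    `json:"server_hostname"`
}

// sampleAuditLog is constructed sample data for this example, not a real log.
const sampleAuditLog = `{"event":"user.login","code":"T1000W","time":"2024-05-01T10:00:00Z","user":"bob","success":false,"error":"invalid username or password"}
{"event":"user.login","code":"T1000W","time":"2024-05-01T10:00:05Z","user":"alice","success":false,"error":"invalid username or password"}
{"event":"user.login","code":"T1000W","time":"2024-05-01T10:00:20Z","user":"bob","success":false,"error":"invalid username or password"}
{"event":"user.login","code":"T1000I","time":"2024-05-01T10:00:30Z","user":"alice","success":true,"method":"local"}
{"event":"session.start","code":"T2000I","time":"2024-05-01T10:00:40Z","user":"alice","login":"alice","server_hostname":"web-1"}
{"event":"user.login","code":"T1000W","time":"2024-05-01T10:00:45Z","user":"bob","success":false,"error":"invalid username or password"}
{"event":"user.login","code":"T1000W","time":"2024-05-01T10:01:10Z","user":"bob","success":false,"error":"invalid username or password"}
{"event":"user.login","code":"T1000I","time":"2024-05-01T10:01:30Z","user":"bob","success":true,"method":"local"}
{"event":"session.start","code":"T2000I","time":"2024-05-01T10:01:45Z","user":"bob","login":"root","server_hostname":"db-1"}`

// ParseAuditLog decodes newline-delimited JSON events, skipping blank lines
// and reporting the first malformed line instead of silently dropping it.
func ParseAuditLog(s string) ([]AuditEvent, error) {
	var out []AuditEvent
	sc := bufio.NewScanner(strings.NewReader(s))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		out = append(out, e)
	}
	return out, sc.Err()
}

// FailedLoginBursts returns, per user, the largest number of failed logins
// that fall inside any sliding window of the given length, keeping only
// users at or above threshold. Events may arrive out of order, so they are
// sorted per user first.
func FailedLoginBursts(events []AuditEvent, threshold int, window time.Duration) map[string]int {
	failures := map[string][]time.Time{}
	for _, e := range events {
		if e.Event == "user.login" && !e.Success {
			failures[e.User] = append(failures[e.User], e.Time)
		}
	}
	out := map[string]int{}
	for user, ts := range failures {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		best, j := 0, 0
		for i := range ts {
			for j < len(ts) && ts[j].Sub(ts[i]) <= window {
				j++
			}
			if j-i > best {
				best = j - i
			}
		}
		if best >= threshold {
			out[user] = best
		}
	}
	return out
}

// SessionsFor lists login@host for every session the user started, so an
// analyst can see what a flagged account did once it got in.
func SessionsFor(events []AuditEvent, user string) []string {
	var out []string
	for _, e := range events {
		if e.Event == "session.start" && e.User == user {
			out = append(out, e.Login+"@"+e.Host)
		}
	}
	return out
}

func main() {
	events, err := ParseAuditLog(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	for user, n := range FailedLoginBursts(events, 3, 2*time.Minute) {
		fmt.Printf("%s: %d failed logins within 2m; sessions afterwards: %v\n", user, n, SessionsFor(events, user))
	}
}
```

On the constructed data only bob is flagged (four failures in 70 seconds, then a successful login and a root session on db-1); alice's single failure followed by a success stays below the threshold. Tightening the window to 30 seconds drops bob below three failures, which is the knob an operator tunes against the real login cadence of their users.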
Common Use Cases
- Securing Kubernetes clusters in regulated environments - A DevOps team uses Teleport to grant engineers temporary, audited access to production Kubernetes clusters via SSO, replacing long-lived kubeconfig credentials with short-lived certificates and enforcing MFA.
- Enabling secure database access for data scientists - A finance team connects to PostgreSQL and MySQL databases without storing credentials, using Teleport’s database proxy with session recording for compliance audits.
- Managing access to Windows desktops in enterprise networks - An IT team deploys Teleport to provide MFA-protected RDP access to Windows servers, replacing legacy RDP gateways and reducing attack surface.
- Controlling AI agent access to infrastructure - An AI engineering team uses Teleport's MCP integration so that tool calls made by LLM agents against internal APIs and databases are authenticated as a distinct identity, authorized by RBAC, and recorded in the audit log, rather than running under a shared credential the model could misuse.
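The just-in-time and role-based model from the feature list above (time-bound grants layered on standing roles, deny rules that cannot be overridden) and the temporary-access use cases in this list, as an added example rather than Teleport's own code: a simplified Go model of label-selector RBAC with expiring access-request grants. Role names, labels, logins and the one-hour grant are constructed for the example; Teleport's `'*': '*'` match-everything selector and the many other fields of a real role are left out.

```go
package main

import (
	"fmt"
	"time"
)

// Simplified model of label-based RBAC with just-in-time role grants. This is
// an added example, not Teleport's implementation; it keeps two Teleport rules:
// a role's deny selectors win over any allow, and "*" accepts any label value.

type Labels map[string]string

// Selector maps a label key to the values it accepts ("*" accepts any value).
type Selector map[string][]string

type Role struct {
	Name       string
	AllowNodes Selector // node labels this role may reach
	DenyNodes  Selector // node labels this role must never reach
	Logins     []string // OS logins the role permits
}

// Grant is an approved access request: a role held only until Expires.
type Grant struct {
	Role    string
	Expires time.Time
}

type User struct {
	Roles  []string // standing roles
	Grants []Grant  // time-bound roles from approved access requests
}

func contains(xs []string, x string) bool {
	for _, y := range xs {
		if y == x {
			return true
		}
	}
	return false
}

// Matches reports whether every key in the selector is present on the
// resource with an accepted value; an empty selector matches nothing.
func (s Selector) Matches(l Labels) bool {
	if len(s) == 0 {
		return false
	}
	for key, accepted := range s {
		v, ok := l[key]
		if !ok || !(contains(accepted, v) || contains(accepted, "*")) {
			return false
		}
	}
	return true
}

// EffectiveRoles is the user's standing roles plus grants not yet expired.
func EffectiveRoles(u User, roles map[string]Role, at time.Time) []Role {
	var out []Role
	for _, name := range u.Roles {
		out = append(out, roles[name])
	}
	for _, g := range u.Grants {
		if at.Before(g.Expires) {
			out = append(out, roles[g.Role])
		}
	}
	return out
}

// CanAccess decides whether u may open login@node at time at. Deny rules are
// checked across all effective roles first, so a temporary grant can never
// override a standing deny.
func CanAccess(u User, roles map[string]Role, node Labels, login string, at time.Time) (bool, string) {
	eff := EffectiveRoles(u, roles, at)
	for _, r := range eff {
		if r.DenyNodes.Matches(node) {
			return false, "denied by role " + r.Name
		}
	}
	for _, r := range eff {
		if r.AllowNodes.Matches(node) && contains(r.Logins, login) {
			return true, "allowed by role " + r.Name
		}
	}
	return false, "no effective role allows " + login + " here"
}

// SamplePolicy builds constructed roles and a user for the example: a standing
// "dev" role (staging only, never PCI hosts) and a one-hour grant of "prod".
func SamplePolicy() (map[string]Role, User, time.Time) {
	roles := map[string]Role{
		"dev":  {Name: "dev", AllowNodes: Selector{"env": {"staging"}}, DenyNodes: Selector{"pci": {"true"}}, Logins: []string{"alice"}},
		"prod": {Name: "prod", AllowNodes: Selector{"env": {"prod"}}, Logins: []string{"root"}},
	}
	t0 := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	alice := User{Roles: []string{"dev"}, Grants: []Grant{{Role: "prod", Expires: t0.Add(time.Hour)}}}
	return roles, alice, t0
}

func main() {
	roles, alice, t0 := SamplePolicy()
	for _, at := range []time.Time{t0, t0.Add(2 * time.Hour)} {
		ok, why := CanAccess(alice, roles, Labels{"env": "prod"}, "root", at)
		fmt.Println(at.Format(time.Kitchen), ok, why)
	}
}
```

The ordering in CanAccess is the security-relevant part: deny is evaluated over every effective role before any allow is considered, so approving a request for the prod role cannot let alice onto a host labelled pci=true that her standing dev role forbids, and once the grant's Expires passes the prod role simply drops out of EffectiveRoles without any revocation step.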
Under The Hood
Architecture
- Clear separation of concerns through modular Go packages that encapsulate domain-specific logic such as access control, audit logging, and tunneling.
- Protocol buffers with gRPC and Connect RPC enforce typed, versioned service contracts between frontend and backend components.
- Dependency injection patterns decouple core logic from infrastructure concerns like TLS configuration and resource pooling.
- Interface-based storage abstractions enable pluggable backends without modifying business rules.
- Frontend monorepo structure with module aliases and isolated packages promotes component reuse and maintainability across UI applications.
- Platform-specific authentication code (for example the WebAuthn integrations for each operating system) is isolated behind common interfaces instead of leaking into the shared call paths.
Tech Stack
- Go backend leveraging gRPC and Protocol Buffers for high-performance, typed APIs with buf for schema management.
- React 19 and TypeScript frontend with Vite, TanStack Query, and React Hook Form for scalable UI development.
- gRPC and Connect RPC code generated via protoc plugins to ensure type-safe bidirectional communication.
- Jest, Playwright, and MSW provide comprehensive testing with API mocking, while Storybook enables component-driven design.
- Rust toolchain configured for WebAssembly targets, used for performance-critical browser-side work such as the in-browser RDP client behind desktop access.
- Monorepo managed with pnpm, using workspace dependencies and patches, with Oxlint and Oxfmt for consistent code quality.
Code Quality
- Extensive test coverage across unit, integration, and end-to-end scenarios with deep structural assertions.
- Strong type safety enforced through protobuf-generated types, strict interfaces, and comprehensive domain validation.
- Consistent error handling using trace.Wrap for stack-trace-preserving errors, with classification helpers (trace.IsNotFound, trace.IsAccessDenied, and similar) that keep error checks aligned with Go idioms.
- Modular code organization with well-defined layers: API definitions, service logic, caching, and adapters.
- Descriptive naming conventions and test helper prefixes ensure readability and maintainability.
- Automated golden file testing ensures serialization consistency and configuration reliability.
What Makes It Unique
- Machine & Workload Identity (tbot) issues the same short-lived, CA-signed certificates to services, CI jobs, and workloads that humans receive, and those certificates can authenticate to existing OpenSSH hosts without installing a Teleport agent.
- Unified access control plane brings SSH, databases, Kubernetes, desktops, applications, and MCP tools under a single identity and RBAC system.
- Protocol-aware database proxying: per-database engines parse each wire protocol (including MongoDB's) so sessions are authenticated with mTLS and queries are recorded at the statement level without any client modifications.
- Identity provider integrations ingest user, group, and application data from enterprise IdPs (Okta, for example) directly into native Teleport resources, keeping access aligned with the source of identity.
- Log limiter with substring deduplication and time-windowed sampling reduces noise while preserving operational context.
- WebAuthn mock testing with PKCS#8 key injection allows full FIDO2 authentication testing without physical hardware.