Teleport
Zero-trust infrastructure access platform that replaces credentials and VPNs with short-lived certificates, SSO, and identity-aware proxies for SSH, Kubernetes, databases, RDP, and AI agents.
Teleport is an open-source identity-aware access platform that unifies secure access to SSH servers, Kubernetes clusters, PostgreSQL, MySQL, MongoDB, and CockroachDB databases, Windows desktops via RDP, internal web applications, Git repositories, and AI agents via Model Context Protocol (MCP). It eliminates credential sprawl — no more SSH keys, database passwords, or kubeconfig files — by issuing short-lived certificates from a built-in certificate authority and integrating with existing SSO providers like Okta, Microsoft Entra ID, and GitHub Auth.
Built in Go as a single binary, Teleport deploys as a Linux daemon or a Kubernetes Helm chart and establishes reverse tunnels to reach resources behind NATs and firewalls without VPNs or traditional bastion hosts. Its architecture separates the Auth Service (CA + policy engine), Proxy Service (reverse tunnel), and Node/Agent processes, enabling high-availability multi-cluster deployments across hybrid cloud environments.
Beyond connectivity, Teleport enforces Role-Based and Attribute-Based Access Control (RBAC/ABAC) across all protocols, supports Just-in-Time (JIT) privilege escalation with approval workflows, records every session with full playback, and streams audit events to SIEM platforms. The tbot workload identity service extends the same certificate-based model to machine-to-machine access, enabling CI/CD pipelines and AI agents to authenticate without long-lived secrets.
Teleport is trusted by teams from startups to hyperscalers for securing production infrastructure. It ships with a web UI, a tsh CLI, and first-party plugins for Slack, PagerDuty, Jira, Mattermost, and Microsoft Teams for access request workflows. An enterprise cloud-hosted version (Teleport Enterprise Cloud) provides managed infrastructure, additional compliance controls, and commercial support.
What You Get
- Certificate-Based Authentication - Replaces SSH keys, database passwords, and kubeconfig tokens with short-lived cryptographic certificates issued by Teleport’s built-in CA, with automatic expiration to eliminate standing credentials.
- Single Sign-On (SSO) for All Infrastructure - Integrates with OpenID Connect, SAML 2.0, GitHub Auth, Okta, and Microsoft Entra ID so every login to every server, database, or cluster flows through your identity provider.
- Kubernetes Access Without kubeconfig Files - Proxies kubectl and Helm commands through Teleport’s identity layer with native RBAC enforcement, per-session certificates, SSO authentication, and full command recording.
- Database Access Proxy - Terminates mTLS at the proxy and forwards authenticated sessions to PostgreSQL, MySQL, MongoDB, CockroachDB, Redshift, and Cloud SQL — no database passwords stored anywhere.
- Windows Desktop Access (RDP) - Provides MFA-protected, recorded RDP access to Windows hosts discovered via LDAP or registered manually, integrated with Active Directory or Teleport’s own certificate authority.
- Machine & Workload Identity (tbot) - Issues short-lived certificates to CI/CD pipelines, Kubernetes workloads, and AI agents so machine-to-machine calls authenticate without injecting secrets into environment variables.
- AI Agent & MCP Server Access - Extends Teleport’s identity and RBAC model to Model Context Protocol (MCP) servers, providing authenticated, audited access for LLM-powered agents to infrastructure resources.
- Just-in-Time (JIT) Access Requests - Lets users request elevated roles or access to sensitive resources with approval workflows via Slack, PagerDuty, Jira, or the web UI, with automatic privilege revocation after a time limit.
- Session Recording and Audit Trail - Records every SSH, Kubernetes, database, RDP, and web session with full video playback and command logs, streaming structured events to S3, Athena, or SIEM platforms in real time.
- Reverse Tunneling Without VPNs - Agents behind NATs and firewalls connect outbound to Teleport’s proxy, making resources reachable without public IPs, VPN concentrators, or traditional jump boxes.
Common Use Cases
- Zero-trust SSH access for distributed teams - A platform team deploys Teleport to give engineers time-limited, MFA-enforced SSH access to production Linux servers authenticated via Okta, replacing static SSH keys and eliminating shared credentials entirely.
- Audited database access for compliance - A fintech company routes all PostgreSQL and MySQL connections through Teleport’s database proxy so every query session is logged, recorded, and tied to a specific human identity for SOC 2 and PCI DSS audits.
- Kubernetes RBAC across multi-cloud clusters - A DevOps team registers EKS, GKE, and on-premises clusters in a single Teleport cluster and uses its RBAC engine to grant teams scoped kubectl access without distributing kubeconfig files.
- Machine identity for CI/CD pipelines - A DevSecOps team uses tbot to issue short-lived Teleport certificates to GitHub Actions runners so pipelines authenticate to staging databases and Kubernetes clusters without any stored secrets.
- Secure AI agent infrastructure access - An AI engineering team registers internal MCP servers with Teleport so that LLM agents can query databases and call internal APIs with the same identity enforcement and audit logging applied to human operators.
- JIT privileged access for incident response - An SRE team configures Teleport’s access request workflow so engineers can request temporary production database access during incidents, requiring peer approval via Slack before a time-limited session is granted.
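What the RBAC and JIT access request features above look like in practice, as a constructed example (an added illustration, not a role definition taken from the Teleport documentation or repository): two role resources in Teleport’s role YAML format. The `dba` role grants narrowly scoped, MFA-gated database access; the `on-call` role cannot use it directly and can only request it, with one peer approval required before the elevation takes effect. The role names, labels, database users and database names are assumptions about how resources were registered.

```yaml
# Constructed example (not from the Teleport project). Apply with: tctl create -f roles.yaml
# Role 1: the privileged role. Nobody holds it standing; it is only ever granted on request.
kind: role
version: v7
metadata:
  name: dba
spec:
  allow:
    # Assumed labels/names: only databases labelled env=prod, as the
    # "readonly" database user, and only the "payments" database.
    db_labels:
      env: prod
    db_users: ['readonly']
    db_names: ['payments']
  options:
    max_session_ttl: 1h          # elevated certificates expire after one hour
    require_session_mfa: true    # a second factor is required per session, not just at login
---
# Role 2: the everyday role. It holds low-privilege access and the right to *request* dba.
kind: role
version: v7
metadata:
  name: on-call
spec:
  allow:
    logins: ['ubuntu']           # assumed Linux login for staging hosts
    node_labels:
      env: staging
    request:
      roles: ['dba']             # the only role this user may ask for
      thresholds:
        - approve: 1             # one approver is enough to grant
          deny: 1                # one denial rejects the request
  options:
    max_session_ttl: 8h
    request_access: reason       # the requester must state why the access is needed
```

The detection-relevant property is that the approval, the reason, the approver identity and the eventual expiry of the `dba` grant all land in the audit stream alongside the recorded database session, so a reviewer can reconstruct who held production database access, for how long, and on whose say-so.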
Under The Hood
Architecture
Teleport’s architecture follows a strict service decomposition: the Auth Service acts as the root certificate authority and policy engine; the Proxy Service terminates all inbound connections and establishes reverse tunnels to agents running inside private networks; individual Node, Kubernetes, Database, Application, and Desktop Services run alongside target resources and authenticate to the cluster via short-lived certificates. This separation ensures that the trust boundary is enforced at the crypto layer, not at the network perimeter. Backend state is abstracted behind a pluggable interface with implementations for SQLite, DynamoDB, Firestore, PostgreSQL, and etcd, allowing the same codebase to run on a single laptop or across a globally distributed control plane. Protocol Buffers with gRPC and Connect RPC enforce typed, versioned contracts between all services, and code generation via buf ensures API consumers remain in sync. The frontend is a pnpm-managed React 19 monorepo with strict module boundaries.
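The agent side of that decomposition, as a constructed example (this is an added illustration, not a file from the Teleport documentation or repository): a teleport.yaml for an SSH host behind NAT that runs only the Node (ssh) service, dials out to the Proxy Service, and holds a reverse tunnel open. The host name, proxy address, token path, and labels are assumptions; the join token is the only bootstrap secret on the box, and it is exchanged for a short-lived host certificate once the node has joined.

```yaml
# Constructed example of an agent-only Teleport config (not from the project).
# No Auth or Proxy Service runs here; the node connects outbound to the
# cluster's proxy, so the host needs no inbound firewall rule or public IP.
version: v3
teleport:
  nodename: web-01                         # assumed host name
  data_dir: /var/lib/teleport
  proxy_server: teleport.example.com:443   # assumed public proxy address
  join_params:
    method: token
    # Assumed path: a file holding a short-lived join token. Teleport reads the
    # token from the file when a path is given, so the secret stays out of the config.
    token_name: /etc/teleport/join-token
auth_service:
  enabled: no
proxy_service:
  enabled: no
ssh_service:
  enabled: yes
  labels:
    env: staging   # labels drive RBAC matching (node_labels) on the Auth Service
```

Operationally, the check a defender wants is that the agent never listens on a public interface: with this layout the only listening sockets belong to the cluster's proxy, and access decisions are made by the Auth Service against the node's labels rather than by whoever can reach port 22.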
Tech Stack
The backend is pure Go, built on the standard library’s crypto stack (augmented by golang.org/x/crypto) with gRPC, Connect RPC, and custom SSH and TLS handshake logic. Persistent state uses a backend abstraction that can target DynamoDB, Firestore, etcd, CockroachDB, PostgreSQL, or a local SQLite/BoltDB store. The web frontend uses React 19, TypeScript, Vite, TanStack Query, and React Hook Form, with Storybook for component development. End-to-end tests run under Playwright; unit tests use Jest with MSW for API mocking. Rust compiled to WebAssembly handles performance-sensitive browser-side cryptographic operations. Infrastructure is packaged as Helm charts, Docker images, and pre-built Linux binaries distributed via Teleport’s CDN.
Code Quality
With over 2,000 test files against roughly 6,200 Go source files, Teleport maintains an extensive test surface that spans unit, integration, golden-file, and end-to-end scenarios. Error handling consistently uses trace.Wrap for stack-preserving errors and typed sentinel errors (trace.BadParameter, trace.NotFound, trace.AccessDenied) with clear categorization. Domain logic is organized into well-defined packages — auth, authz, services, cache, backend, reversetunnel, proxy — with explicit interface contracts that enable both dependency injection in tests and swappable implementations in production. The codebase enforces contributor conventions via lint tooling (golangci-lint, Oxlint), golden-file tests for serialization stability, and a structured CONTRIBUTING guide with enforced code review.
What Makes It Unique
Teleport’s most distinctive technical achievement is treating every resource type — SSH nodes, Kubernetes clusters, databases, desktops, web apps, Git repos, and AI agents — as a first-class identity-aware entity secured by the same short-lived certificate model. Unlike PAM-level tools that secure a single protocol, Teleport extends cryptographic identity across all major infrastructure access patterns from one control plane. The agentless SSH path (via fdpass-teleport) intercepts file descriptors to authenticate existing sshd processes without installing an agent, and the MCP proxy applies the same RBAC rules that govern human engineers to LLM agents calling internal APIs. The reverse-tunnel model lets resources behind firewalls join a cluster without inbound firewall rules, making cloud-agnostic multi-cluster deployments viable without VPN infrastructure.
Self-Hosting
Teleport is released under the GNU Affero General Public License v3.0 (AGPL-3.0). The AGPL grants full freedom to run, study, modify, and distribute the software, but it extends the GPL’s copyleft requirement to network use: if you modify Teleport and make it accessible over a network, you must make the modified source available to users of that network service. For most self-hosters running the software internally for their own organization, the AGPL’s network clause is unlikely to trigger, but if you plan to offer a managed Teleport service to external customers using modified code, you are required to publish those modifications. The enterprise modules in the e/ directory are maintained separately and are not included in the open-source repository.
Running Teleport yourself is operationally substantial. A minimal single-node cluster is approachable via the Linux daemon or Docker Compose, but production deployments require a highly available Auth Service backed by DynamoDB, etcd, Firestore, or PostgreSQL; a Proxy Service exposed with valid TLS certificates (Teleport supports ACME automatically); and individual agents co-located with each SSH host, database, Kubernetes cluster, or Windows desktop you want to protect. You are responsible for certificate rotation (Teleport automates this but you must monitor it), session recording storage (S3 or compatible), log retention, cluster upgrades across all registered agents, and hardware security module (HSM) integration if required. Agent version skew policies and Teleport’s managed update mechanism (tbot’s update service) reduce the upgrade burden, but multi-cluster federation and audit log aggregation add coordination overhead.
Teleport Enterprise Cloud removes the operational burden entirely: Gravitational manages the Auth and Proxy Services, provides a 99.9% uptime SLA, handles certificate rotation and cluster upgrades, and offers native integrations with Okta, Microsoft Entra ID, and PagerDuty at scales that would require significant self-hosted tuning. Enterprise-only features include the Identity Security (Access Graph) visualization layer for access path analysis, hardware device trust enforcement, Okta SCIM synchronization, Access Monitoring with Athena-backed audit log queries, FIPS 140-2 compliant builds, and dedicated commercial support with guaranteed response times. Self-hosters get the full core feature set — SSH, Kubernetes, database, RDP, MCP, JIT access, session recording — but give up the managed control plane, tiered support, and some compliance-focused analytics features that are exclusive to the Enterprise tier.