One Gateway. Zero Sprawl.

The identity enforcement gateway — replaces your reverse proxy, bastion, and identity stack.

The identity provider is the proxy is the bastion is the CA.

Human or machine — one identity, one policy engine.
Workload identity via SPIFFE. No sidecars.
Every authenticated request carries verified identity.

Reverse Proxy · SSH/SQL Bastion · Identity Provider · Service Mesh · Internal CA · OWASP WAF · No Agents/Sidecars

All your access. One identity.

Identity is enforced on every connection — each capability below is a consequence of that rule.

Identity-Aware Proxy

Authentication and authorization per request. No plugins or Lua.
HTTP/3 (QUIC), gRPC, WebSockets.
Per-route SSO and group policies.

SSH Bastion

Threshold CA, short-lived certificates.
No SSH keys to manage. Session recordings.
Web terminal and device code auth.

SQL Bastion

MySQL and PostgreSQL access control.
Table permissions and complexity scoring.
Query-level, not just connection-level.

Clientless Access

Browser-based internal access.
No VPN or client software.
Works with any browser, auto-configured.

OIDC Provider

Full OAuth 2.0 authorization server.
No separate identity product to integrate.
Personal access tokens, dynamic clients.

ACME Provider

Internal CA with threshold signing.
No HSM, no cert-manager, no Vault.
Also ACME client for external CAs.

How it fits your stack

Identity sources: LDAP · AD · SCIM · API · Okta · Entra · Google
Clients: Browser · CLI · API (via load balancer)
Hexon cluster: Authenticate · Authorize · Forward
Backends: signed headers or JWT
Components: Identity-Aware Proxy · SSH Bastion · SQL Bastion · OIDC / SAML · Internal CA

Hexon CA issues SPIFFE identities; service-to-service traffic flows directly:

Service A ⇄ Service B: mTLS with SPIFFE identities · Authenticate · Authorize

Networks that are not directly reachable connect via connectors; no inbound ports.

Start as a reverse proxy with your existing IdP. Replace ingress, proxies, bastions, PKI, VPNs and identity as you go.

Expose services. Reach private networks.
No inbound ports. No passwords.

Deploy a lightweight connector behind your firewall. It dials out to Hexon.
SSH, SQL, HTTP — every protocol through one tunnel.
WebAuthn/FIDO2, TOTP, OTP, Magic Link, PAT, or X.509 — user's call.

One disable, all sessions dead

Revoke a user.
Every HTTP, SSH, VPN, and SQL session terminated — cluster-wide, within seconds.

Zero integration gap

The identity provider IS the proxy.
No token exchange between separate products, so no integration seam to attack.

Minimal attack surface

Single process. No sidecars, no agents, no client software.
Fewer moving parts, fewer things to exploit.

No single point of compromise

CA and OIDC signing keys distributed via threshold cryptography.
Compromise one node — the signing key remains split across the cluster.
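What "the signing key remains split" means in practice, as an added illustration (not Hexon's implementation): Shamir k-of-n sharing over a prime field. Any k shares recover the secret; k-1 shares are consistent with every possible secret, so a single compromised node learns nothing. Real threshold signature schemes (FROST and similar) go further and produce signatures without ever reconstructing the key on one node; this toy only shows the sharing property. The prime, the sample secret and the share counts are assumptions chosen for the demo.

```python
"""Shamir k-of-n secret sharing over GF(p): why one compromised node yields nothing.

Added illustration, not Hexon's implementation. Real threshold signing
schemes sign without ever reassembling the key; this only demonstrates
the k-of-n property. The prime P and the sample values are assumptions.
"""
import secrets
from typing import Callable, List, Tuple

P = 2**127 - 1            # Mersenne prime; all arithmetic is mod P (assumed for the demo)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, threshold: int, n_shares: int,
                 rand: Callable[[int], int] = secrets.randbelow) -> List[Tuple[int, int]]:
    """Return n_shares points (x, f(x)) of a random degree-(threshold-1) polynomial with f(0) = secret."""
    if not 1 <= threshold <= n_shares or not 0 <= secret < P:
        raise ValueError("bad parameters")
    coeffs = [secret] + [rand(P) for _ in range(threshold - 1)]   # constant term is the secret
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def interpolate_at(points: List[Tuple[int, int]], x0: int) -> int:
    """Lagrange interpolation of the unique polynomial through `points`, evaluated at x0 (mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P   # pow(den, -1, P) is the modular inverse
    return total


def recover_secret(points: List[Tuple[int, int]]) -> int:
    """f(0) from any `threshold` distinct shares; fewer shares give an unrelated value."""
    return interpolate_at(points, 0)


def implied_share(known: List[Tuple[int, int]], guessed_secret: int, x: int) -> int:
    """With threshold-1 shares, every guess of the secret fits exactly one polynomial.

    Returns the share at `x` that the guess would imply. Every guess yields a
    different but equally valid share, so threshold-1 shares carry no information.
    """
    return interpolate_at(known + [(0, guessed_secret)], x)


if __name__ == "__main__":
    secret = secrets.randbelow(P)                      # stands in for a CA or OIDC signing key
    shares = split_secret(secret, threshold=3, n_shares=5)
    print("3 of 5 recover the secret:", recover_secret(shares[1:4]) == secret)
    print("2 of 5 do not:", recover_secret(shares[:2]) == secret)
    print("2 shares fit guess 0 as well as guess 1:",
          implied_share(shares[:2], 0, 3) != implied_share(shares[:2], 1, 3))
```

The security argument is the last function: given two of three shares, the implied third share for a guessed secret is always a valid field element, so nothing distinguishes the right guess from a wrong one.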

Signed requests to backends

Every proxied request is cryptographically signed.
Backends verify origin without network-level trust.
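What the backend side of this must do, as an added example (not Hexon's code): the backend accepts identity only from a token whose signature, issuer, audience and expiry it has verified, and ignores any plain header such as X-User that a client on the network could set. The header name X-Proxy-Identity, the claim set and the HS256 algorithm are assumptions so the example runs with only the standard library; a production proxy would use an asymmetric algorithm verified against its published keys. sign_jwt() plays the proxy so the demo runs offline.

```python
"""Backend verification of a proxy-signed identity token.

Added example, not Hexon's code. Assumed (not from the page): the proxy
puts an HS256 JWT in the header X-Proxy-Identity with claims
iss="hexon", aud=<backend name>, sub, groups and exp. sign_jwt() plays
the proxy so the demo runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "hexon"                 # assumed issuer name
HEADER = "X-Proxy-Identity"      # assumed header name


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Proxy side: HS256 JWT over the claims (demo only)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, audience: str, now: Optional[float] = None) -> dict:
    """Backend side: return the claims only if signature, issuer, audience and expiry check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":          # pin the algorithm: 'none' and downgrades are rejected
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this backend")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def handle_request(headers: dict, key: bytes, backend: str,
                   now: Optional[float] = None) -> tuple:
    """Backend handler: identity comes only from the verified token, never from a plain header."""
    token = headers.get(HEADER)
    if not token:
        return 401, "missing proxy identity"       # a spoofable X-User header is simply ignored
    try:
        claims = verify_jwt(token, key, backend, now)
    except ValueError as exc:
        return 401, f"rejected: {exc}"
    groups = claims.get("groups")
    if not isinstance(groups, list) or "admins" not in groups:   # list check avoids substring matches
        return 403, f"{claims.get('sub')} is not in admins"
    return 200, f"hello {claims['sub']}"


if __name__ == "__main__":
    key = b"demo-shared-secret"                    # constructed; a real deployment uses its own key
    good = sign_jwt({"iss": ISSUER, "aud": "billing", "sub": "alice",
                     "groups": ["admins"], "exp": 1_700_000_600}, key)
    print(handle_request({HEADER: good}, key, "billing", now=1_700_000_000))
    print(handle_request({"X-User": "alice"}, key, "billing", now=1_700_000_000))
```

The checks that matter are the ones a naive backend skips: pinning the algorithm, comparing the MAC in constant time, and rejecting a token minted for a different backend (the aud claim), so a token captured from one service cannot be replayed against another.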

Service-to-service without the gateway

SPIFFE identities for workloads (IANA Private Enterprise Number 64753).
APIs authenticate directly via mTLS — no bottleneck.
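What "authenticate directly via mTLS" amounts to on the receiving service, as an added example (not Hexon's code): after the TLS handshake has validated the peer's chain against the trust domain's bundle, the service pulls the SPIFFE ID out of the certificate's URI SAN, validates it against the SPIFFE ID grammar, rejects foreign trust domains, and checks the caller against a policy table. The peer certificate is modelled in the shape Python's ssl.SSLSocket.getpeercert() returns, with a constructed sample; the trust domain example.org, the service names and the policy are assumptions.

```python
"""SPIFFE ID validation and caller authorization for direct mTLS.

Added example, not Hexon's code. The grammar follows the SPIFFE ID
specification: scheme spiffe, lowercase trust domain of [a-z0-9._-],
path segments of [A-Za-z0-9._-] that are never empty, "." or "..",
no query, fragment, userinfo or port, at most 2048 bytes. Chain
validation (ssl.CERT_REQUIRED against the trust bundle) is assumed to
have happened in the handshake. Names and policy are assumptions.
"""
import re

_TRUST_DOMAIN = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")
_PREFIX = "spiffe://"


def parse_spiffe_id(uri: str) -> tuple:
    """Return (trust_domain, path) or raise ValueError. Strict: the scheme must be lowercase."""
    if len(uri.encode()) > 2048:
        raise ValueError("SPIFFE ID longer than 2048 bytes")
    if not uri.startswith(_PREFIX):
        raise ValueError("scheme must be spiffe://")
    trust_domain, slash, path = uri[len(_PREFIX):].partition("/")
    if not trust_domain or not _TRUST_DOMAIN.match(trust_domain):   # also rejects user@, :port, uppercase
        raise ValueError(f"invalid trust domain {trust_domain!r}")
    if not slash:
        return trust_domain, ""               # bare trust-domain ID, e.g. spiffe://example.org
    for segment in path.split("/"):           # a trailing or doubled slash yields an empty segment
        if segment in ("", ".", ".."):
            raise ValueError(f"invalid path segment {segment!r}")
        if not _PATH_SEGMENT.match(segment):  # also rejects '?', '#', '@', ':' and spaces
            raise ValueError(f"invalid characters in segment {segment!r}")
    return trust_domain, "/" + path


def is_valid_spiffe_id(uri: str) -> bool:
    try:
        parse_spiffe_id(uri)
        return True
    except ValueError:
        return False


def svid_identity(peercert: dict) -> str:
    """Extract the SPIFFE ID from an X.509-SVID; exactly one URI SAN is required."""
    uris = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "URI"]
    if len(uris) != 1:
        raise ValueError(f"expected exactly one URI SAN, got {len(uris)}")
    trust_domain, path = parse_spiffe_id(uris[0])
    return f"{_PREFIX}{trust_domain}{path}"


def authorize(peercert: dict, local_trust_domain: str, allowed_callers: set) -> tuple:
    """Decide whether the authenticated peer may call this service."""
    try:
        peer = svid_identity(peercert)
    except ValueError as exc:
        return False, f"reject: {exc}"
    trust_domain, _ = parse_spiffe_id(peer)
    if trust_domain != local_trust_domain:    # federation would need an explicit bundle per domain
        return False, f"reject: foreign trust domain {trust_domain}"
    if peer not in allowed_callers:
        return False, f"reject: {peer} is not an allowed caller"
    return True, f"allow: {peer}"


# Constructed sample in getpeercert() shape; no real certificate is parsed here.
FRONTEND_CERT = {
    "subject": ((("commonName", "frontend"),),),
    "subjectAltName": (("URI", "spiffe://example.org/ns/prod/sa/frontend"),),
}
BILLING_POLICY = {"spiffe://example.org/ns/prod/sa/frontend"}   # callers allowed into billing (assumed)

if __name__ == "__main__":
    print(authorize(FRONTEND_CERT, "example.org", BILLING_POLICY))
    print(authorize({"subjectAltName": (("DNS", "frontend.internal"),)}, "example.org", BILLING_POLICY))
```

Two details are deliberate: a certificate with zero or several URI SANs is rejected outright rather than picking one, and authorization keys on the full SPIFFE ID, never on the subject's common name.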

AI-native operations

Admin via MCP and CLI.
Built-in AI assistant — bring your own LLM.

Opt-in session recording

Record SSH sessions, log SQL queries, audit HTTP requests — when you need it.
OpenTelemetry-native. Full chain of custody without the noise.

One source of truth

Sync from any LDAP — Active Directory, FreeIPA, OpenLDAP — or via SCIM.
Change a group, access updates everywhere.

Config as code

TOML, Kubernetes CRDs, or Terraform.
GitOps sync, zero-downtime reload. Every change auditable.

Runs anywhere. Your data stays yours.

Kubernetes · Docker · VM · LXC · Bare metal
Single region · Multi region · Self-managed · Managed service

Data sovereignty on self-managed deployments. No cloud dependency.
Same runtime, same config, same policy — wherever you run it.

Managed service also available — we operate, you control the policy.

One gateway. Every identity. Zero sprawl.