Identity Enforcement Gateway

Every request — HTTP, SSH, SQL, VPN, or browser-based — passes through a central identity and policy engine before reaching any backend. One gateway replaces your proxy, bastion, VPN, and identity stack.

How it works

User access

Users / Consumers Browser, CLI, API, VPN

→

Hexon Cluster Authenticate · Check policy · Forward or deny

→

Backends Ed25519 signed identity headers

Authentication happens at the gateway, not at the backend. Backends receive identity headers signed with Ed25519 — they verify who made the request without implementing auth. The identity provider and the access proxy are the same process. No integration gap, no token exchange between products.

Authentication

Internal methods WebAuthn · TOTP · X.509
Kerberos · Magic link
Email OTP · JIT 2FA

External federation LDAP · AD · Okta · Entra · Google
OIDC RP · SAML
API

↘↙

Hexon Cluster Session · MFA step-up · Audience per application

↙↘

Signed Ed25519 headers User · Email · Groups
Per-request verification

JWT Bearer token OAuth 2.0 SSO
Per-route injection

Users authenticate with any of 10 methods — from WebAuthn passkeys to federated OIDC from your existing IdP. Every session is scoped to an audience (the application being accessed) with optional MFA step-up. Backends receive either Ed25519 signed identity headers or an injected JWT Bearer token — configured per route, no backend code changes.

Identity & policy

Directory sources LDAP · AD · SCIM
Multi-provider merge
Priority resolution

→

Hexon Cluster Groups · Nested DAG traversal
Fresh per request

→

Per-protocol enforcement Proxy: per-route groups
SSH/SQL: group-based ACL
VPN: per-peer firewall
SAML SP: per-SP groups

Identity syncs from LDAP, Active Directory, or SCIM 2.0 with multi-provider merge and nested group resolution via DAG traversal. Groups are resolved from the locally synchronized directory on every request. The same groups control proxy route access, SSH bastion permissions, SQL query ACLs, VPN firewall rules, and SAML SP authorization. Disable a user once — every session, token, and connection revoked cluster-wide.

Service to service

Service A X.509-SVID from ACME CA

⇄

mTLS SPIFFE trust domain

⇄

Service B X.509-SVID from ACME CA

Services authenticate directly to each other via mTLS — traffic flows without routing through the gateway. The built-in ACME CA issues SPIFFE SVIDs with threshold signing (IANA PEN 64753). The gateway issues identities; it doesn't need to be the traffic bottleneck.

Control plane

Node A Leader

⇄

Cluster RPC NATS/JetStream · mTLS · X3DH · AES-256-GCM

⇄

Node B Replica

Every node coordinates through hexdcall — a distributed RPC framework over NATS/JetStream. mTLS between nodes, AES-256-GCM payload encryption, X3DH forward secrecy, and post-quantum ready TLS 1.3 (ML-KEM-768 + X25519). Leader election, saga transactions with automatic compensation, and state replication via JetStream KV. When a user is disabled or a config changes, every node knows instantly.

Threshold signing

Node A Encrypted shard

Node B Encrypted shard

Node C Encrypted shard

↘↓↙

Signed output TLS certificates · OIDC tokens · PATs · SAML assertions · SSH CA

The CA signing key never exists on any single node. Distributed Key Generation splits the key into encrypted shards — each shard encrypted at rest, signing sessions transported over a dedicated AES-256-GCM data plane. Certificates, tokens, and assertions are signed collaboratively via threshold ECDSA (GG18) and threshold EdDSA (FROST). ES256, ES384, ES512, and Ed25519. No external HSM required — threshold signing distributes key material across nodes.

End-to-Origin Encryption

Browser ECDH P-256 + AES-256-GCM
WebCrypto API

E2OE channel (encrypted)

CDN sees ciphertext

WAF sees ciphertext

Hexon Decrypts · Authenticates
Forwards to backend

Baseline ECDH + AES-GCM — encrypted channel

Tier 1 + WebAuthn channel binding — hardware-attested

Credentials and sensitive data are encrypted at the application layer — above TLS. The browser and Hexon perform an ECDH P-256 key exchange and encrypt with AES-256-GCM. Intermediaries that terminate TLS — CDNs, WAFs, proxies — see ciphertext. With Tier 1, the ECDH key exchange is bound to a WebAuthn hardware authenticator, preventing active MitM relay. The channel persists across page loads via HMAC-SHA256 rebind proof — no re-authentication required.

Core capabilities

All capabilities, one deployment, one user directory, one policy engine.

Identity-Aware Proxy

Per-request authentication and authorization. HTTP/3 (QUIC), gRPC, WebSocket with TLS 1.3. Per-route OIDC SSO with group-based policies. Seven load balancing algorithms. Multiple health check protocols. Expression-based circuit breakers. Backends get SSO via Ed25519 signed identity headers — no code changes.

SSH Bastion

Short-lived SSH certificates from the gateway's threshold Ed25519 CA. Session recording in asciinema v2 format. Web terminal via browser. Device code auth (RFC 8628) for headless environments. SFTP with group-based ACL. No SSH keys to distribute.

SQL Bastion

MySQL and PostgreSQL access control at the query level. Eight-layer ACL pipeline: input validation, rate limits, read-only enforcement, database access, pattern matching, table permissions, complexity scoring, auto LIMIT injection.

OIDC & SAML Provider

Full OAuth 2.0 authorization server. Authorization Code + PKCE, Device Code, Client Credentials, JWT Bearer. DPoP, PAR, mTLS cert-bound tokens. SAML 2.0 IdP with per-SP access control. Federate with Azure AD, Okta, or Google.

Identity & Directory

LDAP and SCIM 2.0 directory sync with multi-provider merge. 10 authentication methods: WebAuthn, TOTP, X.509, Kerberos, magic links, JIT 2FA, email OTP, and more. Disable a user once — every session, token, and connection revoked cluster-wide.

ACME & CA

Internal CA with threshold ECDSA signing — the key never exists on any single node. RFC 8555 ACME server with OCSP and CRL. ACME client for Let's Encrypt. SPIFFE SVIDs for workload identity. Near-instant TLS session resumption from local certificate cache.

Clientless Access

Browser-native access to internal networks. Forward proxy with auto-generated PAC files. HTTP CONNECT for TCP tunneling, CONNECT-UDP (RFC 9298 / MASQUE) for UDP over HTTP/3. No VPN client, no agent, no software on the user's machine.

Protection

WAF (Coraza v3, OWASP CRS). Rate limiting with JA4 TLS fingerprinting. firewall with per-peer chain isolation. Geo-IP and time-based access control. Proof-of-work challenges. Seven load balancing algorithms with shadow traffic for canary testing.

L3 Network Access

IKEv2 VPN with kernel IPsec and split tunneling, or HexonConnect light client over QUIC with device-authenticated access. Captive portal for native OS login. WireGuard inter-node mesh with HKDF-SHA256 key derivation. Per-peer firewall with group-based ACL.

Site connectors

Deploy a lightweight connector behind your firewall. It dials out to Hexon over QUIC — no inbound ports. All protocols work through the tunnel: HTTP, SSH, SQL, forward proxy. Channel-bound authentication ties the tunnel to the TLS session (RFC 5705). Epsilon-greedy adaptive instance selection. Three-phase cluster-wide rebalancing with locking protocol to prevent split-brain. Network diagnostics through the tunnel via admin CLI.

Traffic management

Traffic routing, health monitoring, and resilience — built into every proxy route.

Load balancing

Seven algorithms: adaptive (epsilon-greedy) as default, round-robin, weighted (EDF), least-connections (P2C), consistent hash (xxhash), Maglev, and random. Per-route algorithm selection. JA4 fingerprint routing for session affinity.

Health checks

Multiple native protocols: TCP, HTTP, HTTP/3, and gRPC. Configurable intervals, thresholds, and timeouts. Unhealthy backends removed from rotation automatically.

Circuit breakers

Expression-based trip conditions — error_rate > 0.1 && latency_p99 > 2.0. Per-protocol breaking with gRPC-aware status extraction. Automatic recovery with configurable half-open probing.

Outlier detection

Three detection modes: consecutive failures, statistical success rate analysis, and failure percentage threshold. Automatic backend ejection and recovery. Protects the pool from a single degraded backend.

Shadow & canary

Request shadowing copies live traffic to alternate backends for canary testing. Per-route sampling rate. Non-blocking — shadow responses are discarded. Validate new deployments against real production traffic.

Multi-site routing

Proxy mappings route through connector tunnels via the site field. Per-site adaptive backend selection. DNS resolves at the remote site — no IP collision concerns. HTTP, SSH, SQL, and forward proxy work across sites.

Security and identity architecture

Every protocol shares the same user directory, session store, and policy engine. Change once, enforce everywhere.

10 authentication methods

OIDC federation, SAML, WebAuthn/passkeys (FIDO2), X.509 client certificates, Kerberos (SPNEGO), TOTP, email OTP, magic links, JIT 2FA for legacy apps, personal access tokens. Multi-factor with step-up enforcement.

Directory sync

LDAP (Active Directory, FreeIPA, OpenLDAP) and SCIM 2.0 with multi-provider merge. Priority-based conflict resolution, nested group resolution (DAG traversal), deletion safety with per-sync thresholds. Disable a user — all sessions revoked cluster-wide.

Threshold CA

The CA signing key never exists on any single node. Certificates signed collaboratively via threshold ECDSA (ES256/ES384/ES512) using GG18 DKG. No external HSM required — threshold signing distributes key material across nodes. OCSP responder and CRL distribution.

Signed identity headers

Every proxied request includes user, email, and groups signed with Ed25519. Backends verify the signature with a public key — no shared secrets, no auth protocol to implement. PROXY protocol v1/v2 for client IP preservation.

Defense in depth

Six protection layers in fixed order: rate limiting (JA4 fingerprint), size limiting, proof-of-work (SHA-256), WAF (Coraza v3, OWASP CRS with four paranoia levels), geo-access (MaxMind), time-access (IANA timezone). firewall with per-peer chain isolation.

Instant revocation

Disable a user in the directory — every active session, SSH connection, VPN tunnel, and SQL session terminates. Cluster-wide. Not because we poll. Because every node already knows via distributed session store with saga-based atomic operations. Issued bearer tokens expire on their configured TTL; token introspection enforces real-time revocation.

Control plane

NATS/JetStream with mTLS, AES-256-GCM payload encryption, X3DH forward secrecy. Post-quantum ready TLS 1.3 (ML-KEM-768 + X25519). Leader election, saga transactions with automatic compensation, state replication via JetStream KV.

Observability

SSH sessions recorded in asciinema v2 format. SQL query logging per ACL layer. HTTP request auditing with correlation IDs. Structured JSON logging. Prometheus metrics per module. Notifications to Slack, Teams, Discord, PagerDuty, email, and custom webhooks.

Operations

Config as code

One TOML file defines everything. Environment variable overrides with ${VAR} template substitution. 65+ auto-generated Kubernetes CRDs. Terraform provider. Zero-downtime hot-reload with SHA-256 change detection and callback throttling.

GitOps

Point the gateway at a Git repository. SSH or HTTPS with PAT authentication. Leader-only polling, config validation before apply, broadcast reload. Webhook-triggered pulls. Every change auditable through git history.

AI-native admin

MCP server with +60 self-documenting knowledge modules. CLI for operators. Your AI assistant speaks both. Two-phase write confirmation with 128-bit entropy codes. Playbooks as MCP prompts. Full audit trail — who, what, when, where, result.

Deployment

Helm (StatefulSet, Deployment, DaemonSet), Docker, RPM, or bare metal. amd64 and arm64. Rocky Linux and Alpine images. NATS/JetStream clustering with mTLS and leader election. Three or more nodes for HA.

Every capability. One deployment. Zero sprawl.

Contact See what we built