Every device. Its own identity. A URL.
Give every field device a cryptographic identity and a private or public URL — without opening a port.
Online in three steps
No inbound ports. No runtime to install. One static binary.
Register the device
Add a device in the console and choose how its services are exposed.
Run the agent
Download a preconfigured agent or mint an enrollment token, run one installer, and the device connects itself.
Reach it anywhere
The device dials out to the relay; you reach it by hostname. It opens no inbound ports.
Built for fleets, not demos
Per-device PKI
Every device holds its own CA-issued certificate. The private key is generated on the device and never leaves it.
Zero-knowledge passthrough
Passthrough traffic is never decrypted at the relay. We route by TLS SNI without reading a single byte of your payload.
Hostname routing
Many devices share one address, demultiplexed by hostname — no port-per-device sprawl.
Fast revocation
Revoke a device and its live tunnels drop in seconds — the relay re-checks certificate status continuously.
Isolated organizations
Every resource belongs to an organization, and the boundary is enforced and adversarially tested in CI.
Gateway fan-out
One agent can expose anything on the device network — cameras, PLCs, gateways — each service behind its own route.
Edge access rules
Attach IP allowlists, basic auth, or mutual-TLS to a route as edge access rules.
Account security
Console accounts get role-based access, optional TOTP two-factor, and an append-only audit trail.
Boring, ownable infra
No Redis, no Kubernetes, no external broker — infrastructure you could run yourself.
Your traffic is yours
Passthrough traffic is never decrypted at the relay. We route by TLS SNI without reading a single byte of your payload.
Read the security modelSimple, device-based pricing
Beta pricing — validated with our first fleet operators.