OnePAM Documentation

Comprehensive guides for deploying, configuring, and managing OnePAM Zero Trust Access.

What is OnePAM?

OnePAM is a Unified PAM Solution that provides secure SSH, RDP, VNC, Kubernetes, gRPC, Telnet, database, and web application access to your infrastructure.

It consists of three components: onepam.com (cloud platform), the Gateway (connection proxy), and the Agent (on-host runtime). The control plane never stores target credentials, agents resolve them locally, gateway-backed database sessions use ephemeral in-memory credentials only while active, every session is recorded, and all access is governed by identity-aware RBAC policies.

How It Works

1. AUTHENTICATE User logs in via SSO / MFA / OAuth2 2. AUTHORISE RBAC policies checked on onepam.com 3. CONNECT Gateway proxies to Agent on target 4. RECORD & AUDIT Session fully recorded Full audit trail Supported Protocols SSH Access Terminal + SFTP RDP Access Remote Desktop Database SQL + NoSQL engines Web Apps Reverse proxy + SSO HTTPS Tunnel Internal services 🔒 Zero Trust: No legacy VPN required. No open ports. Credentials encrypted at rest. Every session is fully recorded.

Key Capabilities

Secure Tunnelling Encrypted tunnels No open ports needed Endpoint Trust Enrol and verify endpoints Posture checks Session Recording SSH, RDP, VNC, K8s, gRPC, Telnet, DB, HTTPS Tamper-proof storage Lightweight Agent Single Go binary, <50 MB RAM <1% CPU overhead Smart Alerting Rules, dedup, escalation Email, Slack, Discord RBAC & Teams Org > Team > Group hierarchy Fine-grained permissions SSO & OAuth2 GitHub, Google, Azure AD Okta, Auth0, SAML, OIDC Secret Management Encrypted credential store HashiCorp Vault integration Health Checks HTTP, TCP, ICMP probes Automated monitoring IaC Automation Ansible, Puppet, Terraform Deploy at scale Alerting PagerDuty, Slack, Email Smart notifications

Quick Start

Install on Linux (recommended)
curl -sSL https://onepam.com/install/YOUR_ORG_UUID | sudo bash

Ensure outbound HTTPS (443) to onepam.com and updates.onepam.com.

Or run with Docker
docker run -d --name onepam-agent \
  --privileged --pid=host --network=host \
  -v /sys:/sys:ro -v /proc:/proc:ro \
  -e AGENT_API_URL=https://onepam.com \
  -e AGENT_TENANT_ID=00000000-0000-0000-0000-000000000000 \
  onepam/agent:latest
Verify Installation
# Check service status
sudo systemctl status onepam-agent

# View logs
sudo journalctl -u onepam-agent -f

Platform Support

Platform Architecture Minimum Kernel Status
Linux amd64, arm64 4.9+ GA
Docker amd64, arm64 4.9+ (host) GA

Feature Documentation

Resources

Manage SSH, RDP, VNC, database, HTTP, and TCP resources

Sessions & Recordings

Monitor live sessions, replay recordings, audit file transfers

Access Policies

RBAC policies, data masking, and access reviews

Endpoints & Clients

Deploy agents and install workstation clients

Secrets

Encrypted credential storage and management

Gateways

Dedicated gateways for data residency and low latency

Users, Teams & Groups

Organisation management with RBAC

Alerts

Smart alerting with multi-channel notifications

Audit Logs

Tamper-proof audit trail and log forwarding

VPN

WireGuard VPN with exit nodes and mesh networking

Compliance & Cloud IAM

Security posture and cloud entitlement management

Discovery

Automatic service discovery and onboarding

Getting Started

Architecture

Deep dive into components and data flow

Installation Guide

Step-by-step deployment instructions

Configuration

Complete configuration reference

Troubleshooting

Common issues and their solutions