Built by Engineers, for Engineers

One PAM for SSH, RDP, VNC, Kubernetes, gRPC, Telnet, databases & web apps

OnePAM combines identity-aware privileged access management, proxying, and session recording in one platform. Every capability addresses a real operational challenge across SSH, RDP, VNC, Kubernetes, gRPC, Telnet, databases, and web apps.

  • SSH, RDP, VNC, K8s, gRPC, Telnet, databases & web apps in one platform
  • Unified RBAC across all protocols
  • Session recording for every access type

8 access protocols: SSH, RDP, VNC, Kubernetes, gRPC, Telnet, Databases, Web Apps
100% sessions recorded: full audit trail
Identity-aware proxying: native + browser access
<5 min time to deploy: start securing immediately

Capabilities Across Every Protocol

Every capability applies consistently to SSH, RDP, VNC, Kubernetes, gRPC, Telnet, database, and web app access — unified identity controls, session recording, RBAC policies, and audit trails across every connection type.

SSH Access Management

Secure shell access with browser-based terminal — no SSH ports exposed to the internet. Full terminal emulation, session recording, keystroke logging, and identity-based access controls for compliance.

Learn more

Secure RDP Access Management

Native RDP access with Kerberos authentication and Active Directory Protected User support. Access Windows desktops through the browser or GUI client — no RDP ports exposed. Includes SSO, MFA, full screen recording, clipboard controls, and file transfer policies.

Learn more

VNC Remote Desktop Access

Embedded VNC access with browser-based remote desktop — no VNC ports exposed to the internet. SSO, MFA, full session recording, clipboard controls, and read-only mode for secure remote management of Linux desktops, Proxmox hosts, and headless servers.

Learn more

Database Access Management

Proxy-based database access for PostgreSQL, MySQL, MongoDB, and more. Role-based access controls, per-user identity, full query audit logging, and dynamic data masking — no shared database credentials.

Learn more

Internal Web App Access

Give every internal web app a permanent URL with SSO, MFA, and zero VPN. Deploy shared gateways for instant access or dedicated gateways with LDAP/AD and full isolation. Users are automatically signed in — works with Grafana, Jenkins, ArgoCD, and any web application.

Learn more

VPN Access

Secure network-level access powered by WireGuard, built into the gateway. Policy-driven access controls enforce who can connect, from which platforms, and to which networks. Native client support for desktop and mobile with automatic peer expiration and dynamic policy re-evaluation.

Learn more

Kubernetes Access Management

Secure Kubernetes API proxy with identity-aware impersonation, kubectl exec session recording, pod log streaming, and short-lived kubeconfig tokens. No direct cluster access required.

Learn more

gRPC-Aware Proxy

HTTP/2-aware reverse proxy for gRPC services with per-method access policies, service discovery via reflection, and full request/response audit logging.

Learn more

Telnet Access Management

Secure Telnet access bridging browser-based terminals to legacy network devices, mainframes, and industrial systems. Full session recording, TLS upgrade support, and Telnet option negotiation.

Learn more

Identity Provider Integration

Works with Okta, Azure AD, Google Workspace, and any SAML/OIDC provider. Full SAML 2.0 Service Provider with JIT user provisioning. One identity, unified access policies across all your infrastructure.

Learn more

Session Recording

Full audit trail with video-like playback. See exactly what happened during any session for compliance, forensics, and training.

Learn more

Just-In-Time Access

Time-limited permissions with approval workflows. Users get access only when needed, automatically revoked when the window closes.

Learn more

Browser-Based Access

SSH, RDP, VNC, Kubernetes, Telnet, and database access directly in the browser. No agents to install, no ports to expose, no VPN to manage. Works from any device, anywhere.

Learn more

Zero Trust Architecture

Verify every request, trust nothing by default. Every connection is authenticated, authorized, and encrypted — no implicit trust zones.

Learn more

Compliance & Audit

SOC 2, GDPR, HIPAA audit support out of the box. Detailed logs, session recordings, and access reports for any compliance framework.

Learn more

Interactive Slack Bot

Approve or deny access requests directly from Slack with interactive messages. Managers receive real-time notifications with one-click approve/deny buttons, eliminating context-switching and reducing access request latency from minutes to seconds.

Learn more

Session Risk Analysis

Automatically detect risky commands and dangerous queries in session recordings. Regex-based pattern matching identifies destructive operations, privilege escalation attempts, credential access, and data exfiltration — triggering real-time alerts for security teams.

Learn more

Approval Workflows

Configurable multi-step approval chains for access requests. Define who approves, in what order, and with what time limits — across web apps, endpoints, groups, resource sessions, and VPN tunnels. Auto-approve trusted roles, auto-deny stale requests, and notify approvers via email, Slack, Discord, or webhooks.

Learn more

Native CLI Client

Use onepam ssh, onepam psql, and onepam mysql to access servers and databases from your native terminal without a browser. The OnePAM CLI authenticates via OAuth2 Device Code Flow and creates secure sessions through the gateway.

Learn more

Security Policies

Enforce organisation-wide and team-level security policies that govern session behaviour. Configure re-authentication windows, idle timeouts, concurrent session limits, and MFA requirements — with team-level overrides for granular control across departments.

Learn more

Gateway Failover

Keep your team connected even when the cloud control plane is unreachable. Gateway Failover maintains a real-time synced local cache of users, resources, and access policies on every gateway — so CLI and GUI clients can authenticate, list resources, and create sessions directly through the gateway when the cloud API is offline.

Learn more

Data Residency

Choose where your data lives — EU, US, or Asia-Pacific. Data residency is selected at signup and permanently determines where session recordings, audit logs, and infrastructure metadata are stored. Regional gateway preference ensures traffic stays close to your data.

Learn more

Live Session Monitoring

Watch privileged sessions in real time with the four-eyes principle. Administrators can observe active SSH, RDP, and database sessions as they happen — and intervene instantly by sending warnings or terminating sessions that violate policy.

Learn more

ITSM / Ticketing Integration

Connect OnePAM to your IT Service Management platform — ServiceNow or Jira — to require valid change tickets before granting privileged access. Approval workflows can validate ticket status automatically and post audit comments back to the ticket.

Learn more

Access Reviews

Run periodic access certification campaigns to verify that every user still needs their privileges. Reviewers approve, revoke, or flag access grants — and OnePAM automatically enforces the decisions, revoking team memberships and access requests that fail review.

Learn more

Command Filtering & Blocking

Define regex-based rules to intercept, log, or block dangerous commands in real time across SSH sessions and database queries. Prevent accidental or malicious operations like DROP TABLE, rm -rf, or shutdown before they reach the target system.

Learn more
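The regex rule engine behind both Session Risk Analysis and Command Filtering & Blocking, sketched as an added example (not OnePAM's code; the rule names, patterns and the sample session are constructed): one rule set decides in real time whether a command or query is allowed, logged, alerted on or blocked, and the same rules are run again over a recording to surface risky operations after the fact.

```python
import re
from dataclasses import dataclass

# Constructed rule set for illustration; OnePAM's real rules and rule format are not shown on the page.
@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str
    action: str   # "log", "alert" (notify the security team) or "block" (never reaches the target)
    scope: str    # "ssh" for shell commands, "db" for queries, "any" for both

RULES = [
    Rule("drop-table", r"\bDROP\s+TABLE\b", "block", "db"),
    Rule("unfiltered-delete", r"\bDELETE\s+FROM\s+\w+\s*;?\s*$", "block", "db"),
    Rule("bulk-export", r"\bINTO\s+OUTFILE\b|\bCOPY\b.+\bTO\b", "alert", "db"),
    Rule("recursive-rm", r"\brm\s+(?:-\w+\s+)*-\w*r\w*", "block", "ssh"),   # short flags only
    Rule("power-off", r"\b(?:shutdown|reboot|halt|poweroff)\b", "block", "ssh"),
    Rule("root-shell", r"\bsudo\s+(?:-i|-s|su)\b", "alert", "ssh"),
    Rule("credential-read", r"\bcat\b.*(?:/etc/shadow|\.ssh/id_|\.aws/credentials)", "alert", "ssh"),
    Rule("privileged-cmd", r"\bsudo\b", "log", "any"),
]
COMPILED = [(rule, re.compile(rule.pattern, re.IGNORECASE)) for rule in RULES]
SEVERITY = {"allow": 0, "log": 1, "alert": 2, "block": 3}

def evaluate(command: str, scope: str) -> dict:
    """Real-time decision for one command or query: the most severe matching action wins."""
    hits = [rule for rule, rx in COMPILED if rule.scope in (scope, "any") and rx.search(command)]
    action = max((rule.action for rule in hits), key=SEVERITY.get, default="allow")
    return {"command": command, "scope": scope, "action": action, "rules": [r.name for r in hits]}

def scan_session(commands: list, scope: str) -> list:
    """Post-hoc risk analysis over a recording: every entry that is not a plain allow."""
    return [f for f in (evaluate(c, scope) for c in commands) if f["action"] != "allow"]

# Constructed sample recording of one SSH session (not taken from the page).
SAMPLE_SSH_SESSION = [
    "sudo systemctl status nginx",
    "tail -n 50 /var/log/syslog",
    "cat ~/.ssh/id_ed25519",
    "rm -rf /var/lib/app/cache",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SSH_SESSION, "ssh"):
        print(finding["action"].upper(), finding["rules"], finding["command"])
```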

Compliance Posture Dashboard

Real-time compliance posture across SOC 2, ISO 27001, PCI DSS, and HIPAA frameworks. See which controls are met, which have gaps, and drill into evidence — with trend tracking and WebSocket-driven live updates.

Learn more

Cloud Entitlement Management

Visibility into cloud IAM permissions across AWS, Azure, and GCP. Identify over-provisioned identities, assess entitlement risk, and get actionable least-privilege policy recommendations — all from a single dashboard.

Learn more

Network & Resource Discovery

Automatically discover servers, databases, and services across your infrastructure. OnePAM agents scan local networks for reachable services and cloud integrations enumerate resources from AWS, Azure, and GCP — giving you a complete inventory of what can be onboarded.

Learn more

How It Works — Consistently Across SSH, RDP, VNC, Kubernetes, gRPC, Telnet, Databases & Web Apps

The same identity verification, session recording, and access policies apply to every protocol — a unified approach that eliminates the gaps between siloed access tools.

Identity-First

Every Connection Tied to a Real Identity

SSH keys forwarded between team members, shared RDP admin accounts, database passwords in Slack, web apps behind nothing but a network, legacy VPN tunnels with no identity controls. OnePAM ties every SSH session, RDP connection, VNC session, Kubernetes API call, gRPC request, Telnet session, database query, web app interaction, and network tunnel to a verified identity from your IdP.

  • Identity-based SSH — no more shared keys or authorized_keys sprawl
  • Per-user RDP access — no more shared admin accounts
  • Kubernetes API with user impersonation — every kubectl command tied to a real identity
  • Individual database credentials — no more shared connection strings
  • SSO for web apps — even legacy tools without native auth support
  • Per-user network tunnels — identity-verified WireGuard connections
Explore identity integration
Full Visibility

Session Recording Across All Protocols

Every SSH terminal command, RDP desktop interaction, VNC session, kubectl exec session, Telnet session, gRPC call, database query, web app session, and network connection is recorded with video-like playback and structured logs — providing the complete, cross-protocol audit trail that compliance frameworks require.

  • SSH — full terminal replay with keystroke logging
  • RDP — screen recording with clipboard and file transfer tracking
  • Kubernetes — kubectl exec session recording as asciinema
  • gRPC — request/response audit logging with protobuf-to-JSON
  • Telnet — full session recording for legacy device access
  • Databases — complete query recording with data masking
  • Web Apps — request-level audit trails and session recording
See session recording
[Illustration: a recorded SSH session on prod-server-01 showing identity and hardware-key MFA verification, an 8-hour certificate, the commands run with their output, and a summary of 142 commands and 3 alerts]
Time-Limited

Time-Bound Access Across Every Protocol

Stale SSH keys, dormant RDP accounts, permanent database admin privileges, web app sessions that never expire — every protocol suffers from standing access. OnePAM enforces time-limited permissions across SSH, RDP, VNC, Kubernetes, gRPC, Telnet, databases, and web apps with automatic revocation.

  • SSH sessions with auto-expiring certificates
  • RDP access windows with automatic disconnection
  • Database credentials scoped to individual sessions
  • Web app access with time-boxed session tokens
  • Network tunnels with automatic peer expiration and re-authentication
Learn about JIT access
[Illustration: JIT access workflow for prod-db (4h read-write): request submitted, manager approval via Slack under policy sre-prod-db, session active with a scheduled auto-revoke time, then credentials revoked and session archived at expiry, with each step audit logged]
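An added example (not OnePAM's code; the role names, chain steps and time limits are constructed) of the time-bound grant lifecycle described above: a request either auto-approves for a trusted role or walks an ordered approval chain, stale requests are auto-denied, and the grant is revoked automatically once its window closes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy values for illustration; not OnePAM's own configuration.
TRUSTED_ROLES = {"sre-oncall"}            # auto-approved, no human in the loop
APPROVAL_CHAIN = ["manager", "security"]  # steps must complete in this order
STALE_AFTER = timedelta(hours=2)          # unanswered requests are auto-denied
MAX_GRANT = timedelta(hours=4)            # hard cap on any access window
T0 = datetime(2025, 2, 8, 13, 30)         # constructed clock origin for the demo

@dataclass
class AccessRequest:
    user: str
    resource: str
    role: str
    duration: timedelta
    requested_at: datetime
    approvals: list = field(default_factory=list)  # chain steps already approved
    state: str = "pending"      # pending / active / denied-stale / revoked-expired
    expires_at: datetime = None  # set on activation

def submit(user, resource, role, hours, now=T0) -> AccessRequest:
    req = AccessRequest(user, resource, role, min(timedelta(hours=hours), MAX_GRANT), now)
    if role in TRUSTED_ROLES:
        req.state, req.expires_at = "active", now + req.duration
    return req

def approve(req, step, now) -> AccessRequest:
    """One approver acts; the grant activates only after the full chain has signed off."""
    if enforce(req, now) != "pending":
        return req                                  # stale, already active, or revoked
    expected = APPROVAL_CHAIN[len(req.approvals)]
    if step != expected:
        raise ValueError(f"out-of-order approval: expected {expected}, got {step}")
    req.approvals.append(step)
    if len(req.approvals) == len(APPROVAL_CHAIN):
        req.state, req.expires_at = "active", now + req.duration
    return req

def enforce(req, now) -> str:
    """Run at session start and on a timer: auto-deny stale requests, auto-revoke expired grants."""
    if req.state == "pending" and now - req.requested_at > STALE_AFTER:
        req.state = "denied-stale"
    elif req.state == "active" and now >= req.expires_at:
        req.state = "revoked-expired"               # session archived and audit-logged here
    return req.state

def hours_later(h: float) -> datetime:
    return T0 + timedelta(hours=h)
```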
Your Infrastructure

Gateway You Control, Secrets That Stay Local

Deploy a gateway in your own infrastructure and restrict all access to flow exclusively through it. Secrets are resolved within your infrastructure — Business+ customers can store credentials in an encrypted local database that no external component can access.

  • Install gateway in your network — all access stays internal
  • Restrict to your gateway only (Business+) or use OnePAM shared gateways
  • Secrets resolved gateway-side — never sent to the control plane
  • Local AES-256 encrypted vault for credentials (Business+)
Read the Trust Center
Flexible Authentication

SSO, SAML, or LDAP — Your Identity, Your Rules

OnePAM delegates authentication to your existing identity provider — whether that's OIDC, SAML, or a dedicated LDAP/Active Directory server. Users authenticate once, and every app knows who they are. No extra login pages, no shared passwords, no app-level integration required.

  • Delegate to your OIDC or SAML identity provider
  • Connect to LDAP or Active Directory on dedicated gateways
  • Works with NetBox, Grafana, Jenkins, ArgoCD, and more
  • No code changes needed on the app side
  • Built-in protection against identity spoofing
Explore Web App Access
No Client Software

All Protocols in the Browser

SSH terminals, RDP desktops, VNC sessions, kubectl exec, Telnet terminals, database consoles, and internal web apps — all accessible through the browser. No client software required, no ports to expose. One consistent experience across every access type, on any device.

  • SSH — full terminal emulation with xterm.js
  • RDP — native desktop experience with clipboard and file controls
  • Kubernetes — kubectl exec and pod log streaming in the browser
  • Telnet — browser terminal for legacy network devices and mainframes
  • Databases — query console with schema browser and data masking
  • Web Apps — proxied access with SSO injection and session controls
  • Works on managed and unmanaged devices — no agent required
Explore browser access
[Illustration: browser access console at access.onepam.com showing an authenticated, MFA-verified, recorded SSH session running kubectl get pods, with tabs for SSH terminal, RDP desktop, SQL console, web and VPN tunnel; browser access, native clients, any device]
VPN Access

VPN Access with Policy-Driven Controls

Sometimes you need network-level access, not just application proxying. OnePAM includes a WireGuard-powered network access server in the gateway with a built-in access policy engine. Control who can connect, from which platforms, and to which networks — with automatic enforcement when policies change.

  • WireGuard — modern, fast, and cryptographically sound tunnel protocol
  • Network access policies — allow or deny by user, team, IP, country, and platform
  • CIDR route restrictions — policy controls which networks peers can reach
  • Dynamic re-evaluation — active peers updated instantly when policies change
  • Split tunneling and exit node routing controlled by policy
  • Native clients on macOS, Windows, Linux, iOS, and Android
  • Per-user peer limits enforced by plan and policy
  • Full audit trail for policy denials, revocations, and restriction changes
Explore VPN Access
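An added example (not OnePAM's code; the policy rules, team names and the placeholder country code are constructed) of a policy engine that turns user, team, platform and country into the CIDR routes a WireGuard peer may reach, and re-evaluates active peers when the policy changes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Peer:
    user: str
    teams: frozenset
    platform: str   # "macos", "windows", "linux", "ios" or "android"
    country: str    # ISO code from the connecting address (assumed known to the gateway)

@dataclass(frozen=True)
class NetRule:
    effect: str                     # "allow" or "deny"
    teams: frozenset = frozenset()  # an empty set means "any"
    platforms: frozenset = frozenset()
    countries: frozenset = frozenset()
    routes: tuple = ()              # CIDRs pushed to the peer when the rule allows

# Constructed policy (not OnePAM's rule format). First matching rule decides; no match means deny.
POLICY = [
    NetRule("deny", countries=frozenset({"ZZ"})),   # placeholder code for a blocked region
    NetRule("allow", teams=frozenset({"sre"}), routes=("10.0.0.0/8", "10.1.0.0/16", "172.16.0.0/12")),
    NetRule("allow", teams=frozenset({"dev"}), platforms=frozenset({"macos", "linux"}), routes=("10.1.0.0/16",)),
]

def _matches(rule: NetRule, peer: Peer) -> bool:
    return ((not rule.teams or bool(rule.teams & peer.teams))
            and (not rule.platforms or peer.platform in rule.platforms)
            and (not rule.countries or peer.country in rule.countries))

def evaluate(peer: Peer, policy: list) -> list:
    """Allowed CIDRs for this peer (its WireGuard AllowedIPs), collapsed; [] means it may not connect."""
    for rule in policy:
        if _matches(rule, peer):
            if rule.effect != "allow":
                return []
            nets = (ipaddress.ip_network(r) for r in rule.routes)
            return [str(n) for n in ipaddress.collapse_addresses(nets)]
    return []   # default deny: nothing is reachable unless a rule says so

def reconcile(active: dict, peers: dict, policy: list) -> dict:
    """Re-evaluate after a policy change: peers whose routes change, [] meaning disconnect."""
    changes = {}
    for user, routes in active.items():
        new_routes = evaluate(peers[user], policy)
        if new_routes != routes:
            changes[user] = new_routes
    return changes
```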

Focused on Access, Not Identity Management

We complement your IdP—we don't replace it. Here's what we leave to others.

  • User provisioning (use your IdP)
  • Password management (use Okta, Azure AD)
  • Endpoint management (use MDM)
  • Network segmentation (use your firewall)
Integrates with Okta, Azure AD, Google Workspace, SAML, and OIDC

See How We're Different

Built-in network access plus application-layer access. Compare our Zero Trust approach to traditional access solutions.

SSH, RDP, VNC, Databases & Web Apps — One Platform

Unified access controls, session recording, and RBAC across every protocol. Deploy in minutes and secure every connection type from a single platform.

14-day free trial • Built to SOC 2 standards • No credit card required