Stop stale SSH keys from becoming permanent access

Grant time-limited SSH access to your servers. GrantSSH keeps authorized_keys in sync automatically, so temporary access actually expires.

Every server eventually grows an authorized_keys graveyard. GrantSSH keeps it clean.

Automatic key cleanup
No shared SSH keys
SSH access that actually expires
Grant SSH Access
Demo
Security

SSH Access Drift Is a Real Security Problem

Over time, SSH access quietly accumulates. Old keys remain. Temporary access becomes permanent. Eventually, nobody is quite sure who can log in anymore.

Keys accumulate

SSH keys are easy to add and easy to forget. Over time, servers collect access for old laptops, former contractors, emergency fixes, and people who no longer need it.

Temporary becomes permanent

Access is often granted for a project, an incident, or a one-off task. Without automatic expiry, it stays around until someone remembers to clean it up.

Nobody knows who can log in

A messy authorized_keys file does not tell you why access exists, who approved it, or when it should end.

Access

Controlled, Time-Bound, Auditable

GrantSSH gives you controlled SSH access with clear boundaries. Access is time-limited by default, centrally managed, and fully auditable.

Scheduled SSH access that expires on time

Grant access for hours, days, or weeks - not forever. When the time is up, access is automatically revoked without manual intervention.

No forgotten keys
No calendar reminders
No cleanup scripts
Scheduled Access Window 09:00 to 17:00
Access status Live window
Access granted
Alex Morgan has SSH access during the window.
0 1
9 7
:
0 0
0 0

Lightweight activity visibility

See SSH logins, disconnects, sudo use, and failed login summaries from your servers - without logging full command history or adding heavy agents.

Activity stream
Login detected
Just now
Riley Chen logged in as somesite using ssh-ed25519.
web-04 rchen
Sudo event
2 min ago
Morgan Patel used sudo while logged in to queue-02.
queue-02 mpatel
Failed login summary
10 min ago
Multiple failed SSH attempts reported on api-servers.
api-servers auth failures

Key capabilities

Time-scheduled access

Grant SSH access based on defined schedules such as business hours, on-call windows, or fixed start and end times. Once configured, access follows the schedule automatically without manual intervention.

Automatic cleanup

When an access window ends, the associated SSH keys are removed from the authorized_keys files. There is no separate cleanup step and no reliance on someone remembering to revoke access.

Activity logging

GrantSSH records SSH activity from your servers, including logins, disconnects, sudo usage, and failed login summaries. This provides a lightweight activity trail without recording full sessions or command output.

Member groups

Group team members who share access patterns - such as a client dev team or on-call rotation. Grant access to the whole group at once on each server you manage.

User key management

Users manage their own SSH public keys, while you control which servers they can access and when. Keys are never manually copied between servers.

Zero workflow change

GrantSSH works with existing SSH clients and keys. Users connect as normal, with no new tools, commands, or login flows to learn.

GrantSSH works with standard SSH and does not introduce proprietary server-side changes or vendor lock-in.

Install

Simple by Design

GrantSSH focuses on doing one thing well: controlled SSH access.
Setup is fast, ongoing maintenance is minimal.

Setup Flow
1 Install the agent

Install the GrantSSH agent on your server. No SSH replacement, no custom login flow.

2 Define access rules

Choose who can access which servers, for how long, and under what conditions.

3 Access expires automatically

When the access window ends, SSH access is removed automatically.

SSH activity from your servers is recorded automatically
Predictable, Near Real-Time Enforcement

Access changes are applied by the agent on a short polling interval to avoid affecting server performance. In practice, revocation typically takes between 30 and 120 seconds.

Open Source Agent

The server agent is fully open source and runs on your infrastructure. You can inspect the code, audit its behaviour, or build and deploy it yourself.

You Control Your Servers

GrantSSH does not hold your private keys or proxy SSH connections. Your servers communicate directly with the GrantSSH API and enforce access locally.

Built for teams who still SSH into servers

Small SaaS teams

Give developers access for the right window without building a full internal access platform.

Agencies and dev shops

Grant client-project access without leaving contractor keys behind after the job ends.

On-call and incident response

Open access quickly during an incident, then let it expire automatically when the window closes.

Founder-led infrastructure

Keep simple SSH workflows while avoiding the slow drift into unknown, unmanaged server access.

Scale

Manual SSH access does not scale well

Copying keys into authorized_keys works at first. The problem is remembering what was added, why it was added, and when it should come out.

Manual authorized_keys

  • Copy keys by hand
  • Track access in tickets, notes, or memory
  • Set calendar reminders to remove keys
  • Hard to see who can access what
  • Cleanup depends on someone remembering

GrantSSH

  • Users manage their own public keys
  • Access is granted centrally
  • Permissions can have start/end dates or schedules
  • Keys are removed automatically when access ends
  • Activity events give you a lightweight audit trail

Free browser tool

Run a quick authorized_keys check

Paste an authorized_keys file to spot duplicate keys, weak key types, risky options, and entries worth reviewing. It runs locally in your browser, so nothing is uploaded.

Checks for:

  • Duplicate keys
  • Weak key types
  • Risky options
  • Unclear labels
Open analyzer →

Good for a one-off review. GrantSSH keeps access tied to active, time-limited permissions after that.

Trust

Built for Transparency

GrantSSH is designed to be transparent, predictable, and under your control.

Open-source agent

The agent running on your servers is open source and fully inspectable.

You control your servers

GrantSSH does not proxy SSH traffic or replace your authentication model.

No hidden automation

Access changes are explicit, logged, and intentional.

Why GrantSSH exists

SSH access usually starts simple: copy a public key, get the job done, move on. But over months and years, those small shortcuts turn into stale keys, shared accounts, unclear ownership, and cleanup nobody wants to touch. GrantSSH is built to keep the simple SSH workflow while making access time-bound, visible, and easier to clean up.

Pricing

Simple, usage-based pricing

Start free. Pay only for what you use beyond that.

$2

per server / month

after free allowance

$2.50

per team member / month

after free allowance

First server and first 2 team members included free.

Example monthly costs

$0

1 server, 2 team members

$10

3 servers, 4 team members

$35

5 servers, 10 team members

No card required to sign up. Payment details are only requested when you add more servers or team members than the free tier includes. No plans, no contracts.

FAQ

Frequently Asked Questions

Have a different question? Reach out to us on Bluesky or send us an email.

How does the agent work?
The GrantSSH agent is a lightweight, open-source binary that runs on your servers. It polls our API periodically (typically every 30–60 seconds) to check for access changes. When a permission becomes active or inactive, the agent updates the authorized_keys file accordingly. Because the agent is open source, you can inspect exactly what it does.
Is access revocation instant?
No, it is near real-time. The agent checks for updates on a schedule, so access changes typically take 30–120 seconds to apply. We trade absolute immediacy for simplicity, robustness, and predictable behavior across all network conditions. If you need instant revocation for compliance reasons, GrantSSH may not be the right fit.
What happens when access expires?
When a time-bounded access grant expires, the agent automatically removes the user's public key from the server's authorized_keys file during its next sync cycle. The user's existing SSH sessions are not terminated (that's a different problem), but they cannot establish new connections.
Do users need to change how they SSH?
No. Users SSH exactly as they normally would, using their existing SSH keys and standard SSH clients. GrantSSH manages which keys are present in authorized_keys behind the scenes. From the user's perspective, either they can SSH to a server (their key is present) or they cannot (their key has been removed).
Can I self-host the agent?
Yes. The GrantSSH agent is open source and can be self-hosted if you prefer. The SaaS platform (dashboard, sync coordination, audit logs) is not open source. Most users use our hosted SaaS for the management layer and either use our hosted agent binary or self-host it.
What servers are supported?
Any Linux server that can run a small binary and has SSH enabled. We've tested on Ubuntu, Debian, CentOS, RHEL, and Amazon Linux. The agent requires minimal resources (a few MB of RAM) and no special privileges beyond the ability to modify authorized_keys files.
How is this different from PAM solutions?
Privileged Access Management (PAM) solutions are comprehensive enterprise platforms with session recording, bastion hosts, complex workflows, and significant cost. GrantSSH is focused: we manage SSH authorized_keys cleanly and simply. No session recording. No bastion hosts. No proxying. Just clean, time-bounded SSH access management.
Do you store private keys?
No. We never see or store your users' private SSH keys. Users upload only their public keys. The agent manages which public keys are present in authorized_keys. Private keys remain on users' machines where they belong. Public keys are safe to share and store and alone cannot be used to authenticate.
Will you be able to access my servers?
No. GrantSSH never SSHs into your servers and never holds private keys. The open-source agent only modifies authorized_keys files locally and reports basic host metadata (such as hostname and OS version) so you can identify servers in the dashboard. GrantSSH does not have shell access to your infrastructure.

Ready for Controlled SSH Access?

Create your account and start granting time-limited SSH access in minutes.

Set up controlled SSH access in minutes.