Stop stale SSH keys from becoming permanent access
Grant time-limited SSH access to your servers. GrantSSH keeps authorized_keys in sync automatically, so temporary access actually expires.
Every server eventually grows an authorized_keys graveyard. GrantSSH keeps it clean.
No card required
SSH Access Drift Is a Real Security Problem
Over time, SSH access quietly accumulates. Old keys remain. Temporary access becomes permanent. Eventually, nobody is quite sure who can log in anymore.
Keys accumulate
SSH keys are easy to add and easy to forget. Over time, servers collect access for old laptops, former contractors, emergency fixes, and people who no longer need it.
Temporary becomes permanent
Access is often granted for a project, an incident, or a one-off task. Without automatic expiry, it stays around until someone remembers to clean it up.
Nobody knows who can log in
A messy authorized_keys file does not tell you why access exists, who approved it, or when it should end.
Controlled, Time-Bound, Auditable
GrantSSH gives you controlled SSH access with clear boundaries. Access is time-limited by default, centrally managed, and fully auditable.
Scheduled SSH access that expires on time
Grant access for hours, days, or weeks - not forever. When the time is up, access is automatically revoked without manual intervention.
Lightweight activity visibility
See SSH logins, disconnects, sudo use, and failed login summaries from your servers - without logging full command history or adding heavy agents.
Key capabilities
Grant SSH access based on defined schedules such as business hours, on-call windows, or fixed start and end times. Once configured, access follows the schedule automatically without manual intervention.
When an access window ends, the associated SSH keys are removed from the authorized_keys files.
There is no separate cleanup step and no reliance on someone remembering to revoke access.
GrantSSH records SSH activity from your servers, including logins, disconnects, sudo usage, and failed login summaries. This provides a lightweight activity trail without recording full sessions or command output.
Group team members who share access patterns - such as a client dev team or on-call rotation. Grant access to the whole group at once on each server you manage.
Users manage their own SSH public keys, while you control which servers they can access and when. Keys are never manually copied between servers.
GrantSSH works with existing SSH clients and keys. Users connect as normal, with no new tools, commands, or login flows to learn.
GrantSSH works with standard SSH and does not introduce proprietary server-side changes or vendor lock-in.
Simple by Design
GrantSSH focuses on doing one thing well: controlled SSH access.
Setup is fast, ongoing maintenance is minimal.
Install the GrantSSH agent on your server. No SSH replacement, no custom login flow.
Choose who can access which servers, for how long, and under what conditions.
When the access window ends, SSH access is removed automatically.
Access changes are applied by the agent on a short polling interval to avoid affecting server performance. In practice, revocation typically takes between 30 and 120 seconds.
The server agent is fully open source and runs on your infrastructure. You can inspect the code, audit its behaviour, or build and deploy it yourself.
GrantSSH does not hold your private keys or proxy SSH connections. Your servers communicate directly with the GrantSSH API and enforce access locally.
Built for teams who still SSH into servers
Small SaaS teams
Give developers access for the right window without building a full internal access platform.
Agencies and dev shops
Grant client-project access without leaving contractor keys behind after the job ends.
On-call and incident response
Open access quickly during an incident, then let it expire automatically when the window closes.
Founder-led infrastructure
Keep simple SSH workflows while avoiding the slow drift into unknown, unmanaged server access.
Manual SSH access does not scale well
Copying keys into authorized_keys works at first. The problem is remembering what was added, why it was added, and when it should come out.
Manual authorized_keys
- Copy keys by hand
- Track access in tickets, notes, or memory
- Set calendar reminders to remove keys
- Hard to see who can access what
- Cleanup depends on someone remembering
GrantSSH
- Users manage their own public keys
- Access is granted centrally
- Permissions can have start/end dates or schedules
- Keys are removed automatically when access ends
- Activity events give you a lightweight audit trail
Free browser tool
Run a quick authorized_keys check
Paste an authorized_keys file to spot duplicate keys, weak key types, risky options, and entries worth reviewing. It runs locally in your browser, so nothing is uploaded.
Checks for:
- Duplicate keys
- Weak key types
- Risky options
- Unclear labels
Good for a one-off review. GrantSSH keeps access tied to active, time-limited permissions after that.
Built for Real Scenarios
GrantSSH solves the access problems you actually face.
On-call and incident access
Grant immediate, time-limited access during incidents without creating permanent keys.
Contractor SSH access
Give contractors access only for the duration of their work, and to the servers they need — nothing more.
Developer offboarding
Revoke permissions centrally instead of hunting through authorized_keys files on every server.
Agency client servers
Manage SSH access across client projects without leaving old keys behind when work ends.
Built for Transparency
GrantSSH is designed to be transparent, predictable, and under your control.
Open-source agent
The agent running on your servers is open source and fully inspectable.
You control your servers
GrantSSH does not proxy SSH traffic or replace your authentication model.
No hidden automation
Access changes are explicit, logged, and intentional.
Why GrantSSH exists
SSH access usually starts simple: copy a public key, get the job done, move on. But over months and years, those small shortcuts turn into stale keys, shared accounts, unclear ownership, and cleanup nobody wants to touch. GrantSSH is built to keep the simple SSH workflow while making access time-bound, visible, and easier to clean up.
Simple, usage-based pricing
Start free. Pay only for what you use beyond that.
$2
per server / month
after free allowance
$2.50
per team member / month
after free allowance
First server and first 2 team members included free.
Example monthly costs
$0
1 server, 2 team members
$10
3 servers, 4 team members
$35
5 servers, 10 team members
No card required to sign up. Payment details are only requested when you add more servers or team members than the free tier includes. No plans, no contracts.
Frequently Asked Questions
Have a different question? Reach out to us on Bluesky or send us an email.
- How does the agent work?
- The GrantSSH agent is a lightweight, open-source binary that runs on your servers. It polls our API periodically (typically every 30–60 seconds) to check for access changes. When a permission becomes active or inactive, the agent updates the authorized_keys file accordingly. Because the agent is open source, you can inspect exactly what it does.
- Is access revocation instant?
- No, it is near real-time. The agent checks for updates on a schedule, so access changes typically take 30–120 seconds to apply. We trade absolute immediacy for simplicity, robustness, and predictable behavior across all network conditions. If you need instant revocation for compliance reasons, GrantSSH may not be the right fit.
- What happens when access expires?
- When a time-bounded access grant expires, the agent automatically removes the user's public key from the server's authorized_keys file during its next sync cycle. The user's existing SSH sessions are not terminated (that's a different problem), but they cannot establish new connections.
- Do users need to change how they SSH?
- No. Users SSH exactly as they normally would, using their existing SSH keys and standard SSH clients. GrantSSH manages which keys are present in authorized_keys behind the scenes. From the user's perspective, either they can SSH to a server (their key is present) or they cannot (their key has been removed).
- Can I self-host the agent?
- Yes. The GrantSSH agent is open source and can be self-hosted if you prefer. The SaaS platform (dashboard, sync coordination, audit logs) is not open source. Most users use our hosted SaaS for the management layer and either use our hosted agent binary or self-host it.
- What servers are supported?
- Any Linux server that can run a small binary and has SSH enabled. We've tested on Ubuntu, Debian, CentOS, RHEL, and Amazon Linux. The agent requires minimal resources (a few MB of RAM) and no special privileges beyond the ability to modify authorized_keys files.
- How is this different from PAM solutions?
- Privileged Access Management (PAM) solutions are comprehensive enterprise platforms with session recording, bastion hosts, complex workflows, and significant cost. GrantSSH is focused: we manage SSH authorized_keys cleanly and simply. No session recording. No bastion hosts. No proxying. Just clean, time-bounded SSH access management.
- Do you store private keys?
- No. We never see or store your users' private SSH keys. Users upload only their public keys. The agent manages which public keys are present in authorized_keys. Private keys remain on users' machines where they belong. Public keys are safe to share and store and alone cannot be used to authenticate.
- Will you be able to access my servers?
- No. GrantSSH never SSHs into your servers and never holds private keys. The open-source agent only modifies authorized_keys files locally and reports basic host metadata (such as hostname and OS version) so you can identify servers in the dashboard. GrantSSH does not have shell access to your infrastructure.
Ready for Controlled SSH Access?
Create your account and start granting time-limited SSH access in minutes.
Set up controlled SSH access in minutes.