Security
Security is the product, not a feature
GrantSSH exists to make SSH access controlled and auditable. That goal only holds if the tool itself is trustworthy, so we keep our security model small, explicit, and easy to verify.
We never see private keys
Only public keys are uploaded. Private keys stay on users' machines.
The agent is open source
It runs inside your infrastructure and you can inspect exactly what it does.
We never log into your servers
GrantSSH has no shell access to your machines and is not in your SSH path.
SSH key handling
GrantSSH works exclusively with public keys. Public keys are safe to share and store, and on their own cannot be used to authenticate.
What we store
- Public keys uploaded by team members
- Which keys should be present, for which accounts, and when
What we never store
- Private keys, in any form
- SSH passwords or login credentials
You can confirm what a key is before trusting it with the public key inspector.
The agent
Enforcement happens locally on your servers via a lightweight, open-source agent. It is the only GrantSSH component that touches your infrastructure.
Inspectable
Open source, so you can read exactly what it does before running it.
Minimal scope
It only updates authorized_keys for the accounts you define.
Outbound only
The agent polls our API. GrantSSH never initiates connections into your servers.
Data we hold
We aim to hold as little as possible while still giving you a useful audit trail.
Identity and access
Team members, their public keys, and the permissions that grant access to server accounts.
Server metadata
Basic details such as hostname and OS version, reported by the agent so you can identify servers.
Activity events
SSH logins, disconnects, sudo usage, and failed login summaries — not full session recordings.
For details on how this website handles visitor data, see our privacy policy.
Access control and revocation
Access is explicit and time-bounded. A key is present only while a permission is active.
Time-bounded by design
Permanent, date-range, and recurring time windows are all supported, so access does not outlive its purpose.
Near real-time revocation
When access ends, the agent removes the key on its next poll — typically within 30 to 120 seconds.
Honest boundaries
Being clear about what GrantSSH does not do is part of being trustworthy.
Not a bastion or proxy
SSH goes directly to your servers with your usual client. We are not in the connection path.
Not session recording
We report activity events, not keystrokes or full session captures.
Not instant for compliance edge cases
Revocation is near real-time, not instantaneous. If you need guaranteed instant cutoff, GrantSSH may not fit.
Not a command filter
Permissions decide who can connect and when, not which commands run after login.
For the full model, read how it works.
Responsible disclosure
If you believe you have found a security issue in GrantSSH, please tell us before disclosing it publicly. We will acknowledge your report, investigate promptly, and keep you updated.
Email [email protected] with details and steps to reproduce.
Ready for Controlled SSH Access?
Create your account and start granting time-limited SSH access in minutes.
Set up controlled SSH access in minutes.