Truly keyless SSH.
The world's first web SSH client where private keys don't exist - not on servers, not in browsers, not even in memory. Powered by Tide's decentralised threshold cryptography.
Traditional web SSH clients have a fundamental problem: private keys. Whether stored on a server, uploaded by users, or generated in the browser, private keys are always a liability - they can be stolen, leaked, or compromised.
KeyleSSH eliminates private keys entirely.
Instead of managing keys, KeyleSSH uses Tide Protocol and TideCloak for cryptographic operations. SSH signing happens across a decentralised network of independent nodes called ORKs (Orchestrated Recluded Keys) - no single point holds a complete key. This isn't just distributed (copies everywhere), it's truly decentralised (the key never exists as a whole).
- No key import, no key storage - Users authenticate via TideCloak (OIDC), receiving a "doken" (delegated token)
- Policy-based authorization - Admins define who can SSH as which user via Forseti contracts (C# policies executed in sandboxed ORKs)
- Decentralised signing - When SSH needs a signature, ORKs validate the policy and collaboratively sign the challenge
- Threshold cryptography - The signing key is mathematically split across multiple independent ORKs; no single node can sign alone
The result: enterprise-grade SSH access control without any private keys to manage, rotate, or protect.
- Browser-side SSH via `@microsoft/dev-tunnels-ssh` + xterm.js
- SFTP file browser - Browse, upload, download, rename, delete files via split-panel UI
- OIDC login with TideCloak - no passwords, no keys — https://tide.org
- Policy:1 authorization with Forseti contracts for SSH signing
- Role-based SSH access (e.g., only `ssh:root` role holders can SSH as root)
- Admin UX: servers, users, roles, policy templates, approvals, sessions, logs
- Optional external `tcp-bridge/` for scalable WS↔TCP forwarding
- Architecture: docs/ARCHITECTURE.md
- Deployment: docs/DEPLOYMENT.md
- Developer guide: docs/DEVELOPERS.md
```bash
npm install
npm run dev
```

App: http://localhost:3000

- `npm run dev` - start server + Vite dev integration
- `npm run build` - build client + bundle server
- `npm start` - run production build from `dist/`
- `npm run check` - TypeScript typecheck
```bash
PORT=3000
# Optional external TCP bridge (for scaling)
# Bridge verifies JWTs against same tidecloak.json - no shared secret needed
BRIDGE_URL=ws://localhost:8080
# SQLite (file path)
DATABASE_URL=./data/keylessh.db
```

- Browser adapter config: `client/src/tidecloakAdapter.json`
- Server JWT verification config (JWKS): `data/tidecloak.json`
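The bridge comment above makes a point worth seeing in code: a component that only holds the public JWKS can authenticate callers' tokens without any secret being shared with it. The following is an added example written for this README, not KeyleSSH or TideCloak code; the JWKS layout, key id, issuer and audience values are constructed, and the real `tidecloak.json` format is not shown on this page. It mints an RS256 JWT in-process (standing in for the IdP) and then verifies it the way a bridge would: pinned algorithm, key chosen by `kid`, signature, then `iss`, `aud` and `exp`.

```typescript
// Added example (not KeyleSSH code): verifying a bearer token against a JWKS document
// with no shared secret, as the tcp-bridge is described doing. All names are constructed.
import { createPublicKey, generateKeyPairSync, sign, verify, JsonWebKey, KeyObject } from 'crypto';

// Minimal JWKS shape: only the fields this verifier reads. The real tidecloak.json layout
// is not shown in the README, so this interface is an assumption.
export interface Jwks { keys: Array<JsonWebKey & { kid?: string }>; }

export interface TokenClaims { iss: string; aud: string; sub: string; exp: number; roles?: string[]; }

const toB64url = (data: Buffer | string): string =>
  (typeof data === 'string' ? Buffer.from(data, 'utf8') : data).toString('base64url');
const fromB64url = (s: string): Buffer => Buffer.from(s, 'base64url');

// Stand-in for the identity provider so the example runs offline: mints an RS256 JWT.
export function issueToken(privateKey: KeyObject, kid: string, claims: TokenClaims): string {
  const header = toB64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const payload = toB64url(JSON.stringify(claims));
  const input = `${header}.${payload}`;
  // RS256 is RSASSA-PKCS1-v1_5 over SHA-256, which is what crypto.sign produces for an RSA key.
  return `${input}.${toB64url(sign('sha256', Buffer.from(input, 'utf8'), privateKey))}`;
}

// Bridge-side check: pinned algorithm, key selected by kid, signature, then claims.
export function verifyToken(
  token: string, jwks: Jwks, expected: { iss: string; aud: string },
  nowSec: number = Math.floor(Date.now() / 1000),
): TokenClaims {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString('utf8')) as { alg?: unknown; kid?: unknown };
  // The token must not pick its own algorithm: "none" and HMAC variants are refused here.
  if (header.alg !== 'RS256') throw new Error(`unsupported alg: ${String(header.alg)}`);
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && typeof header.kid === 'string' && k.kid === header.kid);
  if (!jwk) throw new Error('no matching key in JWKS');
  const publicKey = createPublicKey({ key: jwk, format: 'jwk' });
  if (!verify('sha256', Buffer.from(`${h}.${p}`, 'utf8'), publicKey, fromB64url(s))) {
    throw new Error('signature check failed');
  }
  const claims = JSON.parse(fromB64url(p).toString('utf8')) as TokenClaims;
  if (claims.iss !== expected.iss) throw new Error('issuer mismatch');
  if (claims.aud !== expected.aud) throw new Error('audience mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token expired');
  return claims;
}

function rejects(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

// Runs the whole exchange in-process and reports what the verifier decided.
export function demo(): { accepted: TokenClaims; tamperedRejected: boolean; algNoneRejected: boolean } {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const kid = 'example-kid-1'; // constructed key id
  const jwks: Jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid, use: 'sig', alg: 'RS256' }] };
  const expected = { iss: 'https://idp.example.invalid/realms/demo', aud: 'keylessh-bridge' }; // constructed
  const claims: TokenClaims = { ...expected, sub: 'alice', exp: 4000000000, roles: ['ssh:deploy'] };
  const token = issueToken(privateKey, kid, claims);
  const accepted = verifyToken(token, jwks, expected);

  // Swap the subject in the payload without re-signing: the signature must fail.
  const [h, , s] = token.split('.');
  const forged = `${h}.${toB64url(JSON.stringify({ ...claims, sub: 'root' }))}.${s}`;
  const tamperedRejected = rejects(() => verifyToken(forged, jwks, expected));

  // Classic downgrade attempt: alg "none" with an empty signature.
  const none = `${toB64url(JSON.stringify({ alg: 'none', kid }))}.${toB64url(JSON.stringify(claims))}.`;
  const algNoneRejected = rejects(() => verifyToken(none, jwks, expected));
  return { accepted, tamperedRejected, algNoneRejected };
}
```

The design point is the `header.alg !== 'RS256'` line: the verifier decides the algorithm from its own configuration, never from the token, so a JWKS-only bridge cannot be talked into HMAC or unsigned verification. In a deployment the JWKS would be loaded from the shared `tidecloak.json` (or fetched from the issuer) and `nowSec` left at its default.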
- Authentication: `@tidecloak/react` (wraps/uses `@tidecloak/js`)
- Tide Protocol: `heimdall-tide` (Policy, PolicySignRequest, TideMemory for signing)
- Terminal: `@xterm/xterm`
- Browser SSH: `@microsoft/dev-tunnels-ssh` and `@microsoft/dev-tunnels-ssh-keys`
- API state: `@tanstack/react-query`
- Server: `express`, `ws`
- Storage: `better-sqlite3`, `drizzle-orm`
SSH signing uses the Tide Protocol's Policy:1 auth flow with Forseti contracts:
- Admin creates SSH policies via policy templates (defines role, resource, approval type)
- Policies are signed and committed to the ORK network
- When a user connects via SSH, their doken is validated against the policy
- ORKs execute the Forseti contract (C# code in sandbox) to authorize
- If authorized, ORKs collaboratively produce a signature for the SSH challenge
See docs/ARCHITECTURE.md for the full flow diagram.
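To make the last two steps concrete: what the ORKs are asked to sign is not an opaque blob but the SSH userauth challenge defined in RFC 4252 §7, and the client only needs a public-key blob plus a "sign these bytes" call, never the private key. The block below is an added example written for this README, not KeyleSSH or Tide code. `LocalPolicySigner` is an in-process Ed25519 stand-in for the ORK network (a single key instead of a threshold-split one, a function call instead of a network round-trip), and the doken role shape `roles: ["ssh:<user>"]` is an assumption taken from the role rule stated above. It builds the signed data, enforces the `ssh:<user>` rule before signing, and checks the result the way an SSH server would, including that the signature does not carry over to another account name.

```typescript
// Added example (not KeyleSSH code): the RFC 4252 §7 userauth challenge, a signer
// interface with no private-key accessor, and server-side verification.
import { createPublicKey, generateKeyPairSync, randomBytes, sign, verify, KeyObject } from 'crypto';

const SSH_MSG_USERAUTH_REQUEST = 50;
// DER prefix of a SubjectPublicKeyInfo for Ed25519; the raw 32-byte key follows it.
const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

// SSH wire "string": uint32 big-endian length, then the bytes (RFC 4251 §5).
export function sshString(data: Buffer | string): Buffer {
  const bytes = typeof data === 'string' ? Buffer.from(data, 'utf8') : data;
  const len = Buffer.alloc(4);
  len.writeUInt32BE(bytes.length, 0);
  return Buffer.concat([len, bytes]);
}

// Public-key blob (the base64 part of an authorized_keys line): string alg, string key.
export function ed25519Blob(raw32: Buffer): Buffer {
  return Buffer.concat([sshString('ssh-ed25519'), sshString(raw32)]);
}

// The exact bytes covered by the userauth signature (RFC 4252 §7). Including the session
// id and user name binds the signature to this connection and this account.
export function userauthSignedData(sessionId: Buffer, user: string, pubkeyBlob: Buffer): Buffer {
  return Buffer.concat([
    sshString(sessionId), Buffer.from([SSH_MSG_USERAUTH_REQUEST]), sshString(user),
    sshString('ssh-connection'), sshString('publickey'),
    Buffer.from([1]), // boolean TRUE: a signature follows
    sshString('ssh-ed25519'), sshString(pubkeyBlob),
  ]);
}

export interface Doken { sub: string; roles: string[] } // assumed claim shape

// All the browser side needs from the signing side; nothing here exposes key material.
export interface ChallengeSigner {
  publicKeyBlob(): Buffer;
  sign(data: Buffer, doken: Doken, targetUser: string): Buffer;
}

// Stand-in for the ORKs (assumption: one in-process Ed25519 key). Applies the README's
// rule that signing as <user> requires the role ssh:<user>.
export class LocalPolicySigner implements ChallengeSigner {
  private readonly priv: KeyObject;
  private readonly pub: KeyObject;
  constructor() {
    const kp = generateKeyPairSync('ed25519');
    this.priv = kp.privateKey;
    this.pub = kp.publicKey;
  }
  publicKeyBlob(): Buffer {
    const spki = this.pub.export({ type: 'spki', format: 'der' });
    return ed25519Blob(spki.subarray(spki.length - 32));
  }
  sign(data: Buffer, doken: Doken, targetUser: string): Buffer {
    if (!doken.roles.includes(`ssh:${targetUser}`)) {
      throw new Error(`policy denied: ${doken.sub} lacks role ssh:${targetUser}`);
    }
    // Ed25519 hashes internally, so the digest argument is null. Output is the SSH
    // signature blob: string "ssh-ed25519", string 64-byte signature.
    return Buffer.concat([sshString('ssh-ed25519'), sshString(sign(null, data, this.priv))]);
  }
}

// Server side: parse the signature blob and verify it over the reconstructed data.
export function serverVerify(sessionId: Buffer, user: string, pubkeyBlob: Buffer, sigBlob: Buffer): boolean {
  const algLen = sigBlob.readUInt32BE(0);
  const alg = sigBlob.subarray(4, 4 + algLen).toString('utf8');
  const sigLen = sigBlob.readUInt32BE(4 + algLen);
  const sig = sigBlob.subarray(8 + algLen, 8 + algLen + sigLen);
  if (alg !== 'ssh-ed25519' || sig.length !== 64) return false;
  const raw32 = pubkeyBlob.subarray(pubkeyBlob.length - 32);
  const key = createPublicKey({ key: Buffer.concat([ED25519_SPKI_PREFIX, raw32]), format: 'der', type: 'spki' });
  return verify(null, userauthSignedData(sessionId, user, pubkeyBlob), key, sig);
}

export function demo(): { rootSigned: boolean; aliceDenied: boolean; otherUserRejected: boolean } {
  const signer = new LocalPolicySigner();
  const sessionId = randomBytes(32); // constructed; in SSH this is the exchange hash from KEX
  const blob = signer.publicKeyBlob();
  const bob: Doken = { sub: 'bob', roles: ['ssh:root', 'ssh:deploy'] };   // constructed
  const alice: Doken = { sub: 'alice', roles: ['ssh:deploy'] };           // constructed
  const sigBlob = signer.sign(userauthSignedData(sessionId, 'root', blob), bob, 'root');
  const rootSigned = serverVerify(sessionId, 'root', blob, sigBlob);
  // The same signature presented for a different account name must not verify.
  const otherUserRejected = !serverVerify(sessionId, 'deploy', blob, sigBlob);
  let aliceDenied = false;
  try { signer.sign(userauthSignedData(sessionId, 'root', blob), alice, 'root'); } catch { aliceDenied = true; }
  return { rootSigned, aliceDenied, otherUserRejected };
}
```

Two things carry over from this toy to the real flow. First, the policy check sits on the signing side, not in the browser: a client that is handed only `ChallengeSigner` cannot bypass it. Second, because the signed data embeds the user name, a signature authorized for `root` is worthless for any other account, so the authorization decision and the SSH login it permits cannot drift apart.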
See docs/DEVELOPERS.md.
KeyleSSH is open source and designed for flexible deployment:
Deploy KeyleSSH for your organization with no usage restrictions. By default, there are no limits on users, servers, or features. Perfect for:
- Enterprise internal deployments
- Development teams
- Personal/homelab use
Just follow the Deployment Guide - no licensing configuration needed.
If you want to offer KeyleSSH as a commercial service with subscription tiers, configure Stripe billing:
- Free tier: 5 users, 2 servers
- Pro tier: 25 users, 10 servers
- Enterprise tier: Unlimited
See SaaS Configuration in the deployment guide.
MIT
