Teleport is an open-source infrastructure access platform that combines an identity-aware access proxy, a short-lived certificate authority (CA), unified role-based access control (RBAC), and a tunneling system — all in a single Go binary. It replaces long-lived SSH keys, static database passwords, and VPN credentials with short-lived certificates tied to your identity provider, so every session is authenticated, authorized, and recorded. Whether you are protecting a handful of Linux servers in a homelab or thousands of Kubernetes clusters across multiple clouds, Teleport gives you a single pane of glass for access, audit, and compliance — without forcing your team to learn a new workflow.

What can Teleport do?

Server Access

SSH into Linux servers using short-lived certificates. No shared keys. Full session recording and audit logging included out of the box.

Kubernetes Access

Connect kubectl and Helm to any Kubernetes cluster — EKS, GKE, AKS, or self-hosted — without distributing long-lived kubeconfig tokens.

Database Access

Proxy connections to PostgreSQL, MySQL, MongoDB, CockroachDB, and more. Enforce RBAC at the query level and log every interaction.

Application Access

Protect internal web applications and cloud provider APIs (AWS Console, GCP, Azure) behind Teleport’s identity gateway — no VPN required.

Windows Desktop Access

Provide browser-based RDP access to Windows desktops with full session recording, clipboard controls, and role-based restrictions.

Machine & Workload Identity

Automatically issue and renew short-lived credentials for CI/CD pipelines, microservices, and AI agents — no static secrets required.

Key security principles

Teleport is built around a set of security best practices that apply consistently across every resource type and protocol:
  • Certificate-based authentication — Teleport’s built-in CA issues short-lived X.509 and SSH certificates for every user and service. There are no shared passwords, long-lived API tokens, or SSH keys that can be forgotten on a developer’s laptop.
  • Multi-factor authentication (MFA) — Teleport enforces MFA by default. It supports one-time passwords (OTP/TOTP), hardware security keys (WebAuthn/FIDO2), and per-session MFA challenges for sensitive resources.
  • Single sign-on (SSO) — Authenticate users through your existing identity provider — GitHub, Okta, Microsoft Entra ID, Google Workspace, or any SAML/OIDC provider — so Teleport roles stay in sync with your HR system.
  • Session recording and playback — Every SSH, Kubernetes shell, RDP, and database session is recorded and indexed for playback, compliance audits, and forensic investigation.
  • RBAC and ABAC — Roles define exactly which resources a user can access, which OS logins they may use, and what cluster-level operations they can perform. Attribute-based conditions let you express policies like “only allow access to env: production servers during business hours.”
  • Just-in-time (JIT) access requests — Users can request temporary elevation to a higher role and receive approval through Slack, PagerDuty, Jira, or a custom webhook, with the access automatically expiring after a configurable window.
  • No open inbound ports — Teleport Agents establish outbound reverse tunnels to the Proxy Service, so your internal servers never need to open firewall ports to the internet.

Teleport editions

Teleport is available in three editions that share the same open-source core:
| Edition | Description |
| --- | --- |
| Teleport Enterprise Cloud | Fully managed Auth and Proxy Services hosted by Teleport. Each customer gets a dedicated yourorg.teleport.sh subdomain. No infrastructure to run. |
| Teleport Enterprise (Self-Hosted) | All Enterprise Cloud features plus FIPS 140-2 support, hardware security module (HSM) integration, and a commercial support agreement. You manage the infrastructure. |
| Teleport Community Edition | Free, open-source distribution. Core SSH, Kubernetes, database, app, and desktop access. Ideal for homelabs, small teams, and evaluation. |

Get started now

Cloud Quickstart

Sign up for a free 14-day Teleport Enterprise Cloud trial and enroll your first server in under 10 minutes. No infrastructure to provision.

Self-Hosted Quickstart

Deploy Teleport Community Edition on a Linux host in three steps — install, configure, and start. Full control over your cluster.
