Every Tool You Need to Control SSH Access at Scale
From key generation to compliance reports - a single control plane for your entire fleet.
System Architecture (diagram): the Go daemon (lockwaved) on each host syncs the desired state from the control plane (Laravel API) and writes it to ~/.ssh/authorized_keys.
Key Generation
Generate ed25519 (default) or RSA 4096 key pairs server-side. The private key is displayed exactly once after generation and is never stored by Lockwave. Alternatively, import existing public keys.
Each key has a source (generated or imported), optional tags for filtering and reporting, and is associated with an owner within a team. Keys can be personal (visible only to the owner) or shared (visible to team admins).
Assignments
Map SSH keys to specific hosts and OS users, or deploy them team-wide. Assignments are the core abstraction - they define the desired state of every authorized_keys file in your fleet.
Create or delete an assignment in the dashboard, and the change propagates to all affected hosts on the next daemon sync cycle. Assignments can include an optional description and record who created them for audit. No SSH sessions, no manual edits, no forgotten servers.
Revocation
Soft revocation: delete an assignment to remove a key from specific hosts. The key remains available for future use.
Hard block: block a key (temporarily or indefinitely) to immediately prevent it from being deployed anywhere. Blocked keys are removed from all authorized_keys files on the next sync.
Drift Detection
On every sync, the daemon compares the actual authorized_keys file against the desired state from the control plane. Any discrepancy - a manually added key, a deleted key - is reported as drift.
Drift is automatically corrected on the next sync cycle. The control plane is always the source of truth. Drift events are logged for audit.
Break-Glass
In a security incident, activate break-glass to instantly freeze all SSH key deployments for your team. Every daemon will purge all managed keys on the next sync, effectively locking down your entire fleet.
Only Owners and Admins can activate or deactivate break-glass. Every activation and deactivation is recorded with the actor, timestamp, and reason. Scope can be team-wide, a specific host, or a specific host user.
SSH server hardening
When enabled per host, the daemon deploys an sshd drop-in configuration to disable password and keyboard-interactive authentication. Only key-based access remains.
The drop-in is written under /etc/ssh/sshd_config.d/ (e.g. 99-lockwave.conf), validated with sshd -t, then sshd is reloaded. This keeps compatibility with your existing sshd config while enforcing key-only access.
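The validate-then-reload sequence above is worth seeing as code, because the order matters: a drop-in that sshd rejects must never be left on disk for the next restart to trip over. The following Go program is an added example written for this page, not lockwaved's own code. The directory and file name are the ones named above; the fragment's exact directives, the rollback behaviour and the systemctl reload command are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// Directory and file name are the ones the page gives as its example.
const (
	DropInDir  = "/etc/ssh/sshd_config.d"
	DropInName = "99-lockwave.conf"
)

// RenderDropIn returns the hardening fragment. Its exact content is an assumption;
// the page states only its effect. KbdInteractiveAuthentication and its older alias
// ChallengeResponseAuthentication are both set so old and new sshd read the same intent.
func RenderDropIn() string {
	return "# Lockwave SSH hardening drop-in (assumed content)\n" +
		"PasswordAuthentication no\n" +
		"KbdInteractiveAuthentication no\n" +
		"ChallengeResponseAuthentication no\n" +
		"PubkeyAuthentication yes\n"
}

// Install writes the drop-in into dir, runs check (sshd -t over the whole
// configuration, drop-ins included) and reloads sshd only if the check passes.
// A failed check rolls the file back to its previous state, so a rejected
// fragment never survives to the next reload or restart.
func Install(dir string, check, reload func() error) error {
	path := filepath.Join(dir, DropInName)
	prev, readErr := os.ReadFile(path)
	if err := os.WriteFile(path, []byte(RenderDropIn()), 0o644); err != nil {
		return err
	}
	if err := check(); err != nil {
		if readErr == nil {
			_ = os.WriteFile(path, prev, 0o644) // restore the earlier drop-in
		} else {
			_ = os.Remove(path) // there was none before; leave none behind
		}
		return fmt.Errorf("hardening not applied: %w", err)
	}
	return reload()
}

// SshdCheck is the validator the page names: sshd -t parses the active configuration.
func SshdCheck() error {
	if out, err := exec.Command("sshd", "-t").CombinedOutput(); err != nil {
		return fmt.Errorf("sshd -t failed: %v: %s", err, out)
	}
	return nil
}

func main() {
	// The reload command is an assumption; the unit is named "ssh" on Debian-family hosts.
	reload := func() error { return exec.Command("systemctl", "reload", "sshd").Run() }
	if err := Install(DropInDir, SshdCheck, reload); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Two sshd facts decide whether a drop-in like this actually bites: the main sshd_config must contain an Include for the drop-in directory, and because sshd keeps the first value it reads for each directive, that Include has to come before any PasswordAuthentication line in the main file. After the reload, `sshd -T | grep -i authentication` shows the effective values rather than what the files say.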
Exclusive keys mode
Per host or per OS user, you can make the managed block the only content of authorized_keys. When exclusive keys mode is enabled, the daemon replaces the entire file with only Lockwave-provisioned keys - no keys outside the block are preserved.
Use this for strict compliance or clean-slate enforcement when the host user must have only Lockwave-managed access.
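Drift detection, break-glass and exclusive keys mode are all one reconcile step seen from different angles: compute the desired key set, compare it with the file, rewrite the file. The Go program below is an added example for this page in the daemon's language, not code from lockwaved. The block markers, the sample keys and file, and the assumption that only the managed block is compared unless exclusive mode is on are all constructed here.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Block markers are an assumption: the page describes a managed block but does not name its delimiters.
const beginMarker, endMarker = "# BEGIN LOCKWAVE MANAGED BLOCK", "# END LOCKWAVE MANAGED BLOCK"

// DesiredState is what the control plane reports for one host user on each sync.
type DesiredState struct {
	Keys       []string // keys from active assignments (blocked keys already excluded)
	Exclusive  bool     // exclusive keys mode: nothing outside the block is preserved
	BreakGlass bool     // break-glass active: every managed key is purged
}

// splitFile separates the non-empty lines outside the managed block from those inside it.
func splitFile(content string) (outside, managed []string) {
	inBlock := false
	for _, line := range strings.Split(content, "\n") {
		t := strings.TrimSpace(line)
		if t == beginMarker || t == endMarker {
			inBlock = t == beginMarker
		} else if t != "" && inBlock {
			managed = append(managed, t)
		} else if t != "" {
			outside = append(outside, t)
		}
	}
	return outside, managed
}

// desiredKeys applies break-glass: while it is active the desired set is empty.
func desiredKeys(d DesiredState) []string {
	if d.BreakGlass {
		return nil
	}
	return d.Keys
}

// missing returns, sorted, the entries of a that do not appear in b.
func missing(a, b []string) []string {
	var out []string
	for _, k := range a {
		if !slices.Contains(b, k) {
			out = append(out, k)
		}
	}
	slices.Sort(out)
	return out
}

// DetectDrift reports assigned keys absent from the file and keys present without an
// assignment. Scope is an assumption: only the block is compared unless exclusive mode is on.
func DetectDrift(actual string, d DesiredState) (missingKeys, unauthorized []string) {
	outside, have := splitFile(actual)
	if d.Exclusive {
		for _, l := range outside {
			if !strings.HasPrefix(l, "#") {
				have = append(have, l)
			}
		}
	}
	want := desiredKeys(d)
	return missing(want, have), missing(have, want)
}

// Render builds the corrected file: exactly the desired keys in the block, outside lines kept only in normal mode.
func Render(actual string, d DesiredState) string {
	outside, _ := splitFile(actual)
	var b strings.Builder
	if !d.Exclusive {
		for _, l := range outside {
			b.WriteString(l + "\n")
		}
	}
	b.WriteString(beginMarker + "\n")
	for _, k := range desiredKeys(d) {
		b.WriteString(k + "\n")
	}
	b.WriteString(endMarker + "\n")
	return b.String()
}

// Constructed sample keys and file (not real keys): an unmanaged legacy key, an assigned key, and one added by hand.
const (
	keyAlice   = "ssh-ed25519 AAAAfakeAlice alice@example.test"
	keyBob     = "ssh-ed25519 AAAAfakeBob bob@example.test"
	keyRogue   = "ssh-ed25519 AAAAfakeRogue added-by-hand"
	keyLegacy  = "ssh-rsa AAAAfakeLegacy legacy@example.test"
	sampleFile = "# legacy key outside the block\n" + keyLegacy + "\n" + beginMarker + "\n" +
		keyAlice + "\n" + keyRogue + "\n" + endMarker + "\n"
)

func main() {
	d := DesiredState{Keys: []string{keyAlice, keyBob}}
	miss, bad := DetectDrift(sampleFile, d)
	fmt.Printf("missing=%q unauthorized=%q\n%s", miss, bad, Render(sampleFile, d))
}
```

Running it on the sample file reports keyBob as missing and keyRogue as unauthorized; with Exclusive set the legacy key outside the block becomes unauthorized too, and with BreakGlass set every managed key is. Rendering and then detecting again yields no drift, which is the property a sync loop needs: correction converges rather than oscillating.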
IP binding
The server records the IP address used when the daemon first registers. This IP is never automatically updated. On each sync, the server compares the daemon's request IP to the registered value. On mismatch, an audit event is logged and the dashboard shows a warning.
You must manually accept the new IP from the host detail page to clear the mismatch. Optional enforcement can reject syncs from a different IP until an admin accepts the change.
Compliance & Audit
Every action - key generation, assignment, revocation, break-glass, team membership changes - is recorded in an immutable audit log. Filter by date, actor, event type, or target resource.
Generate PDF and CSV compliance reports showing exactly who had access to which host at any given time. Designed for SOC 2 and ISO 27001 evidence requirements.
Team Roles
Four roles provide granular access control:
- Owner - Full control including billing, team deletion, and break-glass
- Admin - Manage keys, hosts, assignments, and members
- Member - Manage own keys and view hosts
- Auditor - Read-only access to audit logs and compliance reports
DSAR Export
Data Subject Access Requests are built in. Any team member can request a full export of their personal data - keys, assignments, audit events, and profile data - in machine-readable format.
Exports are generated as background jobs and made available for download, in line with GDPR Article 15 and Article 20.
Webhooks & Integrations
Receive real-time HTTP callbacks when events occur in your team - key creation, assignment changes, host enrollment, break-glass activations, and more. Configure webhook endpoints from the dashboard and point them at your internal tooling.
Every webhook payload is signed with HMAC-SHA256 so you can verify authenticity. Failed deliveries are retried with exponential backoff, and a delivery log lets you inspect payloads, response codes, and timing for every attempt.
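The receiving side of a signed delivery, as an added Go example rather than Lockwave's documented format: the header names, the timestamp field and the exact string that is signed are assumptions, so adapt them to the payload format shown in the dashboard. What carries over regardless is verifying over the raw request bytes with a constant-time comparison before decoding anything, and bounding how long a captured delivery stays replayable.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"time"
)

// Header names, the timestamp and the signed-string layout are assumptions: the page
// says deliveries are signed with HMAC-SHA256 but does not document the wire format.
const (
	SignatureHeader = "X-Lockwave-Signature"
	TimestampHeader = "X-Lockwave-Timestamp"
	maxSkew         = 5 * time.Minute
	maxBody         = 1 << 20
)

// Sign computes the tag a sender attaches: HMAC-SHA256 over "<unix ts>.<raw body>".
func Sign(secret []byte, ts int64, body []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// Verify recomputes the tag and compares it in constant time. The timestamp
// window bounds how long a captured delivery can be replayed.
func Verify(secret []byte, ts int64, sig string, body []byte, now time.Time) error {
	if skew := now.Sub(time.Unix(ts, 0)); skew > maxSkew || skew < -maxSkew {
		return fmt.Errorf("timestamp outside the accepted window")
	}
	if !hmac.Equal([]byte(Sign(secret, ts, body)), []byte(sig)) {
		return fmt.Errorf("signature mismatch")
	}
	return nil
}

// Handler verifies over the exact bytes received, before any JSON decoding,
// and answers 204 only for an authentic, fresh delivery.
func Handler(secret []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBody))
		if err != nil {
			http.Error(w, "unreadable body", http.StatusBadRequest)
			return
		}
		ts, err := strconv.ParseInt(r.Header.Get(TimestampHeader), 10, 64)
		if err != nil {
			http.Error(w, "missing or malformed timestamp", http.StatusBadRequest)
			return
		}
		if err := Verify(secret, ts, r.Header.Get(SignatureHeader), body, time.Now()); err != nil {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		// Only now is it safe to parse the event and act on it.
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {
	secret := []byte("constructed-shared-secret") // in practice, the endpoint secret from the dashboard
	if err := http.ListenAndServe("127.0.0.1:8080", Handler(secret)); err != nil {
		fmt.Println(err)
	}
}
```

Because retries use exponential backoff, the skew window has to be wide enough to accept a legitimately delayed redelivery; five minutes is a common starting point, and a per-delivery id kept in a short-lived store closes the remaining replay gap inside that window.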
Webhooks are available on all plans: Free (3 endpoints), Standard (10), Business (25), Enterprise (unlimited).
Notification Channels
Get alerted where your team already works. Connect Slack, Discord, Microsoft Teams, or email notification channels to receive instant alerts for key events - drift detected, break-glass activated, host enrollment, and more.
Each channel can be configured with granular event filters so you only receive the notifications that matter. Available on Standard plans and above.
Audit Log Streaming
Stream your immutable audit log to external destinations in real time. Forward events to your SIEM, data lake, or compliance archive via webhook delivery or S3-compatible storage.
Audit log streaming ensures your security team has a durable, independent copy of every action taken in Lockwave - outside of the control plane itself. Available on Business plans and above.
Terraform Provider
Manage Lockwave resources as code with the official Terraform provider (lockwave-io/lockwave). Define hosts, host users, SSH keys, assignments, webhook endpoints, notification channels, and audit log streams in HCL and apply them through your existing IaC pipeline.
The provider wraps the Lockwave API v1 and supports all CRUD operations, data sources for reading existing resources, and terraform import for adopting existing infrastructure. Version-control your access policies alongside your infrastructure definitions.
MCP Server & AI Integration
Lockwave exposes a Model Context Protocol (MCP) server so AI assistants and agents can interact with your team's SSH infrastructure. Query hosts, manage keys, create assignments, and trigger break-glass - all through natural language via your preferred AI client.
Compatible with Cursor, Claude Desktop, Claude Code, Gemini CLI, and OpenAI. Authenticate with the same API token used for the REST API.
Unified Dashboard
The Lockwave dashboard shows host sync status, daemon heartbeats, drift events, and assignment changes at a glance. Monitor your fleet with counters for active hosts, deployed keys, pending syncs, and recent audit events.
Before & After
Without Lockwave
- SSH into each server to add/remove keys
- No central record of who has access where
- Offboarding takes hours or days
- No audit trail for compliance
- Unauthorized keys go undetected
With Lockwave
- Define access once, sync everywhere
- Full visibility into who can access what
- Revoke access in under 60 seconds
- Immutable audit log, PDF/CSV reports
- Drift detection auto-corrects unauthorized changes
Deploy in Under 5 Minutes
Start free. Install the daemon on your first host and see it sync.