eBPF Zero-Trust Access
Protect any HTTP service at the Linux kernel level. No code changes, no sidecars, no reverse proxies. Deploy one agent and AuthFI validates identity on every request.
How It Works
┌─────────────────────────────────────┐
│ Linux Kernel │
│ │
HTTP Request ──── │──▶ eBPF Program │
(with JWT) │ │ │
│ ├── Extract JWT from header │
│ ├── Verify signature (cached JWKS)│
│ ├── Check roles/permissions │
│ ├── Check MFA if required │
│ │ │
│ ├── ALLOW → forward to app │
│ └── DENY → return 401/403 │
│ │
│ Zero overhead. Kernel-level speed. │
└─────────────────────────────────────┘The eBPF program hooks into the kernel’s network stack. It intercepts HTTP requests before they reach your application, validates the JWT, checks the access policy, and either allows or blocks the request. Your application code is untouched.
Architecture
┌─────────────┐ ┌──────────────────┐ ┌───────────────┐
│ AuthFI API │◄────│ AuthFI Agent │────▶│ Your Services │
│ (Control │ │ (per host) │ │ │
│ Plane) │ │ │ │ :3000 admin │
│ │ │ eBPF loader │ │ :8080 api │
│ • Policies │ │ Policy syncer │ │ :3001 grafana │
│ • JWKS │ │ Service discover │ │ :5432 postgres│
│ • Logs │ │ Log reporter │ │ │
└─────────────┘ └──────────────────┘ └───────────────┘Components
Agent — Runs on each host. Registers with the control plane, receives policies, loads eBPF programs, reports access logs.
Service Discovery — Automatically finds services listening on the host:
- procfs scanner — Reads
/proc/net/tcpto find listening ports and their process names - Kubernetes observer — Watches the K8s API for Services, Pods, and Endpoints
Policy Syncer — Polls the control plane for policy updates using ETags for efficiency. Pushes rules to the eBPF program in kernel memory.
eBPF Loader — Loads the eBPF program into the kernel, attaches it to network interfaces, manages the maps (policy rules, JWKS cache).
Log Reporter — Batches access decisions and sends them to the control plane for the audit trail.
Setup
1. Register an Agent
curl -X POST https://api.authfi.app/manage/v1/acme/access/agents/register
-H "X-API-Key: sk_..."
-d '{
"hostname": "web-server-01",
"agent_version": "1.0.0",
"os": "linux",
"kernel_version": "5.15.0",
"arch": "amd64",
"labels": { "env": "production", "team": "platform" }
}'Response:
{
"agent_id": "agent-uuid",
"agent_secret": "as_abc123...",
"hostname": "web-server-01",
"note": "Save this secret — it won't be shown again"
}2. Run the Agent
AUTHFI_TENANT=acme
AUTHFI_AGENT_TOKEN=as_abc123...
AUTHFI_API_URL=https://api.authfi.app
./authfi-access-agentThe agent will:
- Connect to the control plane
- Discover services on the host
- Report discovered services
- Start syncing policies
- Load the eBPF program
3. Create an Access Policy
curl -X POST https://api.authfi.app/manage/v1/acme/access/policies
-H "X-API-Key: sk_..."
-d '{
"name": "Admin Panel Protection",
"port_match": 3000,
"mode": "enforce",
"default_action": "deny",
"rules": [
{
"method": "GET",
"path_pattern": "/api/*",
"required_roles": ["admin", "viewer"],
"priority": 10
},
{
"method": "POST",
"path_pattern": "/api/admin/*",
"required_roles": ["admin"],
"require_mfa": true,
"priority": 20
},
{
"method": "GET",
"path_pattern": "/health",
"priority": 1
}
]
}'Policy Fields
| Field | Description |
|---|---|
port_match | TCP port this policy applies to |
host_match | Optional hostname filter |
mode | enforce (block unauthorized), monitor (log only), disabled |
default_action | deny (whitelist mode) or allow (blacklist mode) |
Rule Fields
| Field | Description |
|---|---|
method | HTTP method (GET, POST, PUT, DELETE, PATCH, *) |
path_pattern | URL path glob (/api/*, /admin/users/{id}) |
required_roles | User must have at least one of these roles |
required_permissions | User must have at least one of these permissions |
required_groups | User must be in at least one of these groups |
require_mfa | User must have verified MFA in this session |
priority | Higher priority rules are evaluated first |
Service Discovery
The agent automatically discovers what’s running on the host.
Linux (procfs)
Scans /proc/net/tcp and /proc/{pid}/cmdline:
[
{ "port": 3000, "protocol": "tcp", "process_name": "node", "process_cmdline": "node server.js" },
{ "port": 8080, "protocol": "tcp", "process_name": "myapi", "process_cmdline": "./myapi serve" },
{ "port": 5432, "protocol": "tcp", "process_name": "postgres" }
]Kubernetes
Watches the K8s API server:
[
{ "port": 8080, "protocol": "tcp", "k8s_namespace": "default", "k8s_service_name": "patient-api", "k8s_pod_name": "patient-api-7d4f..." },
{ "port": 3000, "protocol": "tcp", "k8s_namespace": "monitoring", "k8s_service_name": "grafana" }
]Services appear in the console with status: unprotected, monitoring, or protected.
API Auto-Discovery
The agent can discover API endpoints by observing traffic patterns:
[
{ "method": "GET", "pattern": "/api/patients", "port": 8080, "hit_count": 1547 },
{ "method": "POST", "pattern": "/api/patients", "port": 8080, "hit_count": 234 },
{ "method": "GET", "pattern": "/api/patients/{id}", "port": 8080, "hit_count": 8921 },
{ "method": "DELETE", "pattern": "/api/patients/{id}", "port": 8080, "hit_count": 12 }
]This helps you write policies — you can see exactly which endpoints exist before protecting them.
Access Logs
Every decision is logged:
{
"agent_id": "agent-uuid",
"service_id": "svc-uuid",
"source_ip": "10.0.1.50",
"destination_port": 8080,
"method": "POST",
"path": "/api/patients/123",
"user_id": "user-uuid",
"user_email": "alice@acme.com",
"roles": ["doctor"],
"decision": "allow",
"decision_reason": "matched rule: POST /api/patients/* requires role doctor",
"policy_id": "policy-uuid",
"rule_id": "rule-uuid",
"latency_us": 45,
"token_cache_hit": true,
"mfa_verified": true,
"timestamp": "2026-03-22T10:30:05Z"
}Query logs via API:
curl "https://api.authfi.app/manage/v1/acme/access/logs?decision=deny&limit=50"
-H "X-API-Key: sk_..."Modes
Monitor Mode
Log all decisions but never block requests. Use this to:
- See who’s accessing what
- Test policies before enforcing
- Discover required permissions
{ "mode": "monitor", "default_action": "allow" }Enforce Mode
Block unauthorized requests. Returns HTTP 401 (no token) or 403 (insufficient permissions).
{ "mode": "enforce", "default_action": "deny" }HTTP Proxy Mode
For environments where eBPF isn’t available (non-Linux, older kernels), the agent can run as an HTTP reverse proxy:
Client → AuthFI Proxy (:9090) → Your App (:8080)The proxy validates the JWT, checks policies, and forwards authorized requests. It also injects the verified user identity as headers:
X-AuthFI-User-ID: user-uuid
X-AuthFI-User-Email: alice@acme.com
X-AuthFI-User-Roles: doctor,adminAgent Config Sync
The agent periodically fetches its config bundle from the control plane:
GET /manage/v1/acme/access/agents/{agentId}/config
If-None-Match: "v1abc..."The bundle includes:
- JWKS — Public keys for JWT verification (cached in kernel eBPF map)
- Policies — All policies with rules for this agent’s services
- Version hash — ETag for efficient polling (304 Not Modified)
Default poll interval: 30 seconds. Config changes propagate to all agents within one poll cycle.
Plan Availability
| Feature | Scale | Enterprise |
|---|---|---|
| Access agents | 3 | Unlimited |
| Protected ports | 10 | Unlimited |
| Access log retention | 14 days | 365 days |
| API auto-discovery | Yes | Yes |
| Monitor mode | Yes | Yes |
| Enforce mode | Yes | Yes |
| HTTP proxy fallback | Yes | Yes |
| Kubernetes discovery | Yes | Yes |
Comparison
| AuthFI eBPF | Istio | Envoy | Nginx Auth | |
|---|---|---|---|---|
| Code changes | None | None | Sidecar config | Auth module |
| Overhead | Kernel-level (~50μs) | Sidecar (~2ms) | Sidecar (~1ms) | In-process |
| Discovery | Automatic | K8s only | Manual | Manual |
| Identity source | AuthFI JWT | mTLS certs | JWT/mTLS | JWT |
| Policy management | Dashboard + API | YAML | YAML | Config files |
| Audit trail | Built-in | External | External | Log parsing |
| Non-K8s support | Yes (VMs, Docker) | No | Partial | Yes |