One binary.
Protects everything.
One DaemonSet or systemd service. eBPF kernel enforcement + WireGuard encrypted mesh + HTTP proxy fallback + auto service discovery + infrastructure audit. Deploy once β it handles the rest.
How it works
Deploy the agent. It discovers your services, observes traffic, learns your API routes. You create policy. eBPF enforces. Five steps. Zero code changes.
Deploy 
One DaemonSet. That's it.
β daemonset.apps/authfi-agent created
β Running on 2/2 nodes
Agent auto-discovers services 
No config needed. Reads /proc/net/tcp on VMs, watches K8s API on clusters.
β admin:3000Β Β Β Β Β Β Β Β (K8s, ayush-admin)
β postgres:5432Β Β Β Β Β (K8s, ayush-infra)
β redis:6379Β Β Β Β Β Β Β Β (Docker container)
Agent observes live traffic
Learns API routes, request patterns, who accesses what.
GETΒ Β /api/patientsΒ Β Β Β Β Β β 847 hits/dayΒ Β (doctors, nurses)
POST /api/prescriptions β 124 hits/dayΒ Β (doctors only)
DELETE /api/recordsΒ Β Β Β Β β 3 hits/dayΒ Β Β Β (admin only)
Create policy
Natural language or manual. Either way, eBPF enforces at kernel level.
β Translates to:
Β Β GETΒ Β /api/patients/*Β Β Β roles: [doctor]
Β Β POST /api/patients/*Β Β Β roles: [doctor]Β Β MFA: required
β eBPF enforces at kernel level, ~45ΞΌs
Protected. Zero code changes.
Your app never sees unauthorized requests. Every decision logged.
What is eBPF? 
eBPF lets you run sandboxed programs inside the Linux kernel. AuthFI uses it to intercept network packets and validate identity before they reach your application β at kernel speed, with zero overhead.
WireGuard Mesh 
Every agent automatically joins an encrypted mesh network. Peer-to-peer WireGuard tunnels between all your hosts β identity-aware, NAT-traversing, no VPN appliance needed.
Encrypted peer-to-peer tunnels
Every agent establishes WireGuard tunnels to every other agent. All inter-service traffic is encrypted end-to-end. No central VPN gateway bottleneck.
node-01 βββWGβββ node-03
node-02 βββWGβββ node-03
// Full mesh. Every link encrypted.
Identity-aware routing
Not just network-level access. The mesh carries identity context β AuthFI JWT claims are available at every hop. Policies follow the user, not the IP.
// roles, groups, MFA status travel with the request
NAT traversal
Works across data centers, cloud regions, and home offices. WireGuard handles NAT punching automatically. No static IPs or port forwarding needed.
No VPN needed
Replace your VPN with identity-aware mesh. Users authenticate with AuthFI β the agent handles the encrypted tunnel. No VPN client, no VPN appliance, no split tunneling headaches.
Infrastructure Audit
The agent continuously audits your infrastructure. Detects misconfigurations, security risks, and compliance violations. Produces a security posture score per host.
K8s Pod Audit
Detects privileged containers, hostNetwork, hostPID, missing resource limits, containers running as root, missing security contexts.
Container Audit
Scans Docker containers for exposed ports, privileged mode, root user, missing health checks, outdated base images, mounted sensitive paths.
VM Process Audit
Lists listening processes, open ports, root services, missing network policies. Identifies unexpected listeners and shadow IT services.
Architecture
Control Plane
AuthFI API manages policies, JWKS keys, and agent configuration. Agents poll for updates using ETags β changes propagate in <30 seconds.
Agent (per host)
Single binary. Discovers services, loads eBPF programs, establishes WireGuard mesh, runs infrastructure audit, syncs policies, reports access decisions. Runs as systemd service or DaemonSet.
eBPF (in kernel)
Sandboxed program in the kernel's network stack. Validates JWT, checks policies, allows or blocks β all before packets reach userspace.
Setup in 3 steps
Install the agent
β Agent installed to /usr/local/bin/authfi-agent
β Systemd service created
$ AUTHFI_TENANT=acme AUTHFI_AGENT_TOKEN=as_xxx authfi-agent
Services auto-discovered
:3000 node admin-panel
:3001 grafana monitoring
:8080 myapi patient-api
:8081 myapi imaging-api
:8082 myapi billing-api
:8888 java jenkins
:5432 postgres database
:6379 redis cache
On Linux: reads /proc/net/tcp. On Kubernetes: watches the K8s API for Services and Pods.
Create a policy
Granular policy control
Route-level rules
Match HTTP method + path pattern. Protect specific endpoints, not just ports.
POST /api/patients/* roles: [doctor]
MFA enforcement per route
Sensitive operations require MFA verification. The JWT must contain mfa_verified: true.
roles: [admin] require_mfa: true
Group-based access
Require group membership. Combined with roles and permissions for fine-grained control.
required_groups: [devops]
Monitor or enforce
Start in monitor mode to observe traffic. Switch to enforce when confident.
mode: enforce β block unauthorized
Monitor first. Enforce when ready.
Monitor Mode
Log all decisions but never block. See who's accessing what before you enforce.
- β See all traffic patterns
- β Discover required permissions
- β Test policies safely
- β Zero risk of breaking production
Enforce Mode
Block unauthorized requests at the kernel. Returns 401/403 before your app sees the request.
- β Unauthorized requests never reach your app
- β MFA enforced per route
- β Every decision logged with latency
- β ~45ΞΌs overhead (kernel-level)
Automatic API discovery
The agent observes traffic and discovers API endpoints automatically. Know exactly which routes exist before writing policies.
Real-time access logs
Every access decision is logged with who, what, when, from where, and how fast.
| TIME | USER | REQUEST | DECISION | LATENCY |
|---|---|---|---|---|
| 10:30:05 | alice@acme.com | GET /api/patients/123 | allow | 45ΞΌs |
| 10:30:06 | alice@acme.com | POST /api/patients/123/notes | allow | 52ΞΌs |
| 10:31:00 | bob@acme.com | DELETE /api/patients/456 | deny | 12ΞΌs |
| 10:31:02 | (no token) | GET /api/patients | deny | 8ΞΌs |
| 10:31:05 | charlie@acme.com | POST /api/admin/settings | deny | 15ΞΌs |
Works everywhere
Linux (eBPF)
Kernel-level interception. ~45ΞΌs latency. Zero overhead. Requires kernel 5.4+.
Kubernetes
DaemonSet deployment. Auto-discovers Services, Pods, Endpoints. Namespace-aware policies.
HTTP Proxy (fallback)
For non-Linux or older kernels. Reverse proxy mode with JWT validation. Injects user headers.
vs. other approaches
| AuthFI Agent |  Istio |  Envoy Sidecar |  Nginx Auth | |
|---|---|---|---|---|
| Code changes | None | None | Sidecar config | Auth module |
| Latency overhead | ~45ΞΌs | ~2ms | ~1ms | ~500ΞΌs |
| Service discovery | Automatic | K8s only | Manual | Manual |
| API discovery | Automatic | β | β | β |
| Identity source | AuthFI JWT | mTLS certs | JWT/mTLS | JWT |
| Policy management | Dashboard + API | YAML | YAML | Config files |
| MFA per route | Yes | β | β | β |
| WireGuard mesh | Built-in | β | β | β |
| Infra audit | Built-in | β | β | β |
| Audit trail | Built-in | External | External | Log parsing |
| Non-K8s support | Yes (VMs, Docker) | No | Partial | Yes |
Related features
Available on Pro and above. See pricing β
One platform. Every identity layer.
Free to start.
Free for 5,000 users. Upgrade when you're ready.
Start building free β