Identity at the kernel.
Zero code changes.
eBPF intercepts HTTP traffic at the kernel. Validates JWT, checks roles, enforces MFA per route. ~45us overhead. No sidecars, no proxies.
Available on Pro and above.
Agent dashboard
See every service, every node, every request decision in real-time.
Policy enforcement at the kernel
Route-level rules
Match HTTP method + path. Protect specific endpoints.
GET /api/patients/* roles: [doctor, nurse]
POST /api/patients/* roles: [doctor]
MFA per route
Sensitive ops require mfa_verified: true in the JWT.
DELETE /api/patients/:id roles: [admin] require_mfa: true
Group-based access
Require group membership for deployment endpoints.
POST /api/deploy/* required_groups: [devops]
Monitor or enforce
Start in monitor mode, switch to enforce when ready.
mode: monitor -> log only
mode: enforce -> block unauthorized
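The decision logic those rules describe, as an added user-space sketch in Python (not AuthFI's code, and not how the eBPF program is implemented). Assumptions: the claim names `roles` and `groups`, the dict layout, `*` matching the rest of the path and `:id` matching one segment, first matching rule wins, unmatched routes pass, and claims arrive already signature-verified.

```python
import re

# Rules copied from the page; the dict layout is an assumption of this example.
RULES = [
    {"method": "GET", "path": "/api/patients/*", "roles": ["doctor", "nurse"]},
    {"method": "POST", "path": "/api/patients/*", "roles": ["doctor"]},
    {"method": "DELETE", "path": "/api/patients/:id", "roles": ["admin"], "require_mfa": True},
    {"method": "POST", "path": "/api/deploy/*", "required_groups": ["devops"]},
]

def _compile(pattern):
    # Assumed semantics: '*' matches the rest of the path, ':name' one segment.
    parts = []
    for seg in pattern.strip("/").split("/"):
        if seg == "*":
            parts.append(".*")
        elif seg.startswith(":"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("/" + "/".join(parts))

def decide(method, path, claims, mode="enforce"):
    """Return (action, reason); claims are assumed already signature-verified."""
    path = path.split("?", 1)[0]  # match on the path only, not the query string
    for rule in RULES:
        if rule["method"] != method.upper() or not _compile(rule["path"]).fullmatch(path):
            continue
        reason = None
        if "roles" in rule and not set(rule["roles"]) & set(claims.get("roles", [])):
            reason = "missing role"
        elif "required_groups" in rule and not set(rule["required_groups"]) <= set(claims.get("groups", [])):
            reason = "missing group"
        elif rule.get("require_mfa") and claims.get("mfa_verified") is not True:
            # Strict boolean check: the string "true" does not satisfy the rule.
            reason = "mfa required"
        if reason is None:
            return ("allow", "ok")
        # Monitor mode records the violation but lets the request through.
        return ("block" if mode == "enforce" else "log", reason)
    return ("allow", "no rule")  # assumption: unmatched routes are not protected
```

This sketch does not normalize paths (`..` segments, percent-encoding), so a real enforcement point has to canonicalize the path before matching or a rule can be sidestepped.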
WireGuard mesh networking
Peer-to-peer encrypted tunnels between nodes. Identity-aware routing. No VPN gateway bottleneck.
Encrypted tunnels
WireGuard between every node pair. ChaCha20-Poly1305. ~1ms overhead.
Identity routing
eBPF enforces identity on every packet traversing the mesh. No anonymous traffic.
Auto discovery
New nodes join the mesh automatically. Key exchange via AuthFI control plane.
vs. sidecars and proxies
| Feature | AuthFI | Istio | Envoy |
|---|---|---|---|
| Latency | ~45us | ~2ms | ~1ms |
| Code changes | None | None | Sidecar config |
| MFA per route | Yes | -- | -- |
| WireGuard mesh | Built-in | -- | -- |
| Policy mgmt | Dashboard + API | YAML | YAML |
Free for 5,000 monthly active users. No credit card required.