Out-of-the-box Access Gateway

Out-of-the-box
access gateway

With very little configuration, turn Coolify, OpenClaw, Hermes Agent, admin panels, and private services into protected HTTPS domain entrypoints. Warded combines login, access tokens, SSL, and reverse proxying at your server edge, with traffic going directly to your server instead of through a tunnel or relay.

Protect a service
https://admin.example.com Login required Token access enabled
Run on your server
$ warded ingress new --commit
$ warded ingress status
$ warded ingress proxy run

USE CASES

Protect the entrypoints you actually expose

Warded fits self-hosted services that need an identity boundary without requiring a full enterprise access platform.

Self-hosted platforms

Coolify, Dokploy, Portainer, CapRover, and other management panels.

Internal tools

Admin, BI, webhook consoles, operations dashboards, and private APIs.

Agent services

OpenClaw, Hermes Agent, agent dashboards, and automation control planes.

Automated access

CI, scripts, Prometheus, and bots using revocable Ingress Access Tokens.

WORKFLOW

One runtime takes over the access boundary

01

Enroll the Node

Authorize the machine once and bind it to the Organization that owns its resources.

Entrypoint config
admin.example.com → 127.0.0.1:3000
$ warded node enroll
✓ Device authorization complete
✓ Node credential stored
02

Create an ingress

Validate the domain, upstream, quota, and public entrypoint, then create the Ingress directly.

$ warded ingress new
$ warded ingress new --commit
✓ Ingress created in Organization quota
03

Start the gateway

warded ingress proxy run takes over HTTPS, login, token checks, and reverse proxying, then keeps state synced through heartbeats.

Local runtime
$ warded ingress proxy run
Serving https://a1b2c3d4.warded.me
Login and token checks enabled

WHY WARDED

Complete identity boundaries with lower configuration cost

Warded sits between a bare reverse proxy and a heavy enterprise access platform: close to an IdP + IAP + certificates + proxy stack, but with a more direct setup flow.

Warded

  • One CLI and one local runtime
  • Priced by ingress and service boundary, not by seat count
  • HTTPS, login, access tokens, and reverse proxying built in

Traditional choices

  • ×Bare reverse proxies forward traffic but lack a unified identity boundary
  • ×Enterprise access platforms can be heavy in deployment, policy, and SSO setup
  • ×Tunnels and VPNs change the traffic path or require client-side networking

DIRECT TO SERVER

Not a tunnel, not a VPN, not temporary exposure

Warded does not relay your traffic or require visitors to join a private network. DNS points to your server, HTTPS requests reach your entrypoint directly, and the local Warded runtime decides who can continue upstream.

Traffic path
Visitor
your domain
your server
Warded runtime
upstream app
127.0.0.1:3000

Direct traffic path

Public traffic goes directly to your server without passing through a Warded relay.

Own your domain

Use a platform subdomain or your own domain. The entrypoint is a normal HTTPS URL.

No client network

Visitors do not install a VPN, join a Tailnet, or use a temporary tunnel URL.

CAPABILITIES

Less configuration, no missing pieces

IdP, IAP, HTTPS, access tokens, reverse proxying, and runtime state sync at each service boundary.

HTTPS by default

Platform subdomains use managed certificates. Custom domains support automatic certificates, so every entrypoint is a standard HTTPS URL.

Browser login

Human users sign in before reaching the upstream service, instead of exposing admin surfaces behind a bare reverse proxy.

Ingress Access Token

Scripts, CI, monitoring, and agents use revocable access tokens for automated workload access.

Behind-proxy mode

Run Warded behind your existing Caddy, Traefik, or Nginx setup without replacing your public entry architecture.

Multi-ingress shared listener

Multiple ingresses on one machine can share the same entry port while staying isolated by Host and SNI.

Explicit auth bypass

Webhook and callback paths must be explicitly allowlisted. There are no default bypasses.

PRICING

Simple, Transparent Pricing

Choose an Organization plan based on the capacity and features your team needs.

Starter

The simplest protected HTTPS domain entrypoint

$3/ month
  • 1 random subdomain (xxxx.warded.me)
  • 1 upstream port mapping
  • GitHub & Google login
  • Organization-scoped quota
RECOMMENDED

Pro

For production nodes and custom domains

$6/ month
  • Custom subdomain or bring your own domain
  • 1 upstream port mapping
  • GitHub, Google & Email login
  • Organization-scoped quota
  • Priority support

All plans include automatic HTTPS, built-in authentication, and webhook bypass support.

Organization subscriptions renew automatically until canceled. Payments are processed by Paddle (Merchant of Record).

By clicking the button, you agree to our Terms, Privacy, Refunds and Billing.