Access any machine securely, without opening a port.
No VPN. No inbound firewall rules. No client software.
Install a lightweight agent on any machine — behind NAT, a home router, or CG-NAT — and get a full SSH terminal, an SFTP file browser, and browser access to its local HTTP services, relayed securely to any web browser. The agent only ever dials out.
The agent calls out to the relay and holds the connection open. Your browser talks to the relay too — it matches the two up and forwards traffic between them.
Any device, any OS. Opens a WebSocket to the relay — no client software to install.
Authenticated proxy that looks up which node you're targeting and forwards framed traffic to it.
A small binary on the target machine. Dials out only — never accepts an inbound connection.
SSH, SFTP, or a local HTTP service (Grafana, an admin panel, an API) — never exposed publicly.
A full xterm.js terminal over a real SSH session, plus a visual SFTP file browser — no client install
Terminal, files, and internal web services — all through the same secure tunnel
A real xterm.js terminal backed by a real SSH session — PTY allocation, window resize, paste, the works. The agent opens the SSH connection locally via a pure-Rust SSH implementation and streams it back over the relay.
Browse, upload, and download files over the same tunnel. Transfers are chunked in both directions, so large files and slow links don't block the connection.
Open a dashboard, admin panel, or internal API running on a node directly in your browser — streamed through the relay, with no extra reverse proxy and no public DNS record pointing at it.
See every connected node, its last-seen heartbeat, and its status in one place. Revoke a node's access instantly — it can't reconnect without re-enrolling.
Every credential in the system is short-lived, cryptographically bound to the node, and can be revoked instantly
The agent makes a single outbound WebSocket connection and holds it open. Nothing listens for inbound traffic on the machine it runs on.
A scoped Personal Access Token registers the node exactly once. After that, the token is never used again.
Each agent generates its own keypair on first run. The private key never leaves the device; the public key becomes its permanent identity.
Every reconnect goes through a fresh challenge-sign-verify exchange and gets a JWT that expires in minutes, not days.
Any team that manages private infrastructure and can't open inbound ports
Shell access to a server fleet without keeping port 22 open to the internet.
Reach a Pi or NAS behind CG-NAT with no static IP, no port forwarding, no DDNS.
Onboard a client machine without asking anyone to touch a firewall rule.
Give students access to shared lab servers without handing out network changes.
Jump onto a customer's or colleague's machine for a session, then walk away — nothing left listening.
Phirepass is purpose-built for reaching private machines. No bloated features, no complex identity management — just fast, secure access to SSH, SFTP, and local HTTP services.
Install the agent, connect your node, and access it from any browser in minutes.