Bastion
Self-hosted access control — auth, MFA, sessions, and audit logs, with zero third-party access to your data.
Dashboard
Overview of your identity infrastructure
Total Users
2,847
+12Active Sessions
143
-8Policies Enforced
24
+2Events (24h)
8,392
+18%Auth Methods
Detailstotal
Active Sessions
Managealice@corp.com
Chrome / macOS · 10.0.1.42
bob@corp.com
Firefox / Linux · 10.0.1.87
carol@corp.com
Safari / iOS · 203.0.113.42
dave@corp.com
Edge / Windows · 10.0.2.15
Access Decisions (24h)
DetailsMFA Enrollment
Configure2,220 enrolled
627 not enrolled
+5.2% this week
WhatItdoes.
Identity & Access
JWT access and refresh tokens with secure cookie handling. Google and GitHub OAuth with org-lvl policy enforcement — admins can mandate a single identity provider org-wide.
Access Rules
Dynamic RBAC across users, roles, groups, and policies — explicit DENY always wins. Simulate a policy or check per-user effective permissions before it ships.
Stay Verified
TOTP with backup codes and step-up reauth on sensitive actions. Live session viewer with per-session or bulk revocation.
Every Action, Logged
Centralized audit logs — filterable, exportable, streamed, with security alerts. Runs on your infrastructure, no third-party dependency.
Thenewwaytocontrolaccess.
Continuous Integration
Every change proves itself before it ships — linting, unit tests, security scans, and reproducible builds, producing a signed, hardened image only if all of it passes.
Learn more →Continuous Deployment / GitOps
Merging to main resolves the new image SHA, patches it into the Kustomize overlays, and auto-merges via bot PR. ArgoCD reconciles the cluster to match — no manual apply.
Learn more →Boot sequence
Init containers enforce order: DB check, then prisma-migrate, then backend, frontend, and security-engine pods — so nothing boots against a database that isn't ready.
Learn more →Modelthatwatchesitself.
Model Retraining
The model retrains daily using recent activity through a Kubernetes CronJob and hot-swaps updates without restarting the service.
Learn more →Risk Evaluation
An Isolation Forest model scores every request on login history, action, and timing. High risk or rate-limit triggers step-up — password or MFA — before access is granted.
Learn more →Resilient Fallback
Authentication defaults to neutral/low and keeps running. Account lock, rate limits, session checks, and IP blocking stay active independently.
Learn more →Zerotrust,enforcedautomatically.
Nothing connects without permission.
Every request is checked against policy first — deny by default.
Only the access it needs.
Workloads get scoped to what their job requires — nothing assumed.
Trust is never permanent.
Sessions are re-verified continuously across every device.