PRODUCT · IDENTITY & ACCESS

SSO, mTLS, JWT — without writing auth code.

Plug any OIDC, SAML or mTLS provider in front of any tunnel in three lines. t-Gates validates tokens, refreshes sessions, and forwards verified identity claims to your origin.

Add your IdP Provider catalog →

Live in 38 regions · 99.99% uptime · SOC 2 Type II

40+

IdP integrations

OIDC, SAML, LDAP, SCIM

0.8ms

Token validation

p99 added latency

256-bit

mTLS everywhere

Edge to origin & client

SOC 2

Type II audited

Annual + penetration test

OIDC + SAML

Bring your existing identity provider — no changes required.

Wire up Okta, Azure AD, Google, Auth0, JumpCloud or any OIDC/SAML 2.0 provider. t-Gates handles the discovery dance, key rotation, and JWKS caching. Your users keep their existing SSO experience.

✓
Auto-discoveryPoint at the issuer URL. We pull config + JWKS automatically.
✓
Group-based accessMap IdP groups to tunnels with one declarative rule.
✓
JIT provisioning + SCIMUsers appear in t-Gates the moment they're added in your IdP.

Okta

Azure AD

Google

Auth0

GitHub

JumpCloud

Keycloak

OneLogin

PingID

MUTUAL TLS

Service-to-service auth without a sidecar mesh.

Issue short-lived workload certificates. Rotate them every 24 hours. Verify them at the edge. t-Gates runs a fully-managed PKI so you don't have to operate cert-manager, Vault PKI, or Istio Citadel.

✓
SPIFFE-compliant IDsWorkload identities follow the SPIFFE spec — interoperable with Istio, Linkerd.
✓
Auto rotationCerts rotate every 24h. Roots every 90 days. Zero downtime.
✓
CRL + OCSP staplingRevocation propagates globally in under 4 seconds.

// workload-cert.json

{

"spiffe_id": "spiffe://t.gate/sa/api",

"valid_for": "24h",

"rotation": "automatic",

"trust_domain": "prod.t.gate"

}

✓ Issued · expires in 23h 47m

STOP WRITING AUTH

Delete your auth middleware.

Every framework has its own. Every framework has its own bugs. Push it to the edge and your origin code shrinks.

BEFOREapp.ts

import jwt from 'jsonwebtoken';
import { jwksClient } from 'jwks-rsa';

const client = jwksClient({
  jwksUri: 'https://auth/.well-known/jwks.json',
  cache: true, rateLimit: true,
});

app.use(async (req, res, next) => {
  const token = req.headers.authorization?.split(' ')[1];
  if (!token) return res.sendStatus(401);
  try {
    const { kid } = jwt.decode(token, { complete: true }).header;
    const key = await client.getSigningKey(kid);
    const claims = jwt.verify(token, key.getPublicKey());
    req.user = claims;
    next();
  } catch { res.sendStatus(401); }
});

Plus refresh handling, leeway, blacklist, audience checks…

AFTERpolicy.tg + app.ts

# policy.tg
route "/*" {
  auth = oidc("auth.t.gate")
}

// app.ts — that's it
app.get('/', (req, res) => {
  res.json({ user: req.headers['x-tg-user'] });
});

Verified claims arrive as headers. App stays focused on business logic.

EVERYTHING INCLUDED

Auth that actually covers the edge cases.

Refresh, revocation, device trust, step-up — all of it built in.

🔄

Token refresh

Silent refresh handled at edge. Origins see a valid token always.

refresh = silent

📵

Step-up auth

Trigger MFA challenges for sensitive routes mid-session.

step_up = mfa_required

🚫

Session revoke

Kill all sessions for a user globally in under 2s.

tgate session revoke

🖥️

Device posture

Block requests from devices missing your CrowdStrike beacon.

device.compliant = true

🪪

Just-in-time access

Time-boxed elevated tokens approved via Slack.

elevate for 30m

🔍

Audit log

Every authn/authz decision logged with full context.

audit_log = retained_1y

We had eleven different auth implementations across our services. Every team rolled their own. Moving auth to t-Gates's edge let us delete a year's worth of duplicated code in two sprints — and our SOC 2 auditor was thrilled.

Daniela Rocha

VP Security · Forge Industries

11 → 1

AUTH IMPLEMENTATIONS

Move auth out of your apps.

One config replaces a dozen middleware libraries. Your engineers stop debugging JWT clock skew.

Start free→Provider catalog →

No card required · Free for 7 days · Cancel anytime