Teleport

Infrastructure access platform providing zero-trust privileged access management (PAM) for SSH, Kubernetes, databases, Windows desktops, and web applications. Teleport replaces VPN + bastion hosts with certificate-based, identity-verified access that is fully audited. REST API and tctl CLI enable programmatic access management — creating users, tokens, roles, and audit log queries. Widely used for agent access to infrastructure without long-lived credentials.

Evaluated Mar 06, 2026 (0d ago) v15+
Homepage ↗ Repo ↗ Security zero-trust ssh kubernetes database infrastructure-access privileged-access pam open-source
⚙ Agent Friendliness
59
/ 100
Can an agent use this?
🔒 Security
93
/ 100
Is it safe for agents?
⚡ Reliability
84
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
85
Error Messages
80
Auth Simplicity
72
Rate Limits
75

🔒 Security

TLS Enforcement
100
Auth Strength
95
Scope Granularity
90
Dep. Hygiene
88
Secret Handling
92

SOC2 Type II, FedRAMP, ISO 27001. Certificate-based auth eliminates long-lived passwords/keys. Full session recording for compliance. Hardware key support (YubiKey). Role-based access with fine-grained conditions. Open source for auditability. No standing access — all access time-limited.

⚡ Reliability

Uptime/SLA
88
Version Stability
85
Breaking Changes
80
Error Recovery
85
AF Security Reliability

Best When

You need audited, zero-trust access to infrastructure for both humans and automated agents, replacing VPN + bastion hosts + static SSH keys.

Avoid When

You need application SSO or user authentication — Teleport solves infrastructure access, not end-user authentication.

Use Cases

  • Provide agents secure, time-limited access to production infrastructure (SSH, K8s, databases) without storing long-lived SSH keys or database passwords
  • Audit all agent infrastructure access via Teleport's session recordings and audit logs — every command executed by agents is captured and queryable via REST API
  • Issue short-lived certificates for agent machine identity via Teleport's machine ID (bot) feature — agents get ephemeral, role-limited credentials automatically rotated
  • Implement just-in-time access for agents to sensitive systems via Teleport's access request workflow — agents request elevated access, humans approve, access expires automatically
  • Manage Kubernetes RBAC for agent workloads via Teleport's K8s integration — agents access cluster resources with Teleport-issued, short-lived kubeconfig credentials

Not For

  • Application-layer user authentication — Teleport is for infrastructure access (SSH, K8s, DBs), not web application SSO; use Okta, Auth0, or Casdoor for app auth
  • Small teams with simple SSH needs — Teleport's operational complexity is significant; simple SSH with key management may suffice for small teams
  • Non-technical users — Teleport's value is infrastructure access; non-engineers don't interact with SSH or databases in ways Teleport manages

Interface

REST API
Yes
GraphQL
No
gRPC
Yes
MCP Server
No
SDK
Yes
Webhooks
No
OpenAPI Spec ↗

Authentication

Methods: bearer_token oauth2 x509
OAuth: Yes Scopes: Yes

Teleport uses short-lived X.509 certificates for all access. Users authenticate via SSO (OIDC/SAML) and receive time-limited certificates. Machine ID (bots) use join tokens and certificate renewal. API uses bearer tokens issued by tctl. RBAC with role inheritance.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Apache 2.0 open source. Community edition has node limits but is fully functional. Teleport Cloud adds managed infrastructure. Enterprise adds Access Requests workflow, Access Monitoring, and compliance features. Widely used at scale.

Agent Metadata

Pagination
cursor
Idempotent
Partial
Retry Guidance
Documented

Known Gotchas

  • Machine ID (tbot) for agent access requires the bot to be running continuously for certificate renewal — if tbot stops, agent certificates expire and access fails; ensure tbot process lifecycle management
  • Short-lived certificates (default 12 hours) mean agent systems must handle re-authentication — build credential refresh into agent infrastructure rather than assuming long-lived credentials
  • Teleport's audit events API has specific event types and JSON schemas that differ between versions — pin Teleport version when building audit log parsers to avoid schema breakage
  • Node registration (adding servers to Teleport) requires bidirectional network connectivity to the Teleport proxy — agents in private networks must configure reverse tunnels for proxy connectivity
  • Role condition expressions use Teleport-specific predicate syntax — LLM-generated role conditions may have syntax errors; always validate with `tctl auth sign` before deployment
  • Database access through Teleport requires a Teleport database agent running alongside the database — additional infrastructure component that must be deployed and maintained
  • Teleport's Community edition node limit (5 free nodes) may force upgrades sooner than expected for agent-heavy deployments; plan for licensing costs when scaling

Alternatives

pomerium-api boundary-api strongdm-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Teleport.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5215
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered