Teleport is an identity-aware access proxy that provides unified, short-lived certificate-based access to infrastructure: SSH servers, Kubernetes clusters, databases, internal web applications, Windows desktops, and cloud provider APIs. It replaces the sprawl of static SSH keys, bastion hosts, VPNs, and per-tool credentials with a single control plane that knows who you are and what you’re allowed to touch.
A Teleport cluster consists of an Auth Service (a certificate authority and policy engine), a Proxy Service (the user-facing entry point that terminates TLS and brokers connections), and Agents that run next to the resources being protected and register themselves with the cluster. Users authenticate via SSO (SAML, OIDC, GitHub) and optional hardware MFA, and the Auth Service issues short-lived X.509 and SSH certificates scoped by role. Every session is recorded and audit-logged; interactive SSH and kubectl sessions can be replayed afterward. Features like Access Requests, Session Moderation, and Device Trust layer zero-trust controls on top of that baseline.
Teleport is used as a common access layer across clouds and on-prem, and integrates with Kubernetes RBAC, AWS IAM, and existing IdPs so permissions remain grounded in the upstream identity provider rather than in Teleport-specific users.
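As an added example (not from this page or the Teleport project), the kind of role resource the Auth Service scopes a user's short-lived certificates by; the role name, label values, and Kubernetes namespace pattern are assumptions:

```yaml
# Added example of a Teleport role resource (assumed names/labels; not from the page).
# The Auth Service issues SSH and X.509 certificates whose permissions are the union
# of the user's roles; everything below narrows what those certificates can reach.
kind: role
version: v7
metadata:
  name: backend-dev
spec:
  options:
    # Ceiling on certificate lifetime for sessions under this role.
    max_session_ttl: 8h
    # Re-prompt for hardware MFA when a session starts, not only at login.
    require_session_mfa: true
    # Only enrolled, trusted devices may use this role (Device Trust).
    device_trust_mode: required
  allow:
    # OS logins the SSH certificate may carry; no shared root login.
    logins: ['{{internal.logins}}', 'app']
    # Agents label the resources they register; access is granted by label, not hostname.
    node_labels:
      env: ['dev', 'staging']
      team: ['backend']
    # Mapped onto Kubernetes RBAC: the certificate carries these groups, not cluster-admin.
    kubernetes_groups: ['view']
    kubernetes_labels:
      env: ['dev', 'staging']
    kubernetes_resources:
      - kind: pod
        namespace: 'backend-*'
        name: '*'
        verbs: ['get', 'list', 'watch', 'exec']
    # Production is reachable only through an approved Access Request.
    request:
      roles: ['backend-prod']
      thresholds:
        - approve: 2
  deny:
    # Deny rules take precedence over allow rules, so prod is never reachable directly.
    node_labels:
      env: ['prod']
```

Every session opened under this role is still recorded and audit-logged; the role only decides what the certificate may reach, not whether it is observed.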