Out-of-the-box Access Gateway

Out-of-the-box
access gateway

With very little configuration, turn Coolify, OpenClaw, Hermes Agent, admin panels, and private services into protected HTTPS domain entrypoints. Warded combines login, access tokens, SSL, and reverse proxying at your server edge, with traffic going directly to your server instead of through a tunnel or relay.

Protect a service
https://admin.example.com Login required Token access enabled
Run on your server
$ warded new --commit
$ warded status
$ warded serve

USE CASES

Protect the entrypoints you actually expose

Warded fits self-hosted services that need an identity boundary without requiring a full enterprise access platform.

Self-hosted platforms

Coolify, Dokploy, Portainer, CapRover, and other management panels.

Internal tools

Admin, BI, webhook consoles, operations dashboards, and private APIs.

Agent services

OpenClaw, Hermes Agent, agent dashboards, and automation control planes.

Automated access

CI, scripts, Prometheus, and bots using revocable Ward Access Tokens.

WORKFLOW

One runtime takes over the access boundary

01

Create a ward

Run warded new --commit on the server to validate the domain, port, and public entrypoint.

Entrypoint config
admin.example.com → 127.0.0.1:3000
$ warded new
$ warded new --commit
✓ Entry probe passed
✓ Setup link created
Visit: warded.me/activate/x7k9m2
02

Claim it in the browser

Open the setup link, sign in, confirm that you own the service, and choose trial or payment.

1
Sign In
2
Claim
3
Trial / Payment
03

Start the gateway

warded serve takes over HTTPS, login, token checks, and reverse proxying, then keeps state synced through heartbeats.

Local runtime
$ warded serve
Serving https://a1b2c3d4.warded.me
Login and token checks enabled

WHY WARDED

Complete identity boundaries with lower configuration cost

Warded sits between a bare reverse proxy and a heavy enterprise access platform: close to an IdP + IAP + certificates + proxy stack, but with a more direct setup flow.

Warded

  • One CLI and one local runtime
  • Priced by ward and service boundary, not by seat count
  • HTTPS, login, access tokens, and reverse proxying built in

Traditional choices

  • ×Bare reverse proxies forward traffic but lack a unified identity boundary
  • ×Enterprise access platforms can be heavy in deployment, policy, and SSO setup
  • ×Tunnels and VPNs change the traffic path or require client-side networking

DIRECT TO SERVER

Not a tunnel, not a VPN, not temporary exposure

Warded does not relay your traffic or require visitors to join a private network. DNS points to your server, HTTPS requests reach your entrypoint directly, and the local Warded runtime decides who can continue upstream.

Traffic path
Visitor
your domain
your server
Warded runtime
upstream app
127.0.0.1:3000

Direct traffic path

Public traffic goes directly to your server without passing through a Warded relay.

Own your domain

Use a platform subdomain or your own domain. The entrypoint is a normal HTTPS URL.

No client network

Visitors do not install a VPN, join a Tailnet, or use a temporary tunnel URL.

CAPABILITIES

Less configuration, no missing pieces

IdP, IAP, HTTPS, access tokens, reverse proxying, and runtime state sync at each service boundary.

HTTPS by default

Platform subdomains use managed certificates. Custom domains support automatic certificates, so every entrypoint is a standard HTTPS URL.

Browser login

Human users sign in before reaching the upstream service, instead of exposing admin surfaces behind a bare reverse proxy.

Ward Access Token

Scripts, CI, monitoring, and agents use revocable access tokens for automated workload access.

Behind-proxy mode

Run Warded behind your existing Caddy, Traefik, or Nginx setup without replacing your public entry architecture.

Multi-ward shared listener

Multiple wards on one machine can share the same entry port while staying isolated by Host and SNI.

Explicit auth bypass

Webhook and callback paths must be explicitly allowlisted. There are no default bypasses.

PRICING

Simple, Transparent Pricing

No hidden fees. No surprise charges. Pay only for what you use.

Starter

The simplest protected HTTPS domain entrypoint

$3/ month
  • 1 random subdomain (xxxx.warded.me)
  • 1 upstream port mapping
  • GitHub & Google login
  • Free trial (72h for monthly, 14d for yearly)
RECOMMENDED

Pro

For production nodes and custom domains

$6/ month
  • Custom subdomain or bring your own domain
  • 1 upstream port mapping
  • GitHub, Google & Email login
  • Free trial (72h for monthly, 14d for yearly)
  • Priority support

All plans include automatic HTTPS, built-in authentication, and webhook bypass support.

Manual renewal only. No refunds. Payments processed by Paddle (Merchant of Record).

By clicking the button, you agree to our Terms, Privacy, Refunds and Billing.