Warded Identity Access Gateway
Warded is an out-of-the-box identity access gateway for AI Agent management surfaces.
It gives OpenClaw Control UI, Hermes Agent Dashboard, and similar Agent tools a protected HTTPS entrypoint with browser login, workload access tokens, TLS termination, and a local reverse proxy in one operating path.
AI Agent tools increasingly run on cloud servers and expose management surfaces that were not designed to be public. A single shared token or an unprotected dashboard is not a reliable security boundary once the service is reachable from the internet. Warded puts identity, access control, and HTTPS in front of that surface without asking you to assemble DNS, TLS, OAuth, session handling, and reverse proxy rules by hand.
Why Choose Warded
Built for AI Agent tools
Warded is not a generic gateway renamed for Agents. It is built around the way OpenClaw, Hermes Agent, Agent dashboards, bot control panels, and similar management surfaces are actually deployed: one cloud server, one sensitive entrypoint, and a small number of humans or workloads that need controlled access.
Out-of-the-box protected HTTPS entrypoint
Warded combines domain setup, TLS termination, browser-based login, and reverse proxying into one path. Instead of stitching together a DNS provider, certificate automation, OAuth callbacks, cookie sessions, and a proxy config, you create a ward, claim it in the browser, and serve the protected entrypoint from the CLI.
One ward, one clear boundary
One ward maps to one domain and one local upstream port. That keeps the security boundary, billing unit, activation state, and operational status easy to reason about. If you need to protect another domain or another management surface, create another ward instead of hiding unrelated services behind path routing.
Human + workload access
Browser users access the protected service through Warded login and local session cookies. Agent, Bot, CI, monitoring, and automation clients can use Ward Access Tokens. This keeps human access and workload access in the same product boundary without forcing every client into the same authentication shape.
Keeps your traffic direct
Warded manages the control plane, ward lifecycle, identity state, and the local proxy runtime. Customer application traffic goes directly to your server and through your local Warded process. Warded does not relay or host your protected service traffic.
What Warded Is Not
Warded is not a tunnel, NAT traversal service, frp replacement, or Tailscale replacement. Your protected service still runs on your server, and traffic is not relayed through Warded infrastructure.
Warded is not a generic multi-service API gateway. The current product boundary is one ward for one protected management entrypoint, not a general path router for many unrelated services.
Warded is not a general-purpose human identity provider. It consumes supported login providers for owner and browser access flows, while Ward Access Tokens cover workload access to a protected ward.
Warded is not a traffic hosting platform. It provides lifecycle, identity, domain, TLS, and local proxy control for a protected entrypoint; it does not take ownership of your application runtime.
Start Here
- Getting started: create a ward, claim it in the browser, and serve your first protected HTTPS entrypoint.
- What Warded protects: understand the product boundary before exposing an OpenClaw Control UI or another Agent management surface.
- Tutorial: OpenClaw Control UI: protect an OpenClaw Control UI step by step.
- Tutorial: Hermes Agent Dashboard: protect a Hermes Agent Dashboard step by step.
Product Boundary
Warded protects one Agent management entrypoint per ward. One ward maps to one domain and one local upstream port.
The current product focuses on Warded Ingress: a protected browser and workload access boundary in front of an existing Agent UI or dashboard. Multi-domain deployments use multiple wards.
How It Works
Warded CLI
The CLI runs on your server. It terminates TLS, handles authentication middleware, validates local sessions and Ward Access Tokens, and proxies authenticated traffic to the configured upstream.
Warded Platform
The platform manages ward lifecycle, identity, domain ownership, TLS material, and billing state. It is the source of truth for whether a ward can be activated and served.
Warded Website
The website provides claim, account, ward detail, and billing flows for human owners.
Once the ward is active, the owner and approved clients use the protected domain as the stable entrypoint for the Agent management surface.