Skip to content
Minh Tu Le edited this page May 6, 2026 · 9 revisions

Twingate Gateway

The Gateway is part of Twingate Identity Firewall, which extends Zero Trust and Privileged Access Management controls to every user, resource, and agent in your organization. The Gateway is an open-source Layer 7 reverse proxy deployed within your environment that enables identity propagation and comprehensive auditing.

The Gateway extends your existing Twingate deployment, leveraging private networking to keep infrastructure hidden from the public internet. Access policies are defined using identity, device posture, and other contextual signals, providing a flexible and extensible foundation for access control.

Key Benefits

  • Seamless Identity Propagation: Twingate passes user identity through to upstream services (e.g., Kubernetes API servers, SSH servers, web applications), eliminating double authentication and removing the need for plaintext credentials stored on end-user machines.
  • Compliance-Ready Auditing: All user activity is logged and attributed to specific identities, with session recording and replay for forensic review and compliance requirements.
  • Simplified Policy Management: A unified policy engine governs both network and application access, reducing management overhead and eliminating credential sprawl.

Supported Protocols

Kubernetes

Secure access to private Kubernetes clusters with identity propagation, RBAC integration, and session recording for kubectl commands.

SSH

Secure access to SSH servers with identity propagation, session recording, and support for shell, exec, SFTP, and port forwarding.

Web App (Coming Soon)

Secure access to web applications with identity-aware reverse proxying.

Database (Coming Soon)

Secure access to databases such as PostgreSQL and MySQL with identity propagation.

How It Works

See How It Works for a detailed architecture overview.

Auditing & Session Recording

Unlike other Twingate components, the Gateway is completely isolated within your environment. Its only external communication is fetching Twingate's public key for identity verification. All audit logs and session recordings stay entirely within your infrastructure and are never uploaded to Twingate. Logs are exported to stdout and can be streamed to your preferred SIEM or storage solution.

Session recordings are captured in Asciicast v2 format and can be replayed via the Twingate Asciicast web player at https://www.twingate.com/sessionplayer.

Clone this wiki locally