Zero-credential • Agent-first • TLS 1.3

Secure control plane for agent-managed infrastructure. No passwords. Just signed commands.

Each server is represented by a mutually authenticated agent. Commands are signed over TLS 1.3, verified on-device, and streamed back with full telemetry and audit detail.

Prefer automation? The same actions are available via CLI and REST API with signed envelopes.

mTLS agent connections
Signed command envelopes
Full audit trail

Command Envelope

restart-service

Signed

tenant: acme-prod

targets: web-01, web-02, web-03

signature: SHA256 9c1b...a4

Policy checks

  • ✔ Agent identity validated
  • ✔ Command approved (Operator role)
  • ✔ Audit stream armed

Live Telemetry

CPU: 32% (+2%)

Memory: 58% (-5%)

Latency: 14ms (-1ms)

Control Plane UI

One dashboard to trigger agents and watch telemetry

Log into platform.axinode.com, browse your servers, and trigger actions. The agent handles execution with zero credentials stored, while telemetry and audit logs update in real time.

Trigger commands on Windows or Linux nodes directly from the dashboard—agents execute on your behalf.

Command Builder uses signed envelopes and policy checks before dispatching to agents.

Live telemetry widgets show CPU/memory and agent heartbeat without leaving the UI.

Audit feed records every button click with ProblemDetails IDs for downstream review.


Command Center

Restart IIS on win-iis-01

Signed envelope

Target group

iis-prod

Policy

AllowRestart

Live Output

[win-iis-01] 10:42:01 Restart-WebAppPool DefaultAppPool

[win-iis-02] 10:42:01 Restart-WebAppPool DefaultAppPool

auditId=cmd-01h8zq... • agent=agt_win_02

Dashboard Features

Everything you need in one control plane

From server inventory to audit trails, platform.axinode.com keeps all zero-credential workflows in a single UI.

Servers & Health

Filter Windows and Linux nodes by tags, see heartbeat latency, OS version, and agent status in one table.

Command Center

Build signed envelopes with arguments, preview policy checks, and dispatch commands to groups or single nodes.

Telemetry & Logs

Live CPU/memory charts and streaming logs keep you informed without SSH or RDP.

Audit Trail

Append-only feed with ProblemDetails IDs showing who triggered which action and when agents executed.

Security Baseline

Zero-credential by default

Inbound access is eliminated. Every change flows through signed envelopes, outbound agents, and an append-only audit trail.

Zero Credentials

No SSH keys, root passwords, or shared secrets are stored. Agents only accept signed envelopes bound to their identity.

Signed Commands

Every action is enveloped, signed, and verified on the agent. Tampering attempts fail cryptographically.

Outbound Agents

Agents dial out over TLS 1.3, so you never expose inbound firewall ports. Heartbeats and telemetry stay continuous.

Infrastructure Coverage

One agent covers OS roles and managed services

Install the agent once, then orchestrate Windows Server roles, Linux workloads, and managed services like Elastic, Redis, or CDN edges from the same zero-credential surface.

Windows Server Roles

Manage IIS sites, Windows Services, Event Viewer logs, and PowerShell scripts through the same signed command pipeline.

Linux & Containers

Control systemd units, package updates, and container runtime tasks while streaming journal metrics over gRPC.

Managed Services

Provision and restart Elastic clusters, Redis caches, or CDN edges through agent-run playbooks without leaving the control plane.

Hybrid Topology

Mix on-prem racks and cloud VMs in one tenant. Agents authenticate outbound, so topology doesn’t change your workflow.

CLI & Automation

Automate everything from the same zero-credential surface

Operators can script Windows/Linux actions, bootstrap agents, or drive managed services directly through the CLI. UI and CLI share the exact API contracts, so policies and audit logs remain consistent.

Same REST/gRPC API as the dashboard — zero separate surface to secure.

Login via API tokens with automatic refresh and secure keychain storage.

Structured output: human readable by default, `--json` for pipelines.

Parallel command dispatch with signed envelopes and ProblemDetails errors.

$ axinode auth login --token $AXINODE_TOKEN
$ axinode servers list --json
$ axinode agents exec --group iis-prod "Restart-WebAppPool DefaultAppPool"

Outputs ProblemDetails errors and JSON responses that mirror the HTTP API.

Developer Surface

Versioned REST & gRPC APIs out of the box

Everything you automate via CLI or UI runs on the same HTTP + gRPC contracts. Bring the control plane into CI pipelines, internal portals, or runbooks without custom SDKs.

Versioned REST API at /api/v1 with OpenAPI schema for every endpoint.

ProblemDetails errors and consistent JSON envelopes across UI and CLI.

API tokens scoped by tenant/user; rotate or revoke from UI or CLI.

Agents use gRPC package axinode.agent.v1 over mTLS for heartbeats and commands.

gRPC service: axinode.agent.v1 (mTLS required)

GET /api/v1/servers

{
  "data": [
    {
      "id": "srv_01h8v...",
      "hostName": "win-iis-01",
      "os": "Windows",
      "tags": ["prod", "iis"],
      "lastSeenAt": "2025-11-28T18:02:11Z"
    }
  ],
  "pagination": {
    "page": 1,
    "pageSize": 20,
    "total": 6
  }
}

Errors conform to RFC 7807 ProblemDetails with correlation IDs for audit trails.

Multi-Tenant Control

Tenant isolation, roles, and API tokens by design

Every resource is scoped with TenantId and backed by append-only audit logs. Role tiers keep operators focused while API tokens inherit the same policies.

Tenant metadata, servers, agents, commands, telemetry and audit logs all carry a TenantId. Global filters enforce isolation inside the modular monolith, while audit entries use ProblemDetails correlation IDs.

  • Roles: Owner → Admin → Operator → Viewer with least privilege defaults.
  • API tokens are minted per user & tenant; hashed server-side and revocable anytime.
  • No server credentials stored, so a compromised tenant still can’t expose SSH/RDP secrets.

Tenant: Acme Prod

Role Matrix

Audit ID: LOG-6f32

Owner

Full tenant control, billing, bootstrap tokens

Admin

Manage servers, agents, roles

Operator

Run commands, view telemetry

Viewer

Read-only dashboards and audit trails

POST /api/v1/api-tokens
{
  "name": "CI Deploy",
  "expiresAt": "2025-12-31T00:00:00Z"
}

Response includes hashed token reference only. Raw token shown once and scoped to tenant.
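The token handling described above (raw value shown once, only a hash kept, tenant scope, expiry, revocation), sketched as an added example that is not Axinode's code. SHA-256, the "axn_" prefix, and the TokenRecord, Mint and Check names are assumptions; the page does not name the hash function or token format.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// TokenRecord is what the server keeps: a hash, never the raw token.
type TokenRecord struct {
	Hash      [32]byte
	TenantID  string
	ExpiresAt time.Time
	Revoked   bool
}

// Mint returns the raw token (shown once) and the record to store; "axn_" is a made-up prefix.
func Mint(tenant string, expires time.Time) (string, *TokenRecord) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	raw := "axn_" + hex.EncodeToString(b)
	return raw, &TokenRecord{Hash: sha256.Sum256([]byte(raw)), TenantID: tenant, ExpiresAt: expires}
}

// Check validates a presented token against a stored record for one tenant.
func Check(raw, tenant string, rec *TokenRecord, now time.Time) error {
	h := sha256.Sum256([]byte(raw))
	switch {
	case subtle.ConstantTimeCompare(h[:], rec.Hash[:]) != 1:
		return errors.New("unknown token")
	case rec.Revoked:
		return errors.New("token revoked")
	case !now.Before(rec.ExpiresAt):
		return errors.New("token expired")
	case rec.TenantID != tenant:
		return errors.New("token not valid for tenant")
	}
	return nil
}

func main() {
	raw, rec := Mint("acme-prod", time.Date(2025, 12, 31, 0, 0, 0, 0, time.UTC))
	fmt.Println(Check(raw, "acme-prod", rec, rec.ExpiresAt.Add(-time.Hour)), Check(raw, "acme-prod", rec, rec.ExpiresAt))
}
```

A fast hash is adequate here only because the token is 32 random bytes; a human-chosen secret would need a password-hashing function instead.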

Core Modules

Servers, agents, commands, telemetry, and audit

The modular monolith keeps each responsibility isolated while sharing a single secure control plane.

Servers

Logical nodes with environment, OS, and tags. No credentials stored—only metadata required for grouping and audit scope.

Agents

Identity-per-agent lifecycle with bootstrap tokens, heartbeat tracking, and capability reporting.

Commands

Signed envelopes with execution logs, deterministic fan-out, and policy enforcement per tenant role.

Telemetry

CPU, memory, and latency samples streamed over gRPC, aggregated for dashboards and alerts.

Audit

Append-only records linking every command, actor, and server for compliance-grade traceability.

Lifecycle

Agent-based operations in five steps

From bootstrap token to verified execution, every hop is authenticated, authorized, and recorded.

Step 1

Bootstrap

Tenant operators mint a single-use bootstrap token via the dashboard or CLI.

Step 2

Enroll Agent

Agent generates its own keypair, registers over mTLS, and binds to a server record.

Step 3

Authenticate

Engineers sign in with SSO or API tokens; CLI and UI share the same API surface.

Step 4

Sign & Dispatch

Commands are signed, policy-checked, and queued for the intended agents.

Step 5

Verify & Execute

Agents verify signatures, run locally with least privilege, and stream telemetry + audit logs.
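Steps 4 and 5, together with the claim that agents only accept signed envelopes bound to their identity, sketched as an added example that is not Axinode's code. Ed25519, the JSON encoding, and the Envelope, NewSigner, Sign and VerifyForAgent names are assumptions; the page does not specify the signature scheme or wire format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope mirrors the page's "Command Envelope" card (field names assumed).
type Envelope struct {
	Command string   `json:"command"`
	Tenant  string   `json:"tenant"`
	Targets []string `json:"targets"`
}

// NewSigner returns a control-plane key pair; Ed25519 is an assumption.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Sign serializes the envelope once and signs those exact bytes.
func Sign(e Envelope, priv ed25519.PrivateKey) (payload, sig []byte) {
	payload, _ = json.Marshal(e)
	return payload, ed25519.Sign(priv, payload)
}

// VerifyForAgent checks the signature before parsing, then the binding to this agent.
func VerifyForAgent(payload, sig []byte, pub ed25519.PublicKey, tenant, host string) error {
	var e Envelope
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("signature invalid")
	}
	if err := json.Unmarshal(payload, &e); err != nil || e.Tenant != tenant {
		return errors.New("malformed envelope or wrong tenant")
	}
	for _, t := range e.Targets {
		if t == host {
			return nil
		}
	}
	return errors.New("host not in targets")
}

func main() {
	pub, priv := NewSigner()
	p, s := Sign(Envelope{"restart-service", "acme-prod", []string{"web-01", "web-02"}}, priv)
	fmt.Println(VerifyForAgent(p, s, pub, "acme-prod", "web-02"), VerifyForAgent(p, s, pub, "acme-prod", "db-01"))
}
```

The agent verifies the exact bytes it received rather than re-serializing the parsed envelope, so a validly signed envelope for web-01 cannot be replayed against a host outside its target list.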

UI Trigger

Restart IIS from the dashboard

Signed command

• Button click: “Restart IIS” (Group: iis-prod)

• Policy check: AllowRestart

• Agent output streams back into the UI log

[UI] 10:42:01 user@acme triggered restart

[Agent] win-iis-01 OK • win-iis-02 OK

auditId=cmd-01h9... • zero credentials stored

Bootstrap Snippet

Issue token → register agent → confirm heartbeat

$ axinode agents bootstrap create --server win-iis-01
TOKEN=agt_boot_01H8ZPXND...
$ axinode agent register --token $TOKEN --url https://api.axinode.com

agent[win-iis-01] ▸ online

lastHeartbeat=2025-11-28T18:04:11Z

policy=prod-windows, zero stored credentials

Telemetry & Audit

Observability and auditability built in

Command output, agent heartbeats, and audit logs ride the same data path, giving you a complete forensic view.

Telemetry Snapshot

Live
CPU: 32% (+2%)
Memory: 58% (-5%)
Latency: 14 ms (-1 ms)

agent[web-01] ▸ streaming logs…

cpu=0.32 mem=0.58 disk=0.41 latency=14ms

heartbeat=ok certificate=v3 rotation=2025-11-20

Audit Trail

Append-only records answer who executed what, where, and when in seconds.

10:42:05 ops@tenant.io: Executed run-script on web-west group

10:39:11 system: Agent agt_x8293 rotated certificate

10:33:55 cli-token: Created bootstrap token for db shard

Optional roadmap: anchor log hashes to external chains for tamper evidence.