Kandaga
Multi-tenant SSH vault & client

Your team's servers, safely at hand.

Kandaga stores your hosts and SSH credentials in an encrypted, team-scoped vault — then connects through a secure server-side relay. Terminal, SFTP and port forwarding, without your secrets ever leaving the server.

Get started — it's freeSee features

Everything you need to reach your fleet

A credential vault and an SSH client in one — built for teams that care where their secrets live.

Encrypted credential vault

SSH keys, passwords and certificates are encrypted at rest. The API exposes only metadata and presence flags — secrets are never serialized back to a client.

Terminal, SFTP & port forwarding

Open an interactive shell, browse and transfer files between hosts, or tunnel a TCP service — all relayed by the server so credentials stay put.

Teams & organizations

Scope every host and keychain to an organization. Invite members, assign owner / admin / member roles, and keep personal and team resources separate.

Snippets & host groups

Save commands you run often and organise hosts into nested categories, so the right server is always one tap away.

Host-key trust on first use

The first successful connection pins the host's fingerprint; later connections are refused on a mismatch, flagging a possible man-in-the-middle.

Works on mobile and the web

A native mobile client today, with the same vault and relay behind it — sign up once and your hosts are everywhere you are.

Security first

Built so your secrets stay yours

Encrypted at rest

Secret fields are sealed with Fernet (AES) symmetric encryption and support key rotation. Lose the database and the secrets stay unreadable.

Secrets never leave the server

The relay opens SSH server-side and streams only bytes to your device — the private key or password is never sent to the client.

JWT authentication

Short-lived access tokens with refresh rotation guard every request, and every WebSocket relay session is authenticated at the handshake.

Egress controls

Outbound SSH can be restricted to an allowlist and blocked from private networks, mitigating SSRF, with per-user session caps and idle timeouts.

Create your vault in under a minute

Sign up to get a personal organization instantly — invite your team whenever you're ready.

Get started