Architecture

    How WebXTerm Works

    Agent-based, zero-trust architecture. The agent connects outbound — no open ports, no VPN, no firewall changes.

    [Architecture diagram]
    Client Layer: Browser (Web Terminal), VS Code (Extension), VSAY CLI (Shell Tool)
    WebXTerm Portal (Central Hub): Auth, Router, Audit, Registry
    vsay-agent (on your machine): Outbound only, Systemd, Heartbeat
    Machine Layer: prod-server-01 (Linux / x86), dev-laptop (macOS / ARM), bare-metal-02 (Linux / ARM)
    Legend: Client connection (HTTPS/WSS); Agent tunnel (gRPC/TLS, outbound); Active session

    Portal Internals

    What Lives Inside the Portal

    The WebXTerm portal is the control plane — it handles identity, routing, monitoring, and audit without ever storing your credentials.

    Auth Service

    JWT-based authentication with bcrypt. Enterprise: OIDC/OAuth2 via Keycloak, Microsoft, GitHub, Okta.

    Session Router

    Routes encrypted terminal sessions between users and agents over persistent gRPC tunnels.

    Audit Logger

    Immutable log of every login, session, and command. Full trail for compliance and forensics.

    Machine Registry

    Tracks agent heartbeats, CPU/memory/disk stats, connection status, and machine metadata.

    Agent Architecture

    Lightweight. Outbound-only.

    The vsay-agent is a small binary that runs as a system service on any machine. It initiates an outbound gRPC connection to the WebXTerm portal — meaning zero firewall changes and zero open ports on your end.

    • Connects outbound over gRPC + TLS
    • Runs as systemd / launchd / Windows Service
    • Sends heartbeats: CPU, memory, disk stats
    • Handles terminal sessions & port forwarding
    • Minimal footprint — single binary, no dependencies
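
    A host-side check of the outbound-only property described above, as an added example (not WebXTerm's own code): it parses `ss -H -tanp` output and reports any listening socket owned by the agent process. The sample output is constructed, and the portal port 443 and matching on the process name vsay-agent are assumptions.

```python
import re

# Constructed sample of `ss -H -tanp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
ESTAB  0      0          10.0.0.5:48212   203.0.113.10:443   users:(("vsay-agent",pid=1420,fd=7))
ESTAB  0      0          10.0.0.5:22        10.0.0.9:51544   users:(("sshd",pid=2210,fd=4))
"""

# Matches each ("name",pid=N entry in the users:(...) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=\d+')

def parse_ss(text):
    """Yield (state, local, peer, process_names) per socket line.

    Lines without a users:(...) column are skipped; run ss as root so that
    sockets owned by other users still carry process information.
    """
    for line in text.splitlines():
        fields = line.split()
        procs = PROC_RE.findall(line)
        if len(fields) < 5 or not procs:
            continue
        yield fields[0], fields[3], fields[4], set(procs)

def audit_agent(text, agent="vsay-agent", portal_port="443"):
    """Return (listeners, unexpected_peers) for the agent process.

    listeners: local addresses the agent accepts connections on. An
    outbound-only agent should have none; without a LISTEN socket it
    cannot accept inbound TCP connections.
    unexpected_peers: established peers on a port other than portal_port
    (443 is an assumed value, set it to the port your portal uses).
    """
    listeners, unexpected = [], []
    for state, local, peer, procs in parse_ss(text):
        if agent not in procs:
            continue
        if state == "LISTEN":
            listeners.append(local)
        elif state == "ESTAB" and peer.rsplit(":", 1)[1] != portal_port:
            unexpected.append(peer)
    return listeners, unexpected

if __name__ == "__main__":
    print(audit_agent(SAMPLE_SS))
```

    Feed it live data with `ss -H -tanp` piped into a small wrapper; both returned lists being empty is the expected result for an agent that only dials out to the portal.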

    [Terminal demo: vsay-agent setup & connect]

    Security Model

    Security at Every Layer

    TLS Encryption

    All data in transit is encrypted via TLS.

    mTLS (Enterprise)

    Certificate-based mutual authentication.

    RBAC

    Per-user, per-machine access policies.

    Audit Trail

    Every session and command is recorded.

    SSO / OIDC

    Enterprise: Keycloak, Microsoft, GitHub, Okta.

    No Inbound Ports

    Agent connects outbound — zero firewall changes.

    Platform Support

    Runs Everywhere

    Deploy the agent on any machine — cloud, bare-metal, or laptop.

    Linux

    x86_64, arm64

    macOS

    Intel, Apple Silicon

    Windows

    x86_64

    Get Started

    Deploy in Under 5 Minutes

    Install the agent on any machine and see it appear in your portal instantly. No firewall rules, no VPN setup, no certificates to manage.