MCPcopy
hub / github.com/gravitational/teleport

github.com/gravitational/teleport @v19.0.1-espadolini.20260421 sqlite

repository ↗ · DeepWiki ↗ · release v19.0.1-espadolini.20260421 ↗
117,868 symbols 455,133 edges 8,560 files 40,879 documented · 35%
README

Teleport provides connectivity, authentication, access controls and audit for infrastructure.

You might use Teleport to:

  • Set up single sign-on (SSO) for all of your cloud and on-prem infrastructure.
  • Protect access to servers, Kubernetes clusters, databases, Windows desktops, web applications, and cloud APIs without long-lived keys or passwords.
  • Establish secure tunnels to reach resources behind NATs and firewalls without VPNs or bastion hosts.
  • Record and audit activity across SSH, Kubernetes, database, RDP, and web sessions.
  • Apply consistent Role-Based and Attribute-Based Access Control (RBAC/ABAC) across users, machines, workloads, and resource types.
  • Enforce least privilege and Just-in-Time (JIT) access requests for elevated roles or sensitive systems.
  • Maintain a single identity and access layer for both human users and workloads.

Teleport works with SSH, Kubernetes, databases, RDP, cloud consoles, internal web services, Git repositories, and Model Context Protocol (MCP) servers.

  <a href="https://goteleport.com/download">
  <img src="https://img.shields.io/github/v/release/gravitational/teleport?sort=semver&label=Release&color=651FFF" />
  </a>
  <a href="https://golang.org/">
  <img src="https://img.shields.io/github/go-mod/go-version/gravitational/teleport?color=7fd5ea" />
  </a>
  <a href="https://github.com/gravitational/teleport/blob/master/CODE_OF_CONDUCT.md">
  <img src="https://img.shields.io/badge/Contribute-🙌-green.svg" />
  </a>
  <a href="https://www.gnu.org/licenses/agpl-3.0.en.html">
  <img src="https://img.shields.io/badge/AGPL-3.0-red.svg" />
  </a>

More Information

Teleport Getting Started
Teleport Architecture
Reference Guides
FAQ

Table of Contents

  1. Introduction
  2. Why We Built Teleport
  3. Supporting and Contributing
  4. Installing and Running
  5. Docker
  6. Building Teleport
  7. License
  8. FAQ

Introduction

Teleport includes an identity-aware access proxy, a CA that issues short-lived certificates, a unified access control system, and a tunneling system to access resources behind the firewall.

Teleport is a single Go binary that integrates with multiple protocols and cloud services, including

You can set up Teleport as a Linux daemon or a Kubernetes deployment.

Teleport focuses on best practices for infrastructure security, including:

  • No shared secrets such as SSH keys or Kubernetes tokens; Teleport uses certificate-based auth with automatic expiration for all protocols.
  • Multi-factor authentication (MFA) for everything.
  • Single sign-on (SSO) for everything via GitHub Auth, OpenID Connect, or SAML with endpoints like Okta or Microsoft Entra ID.
  • Session sharing for collaborative troubleshooting for issues.
  • Infrastructure introspection to view the status of every SSH node, database instance, Kubernetes cluster, or internal web app through the Teleport CLI or Web UI.

Teleport uses Go crypto. It is fully compatible with OpenSSH, sshd servers, and ssh clients, Kubernetes clusters and more.

Project Links Description
Teleport Website The official website of the project.
Documentation Admin guide, user manual and more.
Features Explore the complete list of Teleport capabilities.
Blog Our blog where we publish Teleport news and helpful articles.
Forum Ask us a setup question or post tutorials, feedback, or ideas.
Developer Tools Dozens of free browser-based tools for code processing, cryptography, data transformation, and more.
Teleport Academy How-to guides, best practices, and deep dives into topics like SSH, Kubernetes, MCP, and more.
Slack Need help with your setup? Ping us in our Slack channel.
Cloud & Self-Hosted Teleport Enterprise is a cloud-hosted option for teams that require easy and secure access to their computing environments.

Why We Built Teleport

While working together at Rackspace, the creators of Teleport noticed that most cloud users struggle with setting up and configuring infrastructure security. Many popular tools designed for this are complex to understand and expensive to maintain across modern, distributed computing infrastructure.

We decided to build a solution that's easy to use, understand, and scale. A real-time representation of all your servers in the same room as you, as if they were magically teleported. And thus, Teleport was born!

Today, Teleport is trusted by everyone from hobbyists to hyperscalers to simplify security across cloud CLIs and consoles, Kubernetes clusters, SSH servers, databases, internal web apps, and Model Context Protocol (MCP) used by AI agents.

Learn more about Teleport and our history

Supporting and Contributing

We aim to make Teleport easy to adopt and contribute to, starting with clear and comprehensive documentation.

If you have questions, are exploring ideas, or want to sanity-check something, please start with a GitHub Discussion. Discussions help us answer questions, explore use cases, and decide together whether something should become a bug report or feature request.

  • Start a conversation in Teleport Discussions
    This is the best place to ask questions, share ideas, and get help. Our engineers actively participate there, and discussions can be promoted to issues when there is a clear, actionable next step.

  • Issues are for confirmed bugs and well-defined feature requests
    If something has already been validated as a bug or an enhancement, feel free to open an issue. When in doubt, start a discussion and we will help guide it.

  • Enterprise and POC support
    If you are evaluating Teleport Enterprise or need more responsive support during a POC, we can set up a dedicated Slack channel. You can reach out to us through our website to get started.

Installing and Running

To set up a single-instance Teleport cluster, follow our getting started guide. You can then register your servers, Kubernetes clusters, and other infrastructure with your Teleport cluster.

You can also get started with Teleport Enterprise Cloud, a managed Teleport deployment that makes it easier to enable secure access to your infrastructure.

Sign up for a free trial of Teleport Enterprise Cloud, and follow this guide to register your first server.

Docker

Deploy Teleport

If you wish to deploy Teleport inside a Docker container see the installation guide.

For Local Testing and Development

To run a full test suite locally, see the test dependencies list

Building Teleport

The teleport repository contains the Teleport daemon binary (written in Go) and a web UI written in TypeScript.

If your intention is to build and deploy for use in a production infrastructure a released tag should be used. The default branch, master, is the current development branch for an upcoming major version. Get the latest release tags listed at https://goteleport.com/download/ and then use that tag in the git clone. For example git clone https://github.com/gravitational/teleport.git -b v18.5.0 gets release v18.5.0.

Dockerized Build

It is often easiest to build with Docker, which ensures that all required tooling is available for the build. To execute a dockerized build, ensure that docker is installed and running, and execute:

make -C build.assets build-binaries

This command will build Linux binaries matching the host architecture. It is not possible to cross-compile to a different target architecture.

Local Build

Dependencies

The following dependencies are required to build Teleport from source. For maximum compatibility, install the versions of these dependencies using the versions listed in build.assets/versions.mk:

  1. Go
  2. Rust
  3. Node.js
  4. libfido2
  5. pkg-config

For an example of dev environment setup on macOS, see these instructions.

Perform a build

Important

  • The Go compiler is somewhat sensitive to the amount of memory: you will need at least 1GB of virtual memory to compile Teleport. A 512MB instance without swap will not work.
  • This will build the latest version of Teleport.

Get the source

git clone https://github.com/gravitational/teleport.git
cd teleport

To perform a build

make full

tsh dynamically links against libfido2 by default, to support development environments, as long as the library itself can be found:

$ brew install libfido2 pkg-config  # Replace with your package manager of choice

$ make build/tsh
> libfido2 found, setting FIDO2=dynamic
> (...)

Release binaries are linked statically against libfido2. You may switch the linking mode using the FIDO2 variable:

make build/tsh FIDO2=dynamic # dynamic linking
make build/tsh FIDO2=static  # static linking, for an easy setup use `make enter`
                             # or `build.assets/macos/build-fido2-macos.sh`.
make build/tsh FIDO2=off     # doesn't link libfido2 in any way

tsh builds with Touch ID support require access to an Apple Developer account. If you are a Teleport maintainer, ask the team for access.

Build output and run locally

If the build succeeds, the installer will place the binaries in the build directory.

Before starting, create default data directories:

sudo mkdir -p -m0700 /var/lib/teleport
sudo chown $USER /var/lib/teleport

Running Teleport in a hot reload mode

To speed up your development process, you can run Teleport using CompileDaemon. This will build and run the Teleport binary, and then rebuild and restart it whenever any Go source files change.

  1. Install CompileDaemon:

    shell go install github.com/githubnemo/CompileDaemon@latest

    Note that we use go install instead of the suggested go get, because we don't want CompileDaemon to become a dependency of the project.

  2. Build and run the Teleport binary:

    shell make teleport-hot-reload

    By default, this runs a teleport start command. If you want to customize the command, for example by providing a custom config file location, you can use the TELEPORT_ARGS parameter:

    shell make teleport-hot-reload TELEPORT_ARGS='start --config=/path/to/config.yaml'

Note that you still need to run make grpc if you modify any Protocol Buffers files to regenerate the generated Go sources; regenerating these sources should in turn cause the CompileDaemon to reb

Extension points exported contracts — how you extend this code

PerformSessionMFARootClient (Interface)
PerformSessionMFARootClient is a subset of Auth methods required for MFA. Used by [PerformSessionMFACeremony]. [8 implementers]
lib/client/cluster_client.go
ErrorHandler (Interface)
ErrorHandler is an interface for handling errors. [30 implementers]
lib/httplib/reverseproxy/handler.go
Resource (Interface)
Resource for which Terraform configuration can be generated. It's a subset of the common methods between types.Resource [44 …
lib/tfgen/tfgen.go
HTTPDoClient (Interface)
HTTPDoClient is an interface that defines the Do function of http.Client. [10 implementers]
lib/utils/http.go
DesktopsGetter (Interface)
DesktopsGetter is responsible for getting desktops and desktop services. [6 implementers]
lib/desktop/conn.go
PolicyAssigner (Interface)
PolicyAssigner can assign a policy to an existing IAM role. [12 implementers]
lib/cloud/provisioning/awsactions/assign_policy.go
AssertDeviceClientStream (Interface)
AssertDeviceClientStream is the client-side device assertion stream. [28 implementers]
lib/devicetrust/assert/assert.go
ValidatedMFAChallengeLister (Interface)
ValidatedMFAChallengeLister is an interface that wraps the ListValidatedMFAChallenges method. [6 implementers]
lib/reversetunnel/watcher_mfa.go

Core symbols most depended-on inside this repo

Wrap
called by 21878
lib/limiter/connlimiter.go
Append
called by 9588
lib/events/athena/querier.go
Errorf
called by 8971
tool/tbot/spiffe.go
Equal
called by 8227
lib/auth/tls_test.go
Wrap
called by 5419
lib/auth/recordingencryption/age.go
String
called by 4407
lib/tbot/bot/service.go
GetName
called by 3343
lib/plugin/registry.go
Add
called by 2815
lib/plugin/registry.go

Shape

Method 72,793
Function 27,865
Struct 11,556
Interface 2,678
Class 1,377
TypeAlias 902
FuncType 496
Enum 201

Languages

Go90%
TypeScript10%
Python1%

Modules by API surface

api/types/types.pb.go7,157 symbols
api/types/events/events.pb.go6,308 symbols
api/client/proto/authservice.pb.go4,771 symbols
api/gen/proto/go/usageevents/v1/usageevents.pb.go1,950 symbols
gen/proto/go/prehog/v1alpha/teleport.pb.go1,697 symbols
api/client/proto/authservice_grpc.pb.go1,389 symbols
gen/proto/ts/prehog/v1alpha/teleport_pb.ts941 symbols
gen/proto/go/teleport/lib/teleterm/v1/service.pb.go717 symbols
gen/proto/go/accessgraph/v1alpha/access_graph_service.pb.go650 symbols
gen/proto/ts/teleport/lib/teleterm/v1/service_pb.ts591 symbols
api/client/client.go495 symbols
api/client/proto/joinservice.pb.go489 symbols

Dependencies from manifests, versioned

buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/gov1.36.3-202501212117 · 1×
buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/gov1.36.11-20251209175 · 1×
buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/gov1.36.3-202410072020 · 1×
buf.build/go/bufpluginv0.9.0 · 1×
buf.build/go/protovalidatev1.1.0 · 1×
buf.build/go/spdxv0.2.0 · 1×
cel.dev/exprv0.25.1 · 1×
cloud.google.com/gov0.123.0 · 1×
cloud.google.com/go/alloydbv1.19.0 · 1×
cloud.google.com/go/auth/oauth2adaptv0.2.8 · 1×
cloud.google.com/go/cloudsqlconnv1.19.0 · 1×

Datastores touched

(mongodb)Database · 1 repos
adminDatabase · 1 repos
(mysql)Database · 1 repos
mydbDatabase · 1 repos
docdbDatabase · 1 repos
mydbDatabase · 1 repos
notadminDatabase · 1 repos
dbDatabase · 1 repos

For agents

$ claude mcp add teleport \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact