Rack Gateway is an open-source, self-hosted authentication and authorization proxy for Convox racks. It provides the security controls you need for SOC 2 compliance without vendor lock-in.
Google Workspace OAuth
Secure single sign-on with domain restrictions. Your team authenticates with their existing Google accounts.
Role-Based Access Control
Four built-in roles (viewer, ops, deployer, admin) with granular permissions. Control who can do what on your infrastructure.
Complete Audit Trail
Every API call is logged with automatic secret redaction. Export to CloudWatch, S3 WORM storage, or your SIEM.
Multi-Factor Authentication
TOTP, WebAuthn (security keys), and YubiKey support. Enforce MFA for all users or specific roles.
Deploy Approvals
Manual approval workflow for CI/CD deployments. Integrates with CircleCI, GitHub, and Slack.
Single-Tenant Design
One gateway per rack. Deployed alongside your Convox API for maximum security and isolation.
Rack Gateway is a proxy between developers and the Convox API:
Users install the rack-gateway CLI, which handles authentication and wraps Convox commands.
    # Install the rack-gateway CLI
    # (download from releases or build from source)

    # Login with Google OAuth
    rack-gateway login staging https://gateway.example.com

    # Run Convox commands through the gateway
    rack-gateway apps
    rack-gateway ps
    rack-gateway deploy

    # Set up a convenient alias
    alias cg="rack-gateway"
    cg apps
    cg logs -a myapp

Rack Gateway was built to achieve SOC 2 compliance for production infrastructure. It provides:
Rack Gateway is an open-source “community edition” alternative to the hosted Convox Console. While Convox Console offers more advanced features and official support, Rack Gateway provides everything you need for secure, compliant infrastructure management.