Core free for the foundations. Enterprise for advanced deployments.
Self-hosted, free. Each release converts to Apache 2.0 on a rolling two-year basis.
FIDO2 passkeys scoped per host: the same user can hold a distinct credential for each protected application. Replay detection via the WebAuthn signature counter. Single-use, CIDR-restricted enrollment tokens (SHA-512).
Worker-side sessions with configurable TTLs (8 h normal, 1 h remote, 2 h deployment). Revocation per session or in bulk per user, from the Admin UI and the REST API. The WebAuthn signature counter is validated Worker-side.
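The counter check behind the passkey and session tiles, as an added example (not Sunray's code): the Worker compares the signature counter in the assertion with the last value it stored for that credential. The in-memory credential store and the sample credential IDs are constructed for the example; a real Worker would read the stored counter from the Server or its cache. The example also handles the authenticator that always reports 0, which the counter rule must not treat as a replay.

```javascript
// Added example (not Sunray's code): Worker-side replay detection on the
// WebAuthn signature counter. The credential store is a constructed in-memory
// map; in a real Worker the last-seen counter would come from the Server/cache.
const credentialStore = new Map([
  ['cred-A', { counter: 41 }], // normal authenticator, last seen at 41
  ['cred-B', { counter: 0 }],  // authenticator that never increments (always 0)
]);

// Returns { result: 'ok' | 'replay' | 'unknown-credential', flagged }.
// WebAuthn rule: if either the stored or the asserted counter is non-zero, the
// asserted one must be strictly greater; otherwise the assertion may be a replay
// or the authenticator may have been cloned. A 0/0 pair means the authenticator
// does not implement a counter: accepted, but flagged for policy.
function checkCounter(credId, assertedCounter, store = credentialStore) {
  const rec = store.get(credId);
  if (!rec) return { result: 'unknown-credential', flagged: false };
  if (!Number.isInteger(assertedCounter) || assertedCounter < 0) {
    return { result: 'replay', flagged: true }; // malformed: treat as hostile
  }
  if (rec.counter === 0 && assertedCounter === 0) {
    return { result: 'ok', flagged: true };
  }
  if (assertedCounter <= rec.counter) {
    // Do NOT update the stored value: the high-water mark stays at the last
    // legitimate assertion so that a cloned authenticator keeps failing.
    return { result: 'replay', flagged: true };
  }
  rec.counter = assertedCounter; // commit the new high-water mark
  return { result: 'ok', flagged: false };
}
```

The `flagged` bit is what lets the audit log distinguish "this authenticator has no counter" from a clean login without rejecting hardware that legitimately reports 0.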
Locked-by-default model: all traffic is authenticated except explicit exceptions. Centralised library of reusable rules attached per host with priority and individual activation.
Single-use codes sent by email and validated Worker-side, rate-limited per email + host together with a browser fingerprint (User-Agent and IP). Anti-phishing checks are audit-logged. Opt-in per host via enable_email_login.
Workers auto-register on their first API call via the X-Worker-ID header; no manual configuration. Zero-downtime migration: the admin sets a pending_worker_id and the new Worker takes over automatically.
Server-side log for authentication, passkey lifecycle, security violations (HMAC, IP, UA), Worker migrations, WAF events. Non-blocking emission from Workers. Queryable by type, severity, IP, time range.
Two-tier TTL: 300 s before a refresh attempt, 86 400 s before physical eviction. Workers keep serving from their cache during a Server outage. Invalidation by host, by user or global.
HMAC-signed cookie keyed with WAF_BYPASS_SECRET, bound to the client IP and User-Agent, with a 15 min revalidation window. Lets authenticated traffic skip part of the Cloudflare WAF inspection. Every forgery attempt is audit-logged.
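The two-tier TTL as a Worker-side cache, added here as an example (not Sunray's code). The 300 s and 86 400 s values are the ones quoted above; the synchronous fetch function, the injectable clock and the `host:user` key layout are this example's assumptions (a real Worker would fetch asynchronously).

```javascript
// Added example (not Sunray's code): a two-tier TTL cache with the 300 s / 86 400 s
// values quoted above. Entries younger than REFRESH_TTL are served directly;
// older entries trigger a refresh but are still served if the Server is down;
// entries older than EVICT_TTL are dropped regardless. The fetch function and the
// clock are injectable; the host:user key layout is this example's assumption.
const REFRESH_TTL_MS = 300 * 1000;    // attempt a refresh after 300 s
const EVICT_TTL_MS = 86400 * 1000;    // physical eviction after 86 400 s

class TwoTierCache {
  // fetchFn(key) returns the fresh value or throws when the Server is unreachable
  constructor(fetchFn, now = () => Date.now()) {
    this.fetchFn = fetchFn;
    this.now = now;
    this.entries = new Map(); // key -> { value, fetchedAt }
  }

  // Returns { value, source } with source 'fresh' | 'refreshed' | 'stale'.
  // Throws only when nothing is cached and the Server cannot be reached.
  get(key) {
    const t = this.now();
    let cur = this.entries.get(key);
    if (cur && t - cur.fetchedAt >= EVICT_TTL_MS) {
      this.entries.delete(key); // hard eviction: too old to serve even during an outage
      cur = undefined;
    }
    if (cur && t - cur.fetchedAt < REFRESH_TTL_MS) {
      return { value: cur.value, source: 'fresh' };
    }
    try {
      const value = this.fetchFn(key);
      this.entries.set(key, { value, fetchedAt: t });
      return { value, source: 'refreshed' };
    } catch (err) {
      if (cur) return { value: cur.value, source: 'stale' }; // Server outage: keep serving
      throw err; // fail closed rather than guess a policy
    }
  }

  // Invalidation by host, by user or global, matching on the key layout.
  invalidateHost(host) { this.invalidate((k) => k.startsWith(`${host}:`)); }
  invalidateUser(user) { this.invalidate((k) => k.endsWith(`:${user}`)); }
  invalidateAll() { this.invalidate(() => true); }
  invalidate(pred) {
    for (const k of [...this.entries.keys()]) if (pred(k)) this.entries.delete(k);
  }
}
```

The security-relevant branch is the `throw` in the catch: an entry that has passed the hard eviction TTL is never served, so a prolonged outage degrades to denying access rather than honouring a day-old policy indefinitely.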
Two implementations sharing the same Server REST contract. Same security level, same core features, different deployments.
Complete Odoo Community Framework interface (LGPL-3, free): users, hosts, passkeys, rules, workers, sessions, tokens, audit. Drag-drop rule priority. CLI bin/sunray-cli for non-UI operations.
€9/month for 20 users · +€1/user beyond that · Billing inactive during beta.
Cross-device flow for kiosks and shared workstations. The desktop displays a QR code with a 6-digit code. The user scans from their mobile, WebAuthn authentication executes on the mobile. Short-duration remote session (1h, max 2h) vs 8h normal.
Soft-launch mode with a limited duration. Users authenticate by username only, without credential verification. Auto-deactivates at golive_date. State machine: unprotected → deployment → protected.
External configuration hub synchronised by the Server (daily cron or manual). Change detection by hash. Automatic lockdown if the SCP is unreachable for more than 12h. Supports multiple SCPs via FQDN regex.
Admin wizard to generate enrollment tokens for multiple users at once, with email delivery via customisable template. Automatically skips users with an existing valid token.
Workers automatically register protected hosts on first connection. The Server provides default values (session, auth, remote auth, deployment mode) applied at auto-registration.
UI allowing users to view and revoke their own sessions across all their devices. Separate from admin revocation. Per-host configuration via session_mgmt_enabled.
ChartJS dashboard integrated into the Odoo Community Framework interface. Configurable tiles (bar, line, pie, HTML tables). Seeded dashboards: Protected Hosts (status badges), Users (active/inactive), Setup Tokens (consumption). Drill-down to records.
Additional events for Remote Auth (session listed, terminated), auto-register (triggered, reactivated), SCP (sync, lockdown), email token (success, error, no template).
To avoid misunderstandings