Boundary is HashiCorp's identity-aware proxy designed to provide secure, identity-based access management for dynamic infrastructure environments. Written in Go, the project enables organizations to implement zero-trust security principles by controlling access to hosts and critical systems across networks without requiring agents on individual endpoints. The platform integrates with identity providers through OpenID Connect, allowing users to authenticate securely while receiving just-in-time network access to resources wherever they reside.
The architecture consists of two primary server components: Controllers that serve the API and coordinate session requests, and Workers that handle actual session management. This separation allows for scalable deployments where multiple controllers and workers can be paired together. A single Boundary binary can operate in either or both modes, providing flexibility for different deployment scenarios. The system supports both cloud and on-premises installations, secure enclaves, and container-based workflows without requiring host-level software installation, making it suitable for managed services and modern infrastructure patterns.
Boundary's credential management capabilities distinguish it from simpler access solutions. Organizations can manage session credentials through a native static credential store or dynamically generate unique per-session credentials by integrating with HashiCorp Vault. The platform includes automated discovery of new endpoints and provides session controls for managing privileged access. These features enable teams to standardize access workflows across heterogeneous infrastructure spanning multiple cloud providers and on-premises systems.
The system has two external dependencies: a SQL database for storing configuration and session information with encryption of sensitive values, and a Key Management System for protecting secrets and authenticating workers. PostgreSQL is currently supported as the database backend, with both hosted and self-managed instances compatible. Boundary uses key derivation extensively to minimize key sprawl when managing high-value cryptographic keys, supporting any cloud KMS or HashiCorp Vault's Transit Secrets Engine.
Development activity shows consistent engagement with a median issue and pull request response latency of zero hours and a mean of 35.8 hours across 85 tracked items. The most active issue categories are bugs and enhancements, each with 36 tracked items, alongside 8 triage items. Key contributors include learhy with 26 events, moduli with 23 events, and achetronic with 18 events. The project maintains connections with other infrastructure and security-focused repositories including Angular, Argo CD, and Envoy through overlapping contributor networks.
Boundary provides multiple client interfaces including a Desktop client and command-line interface for end-users to request and establish authorized sessions. The project includes a development mode for testing that automatically provisions PostgreSQL and ephemeral KMS keys, allowing rapid experimentation. Production deployments require configuration files specifying database and KMS endpoints. The repository explicitly warns against using the main branch for long-term deployments due to potential migration renumbering, recommending release branches instead. Documentation, tutorials, and community forums are available through HashiCorp's developer platform and Discuss community.