Thand Agent Documentation

Open-source distributed privilege access management (PAM) and just-in-time access (JIT) to cloud infrastructure, SaaS applications and local systems.

Get Started Now View on GitHub

What is Thand?

Thand eliminates standing access to critical infrastructure and SaaS apps. Instead of permanent admin rights, users request access when needed, for only as long as needed. The Thand server is extensible, customisable and easy to deploy as a standalone service. Thand is completely decentralized - there is no single point of failure or trust.

The Security Crisis

  • Static credentials get leaked: API keys in repos, AWS keys in logs, service account keys shared in Slack
  • Over-privileged users: 90% of permissions are unused, but remain active attack vectors
  • Automatic grants: Users are often granted access without understanding the implications
  • Lack of visibility: No clear audit trail of who accessed what, when, and why
  • Persistent threats: Users with admin access can maintain access indefinitely

The Thand Solution

  • Zero standing privileges: No permanent admin access anywhere
  • No static credentials: All access is temporary and tied to your identity
  • Just-in-time permissions: Request the access you need, when you need it - and lose it once you’re done
  • Complete audit trail: Every access request and action logged for compliance

Quick Start

Get up and running with Thand in just a few steps. If you are ready to request access then simply install the Agent. Otherwise, follow the guides to configure and deploy Thand for your infrastructure.

  1. Install the Agent - Download and install the Thand Agent
  2. Deploy Thand Server - Set up Thand for your infrastructure
  3. Request Access - Make your first access request

Architecture Overview

The Thand architecture breaks down into three components:

Your Machine             Your Infrastructure             Thand Cloud (Optional)
─────────────            ───────────────────             ──────────────────────

Thand Agent  ──HTTPS──▶  Thand Server        ──HTTPS──▶  Thand Cloud
├─ CLI                   ├─ REST API                     ├─ Agent Management
├─ Sessions              ├─ Session Management           ├─ Role Management
├─ Local elevations      ├─ Workflow Worker              ├─ Workflow Management
├─ REST API              ├─ Audit Forwarder              ├─ Audit Dashboard
└─ Attestations          ├─ Basic Approvals              └─ etc
                         ├─ Event collection
  • Agent: Runs on the user’s local machine, provides session management and local callback endpoints
  • Server: Forms a “login server” to allow CLIs and other clients to request and be granted elevations
  • Cloud: Thand’s proprietary cloud service that orchestrates all your servers and agents (optional)

License

Thand is licensed under the BSL 1.1 license. See LICENSE.md for more details.