One Docker Compose command. All services + dashboard + infrastructure. Self-hosted. Your data never leaves your network.
Sign up, install the SDK, guard your agent's tool calls.
Create a free account on the dashboard and grab your org API key. Agents self-enroll on first run — there's no per-agent secret to copy or rotate.
Sign Up FreeNo credit card. No sales call. Free tier available.
On first run the agent generates an Ed25519 keypair and self-enrolls — no secret to manage. Configure scopes, policies, and boundaries in the Dashboard. Lost an agent's local key? clampd fleet rekey rebinds it to the same UUID.
Available now: Hosted platform at app.clampd.dev - sign up, register agents, install the SDK, and start guarding tool calls immediately. No infrastructure to manage.
| Option | Status | Description |
|---|---|---|
| Hosted Platform | Available now | Dashboard + gateway hosted by Clampd. Sign up and start in minutes. Design Partner: 25 agents, 500K req/mo. |
| Docker Compose | Available now | Self-hosted deployment with hardened Docker images. Full stack: 9 Rust services + Postgres + Redis + NATS. Compose files |
| Helm / Kubernetes | Coming soon | Production-grade Kubernetes deployment with Ingress, TLS, external database support, and cert-manager integration. |
Run the full stack on your own infrastructure. Zero data egress, fully air-gapped capable after one-time activation.
Compose files: github.com/clampd/clampd/docker · Env template: .env.example
Every Clampd service validates your license key on startup. No phone-home required - your key never leaves your network.
Design Partner access available. Sign up at license.clampd.dev to get your license key. SaaS dashboard at app.clampd.dev.
| Limit | Value |
|---|---|
| Duration | No time limit |
| Agents | Up to 25 |
| Requests | 500,000 / month |
| API keys | Up to 5 |
| Includes | All features: 9-stage pipeline, 287 rules, anomaly detection, kill switch, PII masking, compliance reports, CLI, SDKs, dashboard, A2A, scope tokens, SSO |
| Support | Email (support@clampd.dev) |
| Limit | Value |
|---|---|
| Duration | Annual (renewable), 30-day grace period |
| Agents | License-configured |
| Requests | License-configured |
| Retention | 90+ days |
| Includes | Everything in Design Partner + RBAC + SSO + multi-tenant isolation |
| Support | Email (support@clampd.dev) |
License validation is fully offline - your key never leaves your network. No SaaS dependency, no phone-home. If a license check fails, the service refuses to start. No dev mode. No bypass flags.
All services read configuration from environment variables. Set them in your .env file or pass directly.
Full configuration reference is included in the deployment package.
One-time activation required. Clampd binds your license to your installation on first startup. After activation, all services run fully offline - no network calls to clampd.dev.
Outbound connection: https://license.clampd.dev/v1/activate (HTTPS, port 443, one-time only)
For environments that cannot make outbound connections:
clampd license fingerprint on the target machineclampd license activate-offline --activation-token "$(cat activation_token.json)" --license "$CLAMPD_LICENSE_KEY"To move your license to a new machine:
The clampd CLI connects to your cluster for agent management, policy control, kill switch, compliance reports, and real-time monitoring. Multi-context support - switch between local, staging, and production like kubectl.
| Platform | Architecture | CLI | Guard |
|---|---|---|---|
| Linux | x86_64 | clampd-linux-amd64.tar.gz | clampd-guard-linux-amd64.tar.gz |
| Linux | ARM64 | clampd-linux-arm64.tar.gz | clampd-guard-linux-arm64.tar.gz |
| Windows | x86_64 | clampd-windows-amd64.zip | clampd-guard-windows-amd64.zip |
| macOS | Apple Silicon | Build from source: cargo install --git https://github.com/clampd/clampd --path src/clampd-guard | |
| Command | Description |
|---|---|
agent list|get|register|suspend|kill | Agent lifecycle management |
agent link|graph|lock-graph | A2A delegation control |
fleet rekey --name|--all | Recover lost-key agents — mint per-agent re-key tokens (same UUID) |
policy list|create|rules | Policy and rule management (Cedar + Sigma import) |
keyword list|add|import-csv | Custom keyword dictionary |
kill agent|all|list | Emergency kill switch |
compliance run --framework soc2 | SOC2/HIPAA/GDPR compliance reports |
audit list|export | Audit trail queries and export |
test --verbose | Red team test suite (24 attack vectors) |
context add|use|list | Multi-cluster context switching |
apikey create|revoke | API key management |
license fingerprint | Machine fingerprint for air-gapped activation |
license activate-machine|activate-offline | License activation (online or air-gapped) |
license status|deactivate | License status and migration |
Agents enroll by generating an Ed25519 keypair locally — there are no shared secrets to leak. If an agent loses its local identity (a host is wiped or re-imaged), re-key it in place so it keeps the same UUID and history:
Every agent gets its own scoped token — never a single fleet-wide credential. On Kubernetes/OIDC, identity recovers automatically via workload attestation, no token needed.