HomeBastion
Works
Contact

Bastion

Self-hosted access control — auth, MFA, sessions, and audit logs, with zero third-party access to your data.

Bastion

Overview

Dashboard

Access

Users
Policies
MFA

Monitoring

Sessions
Audit Log

System

Providers
Settings

Dashboard

Overview of your identity infrastructure

All systems operational

Total Users

2,847

+12

Active Sessions

143

-8

Policies Enforced

24

+2

Events (24h)

8,392

+18%

Auth Methods

Details
2,847
total
Password
1,28145%
SSO / OAuth
79728%
MFA (TOTP)
51218%
API Keys
2579%

Active Sessions

Manage

alice@corp.com

Chrome / macOS · 10.0.1.42

1h 12m

bob@corp.com

Firefox / Linux · 10.0.1.87

2h 04m

carol@corp.com

Safari / iOS · 203.0.113.42

3h 30m

dave@corp.com

Edge / Windows · 10.0.2.15

4h 55m

Access Decisions (24h)

Details
Allowed
Denied

MFA Enrollment

Configure
78%

2,220 enrolled

627 not enrolled

+5.2% this week

WhatItdoes.

Identity & Access

JWT access and refresh tokens with secure cookie handling. Google and GitHub OAuth with org-lvl policy enforcement — admins can mandate a single identity provider org-wide.

Access Rules

Dynamic RBAC across users, roles, groups, and policies — explicit DENY always wins. Simulate a policy or check per-user effective permissions before it ships.

Stay Verified

TOTP with backup codes and step-up reauth on sensitive actions. Live session viewer with per-session or bulk revocation.

Every Action, Logged

Centralized audit logs — filterable, exportable, streamed, with security alerts. Runs on your infrastructure, no third-party dependency.

Thenewwaytocontrolaccess.

Continuous Integration

Every change proves itself before it ships — linting, unit tests, security scans, and reproducible builds, producing a signed, hardened image only if all of it passes.

Learn more →
Security architecture diagram

Continuous Deployment / GitOps

Merging to main resolves the new image SHA, patches it into the Kustomize overlays, and auto-merges via bot PR. ArgoCD reconciles the cluster to match — no manual apply.

Learn more →
GitOps deployment diagram

Boot sequence

Init containers enforce order: DB check, then prisma-migrate, then backend, frontend, and security-engine pods — so nothing boots against a database that isn't ready.

Learn more →
Boot sequence order diagramBoot sequence order diagram

Modelthatwatchesitself.

Model Retraining

The model retrains daily using recent activity through a Kubernetes CronJob and hot-swaps updates without restarting the service.

Learn more →
Model Retraining diagram

Risk Evaluation

An Isolation Forest model scores every request on login history, action, and timing. High risk or rate-limit triggers step-up — password or MFA — before access is granted.

Learn more →
Risk Evaluation diagram

Resilient Fallback

Authentication defaults to neutral/low and keeps running. Account lock, rate limits, session checks, and IP blocking stay active independently.

Learn more →
Resilient Fallback diagram

Zerotrust,enforcedautomatically.

Nothing connects without permission.

Every request is checked against policy first — deny by default.

Nothing connects without permission.

Only the access it needs.

Workloads get scoped to what their job requires — nothing assumed.

Only the access it needs.

Trust is never permanent.

Sessions are re-verified continuously across every device.

Trust is never permanent.

TryBastionnow.

View on GitHub

© 2026 Nirjar Goswami. All rights reserved.

|
Resume