AI coding accelerates leakage risk
Teams are adding agents, MCP servers, temporary tokens, and assisted commits faster than traditional access reviews can track.
Private alpha for small teams
Developer key and identity inventory for the machines where SSH keys, signing keys, passkeys, MCP configs, and stale credentials quietly spread out.
Why now
Account security is improving, but teams still need an operational inventory of who owns which auth surfaces and recovery paths.
SSH keys, Git signing settings, local repos, and tool configs often live outside central IAM dashboards.
Workflow
Run PubKeySpace on a developer machine to inventory key material, public fingerprints, Git posture, MCP configs, and passkey review notes.
Open the dashboard to sort stale keys, weak permissions, unsigned repositories, unapproved MCP servers, and accepted risk.
Create team enrollment profiles so developers can submit signed reports without exposing private key contents or token values.
Use team summaries, audit events, collector health, and baseline checks to spot machines that stop reporting or accumulate risky auth surfaces.
Trust model
Reports include metadata, public fingerprints, file paths, ages, permissions, and finding details.
Reports do not include private key contents, token values, MCP environment values, or secret values.
Cloud and team sync flows are opt-in, and the CLI remains the auditable source of truth for alpha users.
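To make the trust model concrete, here is an added example (not PubKeySpace code and not its report format) of a metadata-only SSH key inventory: it reads public key files for fingerprints and calls stat on private keys without ever opening them. The function names, field names, finding strings, and the 365-day staleness threshold are assumptions made for illustration.

```python
import base64, hashlib, json, stat, time
from pathlib import Path

def fingerprint(pub_line):
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' line."""
    blob = base64.b64decode(pub_line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def inventory(ssh_dir, now=None, stale_days=365):
    """Describe each key pair using public material and file metadata only."""
    now = time.time() if now is None else now
    report = []
    for pub in sorted(Path(ssh_dir).glob("*.pub")):
        entry = {"public_key_path": str(pub), "findings": []}
        try:
            line = pub.read_text().strip()
            entry["key_type"] = line.split()[0]
            entry["fingerprint"] = fingerprint(line)
        except (IndexError, ValueError):
            entry["findings"].append("unparseable public key file")
        priv = pub.with_suffix("")  # id_ed25519.pub -> id_ed25519
        if priv.is_file():
            st = priv.stat()  # metadata only: the private key is never opened
            mode = stat.S_IMODE(st.st_mode)
            entry["private_key_path"] = str(priv)
            entry["mode"] = oct(mode)
            entry["age_days"] = int((now - st.st_mtime) // 86400)
            if mode & 0o077:
                entry["findings"].append("private key accessible to group or other")
            if entry["age_days"] > stale_days:
                entry["findings"].append("key older than %d days" % stale_days)
        report.append(entry)
    return report

if __name__ == "__main__":
    # Prints the inventory for the current user's ~/.ssh directory as JSON.
    print(json.dumps(inventory(Path.home() / ".ssh"), indent=2))
```

The fingerprint matches what `ssh-keygen -lf` prints for the same public key, so entries can be compared against authorized_keys files or Git hosting accounts by fingerprint alone.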
Current alpha
Generate HTML reports or run the local API at 127.0.0.1 for rescans and summaries.
Track approved MCP servers, passkey attestation notes, suppressions, owners, tags, and expirations in policy.
Upload signed bundles into a hosted-style team service with organization tokens and audit events.
Run repeat collection and identify enrolled clients that stop reporting.
Private alpha
Accepted alpha teams get CLI access, setup help, and a direct line into the team dashboard roadmap. The goal is to learn with serious operators before opening the repo or publishing installers.
Roadmap
Private alpha, local dashboard, team ingestion, enrollment, collector daemon, and direct design-partner onboarding.
Packaged desktop sidecar, guided remediation, better onboarding, and hosted team access controls.
Signed and notarized macOS release, Windows installer, organization accounts, SSO, and production RBAC.