Skip to content
Synaptyx
Multi-tenant control plane for AI coding agents

Run AI coding agents at company scale, without trusting us with your keys.

Enrol your hosts, spawn agent sessions per team, and watch every transcript — end-to-end encrypted with keys we cannot decrypt.

Request access
Claude Code · Codex · OpenCode +4 SOC 2 Type II · in progress Self-hostable BYOK end-to-end Source-available
The status quo

AI coding agents at scale expose three things nobody planned for.

You shipped agents to engineering. Compliance, finance, and your CISO want answers now. Synaptyx has them - without a new stack.

"My team uses coding agents but I have no audit trail."

Audit signing chain. Every event Ed25519-signed, hash-chained, and verifiable by anyone with your public key.

"One API key per vendor, shared across the whole org."

Per-team key, per-team budget. Each team gets its own wrapped key, live burn-rate per team, user, and repo, plus a hard USD cap that stops spend on breach.

"Compliance asked for proof we don't leak prompts."

BYOK end-to-end encryption. Your prompts and transcripts are stored as ciphertext under your team key - lose the passphrase and everyone loses the data, including us.

Proven, not promised

Built and validated end-to-end.

199/199

Automated suites green: crypto, RLS, auth, secrets.

21/21

Live E2EE write/share ceremony.

< 5 min

Deploy-from-zero to a governed agent session.

5+

Agent backends on a real daemon.

Capabilities

Everything a platform team needs to ship AI coding agents safely.

Audit signing chain

Ed25519 signs every audit row. Tamper-evident hash chain. Verify any range cryptographically against your public per-company key.

Learn more

SIEM push

Stream signed audit events to Splunk, Datadog, Elastic, Microsoft Sentinel, or S3 WORM. mTLS + JWT, retry with backoff.

Learn more
SAMPLE
{
  "class_uid": 3002,
  "activity_name": "Create",
  "actor": { "user": "dev@example.com" },
  "signature": "ed25519:3f9a…c21b"
}

SSO + SCIM

OIDC login from Okta, Azure AD, Google. Optional SCIM 2.0 for full user lifecycle. JIT-provision groups on first login.

Learn more

Budgets & cost ledger

Per-team, per-user, per-repo cost visibility with real-time burn-rate. Token cost attributed to the exact prompt. Seat limits plus configurable USD caps that hard-stop, notify, or warn on breach.

Learn more
SAMPLE

Session replay

xterm-accurate playback with scrubber, bookmarks, lazy keyframes. Your full retention window at your fingertips.

Learn more
SAMPLE
$ fix csrf middleware in /api/auth
⚙ Read api/auth/csrf.go
⚙ Edit api/auth/csrf.go (+12 −4)
⚙ Bash $ go test ./api/auth/...
✓ Tests pass · 4 tests, 8 assertions

Air-gapped install

Signed mega-tarball. Customer-supplied license JWS. Caddy internal CA. Optional offline update server, polled - never push.

Learn more

Agent workflows

Wire agent and exec steps into a DAG, validate it, run it, and watch the run record live. Starter templates and a visual canvas. Tenant-scoped; node timeout sends SIGTERM.

Learn more

Sandbox / egress isolation

Opt-in per-company policy to run agent sessions in an isolated network namespace (netns). Egress is denied by default, so an agent can't exfiltrate over the network. Default off.

Learn more
How it works

Four moves from install to governed fleet.

  1. Enrol hosts

    Daemon over mTLS, one-time approval, TOFU pin.

  2. Spawn per team

    Any backend, RLS isolation, admins manage - don't snoop.

  3. Watch + replay

    Live xterm stream, frame-by-frame replay, permission events.

  4. Prove + bill

    Signed audit to SIEM, per-repo USD attribution, hard caps.

  1. Enrol hosts

    The daemon enrols over mTLS by default. One-time approval mints a per-host token, and TOFU cert pinning locks in the host's identity from the first handshake.

    curl -fsSL synaptyx.cloud/install | sh
    daemon enrolled · mTLS pinned
    session live · cost tracking on
  2. Spawn per team

    Team members spawn agent sessions on any backend, scoped to their team. Row-level security isolates every row, so admins manage access - they don't snoop on your prompts.

    SAMPLE
    teamsessionstatus
    payments-apicl-9832live
    payments-apicl-9840live
    ◐ other teams' rows — RLS-hidden from this admin
  3. Watch + replay

    Watch sessions live over an xterm stream, then scrub frame-by-frame in replay with bookmarks. Every permission event lands as a marker on the timeline.

    SAMPLE
    $ deploy hotfix to prod-backend-eu
    ⚙ permission requested: bash write
    ✓ approved by admin · 00:42
    ⚙ Bash $ kubectl rollout restart
  4. Prove + bill

    Every action is signed and pushed straight to your SIEM. Per-repo USD attribution and hard spend caps land before the invoice does.

    SAMPLE
    {
      "class_uid": 3002,
      "sink": "splunk-prod",
      "repo": "monorepo/api",
      "signature": "ed25519:9c2f…7ab1"
    }

Hosted SaaS, or self-host the signed mega-bundle air-gapped - same binary, your hardware.

Walkthrough

Five views from the operator console.

The portal is what your platform team lives in. An interactive preview of the operator console.

Active users
24
Active hosts
9
Live sessions
4
This month spend
$7,554
Hosts under your control plane
One pane of glass - every host, every session, every audit signature, every dollar.
Security posture

Three things you can actually verify.

Not "we promise". Cryptographic proof. Auditable cryptography. Self-hostable when your auditor demands it.

You hold the keys

  • BYOK end-to-end encryption
  • Argon2id passphrase → master key
  • Optional WebAuthn auto-unlock
  • Zero-knowledge: lose passphrase = lose data
  • Per-team key wrap, no operator escrow

We sign everything

  • Per-company Ed25519 audit chain
  • Tamper-evident row hash chain
  • Public per-company pubkey endpoint
  • SIEM push with mTLS + JWT
  • Cryptographically signed releases

Air-gap if you want

  • Self-hosted signed mega-tarball
  • Customer-supplied license JWS
  • Caddy internal CA bootstrap
  • Update server polled, never push
  • Zero third-party telemetry - the control plane phones nothing home
SAMPLE

Verify it yourself

A real 5-row sample audit chain, embedded right in this page. Recompute every SHA-256 hash, check every Ed25519 signature - live, in your browser, right now.

tseventprev_hashhashsigstatus
2026-06-30T09:12:04Zsession.spawn00000000…0000001fc9478e…d23310OyglWI4l…HbCQ==
2026-06-30T09:14:51Zpermission.approved1fc9478e…d23310f51cd7d3…62b875DJELgYNW…mFBQ==
2026-06-30T09:21:37Zsecret.accessf51cd7d3…62b8750951657e…440f92kkygR5aa…eyBA==
2026-06-30T09:44:02Zpolicy.updated0951657e…440f925fd659a7…20aa98e4dkZY5U…lkCA==
2026-06-30T10:03:19Zsession.closed5fd659a7…20aa9899022532…b4952fMFUtvbrJ…6vCw==

Not verified yet - press Verify chain.

Honest comparison

If you've evaluated alternatives, here's how we line up.

Anthropic ConsoleSynaptyx
Per-team budgets◐ org only
Audit signing chain (Ed25519)
SIEM push
Self-host air-gapped
BYOK end-to-end encryptionN/A
Session replay (xterm)
SCIM 2.0 provisioning
Source-available
Time to first agenthours< 5 min
Who this is for

Built for the three people who have to own AI tooling.

Platform teams

You support engineers, not write all the code yourself. You need governance without becoming the bottleneck.

Pricing

Per seat. Transparent. No surprise invoices.

Per-seat pricing for teams and organizations. Annual billing saves 17%.

Save 17%
Solo

For individuals - secure agent workflows and memory across your devices, no team needed.

$20/ month
  • End-to-end encrypted personal vault
  • Agent memory synced across your devices
  • Run agents on your own hosts
  • Secrets encrypted, never in plaintext
  • Personal session replay & audit
  • Teams, shared context & approvals
Join the waitlist
Most popular
Team

For engineering orgs that need governance without slowdown.

$24/ seat / month
  • Configurable seats
  • Up to 25 hosts
  • Audit signing chain
  • Session replay + scrubber
  • SIEM push (webhook)
  • 90-day audit retention
  • Email support · 48h SLA
  • Air-gap install
Start team trial
Enterprise

Whatever your CISO signs off on.

Contactcustom
  • Unlimited seats & hosts
  • OIDC + SCIM 2.0
  • Splunk / Datadog / Elastic / Sentinel / S3 WORM
  • Self-host air-gapped install
  • Customer-supplied license JWS
  • Custom audit retention
  • 24/7 SLA + named CSM
  • SOC 2 + DPA on request

Stop trusting cloud vendors with your prompts. Start governing your AI infrastructure.

Request access