Whitepaper
How we encrypt, sign, and let you self-host the whole control plane.
Synaptyx ships with cryptographic primitives auditable by anyone with your company's public key. Nothing here is unique magic; the value is in the integration and the operational guarantees.
Security posture
Three things you can actually verify.
Not "we promise". Cryptographic proof. Auditable cryptography. Self-hostable when your auditor demands it.
You hold the keys
- BYOK end-to-end encryption
- Argon2id passphrase → master key
- Optional WebAuthn auto-unlock
- Zero-knowledge: lose passphrase = lose data
- Per-team key wrap, no operator escrow
We sign everything
- Per-company Ed25519 audit chain
- Tamper-evident row hash chain
- Public per-company pubkey endpoint
- SIEM push with mTLS + JWT
- Cryptographically signed releases
Air-gap if you want
- Self-hosted signed mega-tarball
- Customer-supplied license JWS
- Caddy internal CA bootstrap
- Update server polled, never push
- Zero third-party telemetry - the control plane phones nothing home
SAMPLE
Verify it yourself
A real 5-row sample audit chain, embedded right in this page. Recompute every SHA-256 hash, check every Ed25519 signature - live, in your browser, right now.
| ts | event | prev_hash | hash | sig | status |
|---|---|---|---|---|---|
| 2026-06-30T09:12:04Z | session.spawn | 00000000…000000 | 1fc9478e…d23310 | OyglWI4l…HbCQ== | |
| 2026-06-30T09:14:51Z | permission.approved | 1fc9478e…d23310 | f51cd7d3…62b875 | DJELgYNW…mFBQ== | |
| 2026-06-30T09:21:37Z | secret.access | f51cd7d3…62b875 | 0951657e…440f92 | kkygR5aa…eyBA== | |
| 2026-06-30T09:44:02Z | policy.updated | 0951657e…440f92 | 5fd659a7…20aa98 | e4dkZY5U…lkCA== | |
| 2026-06-30T10:03:19Z | session.closed | 5fd659a7…20aa98 | 99022532…b4952f | MFUtvbrJ…6vCw== |
Not verified yet - press Verify chain.
Honest comparison
If you've evaluated alternatives, here's how we line up.
| Anthropic Console | Synaptyx | |
|---|---|---|
| Per-team budgets | ◐ org only | ✓ |
| Audit signing chain (Ed25519) | ✗ | ✓ |
| SIEM push | ✗ | ✓ |
| Self-host air-gapped | ✗ | ✓ |
| BYOK end-to-end encryption | N/A | ✓ |
| Session replay (xterm) | ✗ | ✓ |
| SCIM 2.0 provisioning | ◐ | ✓ |
| Source-available | ✗ | ✓ |
| Time to first agent | hours | < 5 min |
| LLM Gateways | Synaptyx | |
|---|---|---|
| Layer governed | model API request / response | agent execution on the host |
| Per-session capture + xterm replay | – | ✓ |
| Transcript BYOK end-to-end | – | ✓ |
| Signed audit chain (Ed25519) | access logs | ✓ |
| Host enrolment + per-team RBAC | – | ✓ |
| Cost attribution | per API key | per repo · team · session |
| Self-host air-gap | some | ✓ |
Complementary, not competitive: gateways route the API traffic; Synaptyx proves who ran which agent, on what, under whose key — and caps the spend. Run on top of any gateway.
| Build it yourself | Synaptyx | |
|---|---|---|
| Per-team budgets | ✗ | ✓ |
| Audit signing chain (Ed25519) | build it | ✓ |
| SIEM push | ✗ | ✓ |
| Self-host air-gapped | depends | ✓ |
| BYOK end-to-end encryption | depends | ✓ |
| Session replay (xterm) | ✗ | ✓ |
| SCIM 2.0 provisioning | ✗ | ✓ |
| Source-available | N/A | ✓ |
| Time to first agent | weeks | < 5 min |
