Stop trusting passwords.
Start trusting identity.
zGate is the zero-trust gateway that sits between your team and your databases — short-lived credentials, every query governed and audited, PII masked at the wire. Here's how to get value in minutes.
The Pain Point
Teams still share one database password. It never rotates, every query runs unchecked, and when an auditor asks who saw the customer PII — nobody can say.
The zGate Solution
Log in with SSO and get a short-lived per-session credential from Vault. Every query is intercepted — the Parser reads its structure, the AI flags PII and anomalies, the Server enforces policy and masks sensitive columns at the wire, and writes a full audit record.
The Call to Action
Stop trusting passwords. Start trusting identity. Start your free trial at z-gate.dev — hosted in minutes, or self-host with Docker.
5-Minute Quick Win
~5 min
Run your first governed query and see zero-trust access live. No infrastructure changes to your apps — just three steps.
Install & log in
Grab the CLI and authenticate with your identity provider — no password is ever stored locally.
zgate login
Open a database
Launch the TUI, list what you can reach, and open a secured local tunnel to a demo database.
/connect demo-db
Run your first analysis
Point any client at the local port and query. PII columns come back masked, and the query lands in the audit log within seconds.
SELECT * FROM customers;
Built for your whole team
Whatever your role, zGate meets you where you work. Pick your path below.
The Developer
Stay in your workflow
- Native CLI + interactive TUI — connect in seconds
- Works with DBeaver, DataGrip, mysql, psql & sqlcmd over a local 127.0.0.1 tunnel
- Headless zgate tunnel for CI/CD pipelines
- mTLS + SSO handled for you — no VPN, no shared secrets
The DevOps / Admin
Control without friction
- Deploy hosted SaaS or on-prem Docker Compose (Vault + Keycloak)
- RBAC roles: super, db_admin, policy_admin, auditor
- Query allow/deny policies, rate limits & a JIT approval queue
- Short-lived, Vault-issued credentials across MySQL, PostgreSQL & MSSQL
The Decision Maker
Provable governance
- Every connection & query audited — NDJSON exports straight to your SIEM
- AI-driven PII masking and anomaly detection
- Data sovereignty: self-host with secrets in your own Vault, optional local-only LLM
- Eliminate shared credentials to shrink breach and audit risk
How zGate works
zGate is one system made of focused parts. A query never reaches your database unvetted: the Server is the central interception point, calling the Parser and AI as it goes, then storing an audit record the WebUI renders. Here's the journey, end to end.
Choose your path
Hosted (SaaS)
Spin up zGate at z-gate.dev in minutes. We run Vault, Keycloak, and the observability stack — you bring your databases.
- No infrastructure to manage
- Automatic updates & monitoring
- Ideal for fast evaluation & pilots
On-Premise
Run the full stack in your own environment on any Azure Virtual Machine or Linux server. Use our Linux system administration installer to bring up Vault, Keycloak, and every service in minutes.
- Secrets never leave your infrastructure
- Optional local-only LLM (Ollama) — no external API calls
- Complete data sovereignty & audit control
Need help?
Technical Support
Setup help, deployment questions, or something not working? We respond fast.
