Universal enrollment
One-time encrypted ceremonies connect a fresh browser or thin client to an approval made by a device that already holds your authority.
Private-alpha managed infrastructure
Daemonet Cloud is where customers use 1Man’s managed coordination, verified access, names, entitlements, and operations. Your Daemonet remains the identity provider and your hosts remain the application endpoints.
Invitation-gated private alpha. Payments remain disabled until public beta and explicit operator activation.
The managed product
Use 1Man to attach infrastructure, enroll devices, prove names, obtain certificates, coordinate reachability, integrate entitlements, observe availability, and support migrations. It has no right to approve your device, rewrite your profile, recover your identity, or receive ordinary application bytes.
One-time encrypted ceremonies connect a fresh browser or thin client to an approval made by a device that already holds your authority.
Portable Domain Deeds and owner-signed service manifests bind names, TLS keys, modes, policy, and replaceable endpoints.
Short host leases, health evidence, drain, canary, failover, rollback, and migration change machines without changing service identity.
Native service authorization
The access policy is embedded in the service owner’s signed manifest. 1Man can display and integrate it, but only a key explicitly named by the owner can issue the destination-verifiable pass.
First decides whether these members may communicate at all.
Then requires an allowlisted principal, a portable entitlement, or a timed trial.
Opens only the exact service port and DNS answer until the signed expiry.
WireGuard and origin HTTPS carry the application data without 1Man.
Authorize an exact profile member or Daemonet user from a start time through a hard expiry.
Accept an owner-selected issuer, resource, audience, and right. Finite uses are allocated atomically at the destination.
Offer X starts of Y minutes, or unlimited starts. Each accepted start receives a new bounded pass; counters survive retries.
Stable names, explicit surfaces
Public marketing, managed control, developer infrastructure, explicit Hub publication, and private profile DNS are different products and trust paths. A wildcard does not make them interchangeable.
daemonet.comcompany and open-source productdaemonet.cloudmanaged customer access and 1Man operationsadmin.daemonet.cloudcustomer browser portal; device-key enrollment is still requireddaemonet.iodeveloper docs, protocols, SDKs, and releaseshub.daemonet.ioexplicitly published Daemon Hub ingress onlyprivate.profile.daemonetprofile-owned private DNS; not a public Cloud account nameSchema-owner and invitation-administration tools are never served by the public portal. Verified public service publication still requires a portable Domain Deed backed by three independent Daemongate witnesses. A one-gate pre-alpha may test coordination, but it cannot mint that proof.
Cloud without custody
Daemon Hub is the only 1Man feature allowed to carry application traffic, and only for a service whose owner explicitly selects publication. It is never an emergency fallback for private access.
A portal session or conventional administrative record never becomes the user’s Daemonet identity.
Temporary coordination records expire; devices remain authoritative for profiles and relationships.
1Man does not receive, cache, inspect, store, or relay direct service content.
A receive-only watcher observes settlement to the operator wallet and cannot sign, sweep, spend, or refund.
Paid capabilities buy managed operations and capacity—not a less exploitative privacy tier.
If the requested identity, entitlement, route, certificate, or transport proof fails, access stops visibly.