Frequently asked questions

Find answers to common questions about Alpacon.

General

What is Alpacon?

Alpacon is a zero-trust server access platform that replaces traditional SSH key management with secure, browser-based access. It enforces command-level permissions, validates execution in real time, and produces an immutable audit trail when AI agents, engineers, and CI/CD pipelines work on production infrastructure.

How is Alpacon different from SSH?

SSH requires key management across servers and provides no audit of what runs after login. Alpacon adds centralized access via a web dashboard, time-limited tokens instead of persistent keys, full command auditing, no exposed SSH ports, and individual user accountability tracking.

Can Alpacon replace my VPN?

Yes, Alpacon can replace VPNs for server access. Unlike VPNs, which provide network-level access, Alpacon provides application-level access with command-level identity, policy enforcement, and auditing.

What platforms does Alpacon support?

Alpacon supports Linux (Ubuntu, Debian, CentOS, RHEL, Rocky, Fedora, Oracle, Amazon, SUSE, Alpine, Raspberry Pi OS), Windows Server (2016/2019/2022), and macOS. The web interface works on Chrome 90+, Firefox 88+, Safari 14+, and Edge 90+.

Security

Is Alpacon secure?

Yes. Alpacon uses an outbound-only tunnel architecture—no inbound ports need to be opened, no firewall rules required. It implements zero-trust continuous verification, end-to-end encryption, multi-factor authentication, command ACLs, and comprehensive audit logging.

What security standards does Alpacon comply with?

Alpacon follows zero-trust architecture design, end-to-end encryption, and comprehensive audit logging aligned with industry standards. It is in the process of obtaining SOC 2 Type II certification and has completed penetration testing by Theori. US data residency is supported.

How does Alpacon handle authentication?

Alpacon uses a layered approach: users authenticate with a password and MFA, the platform issues time-limited JWT tokens, agents validate the token before allowing access, and all sessions are continuously monitored. SAML SSO, Okta, LDAP/AD, biometrics, and hardware security keys are supported.

Can I integrate with my SSO provider?

Yes. Alpacon supports SAML 2.0 SSO and integrates with Okta, Azure AD, Google Workspace, OneLogin, and any SAML 2.0 provider. LDAP/AD integration is also supported for on-premises directories.

Technical

How does reverse connection work?

Instead of exposing an SSH port, the Alpacon agent installed on a server initiates an outbound HTTPS connection to the Alpacon platform. As a result, no inbound firewall rules are needed, the agent works behind NAT, and servers are never directly exposed to the internet. All user sessions travel through this encrypted outbound tunnel.

What ports does Alpacon use?

Alpacon only requires outbound HTTPS (port 443). No inbound ports need to be opened, which significantly reduces the attack surface.

Does Alpacon require root/admin access?

The Alpacon agent (alpamon) requires root/admin privileges to manage user sessions, enforce access controls, collect audit logs, and execute commands as other users. End users do not need root access unless explicitly granted by policy.

How do I install the Alpacon agent?

Go to Servers → Register Server, enter your server information, copy the generated installation script, and run it on your server. The script auto-detects the OS and installs the appropriate agent.

See the Installation guide for detailed instructions and manual installation options.

Can I use Alpacon for file transfer?

Yes. Alpacon includes WebFTP, a browser-based file manager that supports upload/download, drag-and-drop, server-to-server transfers, and CLI usage for automation.

Can I register a server in multiple workspaces simultaneously?

No. A server can only be registered to one workspace at a time. To move it to a different workspace, first disconnect it from the current workspace, then re-register it in the new one.

Operations

How do I handle emergency access?

Alpacon provides several emergency access methods: break-glass accounts with enhanced logging, API tokens for programmatic access, and offline time-limited tokens that work without platform access.

See emergency access procedures for details.

What happens if Alpacon goes down?

Alpacon provides a 99.99% uptime SLA. If the platform is unavailable: existing sessions remain active for up to 4 hours, emergency offline tokens continue to work, cloud console access remains available, and status updates are available at status.alpacon.io.

How are software updates handled?

The Alpacon platform updates automatically via rolling deployments with no downtime. Agents support automatic updates (recommended) or manual updates via a package manager; neither method interrupts active sessions.

Can I self-host Alpacon?

Yes. Alpacon Enterprise supports self-hosted deployment for organizations with air-gapped environments, data sovereignty requirements, or custom integration needs. Contact sales@alpacax.com for details.

Integration

Does Alpacon work with CI/CD pipelines?

Yes. Alpacon provides a REST API with granular token-based authentication. Official integrations are available for GitHub Actions, GitLab CI, Jenkins, CircleCI, Bitbucket Pipelines, and Azure DevOps.

See integration guides for examples.

Can I use Alpacon with configuration management tools?

Yes. Integrate configuration management tools with Alpacon via the REST API to run commands within automated workflows.

How do I monitor servers through Alpacon?

Alpacon includes a built-in monitoring dashboard and supports Prometheus metrics export, CloudWatch integration, Datadog integration, and custom webhook notifications.

Troubleshooting

Agent not connecting to workspace

Confirm that outbound HTTPS (port 443) is allowed, system time is synchronized, the registration token is valid and not expired, and DNS resolution is working. See the connection troubleshooting guide at docs.alpacax.com for detailed steps.


Permission denied errors

Verify that the user has the appropriate role (User / Staff / Superuser), that the command ACL permits the operation, that the target server is within the allowed group, and that the session has not expired.

Slow connection or latency

Common causes include network latency between your location and the Alpacon relay, server resource constraints, browser performance issues, and proxy/firewall deep packet inspection. Ping alpacon.io to check baseline latency.

How do I get support?

Documentation is at docs.alpacax.com. Community support is available on Discord (discord.gg/wadWh8VsYB). For direct support, email support@alpacax.com.

Migration

How long does migration take?

Typical timelines: small teams (under 10 servers) 1–2 days; mid-size teams (10–100 servers) 1–2 weeks; large teams (100+ servers) 2–4 weeks.

See our migration guide for detailed planning.

Can I run SSH and Alpacon in parallel?

Yes, and it’s the recommended approach. Install the Alpacon agent alongside SSH, test all workflows through Alpacon, migrate users in stages, and disable SSH once Alpacon access is confirmed working.
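To confirm the last step (SSH disabled) on a Linux server, the listening sockets can be audited for anything still reachable from other hosts. The script below is an added example, not part of Alpacon's tooling; it assumes iproute2's `ss` is available and that sshd used the default port 22, and the sample socket listings are constructed.

```shell
#!/bin/sh
# Added example: find TCP listeners reachable from other hosts.
# Input format is `ss -H -tln`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Read ss output on stdin; print "address port" for each listener
# that is NOT bound to a loopback address.
exposed_listeners() {
    awk '
    $1 == "LISTEN" && match($4, /:[0-9]+$/) {
        addr = substr($4, 1, RSTART - 1)   # text before the last colon
        port = substr($4, RSTART + 1)      # digits after the last colon
        sub(/%.*/, "", addr)               # drop interface scope, e.g. %lo
        sub(/^\[/, "", addr)               # drop IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1") next
        print addr, port
    }'
}

# Exit status 0 if the given port (default 22, an assumption) is among
# the exposed listeners read from stdin, 1 otherwise.
ssh_exposed() {
    port="${1:-22}"
    exposed_listeners |
        awk -v p="$port" '$2 == p { found = 1 } END { exit !found }'
}

# Constructed sample: a server mid-migration, sshd on all interfaces.
SAMPLE_BEFORE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Constructed sample: the same server after sshd was disabled.
SAMPLE_AFTER='LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*'

if printf '%s\n' "$SAMPLE_BEFORE" | ssh_exposed; then
    echo "before: sshd is still reachable on port 22"
fi
if ! printf '%s\n' "$SAMPLE_AFTER" | ssh_exposed; then
    echo "after: no exposed listener on port 22"
fi
```

On a real host, run `ss -H -tln | exposed_listeners` to see every remaining inbound listener, not only SSH.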

Will migration cause downtime?

No. Agent installation and registration require no service restarts, no configuration changes, and no downtime. Running services are unaffected during migration.
