OpenZiti

openziti.io
Last updated: April 2026

OpenZiti is an open source zero-trust overlay network for embedding zero-trust security directly into applications with SDK-based connectivity.


About

OpenZiti is an open source zero-trust networking project developed by NetFoundry. It lets organizations embed zero-trust connectivity directly into their applications through SDKs, so access decisions are made on cryptographic identity and policy rather than on IP addresses and network position. Rather than treating the network as a trusted boundary, OpenZiti moves the enforcement point inside the application: only authenticated and authorized identities can communicate, regardless of where on the network they sit.

The SDK-first approach distinguishes OpenZiti from other zero-trust networking solutions. Instead of placing enforcement only at the network edge through proxies or gateway appliances, OpenZiti SDKs are embedded in the application code itself. When an application dials a service through the SDK, it first authenticates to the OpenZiti controller with its identity and is authorized against service policy; only then is the connection carried across the overlay, regardless of which network the device is on. The application therefore exposes no listening port of its own. The caveat a practitioner should keep in mind is that the overlay still has reachable components, namely the controller's API and the edge routers, so the inbound attack surface is concentrated in those identity-authenticating endpoints rather than eliminated outright.

OpenZiti's dark networking capability means that services hosted in an OpenZiti environment do not listen on any port, public or private. A hosting application with the SDK embedded makes an outbound connection to an edge router and receives dialed connections over that link, so the service does not appear to port scanners or network reconnaissance tools. This "darkening" removes the listener, which is the inbound attack surface, rather than trying to protect it.

The identity model in OpenZiti is based on X.509 certificates issued by the OpenZiti PKI. Each entity in an OpenZiti network, whether a human user, a service, or a device, has a cryptographic identity that is used to authenticate every connection. Enrollment starts from a one-time enrollment token (a JWT) issued by the controller: the identity generates its own key pair locally and receives a certificate from the network's PKI, so private keys never leave the endpoint. Identities are managed through the controller and can be enrolled, revoked, and granted access to specific services through policy.
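The trust check behind that identity model, as an added example written for this page and not code from the OpenZiti project: a toy network PKI issues client certificates to enrolled identities, and an authenticating component accepts a presented certificate only if it chains to that network's root and names an identity that has not been revoked. The `NetworkPKI` type, the revoked-name set, and the identity names are assumptions made for the illustration; OpenZiti's controller keeps its own records and protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NetworkPKI stands in for the network's certificate authority plus the
// controller's record of which identities still exist. Assumed model for
// this example, not OpenZiti's implementation.
type NetworkPKI struct {
	Root    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool
	serial  int64
}

// NewNetworkPKI creates a self-signed root that signs identity certificates.
func NewNetworkPKI(name string) (*NetworkPKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &NetworkPKI{Root: root, key: key, revoked: map[string]bool{}, serial: 1}, nil
}

// Enroll plays the enrollment step: the identity's key pair is generated on
// the endpoint and the PKI signs a client certificate naming the identity.
func (p *NetworkPKI) Enroll(identity string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	p.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: identity},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.Root, &key.PublicKey, p.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Revoke models deleting the identity at the controller (assumed: a name set).
func (p *NetworkPKI) Revoke(identity string) { p.revoked[identity] = true }

// Authenticate is the check performed on a presented client certificate: it
// must chain to this network's root and name an identity that still exists.
func (p *NetworkPKI) Authenticate(leaf *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("certificate not issued by this network: %w", err)
	}
	name := leaf.Subject.CommonName
	if p.revoked[name] {
		return "", errors.New("identity revoked: " + name)
	}
	return name, nil
}

func main() {
	pki, err := NewNetworkPKI("ziti-root")
	if err != nil {
		panic(err)
	}
	alice, _, _ := pki.Enroll("alice")
	fmt.Println(pki.Authenticate(alice)) // accepted: issued by this network

	rogue, _ := NewNetworkPKI("rogue-ca")
	impostor, _, _ := rogue.Enroll("alice") // same name, wrong issuer
	fmt.Println(pki.Authenticate(impostor))

	pki.Revoke("alice")
	fmt.Println(pki.Authenticate(alice)) // rejected after revocation
}
```

The second case is the one worth noticing: a certificate carrying the right identity name but signed by any other CA fails the chain check, which is why the network's root, not the subject name, is what actually carries the identity.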

Services in OpenZiti define what can be reached, and service policies define who may reach it and who may host it. A service policy of type Dial binds identities to the services they may connect to; a policy of type Bind binds identities to the services they may host, and when a hosting identity binds a service the controller records a terminator for it. Identities and services are selected by role attributes rather than listed one by one, so policy is written over groups. Separate edge router policies and service edge router policies control which routers an identity may use and which routers may carry a service. With no matching policy nothing connects, which gives zero-trust access control at the service level rather than the network level.
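A small evaluator for that policy model, added here as an example and not taken from the OpenZiti controller: identities and services carry role attributes, service policies of type Dial or Bind select both sides with `#attribute`, `@name` and `#all` selectors under an AnyOf or AllOf semantic, and the default is deny. The identity names, attributes and policies are constructed sample data; edge router policies and the terminator bookkeeping are not modeled.

```go
package main

import (
	"fmt"
	"strings"
)

// Entity is an identity or a service as policy sees it: a name plus role
// attributes. Selector notation follows OpenZiti's: "#attr" matches any entity
// with that attribute, "@name" matches one entity by name, "#all" matches all.
type Entity struct {
	Name       string
	Attributes []string
}

// PolicyType is the service-policy type: Dial (may connect) or Bind (may host).
type PolicyType string

const (
	Dial PolicyType = "Dial"
	Bind PolicyType = "Bind"
)

// ServicePolicy joins a set of identities to a set of services for one action.
type ServicePolicy struct {
	Name          string
	Type          PolicyType
	Semantic      string // "AnyOf": one selector must match; "AllOf": every selector must match
	IdentityRoles []string
	ServiceRoles  []string
}

func selectorMatches(sel string, e Entity) bool {
	switch {
	case sel == "#all":
		return true
	case strings.HasPrefix(sel, "@"):
		return e.Name == sel[1:]
	case strings.HasPrefix(sel, "#"):
		for _, a := range e.Attributes {
			if a == sel[1:] {
				return true
			}
		}
	}
	return false
}

// rolesMatch applies the policy semantic over a selector list.
func rolesMatch(roles []string, e Entity, semantic string) bool {
	if len(roles) == 0 {
		return false
	}
	for _, r := range roles {
		hit := selectorMatches(r, e)
		if hit && semantic != "AllOf" {
			return true // AnyOf: a single hit is enough
		}
		if !hit && semantic == "AllOf" {
			return false // AllOf: a single miss denies
		}
	}
	return semantic == "AllOf"
}

// Allowed reports whether identity may perform action on service and which
// policy granted it. Deny by default: no matching policy, no connection.
func Allowed(policies []ServicePolicy, identity, service Entity, action PolicyType) (bool, string) {
	for _, p := range policies {
		if p.Type == action &&
			rolesMatch(p.IdentityRoles, identity, p.Semantic) &&
			rolesMatch(p.ServiceRoles, service, p.Semantic) {
			return true, p.Name
		}
	}
	return false, ""
}

// SampleNetwork returns constructed identities, services and policies.
func SampleNetwork() (map[string]Entity, map[string]Entity, []ServicePolicy) {
	identities := map[string]Entity{
		"alice":         {"alice", []string{"dev", "us"}},
		"ci-runner":     {"ci-runner", []string{"ci"}},
		"payments-host": {"payments-host", []string{"payments-hosts"}},
	}
	services := map[string]Entity{
		"payments-api": {"payments-api", []string{"internal", "payments"}},
		"public-docs":  {"public-docs", []string{"internal"}},
	}
	policies := []ServicePolicy{
		{"devs-dial-internal", Dial, "AnyOf", []string{"#dev"}, []string{"#internal"}},
		{"payments-bind", Bind, "AnyOf", []string{"#payments-hosts"}, []string{"@payments-api"}},
		{"us-ci-dial-payments", Dial, "AllOf", []string{"#ci", "#us"}, []string{"#payments"}},
	}
	return identities, services, policies
}

func main() {
	ids, svcs, pols := SampleNetwork()
	checks := []struct {
		identity, service string
		action            PolicyType
	}{
		{"alice", "payments-api", Dial},
		{"alice", "payments-api", Bind},
		{"payments-host", "payments-api", Bind},
		{"payments-host", "payments-api", Dial},
		{"ci-runner", "payments-api", Dial},
	}
	for _, c := range checks {
		ok, by := Allowed(pols, ids[c.identity], svcs[c.service], c.action)
		fmt.Printf("%-14s %-4s %-13s allowed=%-5v policy=%q\n", c.identity, c.action, c.service, ok, by)
	}
}
```

Two of the denials are the instructive ones: the host that is allowed to Bind `payments-api` still cannot Dial it, because the two actions are granted by separate policies, and `ci-runner` fails the AllOf policy because it carries `#ci` but not `#us`.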

OpenZiti can be self-hosted using the open source controller and router components, or consumed through NetFoundry's hosted commercial service built on it. SDKs are available for Go, C, Python, Java, Swift (iOS), Kotlin (Android), and other languages, and tunneler applications cover workloads whose code cannot be changed.

Positioning

OpenZiti is a free, open source zero-trust networking platform that enables developers to embed secure connectivity directly into applications. Created and maintained by NetFoundry, OpenZiti provides a complete programmable network overlay with SDKs that let applications create dark connections: no exposed application ports, no VPNs, and no reliance on network-level access controls to decide who may talk to what.

OpenZiti's application-embedded approach represents a shift from network-level to application-level security. Instead of bolting security onto existing networks, developers integrate OpenZiti SDKs to create connections that are authenticated and encrypted by default. Applications never listen on public ports, so they do not show up in network scans, and mutually authenticated TLS on every hop plus end-to-end encryption between SDK endpoints removes the opportunity for on-path interception. Volumetric attacks can still be aimed at the edge routers, which remain reachable, but not at the hidden application itself.

What You Get

  • Application-Embedded Zero Trust
    Native SDKs for Go, C, Python, Swift, Kotlin, and more that embed zero-trust networking directly into application code
  • Ziti Edge Tunnelers
    Lightweight tunneling applications for platforms where SDK integration isn’t feasible, providing zero-trust access without code changes
  • Ziti Controller
    Central control plane that manages network identities, policies, and service configurations with a comprehensive REST API
  • Smart Routing Fabric
    Overlay network fabric that automatically routes traffic through the optimal path across distributed router nodes
  • Identity and Policy Engine
    X.509 certificate-based identity with attribute-based access policies that control which identities can access which services

Core Areas

Application-Embedded Networking

SDKs that let developers build zero-trust connectivity directly into applications, without VPNs, inbound firewall rules, or exposed listening ports

Zero-Trust Overlay Network

Complete network overlay with controller, routers, and edge components that creates dark, invisible connections between authenticated endpoints

Identity-Based Security

Strong X.509 certificate-based identity with fine-grained, attribute-based access policies enforced at every connection point

Programmable Networking

Full REST API and SDKs for automating network provisioning, identity management, and policy configuration programmatically

Why It Matters

Traditional network security operates on the assumption that you can protect a perimeter, but cloud-native, distributed applications have no single perimeter to protect. OpenZiti provides a fundamentally different approach: instead of trying to secure the network, it removes the application's inbound exposure to the network in the first place. This "dark" networking model eliminates the listening attack surface rather than trying to defend it.

As the open source foundation behind NetFoundry’s commercial platform, OpenZiti gives developers and organizations full access to enterprise-grade zero-trust networking without licensing costs or vendor lock-in. Its SDK-first approach makes it uniquely suited for IoT, edge computing, and SaaS applications where embedding security into the application itself is more practical than deploying network infrastructure.
