Selkie
Self-hosted · Apache 2.0 · Built on WireGuard

Your private network, on your infrastructure.

Selkie is a zero-trust access layer you run yourself. Enroll devices, broker peer-to-peer sessions over WireGuard, and manage everything from a clean admin UI — without handing your identity graph to a vendor.

Go 1.23 control plane | Postgres + Redis | STUN/TURN (coturn) | macOS · Linux · iOS · Android

Features

Everything needed to run a private overlay.

Identity, device enrollment, session brokering, policy, and audit — in one self-hosted binary you can run anywhere.

Zero-trust enrollment

Short pair codes, device-bound credentials, SSO-backed admin. The first login becomes the super-user account.

WireGuard overlay

Every enrolled device gets a static overlay IP on a network you control. Keys never leave the device.

Session brokering

Short-lived session tokens, ICE candidate exchange, and STUN/TURN fallback via bundled coturn.

Admin UI

Single-page UI for device management, session history, relay health, and system status. No build step.

Native mobile apps

First-party iOS and Android clients that enroll and connect to your server with a QR code.

Audit & policy

Every session logged; revocation is immediate and uniform across device, admin, and policy paths.

Architecture

Control plane only. Never in the data path.

The control server coordinates identity and session establishment. Once a connection is established, peers communicate directly over the WireGuard overlay — or via TURN relay when direct paths are blocked by NAT.

  • Go 1.23 control server (chi · pgx · go-redis · zap)
  • Postgres for durable state, Redis for ephemeral fan-out
  • coturn for STUN/TURN, Caddy for automatic TLS
  • Single docker compose up to run the whole stack

selkie topology
┌─────────────────────────────────────────────┐
│  Admin UI · Mobile apps · CLI daemon        │
└─────────────────────┬───────────────────────┘
                      │ HTTPS (session JWT)
┌─────────────────────▼───────────────────────┐
│  Control server                             │
│  Auth · Devices · Sessions · Audit          │
│  Postgres · Redis · coturn                  │
└─────────────────────┬───────────────────────┘
                      │ WireGuard overlay
┌─────────────────────▼───────────────────────┐
│  Peers connect directly (or via TURN)       │
└─────────────────────────────────────────────┘

Quick start

Running in under five minutes.

Clone the repo, fill in your environment, and bring up the full stack with Docker Compose. The first admin login becomes the super-user account automatically.

1. Clone the repository and copy .env.example to .env.
2. Point UOA_DOMAIN at your admin hostname and set your TURN host.
3. Bring everything up — Caddy provisions TLS, Postgres initializes itself.
4. Open the admin UI, complete SSO, and enroll your first device.

~/selkie
# clone and configure
git clone https://github.com/unlikeotherai/selkie.git
cd selkie
cp .env.example .env

# bring up the whole stack
docker compose up -d

# enroll your first device
npm install -g selkie
selkie enroll
Documentation

Read the design, not just the README.