SSH gateway
Every plan includes full shell access through the SSH gateway at ssh.managed.dev.
There’s no separate add-on and no “developer tier” gate — if you can see an
environment in the dashboard, you can get a shell on it. The gateway authenticates
you with your own SSH key, drops you into the right container, and scopes the
session to your team and the specific environment you targeted.
This is the same access you’d expect from a VPS, without the VPS: you run WP-CLI, inspect the filesystem, tail logs, and script routine work — but you can’t escape the boundary of the environment you connected to.
what you can do from a shell
Section titled “what you can do from a shell”- Run WP-CLI against the environment —
wp plugin list,wp search-replace,wp db export,wp cron event run, and the rest. - Inspect the application: read the codebase as it was built and rolled, check
wp-content/uploads, confirm a config value. - Script maintenance and one-off tasks, and pipe output into your own tooling.
The filesystem is the built, content-addressed artifact the platform rolled onto
this environment — the code is immutable, but the writable paths WordPress expects
(uploads, cache) behave normally. To change code, you
git push managed and let the
build pipeline rebuild and roll a new release.
add your SSH key
Section titled “add your SSH key”The gateway authenticates with public-key auth only — there are no passwords to share or rotate.
-
Generate a key if you don’t already have one:
Generate an ed25519 key ssh-keygen -t ed25519 -C "you@example.com" -
Add the public key (
~/.ssh/id_ed25519.pub) to your account in the dashboard under Account → SSH keys, or with the API. -
Confirm it’s registered, then connect.
Keys are tied to your user, so revoking a key in the dashboard cuts off access from everywhere it was used. Team membership and your role still gate which environments that key can reach.
connect
Section titled “connect”The username is the site, and the host is always ssh.managed.dev:
ssh acme-store@ssh.managed.devThat lands you in the site’s production environment by default. You can run a single command without holding a session open — handy for scripts:
ssh acme-store@ssh.managed.dev "wp option get siteurl"target a specific environment
Section titled “target a specific environment”A site has a production environment plus any branch environments you’ve pushed. Address a non-production environment by qualifying the username with the environment name:
ssh acme-store@ssh.managed.devssh acme-store+feature-checkout@ssh.managed.devssh acme-store+staging@ssh.managed.devThe environment name is the branch as it appears in your
branch routes — slashes are normalised to dashes,
so feature/checkout is addressed as feature-checkout. Each environment has its
own isolated database and files, so a shell on a preview can never touch production
data.
security model
Section titled “security model”The gateway is a controlled entry point, not a flat network you SSH into:
- Public-key only. No passwords. Your key is registered against your user and revocable from the dashboard.
- Scoped to your team and environment. A session is confined to the one environment you connected to. You can’t pivot to another team’s site or another environment from inside the shell.
- Role-aware. Your team role governs what you can
reach — an
observerdoesn’t get the same access surface as anadmin. - Audited. Connections and notable actions land in the audit log alongside dashboard and API activity.