Skip to content

SSH gateway

Every plan includes full shell access through the SSH gateway at ssh.managed.dev. There’s no separate add-on and no “developer tier” gate — if you can see an environment in the dashboard, you can get a shell on it. The gateway authenticates you with your own SSH key, drops you into the right container, and scopes the session to your team and the specific environment you targeted.

This is the same access you’d expect from a VPS, without the VPS: you run WP-CLI, inspect the filesystem, tail logs, and script routine work — but you can’t escape the boundary of the environment you connected to.

  • Run WP-CLI against the environment — wp plugin list, wp search-replace, wp db export, wp cron event run, and the rest.
  • Inspect the application: read the codebase as it was built and rolled, check wp-content/uploads, confirm a config value.
  • Script maintenance and one-off tasks, and pipe output into your own tooling.

The filesystem is the built, content-addressed artifact the platform rolled onto this environment — the code is immutable, but the writable paths WordPress expects (uploads, cache) behave normally. To change code, you git push managed and let the build pipeline rebuild and roll a new release.

The gateway authenticates with public-key auth only — there are no passwords to share or rotate.

  1. Generate a key if you don’t already have one:

    Generate an ed25519 key
    ssh-keygen -t ed25519 -C "you@example.com"
  2. Add the public key (~/.ssh/id_ed25519.pub) to your account in the dashboard under Account → SSH keys, or with the API.

  3. Confirm it’s registered, then connect.

The SSH keys panel under Account in the app.managed.dev dashboard, showing an “Add key” field and a list of registered keys with their fingerprints and last-used timestamps.

Keys are tied to your user, so revoking a key in the dashboard cuts off access from everywhere it was used. Team membership and your role still gate which environments that key can reach.

The username is the site, and the host is always ssh.managed.dev:

Open a shell on a site
ssh acme-store@ssh.managed.dev

That lands you in the site’s production environment by default. You can run a single command without holding a session open — handy for scripts:

Run one command and exit
ssh acme-store@ssh.managed.dev "wp option get siteurl"

A site has a production environment plus any branch environments you’ve pushed. Address a non-production environment by qualifying the username with the environment name:

Production (default)
ssh acme-store@ssh.managed.dev

The environment name is the branch as it appears in your branch routes — slashes are normalised to dashes, so feature/checkout is addressed as feature-checkout. Each environment has its own isolated database and files, so a shell on a preview can never touch production data.

The gateway is a controlled entry point, not a flat network you SSH into:

  • Public-key only. No passwords. Your key is registered against your user and revocable from the dashboard.
  • Scoped to your team and environment. A session is confined to the one environment you connected to. You can’t pivot to another team’s site or another environment from inside the shell.
  • Role-aware. Your team role governs what you can reach — an observer doesn’t get the same access surface as an admin.
  • Audited. Connections and notable actions land in the audit log alongside dashboard and API activity.