Skip to main content
Hexr runs the same agent runtime across every deployment model. Whether you use Hexr Cloud or run the platform entirely in your own data center, your @hexr_agent code is identical — only the infrastructure ownership changes. This page explains each model so you can choose the right fit for your team.

Deployment comparison

Hexr CloudHybridSelf-hostedAir-gapped
InfrastructureHexr-managed GKEYour runtime + Hexr control planeYour clusterYour cluster, zero internet
Trust domainhexr.cloudFederatedCustomer-ownedCustomer-owned
IdentityHexr root CASPIFFE federationCustomer SPIRECustomer SPIRE
BillingHCU creditsHCU + infrastructureLicenseLicense
Setup time5 minutes1 hour2–4 hours2–4 hours
AuthSSO / API keysSSO + SPIFFE federationLDAP/AD/SAML/OIDCLDAP/AD/SAML
StatusAvailableComing soonAvailableAvailable

Hexr Cloud (managed SaaS)

Everything managed by Hexr. You write agents; Hexr handles the rest.

Sign up

Create an account at hexr.dev and get an API key.

Authenticate

hexr login

Build, push, and deploy

hexr build && hexr push --cloud && hexr deploy --cloud

Monitor

Open the dashboard at app.hexr.cloud to view agents, traces, the identity graph, and compliance status.
What Hexr Cloud manages for you:

Agent runtime

GKE Autopilot — auto-scaling, auto-healing, zero ops.

SPIRE identity

Hexr root CA. Per-process SVIDs issued automatically.

Observability

OTel, Prometheus, Grafana, and Jaeger — pre-configured.

Cloud API

REST API for tenant management, HCU metering, and API keys.

HCU billing

Pay-as-you-go with Hexr Compute Units. Metered per operation.

Dashboard

Agent inventory, traces, identity graph, and compliance views.

Get started with Hexr Cloud

Self-hosted (on-premises / private cloud)

Your infrastructure, your data, your control. Hexr ships as Terraform modules and Helm charts that work on AWS EKS, GCP GKE, Azure AKS, bare-metal Kubernetes, and DigitalOcean.

Provision infrastructure

terraform init && terraform apply  # VPC, K8s cluster, databases, DNS

Deploy the Hexr runtime

helm install hexr-runtime hexr/hexr-runtime -n hexr-system -f values.yaml
This deploys SPIRE, Vault, Gateway, the Credential Injector, and the full observability stack into your cluster.

Deploy your agents

hexr build && hexr push && hexr deploy
Same CLI, same workflow — agents run in your cluster.
What deploys into your hexr-system namespace:

SPIRE server

Your own certificate authority. Customer-owned trust domain.

Hexr Vault

SPIFFE-native secrets. AES-256-GCM. Data never leaves your network.

Hexr Gateway

OpenAPI-to-MCP tool adapter. Credential injection from Vault.

Credential Injector

JWT-SVID to STS exchange for AWS, GCP, and Azure.

OTel stack

Collector, Prometheus, Jaeger, and Grafana — all self-hosted.

Air-gapped mode

Zero outbound connectivity mode. All images pre-loaded.

Self-hosted quickstart

Hybrid Cloud (coming soon)

Your agents run in your infrastructure. Hexr manages identity, observability, and tooling from the cloud. SPIFFE federation bridges trust domains without exposing credentials or data.

Hexr control plane (cloud)

  • Cloud API — tenant management, config, compliance
  • Root CA — Hexr-operated SPIRE server
  • Dashboard — monitoring, identity graph, audit

Your data plane (on-premises)

  • Customer Kubernetes — your cluster, your network
  • Nested SPIRE — federates with Hexr’s root CA
  • Agent pods — compute never leaves your network
SPIFFE federation bridges the two trust domains. Your SPIRE server and Hexr’s root CA exchange trust bundles — agents in your cluster get Hexr-federated identities without exposing credentials or data. This is an additive configuration change, not a redesign.

Moving between models

Hexr is designed so that switching deployment models requires a configuration change, not a code change. The same Helm charts and agent code work across all models. As your compliance or infrastructure requirements evolve, you can migrate without rewriting your agents. 
Today:
  hexr.cloud trust domain  →  Hexr Cloud SaaS
  acme.example.com         →  Self-hosted (Terraform + Helm)

With Hybrid (additive config change only):
  hexr.cloud ⟷ acme.example.com  →  SPIFFE federation