Appetizer: Taste OpenZiti
The appetizer is an interactive demo of application-embedded zero trust. Three commands get you connected to a live reflect server — authenticated, encrypted, and invisible to port scanners, with no exposed ports or firewall rules on either side.
What you get by adopting an OpenZiti SDK
- Strong identities: X.509 certificates guarantee entities are who they claim to be.
- Segmented access: Enforce least-privileged access — only explicitly authorized identities can reach a service.
- No exposed ports: The app is "dark" on the underlay network and invisible to port scanners.
- Continuous authentication: Authorization is checked throughout the session, not just at connect time.
- End-to-end encryption: Data is only accessible to the intended recipient.
Run the appetizer
Prerequisites
Install Go and git.
Clone the repo and run the reflect client:
git clone https://github.com/openziti-test-kitchen/appetizer.git
cd appetizer
go run clients/reflect.go reflectService
How it works
Step 1: Reflect server strong identity
When the appetizer process starts, it first creates a strong identity for itself. This identity (represented by the lock icon) is authorized to "bind" the reflect service, creating a listener on the overlay network so it can accept incoming connections from other authorized identities.
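The bind authorization in Step 1 rests on two checks: the identity's certificate must chain to a trusted CA, and a policy must explicitly grant the action on the service. The following is an added example, not code from the appetizer repo or the OpenZiti SDK, that models both checks with Go's standard library; the `issue` and `authorize` helpers, the CA and identity names, and the grant key format are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a short-lived certificate for name; a nil parent yields a self-signed CA.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authorize verifies the chain to the trusted CA, then requires an explicit grant (hypothetical model).
func authorize(ca *x509.Certificate, grants map[string]bool, cert *x509.Certificate, action, service string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("untrusted identity: %w", err)
	}
	if id := cert.Subject.CommonName; !grants[action+":"+service+":"+id] {
		return fmt.Errorf("%s has no grant to %s %s", id, action, service)
	}
	return nil
}

func main() { // constructed identities; grant keys are "action:service:identity"
	ca, caKey := issue("demo-ca", nil, nil)
	server, _ := issue("reflect-server", ca, caKey)
	grants := map[string]bool{"bind:reflectService:reflect-server": true}
	fmt.Println("bind:", authorize(ca, grants, server, "bind", "reflectService"))
	fmt.Println("dial:", authorize(ca, grants, server, "dial", "reflectService"))
}
```

A certificate that carries the right name but is signed by a different CA fails the first check, so a grant alone never admits an identity.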