v0.1.0-alpha
System Telemetry · Tenant Isolation · Audit Trail

Total observability. Absolute control.

A command center built for infrastructure operators. Manage API keys, rotate secrets, inspect the relay queue, and monitor rate limits across all tenants, with tenant isolation enforced at every layer and a full per-user audit trail on every action.

5 rate limit tiers · ROLLING WINDOW COUNTERS
100% isolation coverage · ALL TABLES ENFORCED
0ms key rotation delay · INSTANT INVALIDATION
24/7 threat monitoring · MTA-STS + DMARC + DANE
7 day audit trail retention · PER-USER EVENTS
// RESOURCE.GOVERNANCE ENFORCED

Metered limits. Instant enterprise overrides.

Rate limits are enforced using rolling window counters across minute, hour, day, and month windows — tracked in Redis and enforced at the gateway layer before any request reaches the application. Enterprise quota overrides are applied instantly without a redeployment.

| Feature | Free | Starter ($4 / mo) | Pro ($29 / mo) | Business ($249 / mo) | Enterprise (Custom) |
|---|---|---|---|---|---|
| Email Accounts (Mailboxes) | 1 | 5 | 25 | 150 | Unlimited |
| API Requests / min | 60 | 300 | 1,000 | 5,000 | Unlimited |
| Sends / day | 0 | 1,000 | 10,000 | 100,000 | Custom |
| Storage | 1 GB | 10 GB | 50 GB | 500 GB | Custom |
| Access Modes | REST + Native | REST + gRPC + Native | All modes | All modes | All modes |
| SLA | Best effort | 99.9% | 99.95% | 99.99% | Custom |

Webhooks 5 endpoints 20 endpoints Unlimited Unlimited
MCP Access

Rate limit counters are rolling windows, not fixed-interval buckets. A burst at 11:59 does not carry penalty into 12:00. Enterprise overrides are written to the gateway configuration layer and take effect in under one second.
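A rolling-window check across more than one window, as an added example (not the product's own code). An in-memory queue stands in for Redis; the class name, the hourly cap and the tenant labels are assumptions, and only the 60 requests per minute figure comes from the table.

```python
import time
from collections import defaultdict, deque

# Window lengths in seconds (the page also lists day and month windows).
WINDOWS = {"minute": 60, "hour": 3600}
# 60/min is the Free tier figure from the table; the hourly cap is constructed.
FREE_TIER = {"minute": 60, "hour": 1000}

class RollingLimiter:
    """Sliding-log limiter: one timestamp queue per (api key, window)."""

    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.logs = defaultdict(deque)

    def allow(self, api_key):
        now = self.clock()
        touched = []
        for name, limit in self.limits.items():
            log = self.logs[(api_key, name)]
            # Expire entries older than the window, measured from "now".
            while log and log[0] <= now - WINDOWS[name]:
                log.popleft()
            if len(log) >= limit:
                return False, name      # rejected requests are not counted
            touched.append(log)
        for log in touched:
            log.append(now)
        return True, None

def burst_then_wait():
    """Constructed scenario: 61 calls at t=0, then retries at 59.9s and 60s."""
    t = [0.0]
    limiter = RollingLimiter(FREE_TIER, clock=lambda: t[0])
    burst = [limiter.allow("tenant-a") for _ in range(61)]
    other = limiter.allow("tenant-b")   # separate key, separate counters
    t[0] = 59.9
    early = limiter.allow("tenant-a")
    t[0] = 60.0
    later = limiter.allow("tenant-a")
    return burst, other, early, later
```

Each request leaves a window exactly one window-length after it was made, so capacity returns relative to the request time rather than at a clock boundary.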

// SECURITY.POLICIES ENFORCED

Email security telemetry. All inbound, all verified.

Hermes ingests DMARC aggregate and forensic reports, enforces MTA-STS policies on every outbound relay, validates DANE TLSA records on delivery, and surfaces everything in the console, with instant webhook secret rotation when you need it.

AUTHENTICATION

DKIM, DMARC & SPF

Per-domain signing keypairs provisioned at tenant creation. DMARC aggregate and forensic reports ingested continuously and surfaced in the console dashboard.

  • DKIM keypairs auto-generated and published in DNS automatically
  • DMARC aggregate reports (rua) parsed and visualized per domain
  • DMARC forensic reports (ruf) stored and queryable for incident review
  • SPF record validation on every inbound message
  • Alignment failures logged in the audit trail with source IP and domain
TRANSIT SECURITY

MTA-STS, DANE & BIMI

Every outbound delivery enforces the destination domain's MTA-STS policy. DANE TLSA records are validated per RFC 7671. BIMI logos are resolved, cached, and delivered in the pipeline.

  • MTA-STS policies fetched and cached; enforced on every outbound relay
  • TLS-RPT reports generated and sent to destination postmasters
  • DANE TLSA records validated against the SMTP TLS certificate presented
  • BIMI VMC URLs resolved, verified, and logo cached for delivery
  • Policy cache TTL respected; cache invalidated on policy update
// KEY.MANAGEMENT INSTANT

Provision, scope, inspect, rotate. In seconds.

API keys are the boundary of every integration's access. Create keys with explicit scope arrays, inspect what each key has touched, and rotate or revoke any key instantly, with zero milliseconds of service downtime for compliant integrations.

KEY LIFECYCLE

Create. Scope. Inspect. Rotate.

Keys are provisioned with an explicit scope array. The scope is the key's complete permission boundary: it cannot be escalated at runtime, regardless of the calling user's privileges.

  • Scope array set at creation and immutable; rotate to change scope
  • Keys are shown exactly once at creation; thereafter only the prefix and metadata are visible
  • Rotation generates a new key and invalidates the old one atomically, with a 0ms gap
  • Per-key last-used timestamp and request count surfaced in the console
  • Revoke any key instantly: takes effect on the next request with no cache window
  • Keys inherit strict tenant isolation: a compromised key cannot cross tenant boundaries
// CLI: KEY LIFECYCLE MANAGEMENT (BASH)
# Create a scoped key for a production agent
$ hermes keys create \
  --name "prod-agent" \
  --scope mail.read cal.write sched.write
Key K0X9a1b2c3d4... created (store now)

# Inspect a key's usage
$ hermes keys inspect K0X9a1b
Name: prod-agent
Scope: mail.read cal.write sched.write
Requests: 24,801 total
Last used: 47 seconds ago

# Rotate: new key, zero downtime
$ hermes keys rotate K0X9a1b
K0X9a1b invalidated. K0Xd4e5f6... active.
0ms service downtime. Update your env vars.
// RELAY.QUEUE LIVE

Full relay visibility. Audit trail on every action.

Inspect outbound relay queues in real time. View pending messages, delivery attempts, and failure reasons. Every admin action (key creation, tenant change, quota override, relay retry) is logged in the immutable audit trail.

RELAY QUEUE

Outbound Message Control

Monitor the relay queue from the console or via the CLI. Inspect delivery attempts, view bounce reasons, and trigger manual retries or cancellations without touching infrastructure.

  • Live queue view: pending, in-flight, delivered, bounced, deferred
  • Per-message delivery log: attempt count, response code, MX target, latency
  • Manual retry: re-queue a message immediately from the console or CLI
  • Cancel: remove a pending message before relay attempts begin
  • Soft bounce vs hard bounce classification with automatic retry policy
  • MTA-STS enforcement status visible per outbound delivery attempt
AUDIT TRAIL

Immutable. Per-User. Per-Tenant.

Every consequential action in the system emits an audit event. Events are written in the same transaction as the change they describe: if the change rolls back, the audit event does too.

  • Key created, rotated, and revoked, with actor, timestamp, and IP
  • Tenant plan changed, with previous and new plan values
  • Team member invited, accepted, or removed, with role and privilege snapshot
  • Quota override applied, with operator identity and override value
  • DMARC forensic reports linked to the originating delivery event
  • Exportable via REST API or CLI for SIEM integration
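The key lifecycle and the transactional audit trail described above, combined in one added example (not the product's own code). SQLite stands in for the real datastore; the table layout, the 11-character prefix, SHA-256 digest storage, and carrying the scope over unchanged on rotation are all assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE api_keys (prefix TEXT PRIMARY KEY, tenant TEXT NOT NULL,
  digest TEXT NOT NULL, scope TEXT NOT NULL, active INTEGER NOT NULL);
CREATE TABLE audit (id INTEGER PRIMARY KEY, actor TEXT NOT NULL,
  action TEXT NOT NULL, target TEXT NOT NULL);
"""
PREFIX_LEN = 11  # "K0X" + 8 hex chars; the only part kept in clear text

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _store(db, actor, action, tenant, scope):
    # Caller holds the transaction: key row and audit row commit together.
    secret = "K0X" + secrets.token_hex(16)
    digest = hashlib.sha256(secret.encode()).hexdigest()
    db.execute("INSERT INTO api_keys VALUES (?, ?, ?, ?, 1)",
               (secret[:PREFIX_LEN], tenant, digest, scope))
    db.execute("INSERT INTO audit (actor, action, target) VALUES (?, ?, ?)",
               (actor, action, secret[:PREFIX_LEN]))
    return secret  # shown to the caller once, never stored

def create_key(db, actor, tenant, scope):
    with db:  # commits on success, rolls back on any exception
        return _store(db, actor, "key.created", tenant, " ".join(scope))

def rotate_key(db, actor, key_id):
    prefix = key_id[:PREFIX_LEN]
    with db:
        cur = db.execute("UPDATE api_keys SET active = 0 "
                         "WHERE prefix = ? AND active = 1", (prefix,))
        if cur.rowcount != 1:
            raise LookupError("no active key with that prefix")
        tenant, scope = db.execute("SELECT tenant, scope FROM api_keys "
                                   "WHERE prefix = ?", (prefix,)).fetchone()
        return _store(db, actor, "key.rotated", tenant, scope)

def authorize(db, secret, needed):
    row = db.execute("SELECT digest, scope FROM api_keys WHERE prefix = ? "
                     "AND active = 1", (secret[:PREFIX_LEN],)).fetchone()
    digest = hashlib.sha256(secret.encode()).hexdigest()
    return (row is not None and hmac.compare_digest(row[0], digest)
            and needed in row[1].split())
```

Because `audit.actor` is `NOT NULL`, a rotation that cannot be attributed to an actor fails on the audit insert and the whole transaction rolls back, leaving the old key active.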
// RELAY QUEUE CLI LIVE
hermes relay list
List all messages in the relay queue with status, attempt count, and next retry time. Filter by status, recipient domain, or date range.
hermes relay retry {id}
Immediately re-queue a deferred or failed message. Bypasses the scheduled retry window. Delivery attempt begins within one second.
hermes relay cancel {id}
Cancel a pending message before any delivery attempt is made. Irreversible. Logged in the audit trail with operator identity.
hermes audit tail
Stream audit events in real time (key actions, tenant changes, relay outcomes, and security policy triggers) as they are committed.
// IDENTITY.SECURITY ISOLATION ENFORCED

Isolation that cannot be misconfigured.

Tenant isolation is enforced by strict data isolation policies at the infrastructure layer, not middleware, not application logic. A misconfigured application returns zero rows. A compromised API key cannot reach another tenant's data. There is no code path that bypasses this.

AUTHENTICATION

Argon2id & TOTP 2FA

User passwords are hashed with Argon2id, the winner of the Password Hashing Competition and the modern standard for credential storage. TOTP 2FA is available to all users on all plans.

  • Argon2id hashing with tuned memory and iteration parameters
  • TOTP 2FA: RFC 6238 compliant, compatible with any authenticator app
  • Per-user last-login timestamp tracked and surfaced in the console
  • Inactive user accounts automatically suspended after configurable inactivity
  • Email unique among non-deleted users; soft-delete preserves address uniqueness
TEAM MANAGEMENT

Roles, Invitations & Privileges

Team tenants manage members with preset roles and custom per-user privilege JSONB merged at invitation acceptance. Role and privilege changes are audited and immediately effective.

  • Preset roles: admin, member, readonly, with sensible defaults for most teams
  • Custom privilege JSONB: extend or restrict any permission at the user level
  • Invitations include role and privilege snapshot, locked at send time
  • Invitation expiry enforced: expired tokens are never accepted
  • Team owner is the only identity that can delete the tenant or transfer ownership
// OPERATORS

Full control from day one.

Provision keys, inspect relay queues, review audit logs, and monitor security policy enforcement, from the console or the CLI. No separate observability tooling required.

Open Console →
// ENTERPRISE

Custom quotas. Dedicated support.

Unlimited API limits, custom storage, quota overrides applied in under a second, and a direct engineering line for production incidents. No shared infrastructure.

Contact Sales →