Aegis Overview
Aegis enforces cryptographic policy on workloads while Axis provides policy control, telemetry, and signed change receipts.
Overview
Aegis agents run close to your services and apply policy decisions delivered by Axis. Each policy or rollout change is traceable through audit artifacts in Axis.
Use this page to confirm architecture fit, then choose an install path:
Endpoint Assumptions
- Production auth and API host: https://axis.velikey.com (signin: https://axis.velikey.com/auth/signin).
- Non-production override: set AXIS_BASE_URL explicitly before running docs commands.
- Manual operator substitutions: provide tenant-scoped values for cookies, bearer tokens, agent IDs, and tenant slugs.
Actionable Steps
- Confirm your Axis control plane URL and tenant ownership model.
- Pick a deployment target (EC2 or Kubernetes).
- Define first policy scope and canary strategy before production apply.
# manual-only example
# production default; set AXIS_BASE_URL explicitly for staging/test.
export AXIS_BASE_URL="${AXIS_BASE_URL:-https://axis.velikey.com}"
export TENANT_SLUG="customer-prod"
curl -fsS "$AXIS_BASE_URL/auth/signin" -o /dev/null
Validation Checks (Last Step)
# executable example
curl --version
openssl version
jq --version
go version
These checks validate core tooling used throughout the install and policy guides.
Common Failure Modes
- Axis URL mismatch across environments causes enrollment or policy fetch failures.
- Policy scope planned before tenant boundaries are finalized leads to cross-environment blast radius.
- Operators skip dry-run evaluations and discover incompatibilities only at apply time.
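The first failure mode can be caught before any Axis call. The preflight below is an added example, not part of the Aegis or Axis tooling. The environment argument, the "-<env>" tenant slug suffix, and the staging host axis.staging.example are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: guard against an Axis URL / environment mismatch.
# The ENV argument and the "-<env>" slug suffix are assumed conventions.
PROD_HOST="axis.velikey.com"   # production host named on this page

# axis_preflight ENV BASE_URL TENANT_SLUG
# Returns 0 when the values are consistent, 1 otherwise (reason on stderr).
axis_preflight() (
  env_name=$1; base_url=$2; slug=$3

  # Require TLS: cookies and bearer tokens are sent to this host.
  case $base_url in
    https://*) ;;
    *) echo "preflight: AXIS_BASE_URL must use https://" >&2; exit 1 ;;
  esac

  # Keep only the authority part; reject empty hosts and embedded credentials.
  authority=${base_url#https://}
  authority=${authority%%[/?#]*}
  case $authority in
    ""|*@*) echo "preflight: malformed host in AXIS_BASE_URL" >&2; exit 1 ;;
  esac
  # Drop an optional port and compare case-insensitively.
  host=$(printf '%s' "${authority%%:*}" | tr '[:upper:]' '[:lower:]')

  case $env_name in
    prod)
      [ "$host" = "$PROD_HOST" ] || {
        echo "preflight: prod run pointed at $host" >&2; exit 1; } ;;
    staging|test)
      # The manual snippet falls back to production when AXIS_BASE_URL is
      # unset, so a non-production run on the production host is a mismatch.
      [ "$host" != "$PROD_HOST" ] || {
        echo "preflight: $env_name run resolved to production" >&2; exit 1; } ;;
    *) echo "preflight: unknown environment '$env_name'" >&2; exit 1 ;;
  esac

  # Assumed naming convention: tenant slugs end in "-<env>".
  case $slug in
    *-"$env_name") ;;
    *) echo "preflight: slug '$slug' does not match $env_name" >&2; exit 1 ;;
  esac
)

# Constructed demo: a staging run that never overrode the production default.
axis_preflight staging "https://axis.velikey.com" customer-staging \
  || echo "blocked before any Axis call"
```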
Claims and Evidence References
Claims registry • Claim-to-evidence matrix