What's New in meshr — Q2 2026 Launches
Five new features shipped in Q2 2026: Access Map, Public Endpoints, Custom Domains, Audit Logs, and Setup Keys. What each one does, who it's for, and how to try it today.
Beta moves fast. Over the last few weeks five new capabilities landed in meshr — each one closing a gap that early users kept asking about. Here’s the quick tour, with a one-paragraph “why it matters” for each.
All five are live for every account on the free beta plan. No feature flag, no waitlist — sign up and they’re already in your dashboard.
1. Access Map — see your whole network at a glance
The biggest “show, don’t tell” win this quarter. Access Map is an interactive force-directed graph of every peer, group, ACL rule, and access path in your mesh. Click any node to highlight what it can reach. Drag a filter to isolate one team’s view. Hover an edge to see the exact policy rule that allowed or denied it.
Who it’s for: anyone onboarding a new engineer, debugging a “why can’t I reach prod-db?” ticket, or running a security review before granting contractor access.
2. Public Endpoints — production ingress, not a demo tunnel
Tunneling is great for a quick demo URL. Public Endpoints is what you put in front of users. Persistent URL, custom domain (api.acme.com), automatic TLS, and multi-target load balancing across any number of mesh peers. Drain a target for maintenance, weight a canary, or A/B-test versions — all without an ingress controller.
Who it’s for: teams shipping internal APIs, SaaS-style services, or anything where the URL needs to survive next week’s deploy.
3. Custom Domains — your domain, your trust, our TLS
Public Endpoints’ best companion. Register your root domain once (single TXT record + a wildcard CNAME). Every subdomain underneath — api.acme.com, app.acme.com, internal.acme — gets a TLS certificate issued and renewed automatically. Works with any DNS host: Route 53, Cloudflare, Namecheap, your own NSes.
Who it’s for: anyone who’s ever lost a weekend to certbot, or who needs internal-only TLS to kill the browser “not secure” warning on dashboards.
4. Audit Logs — live-tail with SIEM export
Every device added, every policy changed, every connection allowed or denied — captured with sub-second latency. Filter by actor, resource, severity, or time window. Stream to S3, Splunk, Datadog, Elastic, PagerDuty, or any webhook. Per-record diffs on config changes show the before/after with the actor who made the change.
365-day retention out of the box. Audit evidence templates pre-mapped to SOC 2 (CC6/CC7), HIPAA (§164.312(b)), and ISO 27001 (A.12.4) — exportable as JSON or PDF.
Who it’s for: anyone shipping toward a compliance framework, anyone running an on-call rotation, anyone who’s ever been asked “what changed?” at 3am.
5. Setup Keys — headless device provisioning
A token. Drop it into a curl one-liner, a Terraform user_data block, an Ansible playbook, a Raspberry Pi image. The device joins the mesh, picks up its default group, inherits the policies, and starts serving — no browser, no human, no manual click. Reusable for fleets, ephemeral for CI runners. Each key has a TTL and an optional usage cap, so a leaked key dies on its own.
Every device that joined via a key is tagged with the key ID, so you can bulk-revoke if a key gets compromised. And every enrollment shows up in Audit Logs.
Who it’s for: anyone provisioning more than 5 devices a week, anyone running ephemeral CI runners, anyone shipping edge hardware to the field.
Bonus: SSH Elevation, Custom DNS Zones, Visual Policy Editor
Three smaller capabilities also landed alongside the big five:
- SSH Elevation (/platform/certificates) — just-in-time sudo. Engineers request root for a window, a peer or policy approves, the cert is reissued with elevated claims, every keystroke gets recorded. No more shared root passwords.
- Custom DNS Zones (/platform/dns) — bring your own internal zone (internal.acme, corp.local). Resolvable only from mesh peers, never leaks to public DNS. Complements MagicDNS for the names your runbooks already say.
- Visual Policy Editor (/platform/zero-trust) — author the same policy as a graph, as cards, or as HCL. Click an edge to flip an allow/deny verdict, or commit the HCL form into Git and code-review it.
What’s next
The roadmap for Q3 is shaping up around three themes: deeper observability (real-time per-peer flow stats), mobile agents (iOS + Android), and an OpenAPI v2 with first-class Terraform provider support.
If any of the above moves you, the quickest path is to try it — every feature here is live on the free beta plan, no credit card required.