Carpathian Cloud Version 2026.4.0 is available to all users. This release focused heavily on security, AI capabilities, and giving you more control over your infrastructure. We added a firewall, expanded the AI platform with a bring-your-own-key proxy, rebuilt API key management, introduced automated deployments from GitHub, and tightened security across the board with enforced two-factor authentication.
Firewall
You now have a per-service firewall directly in your dashboard under Networking. It covers three services independently: SSH Gateway, API, and AI Proxy. Each service can run in "Allow All" mode (the default) or "Allowlist Only" mode, where only IPs you've explicitly approved can connect. You can add individual IPs or CIDR ranges, and rules can be toggled on and off without deleting them. When a firewall is active on a service, you'll see warnings on the relevant pages so nothing catches you off guard.
AI Proxy (Bring Your Own Key)
Most AI providers give you an API key and leave the rest up to you. There's no built-in way to track spending across teams, enforce rate limits, restrict which models get used, or filter what goes in and out. If you're integrating AI into production software, you're bolting all of that together yourself.
Carpathian's AI Proxy sits between your application and your provider (Anthropic, OpenAI, or any OpenAI-compatible API) and gives you a full control layer over your existing account. Think of it like CloudFlare, but for your AI traffic. You keep your own API keys and billing relationship with your provider. We don't host the model or touch your data. We just give you the infrastructure to manage it: usage tracking, token counting, per-key rate limits, content filtering, IP-based access control, daily and monthly token budgets, and model allowlists. If something goes wrong, the system auto-locks the key after repeated unauthorized access attempts.
Proxy keys use the cpx_ prefix and are fully compatible with the OpenAI SDK format, so integration is a one-line change in most applications. As far as we know, nothing like this exists as a standalone product today.
Automated Deployments
The GitHub Actions deployment pipeline has been stabilized and fully tested. Deployments now reliably pull your code, run your build steps, and restart your services without intervention. We also cleaned up the deployment history view. Logs, commit SHAs, branches, and timestamps all display correctly now. If you tried deployments before and ran into issues, it's worth another look.
API Key Management
API keys got a full rebuild. There's now a dedicated hub where you can manage all your keys in one place: server keys (cpk_), AI instance keys (cai_), and proxy keys (cpx_). Every key type supports IP allowlisting, rate limiting, usage tracking, expiration dates, and rotation. You can scope keys to specific permissions like deployment-only or read-only access. If a key gets compromised, the system tracks security events and can auto-lock it.
Two-Factor Authentication
Certain actions now require 2FA to be enabled on your account before you can use them. This includes modifying firewall rules, creating API keys, and other operations that directly affect the security of your infrastructure. The reasoning is straightforward: if you're opening ports or managing access controls, your own account needs to be secured first. You can set up 2FA using TOTP via an authenticator app or email-based verification codes. Recovery codes are generated during setup in case you lose access to your device.
Networking
The networking page was rebuilt to give you more granular control over your network flows. Bandwidth tracking is now available per server and per organization. You can see inbound and outbound usage, monitor against your plan's data cap, and configure what happens when you hit your limit. Network plan tiers are now available with defined speed and data allocations. Status Center was deprecated and its network monitoring features have been moved into the main dashboard and networking pages.
SSH
You can now SSH into your servers from outside the dashboard (still in beta). Create an API key, and you can connect directly from your local terminal using the Carpathian SSH gateway. This works alongside the existing browser-based console, so you can use whichever fits your workflow.
Additional Improvements
- Server cards now show bandwidth usage alongside CPU, memory, and disk metrics.
- Quasar servers (physical and bare-metal machines) are now supported with their own subscription plans.
- The in-app feedback system was expanded with support requests, bug reports, and automatic diagnostics collection.
Bug Fixes
- Fixed SSH console connections failing when VLAN gateway rules were out of sync.
- Fixed file uploads failing on larger files.
- Fixed deployment logs not displaying the full output.
- Fixed API key creation not properly scoping permissions.
- Fixed routing rules page not reflecting firewall status.
- Fixed mobile layout issues across the firewall, networking, and AI pages.
- Fixed region blocking not properly applying exceptions for approved users.
- Fixed bandwidth tracking not resetting at the start of each billing cycle.
