Sign in with the identity you already have
FlakeHub brings federated, JWT-based authentication to Nix, integrating with the identity infrastructure your teams already run, from GitHub and GitLab to Okta, Microsoft Entra ID, AWS, and Google Cloud. Machines and CI sign in with short-lived tokens instead of long-lived static credentials, so there are no secrets to rotate and no shared keys to leak.
No static credentials
FlakeHub authenticates machines and CI with short-lived JSON Web Tokens instead of long-lived static credentials, eliminating an entire class of leaked-secret risk.Works with your identity providers
Integrate with GitHub Actions and GitHub Enterprise OIDC, GitLab CI/CD for cloud and self-hosted, Okta, Microsoft Entra ID SSO, Amazon IAM roles, and Google Cloud Workload Identity Federation, the identity infrastructure you already run.Zero-trust, organization-aware access
When a machine authenticates, FlakeHub already knows which organization it belongs to and exactly which flakes and cache slices it can reach.Fine-grained policy engine
A policy engine backs every request, with fine-grained access control, IP restrictions, and deploy-only access to specific flake outputs.Built into Determinate Nix
A singledeterminate-nixd login authenticates team members and CI using each machine's existing identity, with nothing to configure by hand.SOC 2 Type II certified
Built and operated on audited, certified infrastructure. Satisfies the compliance questions your security team will ask before you ship.Bring your own identity provider
FlakeHub authenticates against the identity infrastructure you already run, issuing short-lived tokens instead of static credentials.
- GitHubGitHub
- GitLabGitLab
- OktaOkta
- Microsoft Entra IDMicrosoft Entra ID
- AWSAWS
- Google CloudGoogle Cloud
- Nix at work: FlakeHub Cache and private flakes
Nix at work: FlakeHub Cache and private flakes
A deep dive on FlakeHub's federated authentication and the policy engine behind private flakes and cache access.
- Determinate Nix 3.0
Determinate Nix 3.0
The release that brought a zero-trust security model, federated authentication, and fine-grained access controls to Nix.
- Authentication in FlakeHub
Authentication in FlakeHub (opens in a new tab)
The reference guide to how FlakeHub authenticates users, machines, and CI with short-lived JSON Web Tokens.
- FlakeHub
FlakeHub
The all-in-one platform for Nix and flakes, with binary caching, private flakes, and org-wide access control.
Explore more solutions
- Learn more about Software supply chain security
Software supply chain security
Provenance, SBOMs, and CVE remediation, built into every build.
- Learn more about Binary caching
Binary caching
Never build the same thing twice.
- Learn more about FedRAMP
FedRAMP
FlakeHub has FedRAMP High Authorization, bringing Nix to federal agencies and their partners.
- Learn more about Nix for enterprise
Nix for enterprise
The power of Nix scaled to organizations of any size and complexity.
- Learn more about Nix at scale
Nix at scale
Keep Nix fast as your monorepo, CI, and fleet grow.
- Learn more about Nix for macOS
Nix for macOS
The easy button for Nix on macOS.
- Learn more about Nix for Linux
Nix for Linux
Business-class Nix for every Linux distribution.
- Learn more about Nix-based deployments
Nix-based deployments
Deploy Nix configs without building or evaluating on the target.
- Learn more about Nix for CI/CD
Nix for CI/CD
Faster, more reproducible pipelines with Nix.
- Learn more about Nix with MDM
Nix with MDM
Zero-touch Nix deployment through your MDM.