Skip to main content
Federated authentication for Nix

Sign in with the identity you already have

FlakeHub brings federated, JWT-based authentication to Nix, integrating with the identity infrastructure your teams already run, from GitHub and GitLab to Okta, Microsoft Entra ID, AWS, and Google Cloud. Machines and CI sign in with short-lived tokens instead of long-lived static credentials, so there are no secrets to rotate and no shared keys to leak.

Docs: No static credentials

No static credentials

FlakeHub authenticates machines and CI with short-lived JSON Web Tokens instead of long-lived static credentials, eliminating an entire class of leaked-secret risk.
Docs (opens in a new tab)
How it works: Works with your identity providers

Works with your identity providers

Integrate with GitHub Actions and GitHub Enterprise OIDC, GitLab CI/CD for cloud and self-hosted, Okta, Microsoft Entra ID SSO, Amazon IAM roles, and Google Cloud Workload Identity Federation, the identity infrastructure you already run.
How it works
Announcement: Zero-trust, organization-aware access

Zero-trust, organization-aware access

When a machine authenticates, FlakeHub already knows which organization it belongs to and exactly which flakes and cache slices it can reach.
Announcement
Read more: Fine-grained policy engine

Fine-grained policy engine

A policy engine backs every request, with fine-grained access control, IP restrictions, and deploy-only access to specific flake outputs.
Read more
Docs: Built into Determinate Nix

Built into Determinate Nix

A single determinate-nixd login authenticates team members and CI using each machine's existing identity, with nothing to configure by hand.
Docs (opens in a new tab)
Trust Center: SOC 2 Type II certified

SOC 2 Type II certified

Built and operated on audited, certified infrastructure. Satisfies the compliance questions your security team will ask before you ship.
Trust Center (opens in a new tab)

Bring your own identity provider

FlakeHub authenticates against the identity infrastructure you already run, issuing short-lived tokens instead of static credentials.

  • Nix at work: FlakeHub Cache and private flakes

    Nix at work: FlakeHub Cache and private flakes

    A deep dive on FlakeHub's federated authentication and the policy engine behind private flakes and cache access.

  • Determinate Nix 3.0

    Determinate Nix 3.0

    The release that brought a zero-trust security model, federated authentication, and fine-grained access controls to Nix.

  • Authentication in FlakeHub

    Authentication in FlakeHub (opens in a new tab)

    The reference guide to how FlakeHub authenticates users, machines, and CI with short-lived JSON Web Tokens.

  • FlakeHub

    FlakeHub

    The all-in-one platform for Nix and flakes, with binary caching, private flakes, and org-wide access control.

Explore more solutions