Connect providers

Providers overview

Every provider Nomos can broker today, with links to its step-by-step setup guide.

Nomos brokers two kinds of providers:

  • OAuth providers — you do a one-time consent flow in the dashboard; the broker encrypts and stores the token; agents get short-lived UCANs scoped to one command at a time.
  • Non-OAuth providers (filesystem, SSH, cloud) — the PDP holds keys / credentials via environment or federated identity; scoping happens through Cedar policy + UCAN constraint.

OAuth providers

| Provider | Status | Refreshable | Setup | |---|---|---|---| | GitHub | GA | yes | GitHub setup | | Slack | GA | yes | Slack setup | | Google Workspace | GA | yes | Google setup | | Notion | GA | no | Notion setup | | Linear | GA | yes | Linear setup | | Stripe Connect | GA | no | Stripe setup | | Discord | beta | yes | Discord setup |

Non-OAuth providers

| Provider | Status | How it auths | Setup | |---|---|---|---| | Filesystem | GA | PDP host (no token) | Filesystem setup | | SSH / SFTP | GA | SSH private key (env) | SSH setup | | Azure | beta | OIDC federation (WIF) | Azure setup | | AWS | beta | OIDC federation (STS) | AWS setup | | GCP | beta | OIDC federation (WIF) | GCP setup |

The Cloud accounts page

OAuth providers live under Connections; the three clouds get their own surface at Cloud accounts. Because they federate over OIDC, Nomos never holds a static key — each account binds a role / identity that Nomos exchanges for short-lived credentials per call.

  • Active lists each bound account with its cloud, subscription / account id, and a last-verified time. Verify now re-runs the trust check; Disconnect removes it.
  • Connect a new cloud shows Azure / AWS / GCP cards, each with the exact bind CLI snippet to run. Follow the per-cloud guide above for the full bootstrap.
Cloud accounts page with Active federated accounts (verify-now / disconnect) and Connect-a-new-cloud Azure/AWS/GCP cards
Federated, not key-based. Each row is one role Nomos can assume — no long-lived secret stored.

Provider you need isn't on the list?

Open an issue on GitHub Issues. New OAuth providers usually ship in 1–2 weeks once we have the spec.