Providers overview
Every provider Nomos can broker today, with links to its step-by-step setup guide.
Nomos brokers two kinds of providers:
- OAuth providers — you do a one-time consent flow in the dashboard; the broker encrypts and stores the token; agents get short-lived UCANs scoped to one command at a time.
- Non-OAuth providers (filesystem, SSH, cloud) — the PDP holds keys / credentials via environment or federated identity; scoping happens through Cedar policy + UCAN constraint.
OAuth providers
| Provider | Status | Refreshable | Setup | |---|---|---|---| | GitHub | GA | yes | GitHub setup | | Slack | GA | yes | Slack setup | | Google Workspace | GA | yes | Google setup | | Notion | GA | no | Notion setup | | Linear | GA | yes | Linear setup | | Stripe Connect | GA | no | Stripe setup | | Discord | beta | yes | Discord setup |
Non-OAuth providers
| Provider | Status | How it auths | Setup | |---|---|---|---| | Filesystem | GA | PDP host (no token) | Filesystem setup | | SSH / SFTP | GA | SSH private key (env) | SSH setup | | Azure | beta | OIDC federation (WIF) | Azure setup | | AWS | beta | OIDC federation (STS) | AWS setup | | GCP | beta | OIDC federation (WIF) | GCP setup |
The Cloud accounts page
OAuth providers live under Connections; the three clouds get their own surface at Cloud accounts. Because they federate over OIDC, Nomos never holds a static key — each account binds a role / identity that Nomos exchanges for short-lived credentials per call.
- Active lists each bound account with its cloud, subscription / account id, and a last-verified time. Verify now re-runs the trust check; Disconnect removes it.
- Connect a new cloud shows Azure / AWS / GCP cards, each with the exact bind CLI snippet to run. Follow the per-cloud guide above for the full bootstrap.

Provider you need isn't on the list?
Open an issue on GitHub Issues. New OAuth providers usually ship in 1–2 weeks once we have the spec.