Security

Security starts with where your credentials live.

Stategraph stores your state and coordinates changes — but it never runs Terraform and never sees your cloud credentials. They stay on the machine running the CLI. Everything else builds on that split.


Your cloud credentials never leave your machine

Stategraph runs as two parts. The CLI runs on your machine or CI runner and executes Terraform/OpenTofu locally against your cloud, with your credentials. The Server stores authoritative state and coordinates concurrent changes — and that's all. It never runs Terraform, and it never sees your cloud.

CLI (local): runs Terraform / OpenTofu against your cloud; holds cloud credentials
Server: stores state, coordinates changes; no cloud credentials
Your cloud: reached only by the local CLI; your account, your keys

A compromised server still can't touch your cloud — it has no credentials to touch it with. Read the architecture →

Controls your security team will ask about

Identity, least privilege, and a complete record of who changed what.

Single sign-on


SAML 2.0 and OIDC against any identity provider — Okta, Microsoft Entra ID, Google Workspace, Auth0. Restrict sign-in to your email domain.

Least-privilege access tokens


Mint capability-scoped tokens from the CLI — for example commit-only on a single state. A token can never hold more than the session that created it.

Service accounts for CI/CD


Give pipelines their own durable identities and per-run session tokens, so a change reads as "the deploy pipeline made this," not a departed employee's key.

Audit and transaction history


Every state change is a transaction with an author, a timestamp, and a full record on an immutable timeline. Query it directly — it's the same data the API exposes.

Encryption and residency


Postgres encryption at rest and TLS in transit. Self-host to pin data to a region or keep it entirely inside your perimeter.

Your data, your perimeter


Run the whole platform inside your own environment — air-gapped if you need it — with no change to the CLI, API, or features. Self-hosting →

Least privilege, by construction

Issue a credential that can do exactly one thing. A CI token that commits to one state can't manage users, can't mint more tokens, and can't touch any other state.

# a commit-only token, scoped to one state
$ stategraph user access-tokens create \
--name ci-prod-apply \
--commit \
--commit-state 'a1b2c3d4-...=*'
# this token cannot manage users, mint tokens, or reach any other state

Capabilities are admin, commit, and preview — each scopable to a tenant or a single state — plus user management and token issuance. Access-token docs →
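The attenuation rule above (a token can never hold more than the session that minted it, and a commit-only token scoped to one state cannot manage users, issue tokens, or reach another state) is easy to get wrong if checked ad hoc. The following is an added toy model written for this page, not Stategraph's code and not its API: the capability names follow the page, while the Grant/Token classes, the wildcard scope "*", the treatment of user management and token issuance as unscoped capabilities, and the state ids are assumptions made for the illustration. It shows a subset check at mint time and an authorization check at use time, so widening privilege through a child token is refused by construction.

```python
"""Toy model of capability-scoped access tokens (illustration; not Stategraph's code).

Assumptions for this example:
- 'admin', 'commit' and 'preview' are bound to a scope: '*' (whole tenant) or one state id.
- 'manage_users' and 'issue_tokens' are unscoped capabilities.
- 'admin' does NOT imply 'commit' or 'preview' here; capabilities are independent.
- A child token may only be minted by a holder of 'issue_tokens', and every grant it
  requests must be covered by a grant the issuer already holds.
"""
from __future__ import annotations
from dataclasses import dataclass

SCOPED = {"admin", "commit", "preview"}
UNSCOPED = {"manage_users", "issue_tokens"}
ANY_STATE = "*"


@dataclass(frozen=True)
class Grant:
    capability: str
    scope: str = ANY_STATE  # ignored for UNSCOPED capabilities

    def covers(self, other: Grant) -> bool:
        """True if this grant is at least as broad as `other`."""
        if self.capability != other.capability:
            return False
        if self.capability in UNSCOPED:
            return True
        return self.scope == ANY_STATE or self.scope == other.scope


@dataclass
class Token:
    name: str
    grants: frozenset[Grant]

    def allows(self, capability: str, state_id: str = ANY_STATE) -> bool:
        """Authorization check at use time: some held grant must cover the request."""
        wanted = Grant(capability, state_id)
        return any(g.covers(wanted) for g in self.grants)

    def mint(self, name: str, requested: set[Grant]) -> Token:
        """Issue a child token; refuses anything the issuer does not itself hold."""
        if not self.allows("issue_tokens"):
            raise PermissionError(f"{self.name} cannot issue tokens")
        for g in requested:
            if not any(mine.covers(g) for mine in self.grants):
                raise PermissionError(
                    f"{self.name} cannot grant {g.capability} on {g.scope}")
        return Token(name, frozenset(requested))


def demo() -> dict[str, bool]:
    """Walk through the page's scenario; returns each check's outcome."""
    prod = "a1b2c3d4-prod-state"        # constructed placeholder state id
    staging = "e5f6a7b8-staging-state"  # constructed placeholder state id

    # An operator's interactive session holding everything.
    operator = Token("alice-session", frozenset({
        Grant("admin"), Grant("commit"), Grant("preview"),
        Grant("manage_users"), Grant("issue_tokens")}))

    # The CI token from the page: commit-only on one state.
    ci = operator.mint("ci-prod-apply", {Grant("commit", prod)})
    results = {
        "ci_commit_prod": ci.allows("commit", prod),
        "ci_commit_staging": ci.allows("commit", staging),
        "ci_manage_users": ci.allows("manage_users"),
        "ci_issue_tokens": ci.allows("issue_tokens"),
    }

    # The CI token cannot mint anything at all, let alone escalate to admin.
    try:
        ci.mint("escalated", {Grant("admin")})
        results["ci_can_escalate"] = True
    except PermissionError:
        results["ci_can_escalate"] = False

    # A delegator that CAN mint, but only holds commit on prod, cannot widen to '*'.
    lead = operator.mint("team-lead", {Grant("issue_tokens"), Grant("commit", prod)})
    try:
        lead.mint("too-broad", {Grant("commit")})  # commit on every state
        results["delegator_can_widen"] = True
    except PermissionError:
        results["delegator_can_widen"] = False
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The design point is that the subset check lives in `mint`, so no caller can produce a token broader than its issuer regardless of how the request was built; `allows` then only has to answer the narrow question of whether a held grant covers one operation on one state.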

Bring your checklist

Security reviews are run by engineers, not sales. Walk through the architecture, the controls, and your requirements with the people who built them.
