Workload Identity for Private Cloud
Bring cloud-grade security to your private infrastructure. Workload Identity provides metadata attestations to workloads in Proxmox, Docker, and Kubernetes, giving you the same seamless workload authentication usually reserved for hyperscale providers – but under your control, in your environment.
For software that scales
Workload Identity provides an integrated security platform that gives real-time cryptographic assurance over your environment, backed by your own infrastructure.
A complete identity fabric for your workloads
Workload Identity is built on three core components that work together to provide cloud-grade assurance in private environments.
Together, these components deliver seamless identity without the hyperscaler lock-in. Enterprises can finally achieve the same level of automation and assurance in their own data centers that leading cloud providers have long relied on:
Metadata Service – Every workload gets its own isolated, always-on identity service. Applications request credentials through a simple local API and receive short-lived cryptographic identities they can use to connect to your systems securely.
Endpoint Agent – Runs alongside your existing platforms, automatically wiring workloads into the identity fabric. It applies policy locally, enforces isolation, and continuously reports state back to the control plane.
Control Plane – A highly available cluster that defines which workloads are allowed to access which secrets or services. It centralizes trust while distributing enforcement, giving you both resilience and fine-grained control.
Native integration with private virtualisation and container platforms:
- Kubernetes
- Docker
- Proxmox
Automatic workload identity
Replaces manual secrets management by allowing applications to self-request access to secrets.
Managing your entire infrastructure with IaC platforms like Terraform can now be done without worrying about how to pass initial credentials.
Ephemeral credentials mean secrets never touch disk, for stronger security and a reduced attack surface.
Open standards
SPIFFE / SPIRE, TLS & X.509, and JWT-backed attestation ensure compatibility between Workload Identity and industry standards.
Allow your application to connect to Vault without having to provision application-specific credentials.
Lightweight by design, secure by default
Workload Identity is engineered to deliver defense in depth without complexity. Written in Rust for safety and performance, it adds identity and attestation to your infrastructure without interfering with the native behavior of your hypervisor or container runtime. That means fast deployment, minimal footprint, and zero disruption to the platforms you already trust.
Modern security, simplified
Because identity is issued automatically and scoped precisely to each workload, security policies can be enforced at the finest possible level. For example, you can allow only a single web-service container to request a TLS certificate — without needing to distribute long-lived secrets or bend application logic around authentication.
The result:
Simplified visibility – every workload is cryptographically identifiable in real time.
Effortless compliance – attest workloads and prove policy enforcement on demand.
Lower operational overhead – no more manual credential management or brittle application workarounds.
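The flow described on this page (a local metadata service mints a short-lived, SPIFFE-style identity; a consumer verifies it and applies a per-workload policy such as "only the web-service container may request a TLS certificate") can be modelled in a few dozen lines. The example below is added here and is not Workload Identity's own code or API; the trust domain, workload paths, policy table and shared HMAC signing key are constructed for the demo. Real SPIFFE JWT-SVIDs are signed with asymmetric keys published in a trust bundle, so the HS256 signing here is a deliberate simplification of the signing step only; the audience, expiry and trust-domain checks are the ones a consumer performs in either case.

```python
"""Minimal model of a workload-identity flow (added example, stdlib only).

issue_jwt_svid()  - the metadata-service side: mints a short-lived JWT whose
                    subject is a SPIFFE ID (spiffe://<trust-domain>/<path>)
verify_jwt_svid() - the consumer side (a service or secrets store): checks
                    signature, algorithm, audience, expiry and trust domain
authorize()       - policy lookup keyed on the verified SPIFFE ID
"""
import base64
import hashlib
import hmac
import json
import time

TRUST_DOMAIN = "example.org"            # constructed trust domain
SIGNING_KEY = b"constructed-demo-key"   # assumption: shared HMAC key, demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt_svid(spiffe_id: str, audience: str, ttl_seconds: int = 300, now=None) -> str:
    """Mint a short-lived token bound to one workload and one audience."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": spiffe_id, "aud": [audience], "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt_svid(token: str, expected_audience: str, now=None):
    """Return the SPIFFE ID if the token is valid for this audience, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    # Signature first, then pin the algorithm so an attacker-chosen "alg" is never honoured.
    expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return None
    claims = json.loads(_b64url_decode(c))
    if expected_audience not in claims.get("aud", []):
        return None          # token minted for a different consumer
    if now >= claims.get("exp", 0):
        return None          # ephemeral credential has expired
    sub = claims.get("sub", "")
    if not sub.startswith(f"spiffe://{TRUST_DOMAIN}/"):
        return None          # identity from a foreign trust domain
    return sub


# Constructed policy: which workload may request which resource.
POLICY = {
    "spiffe://example.org/ns/prod/sa/web": {"tls-cert"},
    "spiffe://example.org/ns/prod/sa/batch": {"db-readonly"},
}


def authorize(spiffe_id: str, resource: str) -> bool:
    return resource in POLICY.get(spiffe_id, set())


def request_resource(token: str, resource: str, audience: str = "secrets-store", now=None) -> str:
    """Consumer entry point: verify the presented identity, then apply policy."""
    spiffe_id = verify_jwt_svid(token, audience, now)
    if spiffe_id is None:
        return "denied: invalid identity"
    if not authorize(spiffe_id, resource):
        return f"denied: {spiffe_id} may not access {resource}"
    return f"granted: {resource} for {spiffe_id}"


if __name__ == "__main__":
    web = issue_jwt_svid("spiffe://example.org/ns/prod/sa/web", "secrets-store", now=1000)
    batch = issue_jwt_svid("spiffe://example.org/ns/prod/sa/batch", "secrets-store", now=1000)
    print(request_resource(web, "tls-cert", now=1100))     # granted
    print(request_resource(batch, "tls-cert", now=1100))   # denied by policy
    print(request_resource(web, "tls-cert", now=1400))     # denied: expired
```

Note that the decision is made on the verified `sub` claim, never on anything the caller asserts about itself, and that an expired or mis-scoped token fails closed before policy is consulted.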