Security and governance

Govern the cloud without slowing the developers.

Per-workload identities. Plans tested against your policies before they publish. Every action audited. AWS, Azure and GCP.

Free forever · No commitment · Upgrade anytime

Workload identity federation

No static cloud keys. Ever.

Wayfinder issues per-workload identities to AWS, Azure and GCP via OIDC trust. Developers never write IAM. Your platform team never hands out a long-lived key.

  • AWS - per-workload IAM roles assumed via OIDC, scoped by the plan
  • Azure - per-workload managed identities federated through Wayfinder's OIDC issuer
  • GCP - per-workload service accounts via Workload Identity Federation
  • No static cloud keys held in the cluster, on a laptop, or in CI

See it end-to-end in From laptop to live.

Policy in the plans

The wrong thing can't ship.

Policy lives in the plans the platform team curates. The Cloud Resource Plan Tester runs every plan against your real cloud before it publishes. By the time a developer picks one, the policy work is done.

Tested before publish

Cloud Resource Plans run end-to-end in your own cloud account against your own policies. If a plan would fail a policy, it never reaches the catalogue.

Plans carry the standards

Encryption defaults, tagging conventions, network defaults, deletion guardrails - baked into the plan, applied every time a developer uses it. Standards become code.

CloudAccessCheck pre-flight

Before Wayfinder touches a cloud account, it validates that it has the permissions to do the work. No half-built resources, no mysterious mid-deploy failures.

Hierarchical RBAC

Tenant. Workspace. Environment.

RBAC scopes match how teams already organise: platform owns the tenant, product owns the workspace, developers own their environments. Every action carries the calling user's identity end-to-end.

  • SSO out of the box
  • Access tokens scoped per workspace
  • Active session tracking
  • Permissions reviewed in the UI, the CLI, or the API

Audit

Every action, every agent run, captured.

Wayfinder captures every meaningful event - who ran wf up, which AI agent answered which prompt, which plan was published. Filterable in the admin UI, exportable for your SIEM.

  • Tenant-wide event stream
  • Per-agent, per-tool-call captures for AI actions
  • Admin Events & Logs views in the UI
  • Exportable for downstream tooling

Secret storage

Bring your own keys.

Secrets travel through Wayfinder as encrypted envelopes the platform itself can't read in cleartext. Pick the backend that fits your governance.

AWS KMS

Envelope encryption with a CMK in your AWS account. Wayfinder never holds the data key in cleartext.

Azure Key Vault

Envelope encryption against a key in your Key Vault. Audit lives in Azure where your team already watches it.

Local encryption

For self-hosted Wayfinder, a local-encryption envelope keyed to your own master key. Same envelope pattern, no cloud KMS dependency.

Connect a cloud in one command

No copy-pasted IAM. No jq chains.

wf setup cloudaccess walks the platform team through the OIDC trust setup for AWS, Azure or GCP. Dry-run first, then apply - or hand it a flag and let it apply directly.

Repeat per environment. Wayfinder keeps the trust documents and the cloud-side resources in sync with the CloudAccess records it manages.

Ready to give your developers self-service without giving away the keys?

Free tier. Full platform. Workload identity from day one.
