Account Types
Stowix supports three account types, each designed for a different identity: human users, physical machines, and automated services.
Member Accounts
Member accounts represent human users. They authenticate via OAuth (Google or GitHub) or email/password. A member account is identified by the user's email address and can belong to multiple groups to inherit different scopes.
Suitable for: developers, administrators, and any team member who interacts with Stowix through the dashboard or CLI.
Device Accounts
Device accounts represent machine identities tied to a specific physical or virtual device — for example, a build server, a NixOS machine, or a workstation. Device accounts authenticate exclusively via API tokens; they have no OAuth login.
Device accounts are named after the device they represent (e.g., build-server-01, nixos-workstation).
Suitable for: NixOS machines pulling from a binary cache, dedicated build hosts, or any scenario where the identity is anchored to a specific piece of hardware or VM.
Service Accounts
Service accounts are non-human identities for automation — CI/CD pipelines, deploy scripts, and scheduled jobs. Like device accounts, they authenticate exclusively via API tokens.
Service accounts are named after the service or pipeline they represent (e.g., github-actions, deploy-pipeline, release-bot).
Suitable for: CI pipelines, release automation, and any role-based automation that is not tied to a specific machine.
Device vs. Service Accounts
The key distinction is where versus what:
- A device account represents where the code runs — the specific machine. Use it when the token should be bound to a physical or virtual device.
- A service account represents what is running — the pipeline or service itself. Use it for role-based automation that may run on any machine.
Example: A NixOS workstation that pulls from the binary cache → device account. A GitHub Actions workflow that pushes build results → service account.
Comparison
| | Member | Device | Service |
|---|---|---|---|
| Represents | A human user | A specific machine | An automated pipeline or service |
| Authentication | OAuth (Google/GitHub) or email/password | API token only | API token only |
| Primary use case | Developer or admin interacting with the dashboard | Machine-bound identity (e.g., NixOS host) | Role-based automation (e.g., CI/CD) |
| Scope inheritance | Via group memberships | Via group memberships | Via group memberships |
| Identified by | Email address | Device name | Service/pipeline name |