Account Types

Stowix supports three account types, each designed for a different identity: human users, physical machines, and automated services.

Member Accounts

Member accounts represent human users. They authenticate via OAuth (Google or GitHub) or email/password. A member account is identified by the user's email address and can belong to multiple groups to inherit different scopes.

Suitable for: developers, administrators, and any team member who interacts with Stowix through the dashboard or CLI.

Device Accounts

Device accounts represent machine identities tied to a specific physical or virtual device — for example, a build server, a NixOS machine, or a workstation. Device accounts authenticate exclusively via API tokens; they have no OAuth login.

Device accounts are named after the device they represent (e.g., build-server-01, nixos-workstation).

Suitable for: NixOS machines pulling from a binary cache, dedicated build hosts, or any scenario where the identity is anchored to a specific piece of hardware or VM.

Service Accounts

Service accounts are non-human identities for automation — CI/CD pipelines, deploy scripts, and scheduled jobs. Like device accounts, they authenticate exclusively via API tokens.

Service accounts are named after the service or pipeline they represent (e.g., github-actions, deploy-pipeline, release-bot).

Suitable for: CI pipelines, release automation, and any role-based automation that is not tied to a specific machine.

Device vs. Service Accounts

The key distinction is where versus what:

Example: A NixOS workstation that pulls from the binary cache → device account. A GitHub Actions workflow that pushes build results → service account.

Comparison

| | Member | Device | Service |
|---|---|---|---|
| Represents | A human user | A specific machine | An automated pipeline or service |
| Authentication | OAuth (Google/GitHub) or email/password | API token only | API token only |
| Primary use case | Developer or admin interacting with the dashboard | Machine-bound identity (e.g., NixOS host) | Role-based automation (e.g., CI/CD) |
| Scope inheritance | Via group memberships | Via group memberships | Via group memberships |
| Identified by | Email address | Device name | Service/pipeline name |