An Open Source modern system for securing distributed applications

Securely connect services and people across any platform, anywhere in the world

Securely connect services and people across any platform, anywhere in the world


Automated integrations for popular modern platforms One-line integrations into kubernetes, cloud identity documents, service mesh...

One-line integrations into kubernetes, cloud identity documents, service mesh...


Combine identities across authorization frameworks and identity providers

Secure exchange of oAuth, JWTs, X509, ACME, SSH certificates, SDS...


Complete lifecycle management of cryptographic identities

Workflows for deploying, renewing, revoking, and federating workload identities


Production Identity delivered commitment free

Apache 2 licensed code with a community of contributors

Empower Developers

Remove the restraints and allow your developers to focus on the best solution, regardless of platform or location. Build secure hybrid applications across on-premise and cloud providers.

Production Identity automates securing of all remote services requests and connections using TLS across any cloud or platform. Start quickly with one-line integrations into popular platforms including kubernetes, AWS, Azure, Google Cloud, Envoy, and others.

Use Any Network

Enhance existing network security initiatives with another level of defence, production identity. Connect workloads, devices and people any-to-any across networks at the application layer.

Mutually authenticate services using TLS to encrypt all traffic at the application layer. Avoid complex routing and iptable configurations and even secure traffic where you don’t own the network layer.

End-To-End Encryption

Easily verify services (or apps, or functions..) and encrypt all communications. Use production identities for end-to-end encryption across any cloud or platform.

Securely connect workloads using TLS, the most widely deployed security protocol with integrations into every popular platform and language. Leverage TLS adoption and support ubiquity to architect secure systems without custom protocols.

Clean Compliance Audits

Deliver regulatory requirements (FIPS 140-2, common criteria, …) and clean compliance audits using proven cryptography standards. Extend legacy application lifetimes with a modern approach to security.

Identity Authority makes the arcane art of automated certificate management a simple, intuitive process. Knowing who or what made a request makes it easier to measure and debug, improving runtime visibility.

Open Source

Built around 100% Open Source step CLI and step Certificates, smallstep provides a rich set of security capabilities free from lock-in. Because smallstep is Open Source, production identity is delivered commitment-free.

Open-source code can be audited by anyone delivering verifiable security without the traditional vendor procedural overhead. Users influence and accelerate new capabilities through a growing community of contributors.


  1. An internal certificate authority (CA) that can issue certificates to workloads, devices, and people
  2. Streamlined generation of artifacts required for an internal CA - Automatically builds root & intermediate certificates and private keys
  3. A variety of authentication mechanisms for provisioning certificates in different environments
  4. A command line tool for generating keys, working with cryptographic artifacts, and interacting with the CA to automate certificate issuance, renewal, and revocation
  5. Proven industry defaults for easy secure choices including root and intermediate private key hygiene
  6. Automated certificate renewal to empower best practices of issuing short-lived (e.g. 24-hour) certificates.
  7. Passive revocation to avoid the challenges of implementing infrastructure support for active revocation.
  8. Key pair generation to create a public key that can be distributed and shared with the world and a corresponding private key that should be kept confidential by the owner.


  • ACME
  • OAuth
  • OIDC
  • JWT (JOSE)
  • SSH Certificates
  • X.509
  • Envoy SDS
  • TLS

Built for DevOps and Modern Systems