Home/Upwarden Cloud
Upwarden Cloud · live now

Managed Upwarden. Zero infrastructure.

Upwarden Cloud — fully managed, zero infrastructure — is live. Sign up, mint a key, and point your package manager at it. The same silent rollback and the same scanner as self-hosted Upwarden, without a server to operate.

Upwarden Cloud is live. The steps below are exactly how you get protected — sign up, mint a key, point your package manager, and watch the firewall work. Prefer to keep everything inside your own network? You can self-host instead.

1 · Sign up

Create your organization in the Upwarden Cloud console. There's nothing to install — the firewall is provisioned behind your account.

Console: https://app.upwarden.io/

2 · Get a key

Every install authenticates with a vk_… project key, scoped to one project inside your organization. In the console:

  • New organization → give it a slug + name.
  • Open it → ProjectsNew project (usually one per repo or pipeline).
  • Open the project → API keysNew key. The vk_… string is shown once — copy it into your secret store now.

Full walkthrough (UI and scriptable API): Create your first key.

3 · Point your package manager

One config line per ecosystem, pointed at the managed endpoint <eco>.pkg.upwarden.io. Drop your vk_… key into the matching environment variable. Every install from then on flows through the firewall.

.npmrc — npm, bun, pnpm, yarn
registry=https://npm.pkg.upwarden.io/
//npm.pkg.upwarden.io/:_authToken=${VG_NPM_API_KEY}
pip.conf — pip, uv
[global]
index-url = https://${VG_PYPI_API_KEY}@pypi.pkg.upwarden.io/simple/
.cargo/config.toml — cargo
[source.crates-io]
replace-with = "upwarden"

[registries.upwarden]
index = "sparse+https://crates.pkg.upwarden.io/index/"

bun is first-class — it reads the standard registry config, so it's covered exactly like npm. Private and scoped packages keep working: your existing upstream tokens pass straight through. Other ecosystems (Maven, NuGet, Go, RubyGems) follow the same <eco>.pkg.upwarden.io convention — see the full quickstart.

4 · Verify it works

Install anything. A safe package installs as usual — the only added latency is a single proxy hop. To watch the firewall act, request a version known to be blocked and see it roll back:

terminal
$ npm install lodash
upwarden › lodash@4.17.22 — BLOCKED (malware signature match)
upwarden › resolving to last safe version → 4.17.21
added 1 package — lodash@4.17.21  ✓ build green

Floating ranges roll back automatically; exact pins to a blocked version fail loudly with an actionable [UPWARDEN] message. More: Verify it's working and Troubleshooting.

What we can see — and what we can't

Upwarden Cloud is the managed path, so — unlike self-host — your install requests transit our managed infrastructure. We keep that honest:

  • Isolated per tenant. Every organization's data is separated at the database row level; one tenant can never see another's.
  • We see package coordinates, not your code. Upwarden is a registry proxy — it sees the dependency names and versions you request and the artifacts it serves, not your source.
  • Your audit log, yours to query. Each install and block is recorded against your project; retention depends on your plan. We never sell or share it.
  • Want nothing to leave your network at all? Self-host keeps every byte inside your perimeter with zero telemetry — the same product, your infrastructure.
Get started

Ready to start?

Create your account and mint your first key in minutes.

Two ways to run Upwarden

Managed when you want speed. Self-hosted when you want sovereignty.

Spin up on the managed console in minutes, or run it free inside your own perimeter — and talk to us if you're rolling out across an org.