How we built it: a zero-trust architecture for cloud development environments

On October 1, 2024, Gitpod Flex was launched as the first automation platform for zero-trust cloud development environments. The system is built around the 'principals concept' for users, runners, environments, and accounts. It uses JWT tokens for authentication and authorization, with the management plane being the only entity authorized to issue tokens. Gitpod Flex also supports a multi-tenancy model using organizations, allowing users to be logged into multiple organizations simultaneously while maintaining strict isolation between them. The platform's architecture is designed to embody the core principles of 'zero trust', ensuring security is built into its DNA and providing a foundation for future features and extensions that inherit this security-first approach.