Skip to content

Connect a provider

CrossXCloud reaches your cloud accounts using credentials you store in a local, passphrase-sealed vault. Connect at least one provider before you can build on the canvas.

Provider Credential type What you paste into CrossXCloud
Hetzner API token A single token string with read and write scope
Google Cloud Service account key A JSON file downloaded from the Google Cloud console

CrossXCloud tags every resource it creates with a managed-by=crossxcloud label and a crossxcloud-node label that maps back to the canvas node. Your credential needs enough scope to read and write resources with these labels.

If the app just launched, unlock your vault with your passphrase. The vault status control in the top bar shows whether it is locked or unlocked.

You can save a credential while the vault is locked (saving only needs the public key), but you cannot use it until the vault is unlocked. See Credentials and the vault for the full lifecycle.

A Hetzner Cloud API token with read and write scope. Hetzner uses a single project-scoped token, not a key pair or OAuth flow.

  1. Open the Hetzner Cloud Console and sign in.
  2. Select or create a project. CrossXCloud will manage resources within this project.
  3. In the project sidebar, go to Security and then API Tokens.
  4. Click Generate token.
  5. Give the token a name you will recognize later, such as crossxcloud.
  6. Set the permissions to Read & Write. CrossXCloud needs write access to create, update, and delete servers, networks, and floating IPs.
  7. Click Generate token and copy the token. It is shown only once.

Open the Cloud Connections page in CrossXCloud, select Hetzner, and paste the token into the API token field. CrossXCloud validates the token immediately with a read-only call to the Hetzner API. If the token is invalid or lacks the right scope, you see an error before you try to build anything.

The connections list shows the providers you have saved. A saved credential is usable the moment the vault is unlocked.

When you open a project canvas, CrossXCloud reads your current infrastructure from the connected provider and lays it out as nodes. This is your starting state. From there everything you do is an edit on top of it.

Step What happens Where the credential is
Save You paste a token or key. It is encrypted with the vault public key. Encrypted blob in the keystore on disk.
Use Plan or Apply needs the credential. The vault decrypts it in memory. Plaintext in memory only, never written to disk.
Lock You lock the vault or close the app. The private key is cleared. Encrypted blob stays on disk, unusable until next unlock.

After saving a credential, use the Test action on the connection card. CrossXCloud makes a read-only call to the provider to confirm the credential works and has the right scope.

For Hetzner, this happens automatically when you save (the token is validated on save). For Google Cloud, the test call confirms the service account can reach the Compute Engine API for the project in the JSON.

If the test fails, check:

  • The credential has not expired or been revoked on the provider side.
  • The required APIs are enabled (GCP).
  • The token or key has read and write scope.

To rotate a credential, create a new one on the provider side, save it in CrossXCloud, and delete the old one from the connections list. The next Plan and Apply uses the new credential.

You do not need to re-lock or recreate the vault to rotate a credential. The vault guards the key that encrypts credentials, not the credentials themselves. See Credentials and the vault.

Your credentials stay on your machine, sealed in the keystore, and are decrypted only in memory while the vault is unlocked. They are never sent to CrossXCloud, to CrossXWeb, or to any third party. The canvas talks to your cloud directly using them. This is the core security model, explained in Security and the vault.

With a provider connected, continue to Your first canvas to drag a node, join a network, and apply your first change.