Clonit Cloud

Clonit Cloud is an optional extension to the Clonit CLI. The CLI is fully functional on its own — every core operation works locally with no cloud connection. Clonit Cloud layers team collaboration, cross-device access, and snapshot sharing on top of that standalone foundation.

Standalone-first

You never need Clonit Cloud to use Clonit. Build, load, subset, sanitize, and push/pull to your own S3 or Cloudflare R2 buckets all work offline with nothing but the binary. Cloud is something you opt into when you want to share with a team — and you can opt back out at any time without losing local data.

What Cloud adds

When you connect Clonit to Clonit Cloud, you gain:

• A snapshot catalog you can reach from any device. Register an agent on each machine, and your organization’s snapshots, targets, and storage profiles show up everywhere you sign in — laptop, CI runner, or a teammate’s workstation.
• Team sharing. Mark a sanitized snapshot as shared and the rest of your organization can pull it. Share originals only with the people who need them, and distribute clean, sanitized copies to everyone else.
• Organization and team management. Invite members, assign roles (owner, admin, member, viewer), and organize access through SSO groups synced from your identity provider.
• Managed storage via presigned URLs. Push and pull through the cloud without configuring S3 or R2 credentials on every machine. The cloud hands the agent a short-lived presigned URL, and the agent uploads or downloads directly to managed storage.
• Cloud-side AI sanitization analysis. Run sensitive-column detection server-side, per organization, so a shared analysis and generated sanitization query are available to your whole team — using either a per-organization Anthropic key or the deployment’s shared key.

How it stays optional

Cloud-aware commands only do anything when cloud is configured. Until you set a cloud URL and credentials, those commands explain that cloud is not configured and exit cleanly, while every standalone command keeps working.

The two storage pathways live side by side. Plain push/pull use a local storage profile (your own bucket). Adding the --cloud flag opts a single command into the cloud pathway instead:

clonit push mydb            # → your S3/R2 via the target's local storage profile
clonit push mydb --cloud    # → your org's managed storage via a cloud presigned URL

Your URLs and credentials stay local

clonit cloud sync uploads only target names and database types so they can be seen from other devices. Connection URLs and stored credentials are never sent to the cloud — they stay encrypted at rest on the machine that owns them.

Signing in: humans vs. automation

Clonit Cloud separates interactive human sign-in from headless automation:

• Humans run clonit login, which signs you in through your browser using an OAuth 2.0 Device Authorization Grant (RFC 8628). Clonit prints a short code and a URL, you approve in your browser, and the session is stored locally and refreshed automatically. No API key or password is ever typed into the terminal. Identity, SSO, and single sign-on are owned by an external auth service — Clonit runs no login form of its own and stores no passwords.
• CI/CD and other automation authenticate with a Clonit Cloud API key instead. The key is a machine credential that scopes everything it does to one organization, ideal for unattended pipelines.

Use the right credential for the job

Interactive login is for people at a keyboard. Don’t bake a personal login session into a pipeline — issue an API key for automation so access can be rotated and revoked independently of any human account.

A typical cloud workflow

clonit login                       # sign in through your browser (humans)
clonit cloud register              # register this machine as an agent
clonit cloud sync                  # publish target names/types to the catalog
clonit build mydb                  # capture a snapshot locally
clonit sanitize mydb               # strip sensitive data
clonit push mydb --cloud           # upload the sanitized snapshot to managed storage

A teammate on another machine then signs in, finds the shared snapshot, and pulls it:

clonit pull mydb --cloud --snapshot-id <id>

See Push & Pull via Cloud for the full upload and download flow.

Where to go next

• Sign In & Login — interactive browser sign-in with clonit login, sessions, and whoami / logout.
• Web Sign-In — sign in to the cloud landing site in a browser.
• Connect Your Agent — configure the connection, register a machine, and sync targets.
• Push & Pull via Cloud — move snapshots through managed storage with --cloud.
• Sharing Snapshots — share sanitized snapshots with your organization.
• Organizations & Teams — members, roles, and SSO groups.
• API Keys — machine credentials for CI/CD and automation.
• Cloud AI Analysis — server-side, per-organization sanitization analysis.

See also

• cloud command — manage the Clonit Cloud connection and resources from the CLI.
• serve command — the web UI includes a Cloud section for managing all of the above in a browser.
• Cloud Storage guide — set up your own S3/R2 storage profiles for the standalone push/pull pathway.