HQ Pro — Vault, Teams & Identity
Part of the split HQ ecosystem. HQ Pro is the cloud backend that the hq-console admin UI and the hq-deploy data plane both build on.
HQ Pro is the team and identity backend for HQ. It provisions the shared identity, stores secrets and files in an encrypted vault, and runs the team platform that turns a solo HQ into a multi-member organization. It is an SST v3 application on AWS.
What it provides
- Vault — capability-based access. Encrypted S3 storage with a deny-all default, per-company KMS keys, and STS-scoped capabilities. Access is granted as narrow, time-bound capabilities rather than broad credentials. This is what the hq-secrets and hq-share CLI capabilities operate against.
- Shared Cognito identity. One identity pool that every cloud app trusts — hq-console signs in against it (OIDC) and hq-deploy verifies JWTs minted by it. Neither runs its own user store.
- Team platform. Companies, memberships, roles, and entitlements — see Team Platform.
- Onboarding. GitHub federated auth and team creation/joining — see GitHub Auth and Onboarding.
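One way a narrow, time-bound vault capability like the one described above could be expressed is as an STS session policy scoped to one company's prefix and KMS key. This is an added example, not HQ Pro's own code; the bucket name, key ARN, TTL ceiling and the Capability shape are assumptions.

```typescript
// Added example. Bucket name, key ARN and the Capability shape are assumptions.
type Mode = "read" | "write";
interface Capability { companyId: string; prefix: string; mode: Mode; ttlSeconds: number }
interface Statement { Effect: "Allow"; Action: string[]; Resource: string[] }
interface SessionPolicy { Version: "2012-10-17"; Statement: Statement[] }

const BUCKET = "example-hq-vault"; // placeholder bucket name
const MIN_TTL = 900;               // STS AssumeRole minimum DurationSeconds
const MAX_TTL = 3600;              // assumed ceiling for a capability

// Build the session policy and duration to pass to sts:AssumeRole. A session
// policy can only narrow the role's permissions, so anything not listed is denied.
function buildCapability(cap: Capability, companyKmsKeyArn: string):
    { policy: SessionPolicy; durationSeconds: number } {
  if (!/^[a-z0-9-]+$/.test(cap.companyId)) throw new Error("invalid companyId");
  // Require a slash-terminated prefix with no wildcards or traversal, so that
  // "secrets/" cannot also match "secrets-archive/".
  if (!/^([A-Za-z0-9._-]+\/)+$/.test(cap.prefix) || cap.prefix.indexOf("..") !== -1) {
    throw new Error("invalid prefix");
  }
  const objects = `arn:aws:s3:::${BUCKET}/${cap.companyId}/${cap.prefix}*`;
  const read = cap.mode === "read";
  const policy: SessionPolicy = {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: [read ? "s3:GetObject" : "s3:PutObject"], Resource: [objects] },
      // SSE-KMS: reads need Decrypt, writes need GenerateDataKey, on this company's key only.
      { Effect: "Allow", Action: [read ? "kms:Decrypt" : "kms:GenerateDataKey"],
        Resource: [companyKmsKeyArn] },
    ],
  };
  const durationSeconds = Math.min(Math.max(Math.floor(cap.ttlSeconds), MIN_TTL), MAX_TTL);
  return { policy, durationSeconds };
}

// Simplified evaluator for this policy shape only (exact action, trailing "*"
// on the resource). No matching Allow means deny.
function isAllowed(policy: SessionPolicy, action: string, resource: string): boolean {
  return policy.Statement.some((s) =>
    s.Action.indexOf(action) !== -1 &&
    s.Resource.some((r) => r.charAt(r.length - 1) === "*"
      ? resource.indexOf(r.slice(0, -1)) === 0
      : r === resource));
}
```

The returned policy and duration correspond to the Policy and DurationSeconds parameters of AssumeRole; the evaluator is only there to make the deny-by-default behaviour visible offline.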
In this section
- Team Platform — companies, memberships, entitlements
- GitHub Auth — federated sign-in
- Onboarding — creating and joining teams
- HQ Installer — the native macOS onboarding wizard
- Installer Quickstart · Cognito Setup · Troubleshooting
Related capabilities
- hq-secrets — schema-driven secret access against the vault
- hq-share — single-use vault share-session links