---
title: "Cloudsmith CLI Overview | Cloudsmith"
description: "Watch our video overview of the Cloudsmith CLI, showing how to install, configure and some of the commands available."
canonical_url: "https://cloudsmith.com/blog/cloudsmith-cli-overview"
last_updated: "2020-04-17T00:00:00.000Z"
---
# Cloudsmith CLI Overview | Cloudsmith

[Dependency confusion](https://cloudsmith.com/blog/dependency-confusion-attacks) is a software supply chain weakness that arises from how package managers resolve dependencies across multiple sources.

It does not rely on complex exploits. It relies on normal dependency resolution.

If a build resolves from both private and public registries, and a public package shares the same name as an internal dependency, the public package may be selected. That is sufficient to introduce unintended code into a build.

Modern dependency trees often include extensive transitive dependencies, increasing the number of automatic resolution decisions made during builds.

The issue was [widely documented in 2021 ](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)when researchers demonstrated it against more than 35 large organizations by publishing public packages that matched internal names. Since then, dependency confusion has remained a known and preventable risk in modern build systems.

## Where risk appears in practice

Modern builds commonly blend:

- Internal packages
- Public open source dependencies
- Upstream proxies
- Cached artifacts

If resolution rules are not explicit, package managers make decisions on your behalf.

Different ecosystems provide different structural protections and different pitfalls.

### Ecosystem specific considerations

#### Python

PyPI operates on a flat global namespace. There are no built-in organizational scopes and no domain bound identifiers. Package names are globally unique and first come, first served.

This means internal package names, for example acme utils or internal ml core, are structurally indistinguishable from public ones unless additional controls are applied.

Python projects frequently configure multiple indexes. It is common to see:

- Internal private mirrors
- Vendor-hosted repositories such as PyTorch wheel indexes for CUDA builds
- Regional mirrors
- Index url combined with extra index url

Python tooling such as pip, uv, and Poetry evaluates candidate versions across configured sources. If the same package name exists in more than one index, the resolver may select the highest compatible version, regardless of origin.

Real-world incidents demonstrate this behavior. [In 2022, a malicious package mimicking a PyTorch dependency](https://www.reversinglabs.com/blog/pytorch-supply-chain-attack-dependency-confusion-burns-devops) was published to PyPI and installed via pip resolution during nightly builds, leading to data exfiltration before detection.

Without explicit trust boundaries or source mapping, this multi index behavior introduces ambiguity. If an internal package name is exposed and a higher version appears on a public index included in resolution, the public package may be selected.

Python’s flat namespace model, combined with common multi index configurations, makes careful source control particularly important.

#### npm

npm supports scoped packages using the @org/package format. Once registered, a scope is controlled by that organization.

However, unregistered scopes remain claimable. If an organization uses scoped internal packages but has not reserved the scope publicly, an attacker could register it and publish similarly named packages, for example @org/app. A configuration mistake in development or CI could then result in the malicious package being resolved and executed, including via lifecycle hooks such as preinstall.

Unscoped internal package names carry exposure similar to Python.

#### Maven

Maven Central uses domain-based groupId verification, providing stronger ownership guarantees when correctly configured.

However, inconsistent repository usage or additional repositories can reintroduce ambiguity in resolution order if trust boundaries are not clearly defined.

#### NuGet

While NuGet supports ID prefix reservation to prevent public name squatting, resolution ambiguity can still arise if multiple feeds are configured.

**Key safeguards include:**

- ID prefix reservationReserve your organization’s package ID prefix on nuget.org to prevent public impersonation.
- Package Source Mapping Use NuGet 6+ source mapping to bind specific package IDs or prefixes to a single trusted feed.
- Strict nuget.config configurationClear default feeds and explicitly define approved sources to prevent unintended restores.
- Signature enforcementNuGet repository signing using X.509 certificates. When signature verification is enforced in the NuGet or .NET CLI, consumers can verify that a package originated from the expected repository and has not been tampered with.

#### Docker

Docker Hub differs from language ecosystems because image references are typically registry qualified, making classic multi-source confusion less common.

However, **related risks remain:**

- Implicit Docker Hub fallback when no registry is specified
- Unregistered namespace squatting
- Mutable tags such as latest

These are mitigated through fully qualified image references, namespace reservation, digest pinning using SHA256, and image signing.

## A layered mitigation approach

Preventing dependency confusion does not require dramatic changes to developer workflows. It requires clear trust boundaries in how dependencies are resolved.

In practice, this is implemented through an internal artifact repository that controls how dependencies are proxied, cached, and resolved.

Key elements include:

- Centralizing dependency resolution
- Defining explicit upstream trust
- Controlling namespace ownership
- Using lockfiles and reproducible builds
- Enforcing artifact signing and verification

### 1. Central artifact repository

Route all builds through a central artifact repository that acts as the single source of truth for dependencies. Public packages should be proxied and cached internally rather than resolved directly from the internet.

### 2. Define upstream trust

Explicitly distinguish between trusted and untrusted sources.

Cloudsmith provides upstream trust controls that allow repositories to designate upstream sources accordingly and control how packages are blended during resolution. If a package exists in a trusted source, it cannot be overridden by an untrusted one.

Cloudsmith’s Upstream Trust currently supports:

- Python
- Maven
- npm

Support for additional ecosystems is expanding. In addition to source trust controls, policy enforcement provides another layer of protection. [Cloudsmith’s Enterprise Policy Manager](https://cloudsmith.com/product/enterprise-policy-manager) allows organizations to define rules around what packages are permitted, including conditions based on vulnerability data, malware data, version constraints, or upstream origin. This enables teams to combine resolution boundaries with policy-based controls.

### 3. Reserve namespaces

Where supported:

- Use npm scopes
- Reserve NuGet ID prefixes
- Use domain based Maven group IDs

Namespace ownership significantly reduces collision risk.

### 4. Use lockfiles

Lockfiles improve determinism, traceability, and visibility into unexpected changes. They do not eliminate dependency confusion, but they reduce instability and make tampering easier to detect.

### 5. Require signing

Signing adds cryptographic integrity to artifacts.

Cloudsmith signs hosted packages by default. Cloudsmith supports both native and non-native signing across package formats, including native signing for [Docker, NuGet, and Swift](https://cloudsmith.com/blog/native-signing-support-in-cloudsmith-extended-to-docker-nuget-and-swift). Signature validation workflows in supported ecosystems provide an additional verification layer if substitution is attempted.

Signing strengthens integrity guarantees but does not replace resolution controls.

## Conclusion

Dependency confusion is not a sophisticated exploit. It is a consequence of ambiguous resolution behavior across multiple sources.

Preventing it requires:

- A central artifact repository serving as the single source of truth for dependencies
- Explicit upstream trust boundaries
- Namespace ownership
- Lockfiles and reproducible builds
- Artifact signing and verification

Clear boundaries remove ambiguity. Removing ambiguity removes the attack path.

  
Stop leaving your build integrity to chance. [**Book a demo**](https://cloudsmith.com/book-a-demo) today to see how Cloudsmith's enterprise-grade repository controls can remove ambiguity and harden your delivery process.

**TL;DR:** LLMOps is the operational framework for managing the lifecycle of Large Language Models (LLMs). Unlike DevOps, which focuses on deterministic code, **LLMOps artifact management** must handle probabilistic assets like prompts, embeddings, and fine-tuned models. This shift requires a move from standard CI/CD to specialized **LLM pipeline management** to ensure system traceability and trust.

## What is LLMOps?

**LLMOps (Large Language Model Operations)** is a specialized set of practices for automating and managing the end-to-end lifecycle of LLM-powered applications. It extends MLOps principles to address the unique requirements of generative AI, specifically focusing on **LLM lifecycle management**, prompt engineering, and vector-based data flows.

While DevOps focuses on application code and MLOps on traditional machine learning models, **LLMOps** handles the massive complexity of:

- **Foundation and fine-tuned models:** Managing base models and their task-specific variants.
- **Prompt artifacts:** Versioning the system instructions that dictate model behavior.
- **Embeddings and vector indexes:** Curating the "knowledge" used in Retrieval-Augmented Generation (RAG) systems.
- **Dynamic inference behavior:** Monitoring outputs that change even when input code remains the same.

In essence, LLMOps is about operationalizing AI rather than just software binaries.

## LLMOps vs DevOps: Why the difference matters

The debate of **LLMOps vs DevOps** isn't about choosing one over the other; it’s about understanding where **DevOps tooling limitations for AI** begin. DevOps is built for deterministic systems; if you deploy the same code, you get the same result. LLM pipelines are probabilistic, meaning the same "code" (prompt) can yield different outputs.

```json
{
  "_key": "5a4b45476f69",
  "_type": "tableBlock",
  "caption": "LLMOps vs DevOps",
  "firstRowIsHeader": true,
  "markDefs": null,
  "table": {
    "rows": [
      {
        "_key": "d673a428-3c6a-49c3-87fa-b7dfdff2ec98",
        "_type": "tableRow",
        "cells": [
          "Category",
          "DevOps",
          "LLMOps"
        ]
      },
      {
        "_key": "453e4f7a-37ed-4c9c-8bd9-1610932f52de",
        "_type": "tableRow",
        "cells": [
          "Primary focus",
          "Application code and services",
          "Large language models and AI systems"
        ]
      },
      {
        "_key": "8bef99c7-76e1-4dc0-81f3-8f96bc8be683",
        "_type": "tableRow",
        "cells": [
          "Pipeline type",
          "Linear CI/CD pipelines",
          "LLM pipelines (training, fine-tuning, evaluation)"
        ]
      },
      {
        "_key": "30efc20f-d752-4f94-b718-b4bac0e30ace",
        "_type": "tableRow",
        "cells": [
          "Artifact types",
          "Software artifacts (containers, binaries)",
          "AI artifacts (models, prompts, embeddings)"
        ]
      },
      {
        "_key": "30be9c5f-912a-4b10-b7ba-8a3d3b594016",
        "_type": "tableRow",
        "cells": [
          "Behavior",
          "Deterministic and reproducible",
          "Probabilistic and context-dependent"
        ]
      },
      {
        "_key": "17362cff-191b-4f7a-9c4a-3c2b2a8be477",
        "_type": "tableRow",
        "cells": [
          "Change frequency",
          "Deliberate versioning",
          "Rapid iteration of prompts and datasets"
        ]
      },
      {
        "_key": "b1fc02b1-3d99-4d38-aa79-6a8215086984",
        "_type": "tableRow",
        "cells": [
          "Traceability",
          "Moderate (log-based)",
          "Critical (lineage-based for compliance)"
        ]
      }
    ]
  }
}
```

The core takeaway is that the shift from **DevOps artifact management** to **AI artifact management** involves handling much larger, more volatile assets that directly influence the "logic" of the application.

## Why artifact management matters in LLMOps

In a traditional app, an artifact is just a compiled file. In AI, **artifacts are the system.** Without robust **artifact management for LLMs**, teams face a "black box" problem where they cannot explain why a model suddenly began hallucinating or failing.

**Effective AI artifact management solves for:**

- **Reproducibility:** Re-creating a specific model state using exact dataset snapshots.
- **Auditability:** Tracking the lineage of a prompt to meet emerging AI regulations.
- **Rollback safety:** Quickly reverting to a previous "known good" version of a prompt or embedding index.
- **Cost efficiency:** Preventing redundant training by reusing existing **model artifacts**.

## What artifacts do LLM pipelines produce?

Modern **LLM pipeline management** generates a diverse array of non-code assets across the **AI model lifecycle**. Understanding these is key to moving beyond simple script-based deployments.

#### Common LLM artifacts:

- **Model artifacts:** These include base foundation models (like Llama 3 or GPT-4), fine-tuned adapters (LoRA/QLoRA), and quantized versions for edge deployment.
- **Dataset versioning:** Snapshots of training data, evaluation sets (Golden Sets), and synthetic data used for testing.
- **Prompt artifacts:** Versioned system prompts, few-shot examples, and complex prompt chains that function as the "new source code."
- **Embeddings management:** Vector database snapshots and the specific embedding models (e.g., Ada, BERT) used to generate them.
- **Inference artifacts:** Production logs, "LLM-as-a-judge" evaluation scores, and human-in-the-loop feedback.

## MLOps vs LLMOps: Where traditional approaches fall short

Many teams assume their existing MLOps stacks can handle LLMs. However, **MLOps vs LLMOps** highlights a critical gap: **prompt versioning.** Traditional MLOps tools aren't built to treat a 50-word text string (a prompt) as a deployment-critical artifact. Furthermore, the **inference artifacts** in LLMOps are much richer, requiring semantic monitoring rather than just simple accuracy metrics.

#### Feature store vs Artifact repository

A common point of confusion is the choice between a **feature store vs artifact repository**:

- **Feature stores** are for structured data used in tabular ML.
- **Artifact repositories** (like weights and biases or MLflow) are the "System of Record" for the unstructured models and prompts that define an LLM app.

## Challenges and best practices for LLMOps

Managing these assets comes with significant **challenges of artifact management in LLMOps**, including massive file sizes and the high velocity of prompt changes.

#### LLMOps best practices:

- **Treat prompts as code:** Store prompts in version-controlled repositories, not hardcoded in your app.
- **Centralize your artifact registry:** Use a single source of truth for all models and embeddings to avoid "shadow AI" across teams.
- **Automate lineage tracking:** Ensure every inference result is traceable back to the specific model version, prompt, and dataset used.
- **Implement evaluation gates:** In your **LLM workflows**, never promote an artifact to production without passing an automated evaluation suite.

## FAQ: Frequently asked questions on LLMOps

- ### How is LLMOps different from DevOps?

LLMOps manages probabilistic AI assets like models and prompts, while DevOps manages deterministic code and binaries. LLMOps requires specialized pipelines for evaluation and fine-tuning that don't exist in traditional CI/CD.

- ### Why does artifact management matter in LLMOps?

It ensures that every AI output is traceable and reproducible. Without it, you cannot debug hallucinations, comply with AI audits, or reliably roll back failed updates.

- ### What are the most important LLMOps workflows?

Key workflows include data ingestion for RAG, automated prompt evaluation, model fine-tuning, and continuous monitoring of inference quality.

## Final thoughts

The future of software is no longer just about code; it’s about **artifacts, intelligence, and trust.** As LLMs move from experiments to core infrastructure, the transition from DevOps to LLMOps is inevitable.

Teams that master **artifact management for LLMs** today will be the ones building the most reliable, scalable, and auditable AI systems of tomorrow.

To manage LLMOps at enterprise scale, use Cloudsmith as your single source of truth. Discover how by [booking your free demo](https://cloudsmith.com/book-a-demo) today.



**Cloud migration** is rarely just an infrastructure move. For most DevOps and platform teams in 2026, it’s a once-in-a-decade opportunity to rethink tooling, eliminate legacy bottlenecks, and modernize the [**software supply chain**](https://cloudsmith.com/product/software-supply-chain-security) end-to-end. One of the most overlooked, but highest-impact, areas to revisit during this transition is **artifact management**.

As organizations shift workloads and security controls into the cloud, the limitations of [**legacy artifact repositories**](https://cloudsmith.com/blog/the-true-cost-of-legacy-artifact-management) quickly become visible. What once worked in on-premise environments often creates friction, risk, and massive operational overhead in a cloud-native world.

This is why **cloud migration** isn’t just a "lift-and-shift" event. It’s the ideal moment to reassess how you store, secure, and distribute artifacts across modern **cloud migration DevOps** workflows.

## Why legacy artifact repositories struggle during cloud migration

Traditional, self-hosted repositories were designed for static infrastructure and perimeter-based security. Cloud environments invert those assumptions.

During migration, teams commonly encounter:

- **Scaling constraints:** Legacy tools often require manual server provisioning or expensive over-capacity planning.
- **Operational toil:** Managing patches, database tuning, and storage maintenance for your own repository steals focus from your core product.
- **Performance bottlenecks:** When global teams depend on a single on-premise instance, latency sabotages developer velocity.

Keeping a legacy repository while modernizing everything else often results in a "partially modern" stack with legacy risk still embedded in your delivery pipeline.

## Cloud migration exposes hidden software supply chain risk

Modern cloud adoption increases velocity, but speed without control amplifies risk across the **software supply chain**. Common exposure points include:

- **Unverified third-party dependencies:** Cloud-scale builds pull in thousands of external packages that need immediate scanning.
- **Inconsistent provenance:** Difficulty tracking exactly "who built what and where" across fragmented environments.
- **Limited policy enforcement:** Brittle legacy controls that can't handle the dynamic nature of cloud-native deployments.

Re-evaluating artifact management during migration allows teams to embed **zero-trust** governance exactly when redesigning their pipelines.

## The modernization opportunity: Fully managed artifact repositories

Cloud migration creates the perfect window to replace self-hosted infrastructure with a fully managed** artifact repository** built for elasticity and global distribution.

Modern platforms like **Cloudsmith** deliver:

- **Infinite scalability:** No more storage planning or maintenance; the platform automatically scales with your builds.
- **Edge performance:** A built-in Package Delivery Network (PDN) delivers artifacts worldwide to reduce latency.
- **Integrated security:** Features like automated vulnerability scanning and signature verification are baked in, not bolted on.

Instead of recreating legacy architecture in the cloud, organizations can move directly to a fully managed model aligned with cloud‑native principles. This shift transforms artifact management from a maintenance task into a strategic layer of the delivery platform.

## When to move: Aligning your migration strategy

Teams often postpone modernization because migration feels complex. However, delaying the decision typically leads to "double migration" work, migrating the legacy tool today and replacing it tomorrow.

**Aligning modernization with your cloud move avoids:**

1. **Re-architecting pipelines twice:** Design your CI/CD for your final destination, not a temporary stop.
2. **Moving massive stores twice:** Cloud-native migration scripts (like the Cloudsmith CLI) handle the transfer of binaries and metadata once.
3. **Carrying legacy debt:** Ensure your new cloud environment launches with a clean, high-performance foundation from day one.

## Signs your artifact management is holding you back

Before moving to the cloud, audit your current state. If these "silent killers" sound familiar, a lift-and-shift solution will only migrate your technical debt:

- **Manual maintenance toil:** Your team spends hours every month on repository upgrades, patching, and storage "garbage collection".
- **The "slow download" tax:** Global developers or remote build agents face high latency because your on-premise repository lacks a global distribution network.
- **Compliance blind spots:** You struggle to provide a complete "bill of materials" (SBOM) or audit trail for a security incident.
- **Brittle CI/CD scripts:** Your pipelines rely on custom, "home-grown" scripts to move packages between environments because your tool doesn't support native promotion workflows.

## The strategic ROI: What actually changes?

Modernizing your **artifact repository** during a cloud move isn't just a technical swap; it delivers measurable business impact:

- **Developer velocity:** By eliminating manual bottlenecks and enabling faster access to dependencies, teams often see **43% faster release cycles**.
- **Zero-trust security:** Centralized policy enforcement and automated vulnerability scanning move security from a "final check" to an integrated part of the build.
- **Operational efficiency:** Moving to a fully managed** artifact repository** removes the "toil" of server management, allowing your DevOps engineers to focus on product innovation rather than infra-maintenance.
- **Total cost of ownership (TCO):** You trade hidden infrastructure costs and administrative salaries for a predictable, transparent, fully managed model.

## Evaluating alternatives: Beyond JFrog and Nexus

Many organizations begin cloud migration using legacy tools like **JFrog Artifactory** or **Sonatype Nexus**, only to find they were built for a different era of infrastructure. Modern cloud-native platforms eliminate the need to manage repository infrastructure while delivering stronger governance and global performance. As a result, more teams are looking for [**JFrog alternatives**](https://cloudsmith.com/switch/jfrog-artifactory) and [**Nexus alternatives**](https://cloudsmith.com/switch/sonatype-nexus) that offer a fully managed, "Zero-Ops" experience.

For teams ready to [**migrate, Cloudsmith**](https://docs.cloudsmith.com/migrating-to-cloudsmith?_gl=1*1tuvjc8*_gcl_au*MjA0MTMxOTg3MC4xNzYzMzg3ODg3*_ga*NDcwNDc1ODMuMTcyMzAyNjg2MQ..*_ga_6KCWZ6W3Y9*czE3NzAyOTA3NDEkbzE1MiRnMSR0MTc3MDI5MTAwMiRqNDEkbDAkaDA.*_ga_H5NBQJ0NGM*czE3NzAyOTA3NDEkbzMxMiRnMSR0MTc3MDI5MTAwMiRqNDAkbDAkaDkzNTk0MDIyMw..) streamlines the process to minimize disruption and accelerate value realization.

## Why global leaders migrate artifact management to Cloudsmith

As teams evaluate **alternatives to JFrog and Nexus**, they increasingly move to **Cloudsmith**, designed specifically for modern DevOps and secure software delivery for the security landscape of 2026 and beyond.

**The Cloudsmith advantage:**

- **Zero-ops architecture:** A true cloud-native, fully managed experience with no databases to manage and no servers to patch.
- **Built-in package delivery network (PDN):** Hundreds of nodes deliver artifacts from the edge, ensuring your global build agents always have high-speed access.
- **Universal format support:** One single source of truth for Docker, npm, Maven, Python, and 30+ other formats.
- **Supply chain resilience:** Automated provenance tracking and signature verification help keep you compliant with key security standards and ensure that what you ship is exactly what you built.

## Conclusion: Don’t just move to the cloud – modernize what matters

Cloud migration is a rare opportunity to fix the "foundation" of your house before you move in the furniture. By re-evaluating your **artifact management** now, you ensure your cloud-native future is fast, secure, and, most importantly, manageable.

The most successful cloud migrations don’t just replicate the past. They modernize the platform that powers everything built next.

**Planning a cloud migration?** [Book a demo](https://cloudsmith.com/book-a-migration-consultation) with our experts to simplify the process.

## Frequently asked questions

- ### What is artifact management in DevOps?

It is the practice of storing, securing, and distributing build outputs, such as Docker images or Maven packages, throughout the development lifecycle. It ensures your builds are reproducible and secure.

- ### Why reconsider artifact repositories during cloud migration?

Updating your repository during a move avoids duplicate work and ensures that a legacy on-premises artifact manager doesn’t constrain your new cloud infrastructure.

- ### What are the risks of keeping a self-hosted repository in the cloud?

[Self-hosting](https://cloudsmith.com/blog/cloud-native-vs-on-premise-artifact-management-a-complete-overview) in the cloud still requires manual patching and scaling. This increases costs and creates "visibility gaps" that can lead to security breaches.

- ### How does a fully managed artifact repository improve security?

Fully managed platforms provide centralized governance, immutable storage, and automated compliance auditing, all of which are critical to a secure **software supply chain**.



For years, the bottleneck in software was “how fast can we write code?” Today, Generative AI shifts that bottleneck to **“how fast can we secure it”**.

For years, the bottleneck in software was “how fast can we write code?” Today, Generative AI shifts that bottleneck to “[how fast can we secure it](https://cloudsmith.medium.com/is-ai-quietly-making-your-software-supply-chain-less-secure-e1364de33f9a)?”

As organizations move from experimentation to production-grade AI, they are discovering that traditional DevOps tooling wasn’t built for a non-deterministic world. For example, static software composition analysis (SCA) scanners that assume deterministic dependency graphs or CI policy gates that validate known build artifacts. When a model generates code rather than a human, the software supply chain changes overnight.

Our guide, **Securing non-deterministic systems: A practical guide for AI artifacts and LLMOps**, explores three emerging security frontiers that every organization adopting AI must address:

## 1. AI-generated code introduces supply-chain hallucinations

LLMs generate dependencies probabilistically, not deterministically. This creates the emerging **slopsquatting** attack vector, where attackers register hallucinated package names suggested by AI tools and weaponize them with malicious payloads.Without validation and artifact governance, a single copied command can silently compromise an enterprise environment.

## 2. AI models behave like executable software, not passive data

Modern model formats can execute arbitrary code during deserialization, most notably through Python pickle-based loading.This **logic-weight entanglement** means downloading an unverified model from public registries such as Hugging Face or Ollama can result in full system compromise.Secure AI development requires scanning, signing, and favoring restricted formats like **safetensors**, alongside enforcing trusted provenance for every model artifact.

## 3. AI productivity and orchestration layers expand the attack surface

Frameworks that connect models to enterprise data and automate workflows introduce a new class of high-impact vulnerabilities.Recent RCE exploits in orchestration tools demonstrate that **LLMOps infrastructure itself is now part of the software supply chain**, and must be sandboxed, authenticated, and governed like any production system.

### Ready to harden your AI supply chain?

Our full guide provides a strategic roadmap for navigating the shift from DevOps to LLMOps, deconstructing threats in frameworks like Langflow, and building a “sandbox-by-default” development lifecycle.

**[Download the full guide: [Securing non-deterministic systems](https://cloudsmith.com/campaigns/securing-non-deterministic-systems-a-practical-guide-for-ai-artifacts-and-llmops)]**

**Catch up on the series:**

- [_Why Repository Structure Matters?_](https://cloudsmith.com/blog/why-repository-structure-matters)
- [_The Hybrid Repository Structure: Balancing Control and Flexibility_](https://cloudsmith.com/blog/the-hybrid-repository-structure-balancing-control-and-flexibility)

And now, let’s dive into part three: How **access control and permissions** keep your multi-format repositories secure, consistent, and developer-friendly.

In the first two blogs of this series, we explored why repository structure matters and how Cloudsmith’s Hybrid Repository Structure balances control with flexibility. While we touched on policies and permissions, we didn’t dive into the _real_ mechanics of how access control ensures artifact security, traceability, and consistency, especially in **multi-format repositories**, where different packages, languages, and tooling coexist in a single place.

While multi-format repositories allow for more flexibility in how your repositories are set up, they can introduce a new way of thinking about how and when different artifacts can be accessed and by whom. This blog breaks down how Cloudsmith provides fine-grained, flexible, and secure controls for teams of any size.

## User roles in Cloudsmith

Cloudsmith provides the following user roles:

- Owner
- Manager
- Member
- Collaborator

These roles help limit access based on organizational need and provide the foundation for more granular permissions.

## Privileges in Cloudsmith

- Administrator
- Read
- Write

You can explore the full breakdown of Cloudsmith roles, permissions, and privileges in our documentation.

You can read more about user roles, permissions, and privileges in Cloudsmith [here](https://help.cloudsmith.io/docs/access-controls).

## Global privileges in Cloudsmith

Every Cloudsmith customer is given the opportunity to set default global privileges. These global default privileges are set for the “Member” user role in Cloudsmith, which is often suited best for individual developers. Within a customer’s global workspace privileges, organizations can choose to grant members the ability to create new teams, invite new users, and even create new repositories. Organization owners can also grant “blanket” repository privileges to all users within Cloudsmith. 

While we offer the flexibility for organizations to shift responsibility and access to the developer, we often see our enterprise customers lean away from blanket permissions and access toward more fine-grained permissions. As an example, we have a semiconductor manufacturing customer that has disabled default workspace global privileges so that only Organisation owners are the only users who can invite new users, create new teams, invite 3rd-party collaborators, and create new repositories. 

In addition, this customer has access control, and privileges are scoped down to specific teams. Default global repository privileges are disabled so that they can choose exactly which team(s) should have access to repository(s). Even Cloudsmith service accounts are grouped together within a team for ease of tracking permissions and access when it comes to build and deployment times. 

## Repository privileges in Cloudsmith

If we zoom in once and look at the repository level in Cloudsmith, we can assign a default privilege for organization members for accessing packages within the repository, and we can assign specific privileges for specific teams, users, or service accounts.

This is the stage where you’ll have to consider what packages the repository is storing and if you want developers and service accounts to have default admin, read, or write permissions to the repository. Continuing to use my customer example, they have chosen to set default read permissions for all repositories; however, specific service accounts have write and [admin permissions](https://help.cloudsmith.io/docs/manage-a-repository) to different repositories. You may be okay with your developers downloading artifacts to their local machine for testing or even service accounts requesting stored artifacts tied to staging and production environments.

On the other hand, there are customers that may not want their developers having the ability to write to every repository and would most likely want specific service accounts tied to their CI/CD pipelines to only have write permissions. While this is generally best practice, there are certainly exceptions to this rule, as we also have platform teams that choose to grant specific developer teams write access to specific artifact repositories.

## Fine-grained repository controls

On top of the permission and access control settings we’ve discussed, Cloudsmith goes even further to ensure that, through various additional settings, platform teams can decide exactly what their developers need and don’t need to be reconfigured within a repository.

Platform teams are able to grant or deny developer permissions, such as:

- Copying Packages From One Repository to Another
- Moving Packages From One Repository to Another
- Deleting Packages
- Scanning Packages
- Replacing Packages
- Managing, Using, Or Viewing Entitlement Tokens

If you thought that wasn’t enough, Cloudsmith takes it a step further by scoping down permissions to the individual developer’s generated packages. So while platform teams can restrict tampering of artifacts generated by other developers or systems, they can also decide if they would like to allow developers the ability to scan, move, copy, delete, or resync their own packages.

Most of the enterprise customers I work with allow developers to do as they please with their own packages to avoid a developer mutiny! In either case, these user actions are catalogued in our [Audit Logs](https://docs.cloudsmith.com/logs-and-observability/audit-logs) for enhanced observability across your Cloudsmith environment.

## Entitlement tokens

For instances where our customers want to be very particular about what, how, and when users can access specific packages, Cloudsmith offers [Entitlement Tokens](https://help.cloudsmith.io/docs/entitlements). These scoped tokens are read-access only, so there is never a risk of a user performing a write action against the repository they have limited access to.

Customers are able to restrict access by creating a precise search query to narrow down specific packages within a repository, should they choose not to provide visibility into all the packages within the repository. On top of visibility restrictions, customers can also add token usage restrictions to avoid prolonged access and usage of the token. Parameters include:

- Token Validity & Expiry Dates
- Maximum Downloads
- Maximum Clients/IPs
- Maximum Download Bandwidth

Typically, we see our customers use entitlements for 3rd party software distribution or even for systems that don’t require logins to Cloudsmith.

## Geo/IP Restrictions

For our security-conscious customers, Cloudsmith also offers the ability to configure [geo-based restrictions](https://help.cloudsmith.io/docs/geoip-restriction) based on country, with an easy-to-use preconfigured list of countries to choose from. Choose to deny or allow access from specific countries. Although keep in mind that theoretically, no unauthenticated user should have access to your Cloudsmith workspace in general. This restriction applies more towards open-source repositories that you may be hosting in Cloudsmith, but it’s always a good idea to practice defence-in-depth!

If geo-based restrictions are too broad, you can scope down to IP-based restrictions to either allow or deny client access based on IP address. This added protection ensures that requests coming from clients with an unapproved IP address do not have access to your repositories. 

## We’re here to help

With all of these configuration options, it can be tricky to decide how you want to best enable your developers while balancing security and flexibility. Not to worry—the Cloudsmith Customer Success team is here to help you in your decisions throughout the onboarding process. We’ve walked through these decisions with many customers and have outlined decision impacts for you so you’re not left wondering “what if”. Learn more about Cloudsmith [here](https://cloudsmith.com/) to get started with us. See you on the other side! 

## FAQs (Frequently asked questions)

### 1. What is access control in a multi-format repository?

Access control defines who can read, write, or administer artifacts across different package formats stored in the same repository. It ensures secure, consistent governance across diverse tooling.

### 2. How do permissions work in Cloudsmith for multi-format repositories?

Cloudsmith supports global, repository-level, team-based, and user-specific permissions, allowing organizations to tailor access to packages, teams, service accounts, and even individual artifact actions.

### 3. Why is fine-grained access control important in software supply chain security?

Fine-grained controls reduce the blast radius of errors, prevent unauthorized writes, and help organizations enforce policies required by modern software supply chain frameworks like SLSA and SSDF.

### 4. What are entitlement tokens used for in Cloudsmith?

Entitlement tokens provide scoped, read-only access to specific artifacts without requiring user accounts, making them ideal for external distribution, automation, or least-privilege workflows.

### 5. Can developers manage their own packages in Cloudsmith?

Yes. Cloudsmith allows permissions that let developers manage only the packages they personally created—without putting others’ artifacts at risk.

### 6. How does Cloudsmith support secure CI/CD pipeline access?

Service accounts can be granted precisely the permissions needed for pipeline operations (like write or admin) while keeping developers and collaborators restricted to read-only or scoped access.

### 7. What’s the difference between global and repository-level privileges?

Global privileges affect the entire workspace, while repository-level privileges enable granular control over specific teams, users, or service accounts interacting with a particular repository.



In a world where software ships in seconds, teams are still chained to legacy systems built for a different era. What once passed as “good enough” for storing and distributing builds has become a drain on productivity - adding risk, slowing delivery, and quietly inflating costs year after year.

In this post, we’ll break down the hidden cost of legacy artifact repositories, discuss the importance of modernizing through cloud-native artifact management, and demonstrate how you can leave the old infrastructure that has been slowing your software supply chain.

## What is legacy artifact management?

Legacy artifact management involves older on-premise artifact repositories or in-house custom systems. These tools were designed in another era, when teams used monolithic applications and updates were done once a year or even less.

The modern reality is very different. Cloud-native development, continuous CI/CD pipelines, and distributed engineering teams need a modern artifact management approach that delivers scalability, uptime, and built-in security.

This is where legacy artifact repositories fall behind. Many teams assume that on-prem systems are “more secure” because they’re isolated, but isolation no longer protects against today’s threats. Most attacks now originate upstream, through open-source dependencies that already contain vulnerabilities, malicious code injections, or compromised packages. 

With the volume and speed of issues emerging in the open-source ecosystem, an isolated, self-hosted repository cannot keep pace without continuous scanning, real-time visibility, and automated updates. Without these protections, legacy artifact management becomes a blind spot in the software supply chain - quietly storing and distributing unverified or unsafe artifacts.

## The hidden costs of legacy or on-premise artifact repositories

Legacy systems can feel safer to stick with - they’re already in place and “working.” But maintaining the status quo often hides bigger costs: outdated infrastructure, ongoing maintenance, and mounting security risks from unpatched or unsupported components.

### 1. Complexity and maintenance overhead

Legacy repositories need to be manually patched, updated, backed up, and scaled. Teams spend valuable engineering time on server management instead of innovation. Each new project or environment increases the complexity of configuration and slows down the development.

### 2. Unrecognized infrastructure costs

Hosting artifact repositories either in on-prem or in self-managed cloud VMs requires continued expenditure on storage, bandwidth, and compute. The costs increase unintentionally as the size and volume of artifacts grows (especially large Docker images or build artifacts). Beyond infrastructure, many older systems also require costly vendor support contracts for upgrades, patches, and troubleshooting. These fees often increase over time and are non-negotiable.

### 3. Security and compliance risks

Legacy systems often lack built-in scanning, access control, or software bill of materials (SBOM) capabilities. Lacking transparency in dependencies leaves teams exposed to vulnerabilities and unmet compliance requirements - something that enterprises will not be able to afford in 2025 and beyond's regulatory environment.

### 4. Scalability limitations

As repositories grow, performance bottlenecks emerge - developers face slower downloads, failed builds, and pipeline downtime, all of which directly slow release velocity and drain productivity.

## Why cloud-native artifact management is a change worth making

Legacy tools may have provided the groundwork for early DevOps, but they cannot keep up with the current software landscape. Modern organizations need next-generation artifact management - cloud-native solutions designed for speed, security, scalability, and seamless integration with cloud-native CI/CD pipelines.

A [cloud-native artifact management](https://cloudsmith.com/product/cloud-native-artifact-management) platform is more than just a storage location for packages - it’s a critical pillar of your software supply chain security. It guarantees that every artifact, from source to deployment, is verified, traceable, and instantly accessible, regardless of where your teams are working.

These capabilities are exactly why more organizations are moving to modern, cloud-native platforms that combine speed, security, and scalability to support today’s software delivery demands - reasons we explore in detail below.

### 1. No maintenance and always up to date

With legacy artifact repositories, engineering teams spend hours managing servers, applying patches, and juggling storage. A truly [cloud-native artifact management platform](https://cloudsmith.com/blog/artifact-management-a-complete-guide) is different from simply hosting a repository in the cloud—it’s built to auto-scale, self-update, and deliver continuous security without manual intervention. There’s no server downtime, no upgrade windows to schedule, and no need to plan for storage expansion - everything is handled seamlessly in the background.

### 2. Scalability without complexity

Self-hosted systems cannot keep pace with the growth in artifact volume size. A cloud-native artifact management platform dynamically boosts its capacity to manage millions of artifacts across multiple teams, regions, and projects, [without compromising performance](https://cloudsmith.com/product/global-software-distribution).

Using elastic storage and edge caching CDNs, developers are always guaranteed a [quick download and high uptime](https://cloudsmith.com/blog/scaling-for-extreme-performance).

### 3. Built-in security and compliance from the ground up

In today’s world, threats move faster than ever. With malicious packages and supply chain attacks on the rise, cloud-native artifact repositories integrate vulnerability scanning, access controls, and SBOMs (Software Bill of Materials) directly into your pipelines.

This ensures that all artifacts maintained and shared are validated, trackable, and consistent with the industry regulations such as SOC 2, ISO 27001, and FedRAMP.

No extra patching or standalone security tools - modern artifact management [integrates security](https://cloudsmith.com/product/software-supply-chain-security) into every phase of your software supply chain.

### 4. Performance and speed that empower developers

A truly cloud-native artifact repository ensures artifacts are forwarded to the closest edge location, which significantly decreases both the time spent building and deploying, which has a direct impact on increasing developer productivity and CI/CD throughput.

Engineers can focus on building features rather than waiting on downloads or troubleshooting failed builds, making software delivery faster, more reliable, and predictable.

### 5. Seamless integration with the modern DevOps toolchain

Legacy repositories often require plugins or manual scripting to integrate with CI/CD tools. Cloud-native artifact management platforms offer native integrations with [GitHub Actions](https://cloudsmith.com/product/integrations/github-actions), [GitLab CI](https://cloudsmith.com/product/integrations/gitlab-cicd), [Jenkins](https://cloudsmith.com/product/integrations/jenkins), [CircleCI](https://cloudsmith.com/product/integrations/circle-ci), and more - all via robust APIs.

This ensures that artifacts flow seamlessly through your CI/CD pipelines, maintaining consistency, traceability, and reliability from development all the way to production.

### 6. Single visibility and governance between teams

In large organizations, artifacts are often scattered across multiple repositories and sometimes duplicated, making governance and visibility a constant challenge. A cloud-native artifact management system provides a centralized, single platform for managing visibility, audit, and access.

Administrators can also manage published, promoted, or consumed artifacts - to ensure compliance and reduce the risk of unauthorized access or obsolete dependencies.

### 7. Predictable, transparent costs

In contrast to self-managed solutions that have unpredictable infrastructure charges, cloud-native artifact management follows a usage-based pricing scheme, which is predictable.

You pay for what you use. You do not expect to incur costs for hardware, maintenance, or downtime. This will ultimately lead to a reduced total cost of ownership (TCO) and a better understanding of the ROI of engineering time.

Moving legacy artifact management to a new, modern, cloud-native repository is not just a technical choice but a strategic one that enhances both the security, performance, and user experience of developing a product or service, as well as reduces costs in the long run.

Migrating from legacy artifact management to a modern, cloud-native repository improves security, performance, and the overall developer experience while helping reduce long-term operational costs. By centralizing control, simplifying scalability, and strengthening the software supply chain, teams can focus on building software more efficiently and securely.

## How to upgrade from escape legacy artifact management (step-by-step)

The idea of moving away from on-premise or legacy artifact systems to a modern, cloud-native solution can be overwhelming, but with the correct plan, it is achievable.

1. **Audit your existing repositories – **Review what you store (packages, containers, Helm charts, etc.) and where.
2. **Analyze utilization and access patterns -** Learn which teams, pipelines, and tools rely on which repositories.
3. **Select a modern artifact management platform – **Seek capabilities such as universal format support, security scanning, policy management, global availability, and automation through integrations.
4. **Plan your migration strategy – **Migrate critical projects first, automate uploads, and validate integrations.
5. **Decommission legacy infrastructure – **Once migration and validation are complete, phase out outdated systems to eliminate ongoing maintenance, reduce operational overhead, and free up resources for modern, cloud-native artifact management.

🔥**Top tip: **Cloudsmith’s [Migration](https://cloudsmith.com/campaigns/cloudsmith-migration-guide) Toolkit, combined with expert support, makes the transition seamless - preserving your history and metadata while enabling improved security and scalable infrastructure.

## The real ROI of leaving legacy, on-premise artifact management behind

Teams that modernize and migrate to cloud-native artifact management see measurable returns:

- Reduce infrastructure expenses by up to 60%.
- Faster build and deployment times across CI/CD pipelines.
- Improved developer satisfaction through simplified workflows.
- Better compliance posture with automated vulnerability management.

Time spent maintaining a legacy repository directly impacts productivity and costs. Migrating to a modern, cloud-native artifact repository preserves operational efficiency and supports long-term software delivery improvements.

## How Cloudsmith makes modern artifact management effortless

All of these challenges, including scalability, security, automation, and visibility, can be solved with a truly cloud-native approach to artifact management. And if you are planning a migration to the cloud, it is worth doing it right rather than sticking with your existing provider simply because it feels easier. A migration is already a major change, and it is the perfect opportunity to elevate your entire artifact management program. 

Cloudsmith was built from the ground up as a fully cloud-native platform that helps teams break free from the limits of traditional repositories, delivering seamless automation, built-in security, and scalable reliability in a single unified system.

Here’s how Cloudsmith enables that transition seamlessly:

- **Fully managed, always available:** Cloudsmith is truly cloud-native which means hosting, scaling, and security are built in. Teams can focus on development without worrying about infrastructure maintenance and downtime.
- **Universal support for all formats:** Whether you manage containers, packages, Helm charts, or custom binaries - with multi-format repositories, Cloudsmith provides one centralized platform for all your artifacts.
- **Unified security and compliance:** Each artifact is scanned, signed, and tracked. Cloudsmith also has vulnerability scanning, dependency metadata, and SBOM generation built-in to ensure end-to-end security for your software supply chain.
- **Global performance and distribution:** Artifacts are served over Cloudsmith’s global edge network and minimizing latency and providing fast and reliable builds across the globe.
- **Seamless CI/CD integration:** Cloudsmith integrates seamlessly with the latest DevOps platforms: GitHub Actions, GitLab CI, and Jenkins - enabling teams to automate artifact workflows, reduce manual errors, and accelerate software delivery.

A modern, cloud-native artifact repository like Cloudsmith simplifies operations, strengthens security, and accelerates software delivery - without the hidden costs or complexity of legacy systems.

## Summary: don’t let legacy on-premise artifact management hold you back

Legacy artifact management is not only dated - it’s also costly, risky, and non-sustainable. The emerging generation of cloud-native artifact management platforms, such as Cloudsmith, transcends complexity with confidence, enabling teams to achieve the visibility and velocity required to build securely at scale.

The faster you retire legacy systems, the sooner your organization can build securely, on a truly modern, cloud-native platform.

## Frequently asked questions (FAQs)

#### 1. What is legacy artifact management, and why is it a problem?

The management of legacy artifacts encompasses older systems (typically [on-premise artifact management](https://cloudsmith.com/blog/cloud-native-vs-on-premise-artifact-management-a-complete-overview)) used to store and distribute software packages. Such systems do not offer the automation, scalability, and integrated security that are needed in modern DevOps, resulting in inefficiencies and increased operational costs.

#### 2. What are the unknown expenses of legacy artifact repositories?

Beyond licensing, teams also bear the costs of infrastructure maintenance, downtime, manual updates, and security risks. These hidden expenses can quickly add up, often exceeding the investment required for a modern, cloud-native alternative.

#### 3. How do I migrate to a modern artifact repository?

Begin by auditing your existing repositories, determining dependencies, and automating the migration with the help of migration tools (such as Cloudsmith’s Migration Tool). The advantage is to retain the integrity of artifacts with the purpose of avoiding manual management.

#### 4. Why choose a cloud-native artifact repository over self-hosted options?

Uptime, scaling, and security are automatically managed on cloud-native platforms. They are CI/CD integrated, can distribute faster worldwide, and can eliminate maintenance overhead, allowing your developers to focus on their core tasks

#### 5. How does modern artifact management improve security and compliance?

Modern artifact systems integrate vulnerability scanning, SBOMs generation, and access control. This will ensure artifacts are secure, traceable, and compliant – which is essential to securing your software supply chain.



Speed is very important to us at Cloudsmith. As a cloud-native solution we believe that every team member and every build system - no matter where they are on the planet - should have low-latency access to packages and assets whenever they need them. And we never stop working to make that happen!

If you’re a Cloudsmith customer you’ll already know that we allow packages to be stored in a location of your choosing. We also offer delivery across a CDN and edge-caching to minimize latency when accessing packages from the Cloudsmith platform.

We’ve now gone beyond simple storage to add global infrastructure in two more new locations: Oregon (US) and Sydney (AUS). These are just the first of many, of course, but together these two new locations allow all traffic via the Cloudsmith API to greatly benefit from the nearest geographic location - or at least more local than before. This also has a direct impact on download requests.

Even better, Cloudsmith automatically calculates which location is best in terms of performance at any given moment in time, and for any individual or process no matter where they are located. You don’t have to second guess, we’ll ensure packages are processed as fast as possible in all circumstances.

The differences can be significant. On average, response times of 480ms were reduced to 235ms for a flat request in the wake of this roll out, and in some instances latency improvements were more impressive again: from 800ms to 40ms in Sydney, for example.

The visuals below show precisely the impact of these changes - hopefully you notice the difference too!  


```json
{
  "_key": "656c542b92dd",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-05T07:57:55Z",
    "_id": "image-ca60a94ffc6ada9536428583d908e279b65a6c26-1920x1080-png",
    "_rev": "yO7itY9PAzaQqagh0UP0tM",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-05T07:57:55Z",
    "assetId": "ca60a94ffc6ada9536428583d908e279b65a6c26",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "MNB|tBDP9G~pMy00%K-,9Gt6j-WUR*kCs,",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.7777777777777777,
        "height": 1080,
        "width": 1920
      },
      "hasAlpha": true,
      "isOpaque": false,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC60lEQVR4nFXPWUyTBwDA8T6KxnOhhTKmQyEGR4HokKzCENuvx3e0fB8FpdJW44UuLk5LVQoCQRczM7OyGR88EGdwxIGUINpoNOoSj3nGK4tuDy4zMjWZ8cqA/g2IUR/+r7/kr0swWQYSsq3xhGwro3OdjMuvYELBMiYWrmTSl6vQF39NqiNIujvMdG0TGWo9U91DNTKtpJF0pZpPhQAphVr8o3x5QJeQLQxjw+XYGZtXzsSC5Uwq+gqDZQ2TxRBTlRqmyGFSnTUYHWGS7bUkO+oxio2kOOtIEVaTUuzj46LyuG5UtoV3WRkzq4QJc5agH8Kk9aS5wqSKNRhsG0i0biBRCKO31aG3N6B3NGFwbsHgaCBJCGK0rEI3Lkdk7HuNn6mSWLCUKeJG0t31fCLWkSTUohdqMQib0NsaMNibSHJuIUncSrK0jWRlO0b5e4zSd+hM5mo+MweZYV5HpvkbMuesJVdoYHZpM7nqDqZLETLEZtLFZjLkH8ny7CTPt5vZgb2YFuwhQ9tFmrqbNK2FtNJWdB7nITRHO257G4ptP4qjFU1tQ5nfwVzPYcxaJ/lqB194OlGqjlC97Te2t17h212/s6LpNMLKI+RWdDKjvIPM+YfRLVJO4JdjLJR6qRC78bqi+MuilJVGsWk9FHmOUljWi1Z1ksi+W1y68Yg//vqPUxcesOOXO1RtPkfx8hg53h6yFvS8AytHwMqSKAFPF2WuQziVDuaqPczzxghtvcTF64949qKfvscvOX+9j5boXap/uIy85iSzfEcxeXs/BL1SN76S7jeg1I7iPIhF/hUpcIxIy23uP3jO//2DPHz8knMjYChyBfe60+QtimGqPDYMxt8H/Wo3fk8XHqkdl/0AdvsBVG8XO1tv8s/DEfDJEPgve6P3CEWu4g6eIW/xcUy+WFwXkE4M+uVY/O2y7+2yPAT+jGjdh6q2EfnpAvf/fkr/QJy+J69GwD8JNV/DFTzL54uPx7MqY4OvAZ+u8xmFb6LRAAAAAElFTkSuQmCC",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#325165",
          "foreground": "#fff",
          "population": 0.93,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#133f6c",
          "foreground": "#fff",
          "population": 8.98,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#133f6c",
          "foreground": "#fff",
          "population": 8.98,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#7068bc",
          "foreground": "#fff",
          "population": 1.45,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#94acdb",
          "foreground": "#000",
          "population": 0.25,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#5a54af",
          "foreground": "#fff",
          "population": 0.8,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#2857af",
          "foreground": "#fff",
          "population": 7.75,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "whole.png",
    "path": "images/rafvlnhi/production/ca60a94ffc6ada9536428583d908e279b65a6c26-1920x1080.png",
    "sha1hash": "ca60a94ffc6ada9536428583d908e279b65a6c26",
    "size": 1363921,
    "uploadId": "xFutYYN8HqzQchebk44AUb10QK6AHLsB",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/ca60a94ffc6ada9536428583d908e279b65a6c26-1920x1080.png"
  },
  "caption": "Improvements in response time by location",
  "link": null,
  "markDefs": null
}
```

```json
{
  "_key": "f69a3b2e3970",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-05T07:57:55Z",
    "_id": "image-ca60a94ffc6ada9536428583d908e279b65a6c26-1920x1080-png",
    "_rev": "yO7itY9PAzaQqagh0UP0tM",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-05T07:57:55Z",
    "assetId": "ca60a94ffc6ada9536428583d908e279b65a6c26",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "MNB|tBDP9G~pMy00%K-,9Gt6j-WUR*kCs,",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.7777777777777777,
        "height": 1080,
        "width": 1920
      },
      "hasAlpha": true,
      "isOpaque": false,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC60lEQVR4nFXPWUyTBwDA8T6KxnOhhTKmQyEGR4HokKzCENuvx3e0fB8FpdJW44UuLk5LVQoCQRczM7OyGR88EGdwxIGUINpoNOoSj3nGK4tuDy4zMjWZ8cqA/g2IUR/+r7/kr0swWQYSsq3xhGwro3OdjMuvYELBMiYWrmTSl6vQF39NqiNIujvMdG0TGWo9U91DNTKtpJF0pZpPhQAphVr8o3x5QJeQLQxjw+XYGZtXzsSC5Uwq+gqDZQ2TxRBTlRqmyGFSnTUYHWGS7bUkO+oxio2kOOtIEVaTUuzj46LyuG5UtoV3WRkzq4QJc5agH8Kk9aS5wqSKNRhsG0i0biBRCKO31aG3N6B3NGFwbsHgaCBJCGK0rEI3Lkdk7HuNn6mSWLCUKeJG0t31fCLWkSTUohdqMQib0NsaMNibSHJuIUncSrK0jWRlO0b5e4zSd+hM5mo+MweZYV5HpvkbMuesJVdoYHZpM7nqDqZLETLEZtLFZjLkH8ny7CTPt5vZgb2YFuwhQ9tFmrqbNK2FtNJWdB7nITRHO257G4ptP4qjFU1tQ5nfwVzPYcxaJ/lqB194OlGqjlC97Te2t17h212/s6LpNMLKI+RWdDKjvIPM+YfRLVJO4JdjLJR6qRC78bqi+MuilJVGsWk9FHmOUljWi1Z1ksi+W1y68Yg//vqPUxcesOOXO1RtPkfx8hg53h6yFvS8AytHwMqSKAFPF2WuQziVDuaqPczzxghtvcTF64949qKfvscvOX+9j5boXap/uIy85iSzfEcxeXs/BL1SN76S7jeg1I7iPIhF/hUpcIxIy23uP3jO//2DPHz8knMjYChyBfe60+QtimGqPDYMxt8H/Wo3fk8XHqkdl/0AdvsBVG8XO1tv8s/DEfDJEPgve6P3CEWu4g6eIW/xcUy+WFwXkE4M+uVY/O2y7+2yPAT+jGjdh6q2EfnpAvf/fkr/QJy+J69GwD8JNV/DFTzL54uPx7MqY4OvAZ+u8xmFb6LRAAAAAElFTkSuQmCC",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#325165",
          "foreground": "#fff",
          "population": 0.93,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#133f6c",
          "foreground": "#fff",
          "population": 8.98,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#133f6c",
          "foreground": "#fff",
          "population": 8.98,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#7068bc",
          "foreground": "#fff",
          "population": 1.45,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#94acdb",
          "foreground": "#000",
          "population": 0.25,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#5a54af",
          "foreground": "#fff",
          "population": 0.8,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#2857af",
          "foreground": "#fff",
          "population": 7.75,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "whole.png",
    "path": "images/rafvlnhi/production/ca60a94ffc6ada9536428583d908e279b65a6c26-1920x1080.png",
    "sha1hash": "ca60a94ffc6ada9536428583d908e279b65a6c26",
    "size": 1363921,
    "uploadId": "xFutYYN8HqzQchebk44AUb10QK6AHLsB",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/ca60a94ffc6ada9536428583d908e279b65a6c26-1920x1080.png"
  },
  "caption": "Average network timings - again showing significant improvements as we move to production in multiple global locations",
  "link": null,
  "markDefs": null
}
```

There is a paradox at the heart of modern software development processes.

On the one hand, **those processes are more collective than ever before**. The old days of the lone genius are long gone. In the modern world of DevOps, continuous integration and continuous delivery, extensive teams work together as seamlessly as possible. Every cog in the machine plays a vital role.

As individuals in that process, we are used to sharing our own work and building on the work of others. Software delivery is a broader, more cooperative process than ever before.

On the other hand, however, **we have never been further apart**. Modern software teams are rarely in the same building, and in some cases, there is no ‘building’ at all. Even large developer organizations such as [GitLab](https://about.gitlab.com/company/culture/all-remote/), [Automaticc](https://automattic.com/) and [Basecamp](https://basecamp.com/) either have no office at all or let employees work wherever they feel like.

Of course, most of us will be well aware that a range of technologies help square that circle and enable highly distributed teams to work closely together. From tools such as GitHub that help us collaborate on code in a constructive way, to messaging platforms such as Slack that keep everyone in the loop, there are a multitude of products that support co-working across physical barriers.

In fact, the very existence and adoption of those tools - by the open-source community, in particular, can be said to have driven the adoption of distributed development.

But it isn’t all plain sailing.

## Where Do Software Assets Live In A Distributed World?

Let’s talk about software assets. In the collective processes we described above, packages are the essential building blocks of software. What we create is a collection of packages and dependencies, and is in turn packaged and made available for use by others within and outside the organization.

So centrally important are these packages that for reasons of security, availability and reliability most organizations are by now well-aware that these packages need to be stored within a private repository. In addition, of course, if we wish to protect our own intellectual property it will be absolutely essential to do this.

But where should that repository live?

The standard answer to that question today is (or certainly was) ‘on-premise in my development headquarters or datacenter’. As a simple answer to an apparently simple question, this has its merits.

First, locating packages and assets on-premises means that in theory, they are fast to integrate into build processes. Given that these processes can integrate thousands of packages and dependencies, and occur dozens of times a day, even marginal performance issues can quickly escalate into significant (and frustrating) increases in build times.

Second, as noted above it gives us control over the software assets within the organization. On-premises means under our watchful eye, or at least that is the theory.

Of course, you’ve probably guessed what the issue with this approach is. Which premises? **At Cloudsmith we increasingly work with clients who have teams and individuals distributed all across the globe in dozens or even hundreds of individual sites.**

And even beyond that reality, the growing rise of cloud-native continuous integration, for example, means that many of the processes that packages feed into (and emerge from) are not based on any premises anyway.

That adds up to making performance _worse_ for the majority of the organization even whilst it looks great to the CTO and the rest of the team in HQ! To counter this issue, many organizations attempt to mirror repositories across multiple locations.

This brings its own challenges. For one, we no longer have a single source of truth for our software assets. Dependent on location, we can’t be sure that we’re all looking at the same thing at the same time, or that the same controls and permissions are being applied.

In addition, whilst it might be practical to mirror to a handful of offices, that doesn’t help teams that are spread across dozens or even hundreds of locations - including, of course, those cloud-native processes we mentioned above.

Lastly, it’s just complicated and costly. On-premises solutions are already expensive to maintain, support and scale. That is why cloud services have been universally adopted in almost every other area.

Attempting to add in mirroring of software assets across multiple locations only adds to that burden, meaning the development organization has to invest significant resources into performing this task - resources that could and should be spent actually delivering software.

Ultimately, all these approaches impose a great deal of cost for little tangible reward. In addition, they really only kick the can down the road. What happens as new locations are added?

Fortunately, there is another way...

## Cloud-Native Package Management

What distributed development teams need is this:

_A ‘single source of truth’ for software assets,_ one that is available to any team or individual, anywhere on the planet, whilst maintaining the highest levels of performance for all.

The only place that source of truth can exist is in the cloud. But there is a world of difference between being ‘in the cloud’ and being ‘cloud-native’. The former does mean that security, control, auditing and provenance can be handled in a single place, and consistently across the entire organization.

Only the latter, however, can deliver outstanding performance to developers and teams wherever they are.

At Cloudsmith, we invest a significant amount of effort into ensuring that every member of a development team, and every process you integrate packages and dependencies into, are supported in this way.

- We provide the ability to choose precisely _where_ in the cloud your assets are stored (which you may want to control for legal and IP reasons, as well as performance)
- All packages are distributed around the world by a blazing fast global Content Delivery Network (CDN).
- We use edge-caching to optimize performance everywhere, and give our users fine-grained controls over exactly how long assets are cached for, all across the world.
- Upstream proxying caches upstream packages, reducing the amount of external repositories our clients depend on and protecting software and servers from downtime and slowness of official main repositories.  


Through a combination of these features and more, we believe that cloud-native private repositories don’t have to mean ANY compromise when compared to on-premises solutions, in addition to being so obviously superior for supporting distributed teams.

If you’d like to try Cloudsmith for yourself and find out why - sign up today at [cloudsmith.com](https://www.cloudsmith.com)!

At Cloudsmith we’re proud to do things differently. And when it comes to customer support and success, our customers are delighted that we do.

Here’s the thing: in huge numbers of organizations, both in the Saas universe and beyond, **customer support is broken**. Anyone reading this who has tried and failed to get timely, meaningful answers from a vendor when things go wrong knows this is true.

And even if it is just a case of finding out ways to get the most value out of a Saas product we all know it can take a huge amount of time and effort (mostly our own) to make it happen.

So if being different means not actively sucking when it comes to helping our customers succeed, we’re guilty as charged.

### What Has Gone Wrong...

Given that customer satisfaction is such an important metric for a Saas business, it is surprising that the default setting when it comes to customer support is somewhere between ‘low’ and ‘none’. After all, if our customers don’t get value from the product and can cancel at any time, we all know what happens next…

As always, fixing something starts with understanding what went wrong. We don’t claim to have thoroughly researched this phenomenon, but at the same time we watch, listen and learn - and notice what’s going on.

Here’s a best guess as to the factors behind a failing customer support function:

- **The temptations of online documentation**. Everyone knows that [nobody reads the manual](https://www.joelonsoftware.com/2000/04/26/designing-for-people-who-have-better-things-to-do-with-their-lives/). But we sure do keep writing them. Worse, the rise of online documentation has only encouraged this trend. Writing the manual has become easier than ever! Never mind that the user would prefer a product that worked intuitively. That’s **hard**. So we revert to creating a sea of information that struggling users have to navigate their way through.
- **A reliance on user communities.** A little like documentation, there’s absolutely nothing wrong with communities in themselves. In fact, just like documentation, they can be fantastically useful. But they aren’t an alternative to a properly resourced customer success function.
- **Customer support as a last line of defense**. This is probably the big one. Too many organizations now see customer support as a cost center: when the approaches above have failed, a real human being steps in before things get out of hand. This is a fundamentally negative view of the function, and negative things don’t get the focus and resources that perhaps they should. We see things differently.
- **Customer support and success are isolated from the business**. As businesses grow, specialization happens. That isn’t always a bad thing, but it often means that customer support suffers. An entire function of the organization becomes removed from the day-to-day business of product development, and as a result becomes worse (not better) at helping customers get the most from the product.
- **The need for revenue**. Customer support is what happens when your product isn’t working (and yes, if it is too opaque for a user to get started without your help, it isn’t working). Is that really something to look at as a source of revenue? Perhaps you could make more revenue by making the product worse! Unfortunately way too many business models rely on ‘services revenue’ - and customers who won’t pay get poor support.  


All these factors and more play a part. And they add up to frustrated customers. We know, because we hear these complaints frequently from new customers who arrive at Cloudsmith after giving up on one of the alternatives.

The purpose of this piece isn’t to talk about how great our service is, but nor will I pretend we don’t get told on a regular basis how much our responsive and helpful attitude to customers is appreciated. So let’s talk about how we do it.

### ...And How Cloudsmith Does Things DIfferently

It’s easy to talk at length about what is wrong. See above! But how do we fix things?

The first step is the most important: **start meaning it, and act as you mean it, when you talk about how important your customers are.**

If customers are important, start acting on it. Stop looking at customer support, and customer success, as a bolt-on, ‘responsibility’ or cost center. Look at it as perhaps the most important function in the business.

That means being responsive because you want to be responsive. Because every conversation is an opportunity to learn and improve. We see Cloudsmith as a ‘whole product’, and we see the conversations and interactions we have with customers as a part of that product. Not an extra.

Part of that, by the way, is an obsessive focus on making the product easy-to-use and as indestructible as possible. Prevention is better than cure. Cloudsmith is cloud-native because we wouldn’t wish the hassle of managing an on-premises solution on our worst enemy. Our motto is **“be awesome, automate everything”**, because we know that when we automate we reduce the risk of problems caused by user error.

_In other words, customer support and customer success are hard-coded into the product from day one._

Even so, things can go wrong. When they do, we accept that people don’t want to read a manual (even though, of course, we have awesome [documentation](https://help.cloudsmith.io/docs/welcome-to-cloudsmith-docs)) or check with a community. They want to talk to someone, and they want to talk to someone who knows what is going on.

**That’s why we don’t have a customer support team. **We have an engineering team, who talk to customers every day.

We believe that the best people to help our customers use the product are the people who wrote it. Customers get the best support possible. We get the kind of insights around product usage that we never would through any other means.

To do that we open up channels of communication that might make others nervous. We are freely available on Intercom at any time. For customers who really want to get close we share Slack channels.

And because we automate everything, those conversations focus around how best to use the product and where best to start delivering value, rather than firefighting 24/7. So they are super productive for everyone involved.

Again, if we start from the customer being important, this feels normal. For those who start from the customer being a problem to keep at bay, then it seems more like insanity. Which one are you?

Ultimately, we want our customers to learn from us, and we want to learn from them. And that isn’t just about keeping the platform up and resolving issues around usage. It is also about delivering maximum value, and discovering what can be done with package management together.

That’s our approach. It’s how we see customer success differently. It’s why in the entire two years of our existence we’ve lost fewer customers than you can count on the fingers of one hand.. Yes, it helps that we aren’t a huge, unwieldy global organization. But we truly believe that our approach can and will scale.

In fact, it needs to. Because it is at the heart of the Cloudsmith promise.

At Cloudsmith, we are always looking for new ways to make our customers’ lives easier, more efficient and more highly automated. With this in mind we are extremely excited to announce that we have developed an official Cloudsmith Zapier integration!

## What is Zapier?

Zapier is an automation platform that allows you to connect your favourite apps and services together (such as Stripe, Slack, Gmail and more). You can connect multiple apps together to automate tasks and you can do all of this without needing developers to build or code custom integrations - the simple interface is entirely point-n-click driven and is extremely easy to set up.

For example - maybe you have packages on Cloudsmith that you would like to sell commercially. Every time you get payment from a customer through your payment provider (Stripe, Shopify, Paypal etc), you could log into Cloudsmith, create an Entitlement Token in the relevant repository and then share that Entitlement Token with your customer. (For more information about Cloudsmith Entitlement Tokens, see [here](https://help.cloudsmith.io/docs/entitlements))

**OR - you could automate this entire process with the Cloudsmith Zapier integration!**

## Let’s work through an example!

Get started by logging into your Zapier account and creating a new “Zap”. A Zap is the name for the automated series of steps between your chosen apps that Zapier will perform.

Open the menu on the left and click “Make a Zap:

```json
{
  "_key": "aabe35b08157",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-11T21:28:06Z",
    "_id": "image-ed6c281352bfcb67b2f7f8a4e56e12e9d819a11b-299x335-png",
    "_rev": "H4nqDxaFoyVvwHkz6nGhdc",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-11T21:28:06Z",
    "assetId": "ed6c281352bfcb67b2f7f8a4e56e12e9d819a11b",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "ecRC*+WCogt7s.DOoeozWBn%xYoekCj[e.?wflW=fkWA~qayW;ofRj",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 0.8925373134328358,
        "height": 335,
        "width": 299
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAAsTAAALEwEAmpwYAAADaUlEQVR4nI2U628UVRiH589R2vqlaqJEbBqikURL6YUu1ghFgaQGK3yQD2q0icaE+EkhEYiJRj+oIdI0lASoEjXFW5C46Uq0Xdrune3MdneuO5f3MWemWwJF2JM8ec85887vzDnn947G/7UoBM8G0wC9gJT+BaMInpU8u6uJCGEYoiESDzbhu4ieR5auIzd+RjI/IjevIUYBCbzN+VFEGARouA5im4jVuJO6jpSyyOI15O855J/fkOU0UllGGsbmfMsktC201T/mWLh0nvmZc8xfmErizDkyKp4/S2b6GzJTX5OZ/paMGs98lzy7i8XZC+jXf0eb/fAdPtibYmKwj4nhfiaGdvLGcD/HXhph8uAY748fYPLQft49sI/JQ6/w3sEx3hzdvZE7oRjs4/irL3P15Edon4/vY+DJx+je8hDdXR10d27h8Ue6eGbbU4wODrD/xVQcd/e9wOjALkb6++jd+gSPdnXGud2dHXR3PMyenq1MvX0UbfqtIxzduYNU7zZS23ti9mzvYez553g9NcSR0REOp4Z4bXgXh0cGGR/exd4dz8Y5rfxU79McG+rjh+OTaMsXp7n6xWkuf/oxs6dPxFw+lcTZMyf4/szJjRj313Pu4NQn/PrlZ+SuXERrGqvUcktUswvUCytYpQJmMU+jkIsxi4p8PG9XijgxpU241TLNmo7mui7Z7CLpdJpbtyrYloWh61SrVVarVXRdZ61Ww3UcojBEJLonURQmPrRtm0xmnrm5OfL5PPV6nWKxyMrKCjlFLke5VMI0zbgSlIlhMyJRUilBEGAYBuVyGcuy8H0ftYhpWvFY4TgOKi8Ru3eTVumpnCAU/CAijIRI1lH99XEyz30JIyFQgq4PeUNYKEdUG0LDhTVbqDuC5YHjg9Ncj/fB9QXPD9F0S7j0V8hXP/n8eTNiaVVI5yJuFCMqdai77dFwBccL0Wq2cCUTcvaXgPRKxLKeCGYKSjD54nYwW4LNgHirBUOoqd+fd3vLdlNtpT28QGj665eiDjQ++I3DT/5xrUt50IVEitalqKtWHltbW8PzPJrN5oZd1LzjOrEdHtSkZRslUCgUyGazsagythorkytzVyqVeKG2BZVhVXmpF5WhVSnWarV4TpWfWkSZvW1B1VGi6qUoUnWZPFCo+dvl1p7gfwlzH4AdsungAAAAAElFTkSuQmCC",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#5c3c3b",
          "foreground": "#fff",
          "population": 1.24,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#3f1b14",
          "foreground": "#fff",
          "population": 0.39,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#da4323",
          "foreground": "#fff",
          "population": 3.35,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#c3cccf",
          "foreground": "#000",
          "population": 0.44,
          "title": "#000"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#f5c1a7",
          "foreground": "#000",
          "population": 1.11,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#939ba2",
          "foreground": "#000",
          "population": 0.75,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#da4323",
          "foreground": "#fff",
          "population": 3.35,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "image.png",
    "path": "images/rafvlnhi/production/ed6c281352bfcb67b2f7f8a4e56e12e9d819a11b-299x335.png",
    "sha1hash": "ed6c281352bfcb67b2f7f8a4e56e12e9d819a11b",
    "size": 12695,
    "uploadId": "ZAvLh2dNofMX9wE9HvCd873JyDfxF0z6",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/ed6c281352bfcb67b2f7f8a4e56e12e9d819a11b-299x335.png"
  },
  "caption": "Make a Zap",
  "link": null,
  "markDefs": null
}
```

### Step 1

Choose the app that you want to use to “Trigger” this Zap, in this example we are going to use Shopify:

```json
{
  "_key": "d552a18d1daf",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-11T21:28:23Z",
    "_id": "image-cd28713ea1ed5d4b86230f7028a1af5a5beccd69-930x490-png",
    "_rev": "H4nqDxaFoyVvwHkz6nGjvs",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-11T21:28:23Z",
    "assetId": "cd28713ea1ed5d4b86230f7028a1af5a5beccd69",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "MTRfqZWBavt7t5~SWANHoeRn9bfkt6j[s.",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.8979591836734695,
        "height": 490,
        "width": 930
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABmUlEQVR4nI2QW2sUQRBG5/+boCAYLw9e/kBciJgEWV98EHxTFjYhQrK6Djvbc+me6dtMz5wwPUQShWQbDk1XdX1VXyVKK6SW1LqmbpqIMQZjLdY5nPf4tr0X5338X2tNUjYCIVNEmZFlWzabDXmeUxQFUim89/R9fy8hhCjajIK1UcimoJQFQghEnlNVFVJKtNZ0XccwDA/SdQFtLMk4qqpVFNtmGWVZRMtt28bO4+ddTuh7jHUk1tpoTWy3lEKglaJr27+ddznDACH02CjoHLVuos1aKVprCV037WcHq30/EPrJ8jShc2ij486UUjjdELyjD+PChwcJI+GWYGM8a6FZXCq+/1QsLjXLlWf5O7BcB87/BC7SPnK2nmL/cpEGsqqjMY6kUI75D8fTD5pHh5q994b9mWV/5iJPjhwHJ55nx57HR1PsNnszx4sTx9czT1Vbklwaviwsrz8ZDj5qnh/f5dWp5u1c82aueXn6f36seffZ8O3cUipNUlSSjVD82iiuUsUqne4bxvcqlVxF7uZuGGuzXDFqXQPUFD8eBb6GzAAAAABJRU5ErkJggg==",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#4f524c",
          "foreground": "#fff",
          "population": 0.5,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1244b2",
          "foreground": "#fff",
          "population": 0.01,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1562f1",
          "foreground": "#fff",
          "population": 7.25,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#c6cfa1",
          "foreground": "#000",
          "population": 0.11,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#6cb4fc",
          "foreground": "#000",
          "population": 0,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#8ba561",
          "foreground": "#fff",
          "population": 0.1,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1562f1",
          "foreground": "#fff",
          "population": 7.25,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "image.png",
    "path": "images/rafvlnhi/production/cd28713ea1ed5d4b86230f7028a1af5a5beccd69-930x490.png",
    "sha1hash": "cd28713ea1ed5d4b86230f7028a1af5a5beccd69",
    "size": 44254,
    "uploadId": "bDdXiUS6E9YbhAbjRKbZWa4O46tVpIrV",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/cd28713ea1ed5d4b86230f7028a1af5a5beccd69-930x490.png"
  },
  "caption": "Choose Trigger App",
  "link": null,
  "markDefs": null
}
```

**NOTE** - you will need to authorize Zapier to access your Shopify account after clicking “Continue”. This process varies depending on which payment provider / platform you are using, but for Shopify you are presented with a window to log into the Shopify platform and authorize Zapier. Other payment providers work similarly, or offer you the option to add an API Key.  
  
Once you have authorized Zapier, you continue to set up the trigger event, in this case - specifying exactly what order conditions will fire this trigger:

```json
{
  "_key": "bb46d084d14f",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-11T21:28:55Z",
    "_id": "image-834a57da97f1377d9eab16b1281dcbc441b5517e-927x785-png",
    "_rev": "G5X2gZfJcyTQGzfRUwHi4C",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-11T21:28:55Z",
    "assetId": "834a57da97f1377d9eab16b1281dcbc441b5517e",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "eKR:KQRjR%t7t6~oWBM|oLRk9bj[t6j[t6-:WUWCofWCM{kBofj[oL",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.180891719745223,
        "height": 785,
        "width": 927
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACIUlEQVR4nJWUS2/TQBRG/f+XCAkEokhdUFQQtGIBa1YsEBIrSlPSJlXq57w8Tz/iD91xEiVtScTiyKOx/M2Ze6+cKCshNYPSEkqpiDYGzjn4ENC0Lbq+30vbdQghQFuHROgKpbxDyQvkOZGjYgxc8BjeNA2GYdjLcrmMBxtrkSijIBQD4xUYG0OstRHvPfq+Pxg4DANC10E5i6TWGoxzlGUJKWU0ohPXjB9gL8sBcF0HZg0SrQ04F6iqCkLIWLu2bbFcHrbaXHkYDQUZUgAXAlmeoSgKcM5hjEHXdVuGhwPbvof1fgysWIXF3QJ5UUAIEQOpa2T6P7jgkVDhuaiQ5Wm001rHhtBBFEo13UdYQWsXDX2AkBxFWWw6HGfQ+3+GbFs16/22jXObkCaXHHmRxeuSIV15zXqEtkeJzB/QrAy9DzEwy1KUVYm6rncC7wfvM/dkGGsoWWxKmmaQQq4sx6vTqc75GDSya+b9yMYwNAHGanDOwBlDXa/CPDWE6tShabv4XK8fo93U0DcomcF0XmJynWN6y3Gz0JilBreZxW1uschdhNZx7x6LwkHUYZxDWXt8+5nj+HyCF+8u8OrDBK/PpiPnUxx/usbJ51mE1rS3w9kUb7/M8OMX/bEcEiYsvn5P8fL9BE/eXODpye8dnp9e4ujsKvLs9PLBe+Lo41WUEsogkUojLRT+zAUmM/6AK2LOIo+9n9xwTOcCWakga42/f4UKdD9GeKEAAAAASUVORK5CYII=",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#5e5f5c",
          "foreground": "#fff",
          "population": 0.62,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#0c3ea8",
          "foreground": "#fff",
          "population": 0.01,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#5e5f5c",
          "foreground": "#fff",
          "population": 0.62,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#c1d39f",
          "foreground": "#000",
          "population": 0.08,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#9ab5ed",
          "foreground": "#000",
          "population": 0.08,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#606fa3",
          "foreground": "#fff",
          "population": 0.02,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#2546cd",
          "foreground": "#fff",
          "population": 0.07,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "image.png",
    "path": "images/rafvlnhi/production/834a57da97f1377d9eab16b1281dcbc441b5517e-927x785.png",
    "sha1hash": "834a57da97f1377d9eab16b1281dcbc441b5517e",
    "size": 73076,
    "uploadId": "XfcIPqmGwhAk2rVDcFgbfSbNEqOhsFP0",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/834a57da97f1377d9eab16b1281dcbc441b5517e-927x785.png"
  },
  "caption": "Trigger Event",
  "link": null,
  "markDefs": null
}
```



You then test the trigger and it will pull in any orders from Shopify (or sample order data if your Shopify account does not have any paid orders yet):

```json
{
  "_key": "6c76c04174b7",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-11T21:29:22Z",
    "_id": "image-215d8482c249b29685bf5ae61d355b6b7fc4c555-924x1017-png",
    "_rev": "G5X2gZfJcyTQGzfRUwHkBo",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-11T21:29:22Z",
    "assetId": "215d8482c249b29685bf5ae61d355b6b7fc4c555",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "e3Ss510000_NNa_2RiIoofbXX8t7oxWAIo~pE1D*t6xsD%tR%MtQog",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 0.9085545722713865,
        "height": 1017,
        "width": 924
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAWCAYAAADAQbwGAAAACXBIWXMAAAsTAAALEwEAmpwYAAACZ0lEQVR4nJWV6bKbMAyFef9X7J9Om82AV/BuczoS4SbpzG1Sz5yBsHxIOrIy/FBX/NQnzGaClDPmeYY2Gs45rN4jl4LWGnrv36q1xs95HzBczIiLPmFSAuMoIIRgqFIK1lrknLFt21uVWuFjxGAWC2UUpJIMWZYFMUZWSpm//gkwtwaXIga3LNDaYJ4ljKGIyl8P4yOl1qBjwGCcwywlxE1ASYWUEnp/H9Gz+rYhtQoZ/Q6c5hmjENBKI4SIWuu94J9DEwGDp5Qd1DxhHsWXEXsdA0opDG+1ofUNtT3UOrDhsXJvsGSK9yucmjCLC7s8TRO7TOA1rPBhRYwJqTSEssHnjY+l3euLfbXeEXPGQG56b6G0gFQzG+O9R0oRKScWRVpqR64bUqFjR30qR6de7J17cYgpwccF0owMdG5hYxjyovqqWrkc5bhf6wNIqUktofTehyEEhpKosY9z/n3X87V0PJcLhhAjrHO4ihFimvicthzV7cuU1v6pUgoDOUICKmPw63TG+XqD1AbWLXALmRH5hXer984fvgMTlLEMm2bJNVzWFctCDgfUVt8Ct237GhADpWasgxgnKG14YvgQucE57bpvxY+BIUZoa3G9CUxScf0S1SPv7h3D4XNgSgw8X664jRNHuM+/R5/9V8rhDiRTTpcr1tVzkf9nba8pJ2izA3+fL7DWcbrvWuV5Tvanqc2mUFTkME0dahlq7GPIfifqu+OvgbbdiylkAnU77Rqa0tykmZq1IMQCt2bYNfP5cf0w7FCtjTnDsvodlAtrf+GAZiw+Q6iMq8wwK22vx70DTqJAqG//AJ0otqdHmazUAAAAAElFTkSuQmCC",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#3c3c3c",
          "foreground": "#fff",
          "population": 0.02,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#5b792c",
          "foreground": "#fff",
          "population": 0.02,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#9ac9e0",
          "foreground": "#000",
          "population": 0.14,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#ceca9c",
          "foreground": "#000",
          "population": 0.1,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#9ac9e0",
          "foreground": "#000",
          "population": 0.14,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#a4aa5e",
          "foreground": "#000",
          "population": 0.08,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#48ac90",
          "foreground": "#fff",
          "population": 0.04,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "image.png",
    "path": "images/rafvlnhi/production/215d8482c249b29685bf5ae61d355b6b7fc4c555-924x1017.png",
    "sha1hash": "215d8482c249b29685bf5ae61d355b6b7fc4c555",
    "size": 120405,
    "uploadId": "A6mI3AJUwf4SuDEoG0pHgI3uFpOvQnwZ",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/215d8482c249b29685bf5ae61d355b6b7fc4c555-924x1017.png"
  },
  "caption": "Testing the Trigger",
  "link": null,
  "markDefs": null
}
```



Once you have this all completed, click “Done Editing” to move to the next step.

### Step 2

Click the "+" icon under your Trigger step, chose the Cloudsmith app from the dropdown list, and then Chose the “Action” that you wish to perform - in this case it is “Create Entitlement Token”:

```json
{
  "_key": "e8b2beb24463",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-11T21:29:49Z",
    "_id": "image-aad3845482094a5005321f64cc60ccbaef802c94-912x486-png",
    "_rev": "H4nqDxaFoyVvwHkz6nGq3E",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-11T21:29:49Z",
    "assetId": "aad3845482094a5005321f64cc60ccbaef802c94",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "MTRfqZWBobt7t5~SWBRmoeRl9cj]t7j[oJ",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.876543209876543,
        "height": 486,
        "width": 912
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABoUlEQVR4nI2Q8WoUMRCH9/W1fxSsYhH0EaxSz1Zb8A1EKYVWRVu0vXp3u9lkM5Nkk+xPMndbVq1g4CPDZOZjJpVlB4EYRAxmB+dGPNh5EDMsM5z36PseMaa/8CGIpzLkYIihtUHTNKibRm6lFJRqhbquJdd1HULokXPGMAy35JwRYwQ7h4pckOlGoWoUtNaw1oKIhCKyluC9R0rpN9kwkYYQUJU1imC1XGK5WKBVStYtjaWoMMZj810nDwP6PqIqu2tjRKhWC1hjZPzSN/b+SzKeQSbcCEPfy2e2rYZuWzgipBil4H9JKSOmjOISITknUxqj4axBCmXljFSKBUziO0hroUxIPuL70uH0wuDkq8bpN42zS8L5j4izq4xP1xlf5mvOr7Lk/uTzdcJcJbDrUS3aiIP3Htv7hHvPLe7vWWztEbZeemF73+PRQRBKPOZveeHxYOZx9DGg1j2qn8rj6IPD7hvCzivCw9mG1yzsHjKeHTOeHjMeH65zU3ZmjCdvGe9OHFatR9XoDvOVxeVNh4v5hhJvKPkp07dpzU1t0WiDX99HPiG3dtncAAAAAElFTkSuQmCC",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#505051",
          "foreground": "#fff",
          "population": 0.64,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#2455bc",
          "foreground": "#fff",
          "population": 0.68,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1361ef",
          "foreground": "#fff",
          "population": 4.08,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#9cb0c8",
          "foreground": "#000",
          "population": 2.33,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#64b4fc",
          "foreground": "#000",
          "population": 0,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#7c7c7c",
          "foreground": "#fff",
          "population": 0.09,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1361ef",
          "foreground": "#fff",
          "population": 4.08,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "image.png",
    "path": "images/rafvlnhi/production/aad3845482094a5005321f64cc60ccbaef802c94-912x486.png",
    "sha1hash": "aad3845482094a5005321f64cc60ccbaef802c94",
    "size": 43202,
    "uploadId": "ZLQ1KI4EU2YYZW67A8Rwi9GHa3ME8vXs",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/aad3845482094a5005321f64cc60ccbaef802c94-912x486.png"
  },
  "caption": "Cloudsmith App and Action Event",
  "link": null,
  "markDefs": null
}
```

You will need to authorize Zapier to access your Cloudsmith account, and you do this by adding your Cloudsmith API Key, which you can retrieve from [here](https://cloudsmith.io/user/settings/api/)

```json
{
  "_key": "dc3d942b6641",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-11T21:30:06Z",
    "_id": "image-f89f253a765433502996763a9d8874cf136274cb-979x470-png",
    "_rev": "IJur02g71mBjSRizOcAu0y",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-11T21:30:06Z",
    "assetId": "f89f253a765433502996763a9d8874cf136274cb",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "M6RW6s%M?w.8Md?wkCwIjEXT^+of9ZR*xF",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 2.0829787234042554,
        "height": 470,
        "width": 979
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA9ElEQVR4nL2S226DQAxE+/+fV7W5EAKEECCL8V7J66myvT20qqhU9WFkWR4d2fI82BD5Sz38C1B9QKzFzPopfe0ntYh12bMaOKnSnDv2ZcWurCiqmkPdfNS2HzJ0FVB9YJyEsqp53u552hVsD0d25ZFNUbItSupzlzddBRTn6Y1w6i40bUfTDbT9+KaBcz8ymAmxHvUrgLO/n+wxohiZmWRGRJFZEbX5Ape9ad2GLiR8WggxEWchXVqWriFdB4L3xOVGut0IacHFr9Bvn3I3+hAJY088bEj7R8LpiBXJcx8TLv42h/dYqGKNwZlrhukPcXkHvgCp//W20uAH0gAAAABJRU5ErkJggg==",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#3c4444",
          "foreground": "#fff",
          "population": 0.02,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#713d13",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#f09379",
          "foreground": "#000",
          "population": 0.57,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#c4d4dc",
          "foreground": "#000",
          "population": 0.01,
          "title": "#000"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#f09379",
          "foreground": "#000",
          "population": 0.57,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#7a7c84",
          "foreground": "#fff",
          "population": 0.03,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#e6a46e",
          "foreground": "#000",
          "population": 0.01,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "image.png",
    "path": "images/rafvlnhi/production/f89f253a765433502996763a9d8874cf136274cb-979x470.png",
    "sha1hash": "f89f253a765433502996763a9d8874cf136274cb",
    "size": 45485,
    "uploadId": "uBaWDFtgDYDPVHjxXXTsRQ8MIjJncjE9",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/f89f253a765433502996763a9d8874cf136274cb-979x470.png"
  },
  "caption": "Zapier Cloudsmith API Authorization",
  "link": null,
  "markDefs": null
}
```



Once you have entered your Cloudsmith API Key you then specify the details of the Entitlement Token that you would like to create. The only required fields are:

1. Token Name
2. Repository Owner (namespace)
3. Repository

You can enter a Token Name manually or you can pull in output from your initial trigger step (such as an email address, customer ID or other identifying information from your Shopify order). For the Repository Owner and Repository you can select from the dropdown menus. In addition, you can specify a custom string for the Token itself (although if you don't then one is generated for you!)

You can optionally specify any restrictions you would like associated with this Entitlement Token, such as an allowed number of downloads or a valid to/from date.

```json
{
  "_key": "7195a997082b",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-05T07:58:53Z",
    "_id": "image-a13074b8b1291de5c6868f309769023fbe50867d-910x1401-png",
    "_rev": "2MVa2LY6RC9Yy6hPJdhRd4",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-05T07:58:53Z",
    "assetId": "a13074b8b1291de5c6868f309769023fbe50867d",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "dER{+1WCoc%M~TWVRkkB9hj]s,WV^#WBWEj[9iWBs-of",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 0.6495360456816559,
        "height": 1401,
        "width": 910
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAfCAYAAADnTu3OAAAACXBIWXMAAAsSAAALEgHS3X78AAADC0lEQVR4nI1W227TQBDNtwIPXF7gU6ASRSpQFan/gOhFqtRPACFVBYpQVcd3r+31XpwcNLNeZ5M6bSIdZXdtn5yZMzPObLFYwFoLrTWUcqA1QXYdyrJCHMeIogjz+Rx5nvO1qc9yucSMLlZVhTRNkaYZsiznh+iMCJVSkFKOoH3f9/zwiEWPZd/z+YxuKIocUXSHOE5GQiEEP2yMgR1grOVo1mAMrOrQqw7WGqdQiApxErPKsixZXdu2HBoRPgitYTrJpPQDM0UhC8Hq0jRBXYsxtEfJGAMhwRhHWAqBeRxz8omQyAjenAehFHTbwMg2IKycwizL0DTN7mQDoWobaNnAGu1dFkiSFEVRjOGGeJRQShglYcgUn0NSR852Q6kQaB3ut0FrzQ6zKexyXbM6IiR3w7ojEOnmmb9PDeZRDY4ue8K6rscb6dsj3G8SK1+rXJe9V9ggHxSSKVMIFbk2Xc+tGUhHhXmRc1GTyikin8uVGgcz1CPvqfWInWovy1M2hkhJqQeREtlj5WOHH2DCpqlRVq7lNkMldbu0oLV+OLDCGmU57bLP1S6E1plimMiNLzccNk3wOXqIsB/HF08baj3Xy77AQ6W7FbZdKaSQvUI/XAmhOd6gsC7DwrdhHXpCUjdljC9qXzqbdWi2hZwkyVoON7sj7O2wx/V62dw3ZTNUiiBsy6n2s9auFBIJvdFIoc+VJwk7J+yYSYX9YArlLQx5SmGoNETrc0u59CHTBTKEJg6RTz24DW3brtWqG7CVyyEbsiVPU/AmaQrZBL0sRI00y5DnBU9vmj4eHC6HvFp7dbxuWv5D4PPIIZPsssj5hV+JiucjgW4eMezDc1o3rRzzx4SdsojyDlf/Cvz8W+DqtsF1pHEdWfwizC3+xBY3scXvuV2dR8N6bnGT9IjFAp3uMctri/MfGvunLd5+bbH3rcPeicbeiWG8PzP4dOGwf+bOQrw7MfhwbnD63SKtLWZ3hcGXS41XRxJPDiSefVzH80OJ18cd3hx3eHF4//rTA4mXRxKfLzRuC4v/krRIRdonSvcAAAAASUVORK5CYII=",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#686869",
          "foreground": "#fff",
          "population": 0.12,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#0d63d2",
          "foreground": "#fff",
          "population": 0.29,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#166af3",
          "foreground": "#fff",
          "population": 1.99,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#d7c4ba",
          "foreground": "#000",
          "population": 0.01,
          "title": "#000"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#a3dcfc",
          "foreground": "#000",
          "population": 0.33,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#858584",
          "foreground": "#fff",
          "population": 0.35,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#166af3",
          "foreground": "#fff",
          "population": 1.99,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "Screenshot-2020-04-10-at-09.43.22.png",
    "path": "images/rafvlnhi/production/a13074b8b1291de5c6868f309769023fbe50867d-910x1401.png",
    "sha1hash": "a13074b8b1291de5c6868f309769023fbe50867d",
    "size": 110414,
    "uploadId": "3VFMYVfPv9JQjqEkDioSBVdNp45T7ezH",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/a13074b8b1291de5c6868f309769023fbe50867d-910x1401.png"
  },
  "caption": "Create Entitlement Token Step",
  "link": null,
  "markDefs": null
}
```



In the example above, we will use the customer email address from the Shopify order as the Token Name, the order placement date as the Token Valid From date, and we will limit the number of downloads to 10.

You can then click “Continue” to test and review your selections, and then click “Done Editing” to complete this step.

**At this point, your Zap is now set up to create an Entitlement Token in your specified Cloudsmith Repository for every complete Shopify order that you receive.**

If we now create an order in Shopify, and then check the repository that we specified in the “Create Entitlement Token” action, we can confirm that the Entitlement Token has been created, with the details from the Shopify order:

```json
{
  "_key": "96f29e7e855b",
  "_type": "image",
  "alt": null,
  "asset": {
    "_createdAt": "2025-06-11T21:30:36Z",
    "_id": "image-9fc8f2358bff0ab25177164b5fe69453c02f437a-1203x402-png",
    "_rev": "IJur02g71mBjSRizOcAyLE",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-06-11T21:30:36Z",
    "assetId": "9fc8f2358bff0ab25177164b5fe69453c02f437a",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "DDRMPV%%TIMyEhtR=|xt%L-p",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 2.9925373134328357,
        "height": 402,
        "width": 1203
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABm0lEQVR4nD2PS2/TQBSF/etZdMEeCQWBkFgUQVXUFaJAG2jT1DRJm9K4dp7Ow48Zz4xfjaPkQ0kV7tEn3XsW5+hauTak2qBMhtAFQufI7W5yYlOiiyXZckW2rJ6p1siywJFDrhd3NBdjGoGhHRcERYWllUEpjVSaWCriWCKimDgURJFEyAS9LU1TjMl2xaGMcWYOnXGHzqBHy+vTnfjMEoOV6BSlDcYYVBSRTEZoz0O5LnHfI3AdJndtHu0releXeHYT/7bFpNtmdt8iaJ4zrx/jt06ZjvrbQIM2hjzPKVSCmo4RrotyPdRoyPRvl/Ojj7x/ecCbgxec1F7R+/aVeeMCcX2Brp8Qfn/H0P7MYNjFioQilgkmyynLcvfeIhAkQvOUZcgwwD77wae3NQ5rrzn7csTEbpLc2JhOg/Shzsw55WH0m37sYd32A24eZ9yPIhZJTv5U7Viu1qzXa6pqiZKCxdRn7vvIMKRUCZUQrJKIVRaRFxGyFJgqxTpuDPjw0+Hwl8cfLyYtKzabDf9ns9nd2/A9e38Hz+z1Dw9UA8bZpVH5AAAAAElFTkSuQmCC",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#30381c",
          "foreground": "#fff",
          "population": 0.01,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#ae2136",
          "foreground": "#fff",
          "population": 0.01,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#c1c9cb",
          "foreground": "#000",
          "population": 2.57,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#c1c9cb",
          "foreground": "#000",
          "population": 2.57,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#f3cc71",
          "foreground": "#000",
          "population": 0.05,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#55aa59",
          "foreground": "#fff",
          "population": 0.94,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#bc2c15",
          "foreground": "#fff",
          "population": 0.22,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "image.png",
    "path": "images/rafvlnhi/production/9fc8f2358bff0ab25177164b5fe69453c02f437a-1203x402.png",
    "sha1hash": "9fc8f2358bff0ab25177164b5fe69453c02f437a",
    "size": 137888,
    "uploadId": "oVube9cm418FbUAk6FVPCXMivDwFndYQ",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/9fc8f2358bff0ab25177164b5fe69453c02f437a-1203x402.png"
  },
  "caption": "Token created in Cloudsmith Repository",
  "link": null,
  "markDefs": null
}
```

You may wish to add an additional output step to the Zap that could, for example, email the Entitlement Token to your customer directly or maybe use an additional Zapier app to integrate with your chosen mail or CRM platform - This would enable you keep a track of Entitlement Tokens so that you can automatically disable them using the “Disable Entitlement Token” action in the Cloudsmith Zapier integration (perhaps if a customer unsubscribes or cancels)

We hope that this demonstrates how simple it is to automate a payment and token creation workflow for a Cloudsmith repository. There are many integrations available on the Zapier platform and we are pleased to be able to offer this official Cloudsmith integration as an option for our customers that use the Cloudsmith platform for distribution. As always, if you need any help, guidance or additional information please just [contact us](/company/contact-us) and we will be happy to work through it with you!  


Happy order processing! :-)  
  














You spoke, we listened!

Cloudsmith is all about giving developers the tools they need to deliver great code as efficiently as possible. And that includes ensuring that to the greatest extent possible they don’t need to learn new tools and approaches to get the full benefit of our platform.

With that in mind **we’re delighted to announce improved support for Rust and the associated Cargo package manager**. Specifically, we now support the upload of Cargo packages to the Cloudsmith platform using the native Cargo publish command.

Whilst we’ve supported Rust and Cargo for some time, until now uploading to the Cloudsmith platform has been either through the Cloudsmith UI or via the Cloudsmith CLI. Support for Cargo publish now means that developers can stay within the Cargo / Rust environment they know when pushing packages to Cloudsmith.

Below is a very short video that shows exactly how this works:

```json
{
  "_key": "44ef71f115b7",
  "_type": "video",
  "id": "d6gxK5jXBWA",
  "markDefs": null,
  "thumbnail": {
    "_type": "image",
    "asset": {
      "_ref": "image-54a4771a727c691f7432707a8f03761b9c0906bc-480x360-jpg",
      "_type": "reference"
    }
  },
  "title": "Native Cargo Uploads In Cloudsmith",
  "url": "https://www.youtube.com/embed/d6gxK5jXBWA?feature=oembed"
}
```

Once there, of course, they are available within a private ‘single source of truth’ for software assets, that:

- Can be managed, secured and controlled in a systematic way
- Is available to teams and individuals within the organization anywhere in the world via a ‘web-scale’ cloud infrastructure
- Can be distributed on a commercial/licensed basis if necessary on the same basis
- Supports assets all common languages and formats (Rust and Cargo being just one of dozens of supported formats)

Our aim is to make getting to this point as simple and intuitive as possible for developers. We want to support existing workflows and existing environments, not replace them. So it’s important for us to ensure that for every format, publishing to the Cloudsmith repository can be done without having to use Cloudsmith itself.

This is one further step on that journey.

We are proud to announce the availability of Cloudsmith for CocoaPods.

One of the key attributes of the Cloudsmith platform is _universality_. We think it’s important that you can use Cloudsmith to manage packages and dependencies no matter what format they are in.

Taking this approach means distributed development teams have a single source of truth for _all_ their software assets, and can store, share and secure them all in exactly the same way and in the same place.

It also means that other processes within the DevOps stack only need to speak to one partner rather than many, with a consequent reduced risk of things going wrong.

Result: **faster delivery pipelines, less broken builds, happy customers**.

### Introducing CocoaPods

To ensure that Cloudsmith is and remains a ‘universal’ package management solution, we continue to add formats and extend the scope of the platform. Hence the launch today of our support for CocoaPods.

[CocoaPods](https://cocoapods.org/) is the dependency manager for Swift or ObjectiveC packages (or Pods in this context) used within Cocoa projects. And [Cocoa](https://en.wikipedia.org/wiki/Cocoa_(API)) is the framework within which MacOS and iOS applications are developed.

As a result, Cocoa and CocoaPods are popular. [In 2019 Swift was the 6th most loved programming language in the Stack Overflow developer survey](https://codeburst.io/10-top-programming-languages-in-2019-for-developers-a2921798d652) and the 10th most active language on GitHub.

It is also commonly used alongside other formats and languages (no surprise for a framework focused solely on MacOS and iOS) so being just one of many popular formats supported by Cloudsmith really matters.

It’s easy to get control of your Pods. In fact it only [takes a minute to set up a private repository](https://cloudsmith.io/user/signup/) with Cloudsmith. The short demo video below should help you get started:

```json
{
  "_key": "91d21c617ce5",
  "_type": "video",
  "id": "VHhSZ8MqCDc",
  "markDefs": null,
  "thumbnail": {
    "_type": "image",
    "asset": {
      "_ref": "image-69c3f55bbd9b01dfbe8dedf3ad373237ef6e014a-480x360-jpg",
      "_type": "reference"
    }
  },
  "title": "Getting Started with CocoaPods and Cloudsmith",
  "url": "https://www.youtube.com/embed/VHhSZ8MqCDc?feature=oembed"
}
```

This short demo shows how easy it is to get started with your own private CocoaPods repository.

Then your entire team can enjoy cloud-native, secure and universal package management - with none of the hassles associated with managing an on-premises solutions.

Taking the Cloudsmith approach allows development teams to:

- Develop Pods internally and share them privately to other teams
- Distribute and deploy your own Pods in a pipeline at your org
- Distribute Pods as commercial software
- Make modifications to public Pods, without republishing publicly
- Mirror public Pods and isolate from uncontrolled upstream issues
- Capture the exact state of your dependencies at a particular version/release
- Control (whitelist/blacklist) the exact Pods allowed for your org
- Keep track of the exact versions/releases of the Pods you have/use

In short: **deliver all the benefits of Cloudsmith that are already enjoyed by development teams all over the world today**.

If you want to join them, [sign up today](https://cloudsmith.com/signup/) and start hosting and distributing your Pods with Cloudsmith!
