Desktop · Install
Install the desktop app.
Axiom on your workstation: local Terraform execution, OS keychain credential storage, native notifications, and background scanning. macOS preview now; Windows Q2 2026; Linux Q3 2026.
Where each platform is right now
desktop-v* tag. Signing + notarization activate automatically when Apple Developer + Windows EV cert secrets are configured — until then, builds are honestly labelled developer build · unsigned with a one-time install-friction step per OS (see below). The web platform is fully available now.01
Web vs desktop — when to install
Both surface the same operational data. The desktop app unlocks:
- Local execution — Terraform applies run from your workstation using your own AWS CLI profile, never through Axiom's cloud
- OS keychain credentials — AWS credentials remain in macOS Keychain / Windows Credential Manager / Linux libsecret, never in the app
- Background scanning — menu-bar agent runs scans on schedule without keeping a browser tab open
- Native notifications — approval requests, drift alerts, scan completions delivered via OS notifications
- Offline audit export — drag-and-drop audit log export to SIEM, no browser needed
- Workstation mode — enterprise option that disables all outbound telemetry; all operational data stays on your machine
02
Install — macOS (Apple Silicon + Intel)
Download from /download
Visit /download. The page auto-detects Apple Silicon vs Intel and links to the matching .dmg from the latest desktop-v* GitHub release.
Open the .dmg + drag to Applications
Mount the disk image. Drag Axiom Agent to /Applications. Eject the DMG.
First launch — handle Gatekeeper honestly
When Apple Developer ID signing + notarization secrets are configured, double-click runs the app cleanly. Until then: right-click the app in /Applications → Open → Open again at the prompt. macOS records the one-time exception and won't prompt again.
Sign in to your workspace
The app opens to a sign-in screen. Use your existing Axiom credentials. After auth, it pairs the workstation and starts receiving HMAC-signed handoffs.
03
Install — Windows x64
Download the .msi
The desktop-v* GitHub release contains a Windows MSI installer.
SmartScreen first-run dialog (unsigned builds)
When the EV code-signing certificate is configured in CI, the installer runs cleanly. Until then: when Windows SmartScreen warns, click More info → Run anyway. The MSI is published from a verified CI pipeline and only carries developer-mode binaries.
Standard MSI install
Walk through the installer. The app installs to %LocalAppData%\Programs\Axiom Agent and pins to the Start menu.
Sign in
Same Axiom credentials as the web. The desktop pairs your workstation on first sign-in.
04
Install — Linux x64
Pick a packaging format
Each release ships an .AppImage, a .deb, and a .rpm. AppImage works on every distribution; .deb covers Debian/Ubuntu; .rpm covers RHEL/Fedora.
AppImage — chmod + run
Linux doesn't require signing for end-user run. Make the AppImage executable and double-click:
chmod +x ./Axiom-Agent-*.AppImage ./Axiom-Agent-*.AppImage
.deb — sudo dpkg -i
sudo dpkg -i axiom-agent_*_amd64.deb
.rpm — sudo rpm -i
sudo rpm -i axiom-agent-*.x86_64.rpm
Sign in
Launch axiom-agent (or open from the application menu). Use your Axiom credentials to pair the workstation.
05
CLI binary — available now
If you want headless / CI/CD usage today, the axiom-cli binary is available cross-platform now:
brew install axiom-cli(macOS, Linux)scoop install axiom-cli(Windows)npm install -g @axiomops/cli(cross-platform)
The CLI supports scanning, plan export, approval, and apply — same operations as the desktop app, headless.
Trust questions
What does the desktop app do that the web doesn't?
Local Terraform execution, OS-keychain credential storage, background agent with native notifications, offline audit export, optional workstation mode.
Why install it?
Stricter security posture, reduced cloud round-trip latency, and ability to work offline.
Is the desktop app safe?
Binaries publish from a public CI pipeline you can inspect. Signing + notarization activate the moment Apple Developer + Windows EV cert secrets are configured. The HMAC handoff signer + local-apply block are enforced on every build, signed or unsigned.
Where are credentials stored?
OS keychain (macOS Keychain / Windows Credential Manager / Linux libsecret). Never in the app's own files.
Can I revoke?
Sign out + uninstall. Credentials in OS keychain are removed on sign-out.
What if my org blocks Apple-signed apps?
Enterprise deployment via managed Apple Business Manager / Jamf is supported on the Enterprise tier.
Need a human?
Most flows are documented — but we'll help if anything is unclear.