Identity-Aware Proxy for Mercurial is no longer optional. Every repo you guard contains more than code—it contains the blueprint of your product. A password alone is a weak lock. An IP whitelist is a fence anyone can climb. The only real control is binding access to the person, not just an account.
An Identity-Aware Proxy sits between your Mercurial repositories and anyone trying to reach them. It verifies who they are before a single line of data moves. The proxy checks identity through secure authentication systems like OAuth, SAML, or OpenID Connect, then enforces fine-grained access policies. It can decide exactly which repo or branch a user can touch, and it can log every attempt with full context.
With Mercurial, speed is built in. The right Identity-Aware Proxy preserves that speed while adding a security layer that attackers can't fake. By integrating identity directly into the connection, you eliminate shared credentials, reduce lateral movement risk, and make offboarding instant. Developers work as usual, but every action is tied to a verified identity.
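
The per-repository policy check and audit record described above, as an added sketch that is not taken from any particular proxy product. It assumes the proxy has already verified the OpenID Connect token and passes its claims in, that group membership arrives in a `groups` claim, and that Mercurial's HTTP protocol names the operation in the `cmd` query parameter; the repository paths, group names and policy table are constructed, and branch-level rules are left out.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Assumption: hgweb wire-protocol commands that only read from the repository.
READ_CMDS = {"capabilities", "heads", "branchmap", "lookup", "known",
             "listkeys", "getbundle", "clonebundles"}

# Constructed policy: repository path -> group -> highest permitted action.
POLICY = {
    "/hg/payments": {"payments-dev": "write", "auditors": "read"},
    "/hg/website": {"web-dev": "write"},
}


def required_action(url):
    """Map a request URL to (repo, action).

    Default-deny classification: anything not known to be read-only,
    including unbundle, pushkey, batch (which wraps other commands) and
    unrecognised commands, is treated as a write.
    """
    parts = urlsplit(url)
    cmd = parse_qs(parts.query).get("cmd", [""])[0]
    action = "read" if cmd in READ_CMDS else "write"
    return parts.path.rstrip("/"), action


def authorize(claims, url):
    """Decide on already-verified claims; return (allowed, audit_line)."""
    repo, action = required_action(url)
    grants = POLICY.get(repo, {})  # unknown repository -> no grants -> deny
    levels = {grants[g] for g in claims.get("groups", []) if g in grants}
    allowed = "write" in levels or (action == "read" and "read" in levels)
    audit = json.dumps({
        "sub": claims.get("sub"),      # stable subject id from the IdP
        "email": claims.get("email"),
        "repo": repo,
        "action": action,
        "decision": "allow" if allowed else "deny",
    }, sort_keys=True)
    return allowed, audit


if __name__ == "__main__":
    # Constructed identity and request for a quick manual run.
    auditor = {"sub": "u-102", "email": "a@example.com", "groups": ["auditors"]}
    print(authorize(auditor, "https://hg.example.com/hg/payments?cmd=unbundle")[1])
```

Read-only users are denied `batch` in this sketch; parsing the batched command list instead of denying it is left out.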