15-Factor App
Principles for Cloud-Native Applications

The original 12-Factor App principles from Heroku were groundbreaking for cloud-native development. With the evolution of cloud infrastructure, microservices and security requirements, three more essential factors were added: API First, Telemetry and Authentication & Authorization.

The first three factors form the foundation for reproducible and maintainable cloud applications. They define how code is managed, dependencies declared and configuration separated from code.

1. Codebase

One codebase, many deployments. Each application is managed in a single version control system. Different versions are deployed in different environments – dev, staging, production – but all stem from the same codebase.

2. Dependencies

Explicitly declare and isolate. All dependencies must be explicitly declared (e.g. via requirements.txt, package.json, go.mod). The application must never rely on system-wide packages.

3. Config

Store config in the environment. Everything that varies between deployments (credentials, URLs, feature flags) belongs in environment variables – never in code. This enables secure and flexible deployments.

These factors define how applications interact with external services and how the lifecycle from build to runtime is organized. They promote loose coupling and clear separation of deployment phases.

4. Backing Services

Treat services as attached resources. Databases, message queues, SMTP servers and other backing services are treated as swappable resources. A change should only require a config change, not a code change.

5. Build, Release, Run

Strict separation of build and run stages. Build creates a deployment artifact from code, release combines build with config, run executes the application. These stages must never mix.

6. Processes

Execute app as stateless processes. Processes should be stateless and share-nothing. Persistent state belongs in backing services like databases or object storage, never in process memory.

The factors for modern network architecture and horizontal scaling. They describe how services are exposed, how scaling works and why fast startup times are critical.

7. Port Binding

Export services via port binding. The application is fully self-contained and exposes services via port binding (e.g. HTTP on port 8080). It is not dependent on an external web server like Apache or nginx.

8. Concurrency

Scale out via the process model. Scaling happens horizontally by starting more processes, not vertically via larger machines. Different workload types (web, worker, cron) are treated as separate process types.

9. Disposability

Robustness through fast startup and graceful shutdown. Processes should start in seconds and shut down cleanly on SIGTERM. This enables fast scaling, robust deployments and fault tolerance.

These factors address daily operations: How does dev/prod stay in sync? How are logs handled? And how do you run administrative tasks without violating the 12-factor principles?

10. Dev/Prod Parity

Keep dev, staging and production as similar as possible. Minimize time, personnel and technical differences between environments. Developers should be able to do their own deployments, and all environments should use the same backing services.

11. Logs

Treat logs as event streams. The application writes logs to stdout/stderr and does not concern itself with routing or storage. This enables flexible log aggregation and analysis by external tools like Loki or VictoriaLogs.

12. Admin Processes

Run admin tasks as one-off processes. Database migrations, one-time scripts or REPL sessions are executed in the same environment as regular application processes – with the same codebase and config.

The three new factors reflect the evolution of modern cloud architectures: API-First Design for interoperability, Telemetry for observability and Authentication & Authorization for zero-trust security.

13. API First

Design APIs first, then implement. Define API contracts with OpenAPI/Swagger before writing code. This enables parallel development, early stakeholder alignment, automatic documentation and mock services – and significantly reduces dependencies between teams.

14. Telemetry

Observability through metrics, traces and events. Logs alone are not enough – modern applications need structured metrics, distributed tracing and real-user monitoring. Telemetry enables proactive monitoring, faster debugging and data-driven decisions in complex microservice environments.

15. Authentication & Authorization

Security from the start, in every layer. All API endpoints must be authenticated and authorized. Use modern standards like OAuth2, OpenID Connect and JWT. Implement Role-Based Access Control (RBAC) and serve exclusively over HTTPS.

The original 12 factors were defined in 2011 – an era before microservices dominance, container orchestration and zero-trust security. The three new factors are not optional, but essential for modern cloud-native applications:

Our Managed Kubernetes platform is specifically designed for 15-factor applications. From automatic TLS certificates to integrated observability to identity & access management – we offer everything modern cloud-native apps need.