Term · 32. Workload Identity & Cloud-native
Short-Lived Credentials
Definition
Authentication tokens with a brief lifetime (minutes to hours) rather than long-lived secrets (months to years). The foundation of modern workload identity: services obtain short-lived tokens through OIDC federation and never store long-lived credentials, which reduces the blast radius of credential theft.
- Synonyms
  - Ephemeral credentials
  - Time-bound credentials
- Application
  - Regulatory: NIST SP 800-63 (Digital Identity Guidelines) · OWASP NHI Top 10 (2025) / SAMM
- Standards & regulations
  - NIST
  - OWASP
- Sources
  - AWS STS (Security Token Service) (primary source)
Related terms
- Secrets Management (SM): Centralized lifecycle management of API keys, database passwords, certificates, OAuth client secrets, encryption keys, a …
- Secrets Vaulting: Sub-discipline of Secrets Management focused on cryptographically secure storage and retrieval of machine credentials. V …
- Ephemeral Credentials: Credentials with very short lifetime (minutes) issued just-in-time and revoked after use. Replaces long-lived secrets in …
- Non-Human Identity (NHI): Identities for service accounts, API keys, OAuth client secrets, machine certificates, workload identities (AWS IAM role …
- AI Agent Credential Lifecycle Management: Specialised lifecycle workflows for AI agent credentials — provisioning short-lived tokens scoped to specific tasks, rot …
- AI Agent Identity: Identity assigned to an autonomous AI agent acting on behalf of a human or workflow. Distinct from human identities (wit …