Credential Management
Secure credential generation, rotation, and distribution for your non-human identities.
Features
Secure Generation
Cryptographically secure credential generation with configurable entropy.
Auto Rotation
Schedule automatic rotation with zero-downtime credential rollover.
Encryption at Rest
AES-256 envelope encryption for all stored credentials.
TTL & Expiration
Time-bound credentials that automatically expire after use.
Credential Format
VeraID credentials follow a structured format for easy identification:
Environment: live, test, or jit
Random: 32-character secure random string
Creating Credentials
POST /api/v1/credentials
Content-Type: application/json

{
  "identityId": "id_abc123",
  "name": "production-api-key",
  "scopes": ["read:data", "write:data"],
  "expiresAt": "2025-12-31T23:59:59Z",
  "usageLimit": 10000,
  "metadata": {
    "purpose": "Production API access"
  }
}

// Response
{
  "id": "cred_xyz789",
  "key": "kd_live_abc123def456...", // Only shown once!
  "name": "production-api-key",
  "scopes": ["read:data", "write:data"],
  "expiresAt": "2025-12-31T23:59:59Z",
  "createdAt": "2024-01-15T10:30:00Z"
}

The credential key is only returned once at creation time. Store it securely in your secret management system. VeraID only stores a hash for verification.
Rotation Policies
Configure automatic rotation to maintain security without manual intervention:
{
  "rotationPolicy": {
    "enabled": true,
    "intervalDays": 30,
    "gracePeriodHours": 24,
    "notifyBeforeDays": 7
  }
}

During the grace period, both the old and new credentials remain valid, allowing for zero-downtime rotation in distributed systems.
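The hash-only storage and the grace-period overlap described above can be modelled locally. This is an added example, not VeraID's implementation: the SHA-256 digest, the in-memory CredentialStore class and its method names are assumptions, and the key shape follows the sample key shown on this page.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def new_key(env="live"):
    # Shape taken from the page's sample key: kd_<environment>_<32 random chars>
    return f"kd_{env}_" + "".join(secrets.choice(ALPHABET) for _ in range(32))

def digest(key):
    # Assumption: SHA-256. Suitable for high-entropy random keys, not for passwords.
    return hashlib.sha256(key.encode()).digest()

class CredentialStore:
    """Hypothetical in-memory store that keeps digests only, never the key."""

    def __init__(self, grace_hours=24):
        self.grace = timedelta(hours=grace_hours)
        self.records = []  # each: {"digest": bytes, "expires_at": datetime | None}

    def issue(self, env="live"):
        key = new_key(env)
        self.records.append({"digest": digest(key), "expires_at": None})
        return key  # returned once; the caller must store it

    def rotate(self, now, env="live"):
        # Currently active keys stay valid until the grace period ends.
        for rec in self.records:
            if rec["expires_at"] is None:
                rec["expires_at"] = now + self.grace
        return self.issue(env)

    def verify(self, key, now):
        candidate = digest(key)
        valid = False
        for rec in self.records:
            # Constant-time comparison; scan every record rather than exit early.
            match = hmac.compare_digest(rec["digest"], candidate)
            live = rec["expires_at"] is None or now < rec["expires_at"]
            valid |= match and live
        return valid

if __name__ == "__main__":
    t0 = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)  # constructed timestamp
    store = CredentialStore(grace_hours=24)
    old = store.issue()
    new = store.rotate(t0)
    print(store.verify(old, t0 + timedelta(hours=23)), store.verify(old, t0 + timedelta(hours=25)))
```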
Verification
Verify credentials in real-time with the verification endpoint:
POST /api/v1/credentials/verify
Content-Type: application/json

{
  "key": "kd_live_abc123def456..."
}

// Response
{
  "valid": true,
  "identityId": "id_abc123",
  "scopes": ["read:data", "write:data"],
  "expiresAt": "2025-12-31T23:59:59Z"
}