Just-In-Time Access

Request temporary elevated access with approval workflows and automatic expiration.

How JIT Access Works

Just-In-Time (JIT) access provides temporary credentials that are created on-demand, reducing standing privileges and minimizing the blast radius of compromised credentials.

  • Request - Identity requests access
  • Approve - Manager or auto-approval
  • Grant - Temporary credential issued
  • Expire - Auto-revocation after TTL

Request Flow

Create JIT Request
POST /api/v1/credentials/jit
Content-Type: application/json

{
  "identityId": "id_abc123",
  "reason": "Emergency production database access",
  "scopes": ["read:database", "write:database"],
  "duration": "4h",
  "notifyChannels": ["slack", "email"]
}

Response (Pending Approval)
{
  "id": "jit_xyz789",
  "status": "PENDING",
  "requestedAt": "2024-01-15T10:30:00Z",
  "expiresAt": null,
  "approvers": [
    {
      "email": "security@company.com",
      "status": "PENDING"
    }
  ]
}

Approval Policies

Manual Approval

Requires explicit approval from designated approvers. Supports multi-party approval for sensitive resources.

Auto-Approval

Approved automatically when policy conditions are met, such as time, risk score and previous access patterns.

Time-Bound

Approvals valid for a limited time. Requests expire if not approved within the window.

Escalation

Automatic escalation if the primary approvers don't respond within the SLA.

Auto-Approval Rules

Configure automatic approval for low-risk requests:

Auto-Approval Policy
{
  "name": "dev-environment-auto-approve",
  "autoApprove": true,
  "conditions": [
    {
      "type": "RESOURCE",
      "operator": "STARTS_WITH",
      "value": "dev:"
    },
    {
      "type": "DURATION",
      "operator": "LESS_THAN",
      "value": "2h"
    },
    {
      "type": "RISK_SCORE",
      "operator": "LESS_THAN",
      "value": 30
    }
  ],
  "maxDuration": "4h",
  "maxUsage": 100
}
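To make the semantics of the policy above concrete, here is an added example (not the product's own code) that evaluates a request against the conditions: every condition must hold, anything beyond maxDuration or any unrecognised condition falls back to manual approval rather than being granted. The request's "resource" field, the risk_score input and the AND/fail-closed semantics are assumptions, since the page shows only the policy document.

```python
import re
from datetime import timedelta

# Auto-approval policy copied from the page above.
POLICY = {
    "name": "dev-environment-auto-approve",
    "autoApprove": True,
    "conditions": [
        {"type": "RESOURCE", "operator": "STARTS_WITH", "value": "dev:"},
        {"type": "DURATION", "operator": "LESS_THAN", "value": "2h"},
        {"type": "RISK_SCORE", "operator": "LESS_THAN", "value": 30},
    ],
    "maxDuration": "4h",
    "maxUsage": 100,
}

# Operator semantics are assumed; the page names only these two operators.
OPERATORS = {
    "STARTS_WITH": lambda actual, expected: actual.startswith(expected),
    "LESS_THAN": lambda actual, expected: actual < expected,
}

def parse_duration(text):
    """Parse '4h', '30m' or '1h30m' into a timedelta; reject anything else."""
    m = re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)

def evaluate(policy, request, risk_score):
    """Return 'APPROVED' or 'PENDING' (manual approval); fails closed on any miss."""
    if not policy.get("autoApprove"):
        return "PENDING"
    requested = parse_duration(request["duration"])
    if requested > parse_duration(policy["maxDuration"]):
        return "PENDING"  # beyond the policy's hard cap: never auto-approve
    # 'resource' on the request and risk_score from a risk engine are assumed inputs.
    facts = {"RESOURCE": request.get("resource", ""),
             "DURATION": requested, "RISK_SCORE": risk_score}
    for cond in policy["conditions"]:  # every condition must hold (AND)
        if cond["type"] not in facts or cond["operator"] not in OPERATORS:
            return "PENDING"  # unknown condition type or operator: fail closed
        expected = cond["value"]
        if cond["type"] == "DURATION":
            expected = parse_duration(expected)
        if not OPERATORS[cond["operator"]](facts[cond["type"]], expected):
            return "PENDING"
    return "APPROVED"
```

A request for "dev:database" with duration "1h" and risk score 10 is approved; the same request against "prod:database", for exactly "2h", or with a risk score of 30 stays PENDING for a human approver.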

Key Features

  • Zero Standing Privileges - No permanent access; credentials created only when needed
  • Automatic Revocation - Credentials expire automatically after TTL or task completion
  • Full Audit Trail - Every request, approval, and action is logged for compliance
  • Slack/Teams Integration - Approvers receive notifications and can approve from chat
  • Break-Glass Emergency Access - Bypass workflows for critical incidents with extra logging

Credential Format

JIT credentials use a special prefix to identify temporary access:

JIT Credential
// JIT credentials have a special prefix
kd_jit_abc123def456...

// Standard credential for comparison
kd_live_xyz789ghi012...