API Tokens
Static tokens for CI/CD pipelines, scripts and any environment where you need a simple Bearer token. Tokens have a fixed expiration and can be rotated or revoked at any time.
Kubernetes (OIDC)
Zero-secret authentication for Kubernetes workloads. Your pods prove their identity using short-lived tokens issued by the cluster. No static credentials stored anywhere.
How it works
Both credential types follow the same pattern:
- You register a credential in Enkryptify (with a name, permission and scope)
- Your application presents the credential to the Enkryptify API
- Enkryptify validates it and returns a short-lived JWT (15 minutes)
- Your application uses the JWT to read or write secrets
Which one should I use?
| | API Token | Kubernetes (OIDC) |
|---|---|---|
| Best for | CI/CD, scripts, non-Kubernetes servers | Kubernetes pods |
| Credential lifetime | Days to months (you choose) | ~1 hour (auto-rotated by Kubernetes) |
| Stored as a secret | Yes (you store the ek_live_* token) | No (generated dynamically) |
| Blast radius if leaked | Valid until expiration or revocation | Valid for ~1 hour max |
| Setup complexity | Copy-paste a token | Configure a service account + projected volume |
Permissions and scope
Both credential types support the same permission and scope model:
- Permission controls what the credential can do: Read only or Read & Write
- Scope controls what the credential can access: the entire workspace, or specific teams, projects and environments
Managing credentials
All credentials are managed from the Credentials page in the dashboard sidebar. Both API tokens and Kubernetes identities appear in a single table, sorted by creation date. From the table you can:
- See who created each credential and when it was last used
- Revoke any credential immediately (the underlying JWT becomes invalid within 15 minutes)
- Rotate API tokens (generates a new token value with the same settings)
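
The client side of the exchange in "How it works", together with the 15-minute revocation window noted above, as an added example (not Enkryptify's own code): a cache that holds the short-lived JWT in memory and re-exchanges before expiry, plus an upper bound on how long an already-issued JWT outlives a revocation. The `exchange` callable standing in for the Enkryptify API call, the standard `exp` claim in the JWT, and all function names are assumptions.

```python
import base64, json, time

JWT_LIFETIME_S = 15 * 60  # the page states the returned JWT lives 15 minutes

def jwt_claims(token):
    """Read the claims of a compact JWT without verifying it (for local timing only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

class JwtCache:
    """Keep the short-lived JWT in memory and re-exchange shortly before it expires."""
    def __init__(self, exchange, skew_s=60, clock=time.time):
        self._exchange = exchange  # hypothetical callable: presents the credential, returns a JWT
        self._skew, self._clock = skew_s, clock
        self._token, self._exp = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._exp - self._skew:
            token = self._exchange()
            exp = jwt_claims(token).get("exp")  # assumption: the JWT carries a standard exp claim
            cap = now + JWT_LIFETIME_S  # never reuse a token past the documented lifetime
            self._exp = min(exp, cap) if isinstance(exp, (int, float)) else cap
            self._token = token
        return self._token

def residual_exposure_s(token, revoked_at):
    """Upper bound, in seconds, on how long an issued JWT stays usable after revocation."""
    return max(0, jwt_claims(token)["exp"] - revoked_at)

def sample_jwt(iat):
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iat": iat, "exp": iat + JWT_LIFETIME_S}), ""])

if __name__ == "__main__":
    cache = JwtCache(lambda: sample_jwt(int(time.time())))
    jwt = cache.get()
    print("JWT still usable for", residual_exposure_s(jwt, int(time.time())), "s if revoked now")
```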