When your application runs in production, there is no human to log in. Credentials let your services prove their identity to Enkryptify and retrieve secrets automatically. Enkryptify supports API tokens for machine-to-machine access:

API Tokens

Static tokens for CI/CD pipelines, scripts and any environment where you need a simple Bearer token. Tokens have a fixed expiration and can be rotated or revoked at any time.

How it works

API tokens follow this pattern:
  1. You register a credential in Enkryptify (with a name, permission and scope)
  2. Your application presents the credential to the Enkryptify API
  3. Enkryptify validates it and returns a short-lived JWT (15 minutes)
  4. Your application uses the JWT to read or write secrets
The credential itself never grants direct access to secrets. It is always exchanged for a scoped, time-limited JWT first.
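The exchange pattern above implies a small client-side cache: present the API token only when the current JWT is about to expire, and keep the JWT in memory only. The sketch below is an added example, not Enkryptify's own code or SDK. It assumes the returned JWT carries a standard `exp` claim; `exchange` is a hypothetical callable that presents the API token and returns the JWT, and `REFRESH_MARGIN` and the sample token are constructed for illustration.

```python
import base64
import json
import time

REFRESH_MARGIN = 60  # assumption: re-exchange this many seconds before expiry


def jwt_expiry(jwt):
    """Return the exp claim. The signature is not checked: the client only
    schedules its refresh with this value, the API still validates the JWT."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class JwtCache:
    """Keeps the short-lived JWT in memory; the API token stays in `exchange`."""

    def __init__(self, exchange, now=time.time):
        self._exchange, self._now = exchange, now
        self._jwt, self._exp = None, 0

    def get(self):
        if self._jwt is None or self._now() >= self._exp - REFRESH_MARGIN:
            jwt = self._exchange()  # hypothetical: presents the API token
            exp = jwt_expiry(jwt)
            if exp <= self._now():
                raise RuntimeError("exchange returned an expired JWT")
            self._jwt, self._exp = jwt, exp
        return self._jwt

    def invalidate(self):
        """Drop the cached JWT, e.g. after the API rejects it."""
        self._jwt, self._exp = None, 0


def make_constructed_jwt(exp):
    """Constructed sample token with a fake signature, for offline runs."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'exp': exp})}.sig"


if __name__ == "__main__":
    cache = JwtCache(lambda: make_constructed_jwt(int(time.time()) + 15 * 60))
    first = cache.get()
    assert cache.get() is first  # second call reuses the cached JWT
    print("JWT valid for", jwt_expiry(first) - int(time.time()), "seconds")
```

In a real service, `exchange` would read the API token from the environment or a mounted secret and should never log it.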

Permissions and scope

API tokens support the same permission and scope model used across Enkryptify:
  • Permission controls what the credential can do: Read only or Read & Write
  • Scope controls what the credential can access: the entire workspace, or specific teams, projects and environments
A credential can never exceed the permissions or scope of the user who created it. Members (read-only role) can only create read-only credentials. See Roles and permissions and Scoped access for details.

Managing credentials

Credentials are managed from the Credentials page in the dashboard sidebar. API tokens appear in a table sorted by creation date. From the table you can:
  • See who created each credential and when it was last used
  • Revoke any credential immediately (the underlying JWT becomes invalid within 15 minutes)
  • Rotate API tokens (generates a new token value with the same settings)