Skip to main content
Credentials let your services prove their identity to Enkryptify and retrieve secrets without a human login. Enkryptify supports API tokens for machine-to-machine access:

API Tokens

Static tokens for CI/CD pipelines, scripts and any environment where you need a simple Bearer token. Tokens have a fixed expiration and can be rotated or revoked at any time.

How it works

API tokens follow this pattern:
  1. You register a credential in Enkryptify (with a name, permission and scope)
  2. Your application presents the credential to the Enkryptify API
  3. Enkryptify validates it and returns a short-lived JWT (15 minutes)
  4. Your application uses the JWT to read or write secrets
The credential itself never grants direct access to secrets. It is always exchanged for a scoped, time-limited JWT first.

Permissions and scope

API tokens support the same permission and scope model used across Enkryptify:
  • Permission controls what the credential can do: Read only or Read & Write
  • Scope controls what the credential can access: the entire workspace, or specific teams, projects and environments
A credential can never exceed the permissions or scope of the user who created it. Members (read-only role) can only create read-only credentials. See Roles and permissions and Scoped access for details.

Managing credentials

Credentials are managed from the Credentials page in the dashboard sidebar. API tokens appear in a table sorted by creation date. From the table you can:
  • See who created each credential and when it was last used
  • Revoke any credential immediately (the underlying JWT becomes invalid within 15 minutes)
  • Rotate API tokens (generates a new token value with the same settings)