A Proposal for an Open Credential Lifecycle Standard


abrambailey/proposal.md

Created June 7, 2026 08:39


Modern software depends on API keys, service tokens, database credentials, webhook secrets, cloud roles, OAuth clients, and environment variables scattered across local machines, CI systems, hosting platforms, cloud providers, analytics tools, databases, and third-party services.

The industry has made real progress on storing secrets more safely. But the larger problem remains unsolved: developers and teams still lack a standard way to create, scope, locate, rotate, revoke, and audit credentials across services.

When everything is working, this is annoying. After a supply-chain compromise, leaked .env file, malicious dependency, stolen laptop, or exposed CI environment, it becomes a crisis. “Rotate your keys” sounds simple, but in practice it means remembering every vendor dashboard, every project, every secret store, every local script, every GitHub Action, every Vercel/Netlify/Cloudflare environment, every database connection, and every forgotten analytics job that might depend on a credential.

We need a better convention.

The problem

Today, credential management is fragmented in five major ways:

1. Credential creation is vendor-specific. Every service hides key creation, scoping, and rotation in a different admin interface.

2. Credential purpose is often undocumented. A key may be named API_KEY_PROD, but that rarely tells us who created it, what it can do, why it exists, or which systems depend on it.

3. Credential usage is hard to inventory. The same key may be copied into local .env files, CI secrets, hosting environments, background jobs, serverless functions, notebooks, scripts, and dashboards.

4. Rotation is brittle. Replacing a key safely requires knowing all dependent systems, updating them in the right order, testing them, and only then revoking the old credential.

5. Compromise recovery is too manual. After a breach, teams are told to rotate everything, but there is no universal machine-readable map of what "everything" means.

The proposal

Create an open, vendor-neutral convention for credential lifecycle management.

At minimum, every service that issues credentials should expose a standardized, machine-readable credential manifest, for example:

/.well-known/credential-issuer

This manifest would describe what credential types the service supports, how credentials can be requested, what scopes or permissions are available, how credentials can be rotated or revoked, and how usage/audit metadata can be retrieved.
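As an added illustration (not part of the gist), here is what tooling built on such a manifest could look like: a Python script that parses a constructed sample manifest as it might be served at the proposed /.well-known/credential-issuer path, reports which of the five lifecycle facets each credential type leaves undocumented, and derives the safe rotation order described under "Rotation is brittle" (issue new, update and verify every dependent, only then revoke the old value). The JSON field layout (credential_types, request, scopes, rotate, revoke, audit) and the example.test endpoints are assumptions for this example; the proposal fixes no schema.

```python
import json

# Constructed sample manifest; the field layout is an assumption for this
# example, not a published schema.
SAMPLE_MANIFEST = json.dumps({
    "issuer": "https://api.example.test",
    "credential_types": {
        "api_key": {
            "request": {"method": "POST", "path": "/v1/keys"},
            "scopes": ["read:orders", "write:orders", "admin"],
            "rotate": {"method": "POST", "path": "/v1/keys/{id}/rotate"},
            "revoke": {"method": "DELETE", "path": "/v1/keys/{id}"},
            "audit": {"method": "GET", "path": "/v1/keys/{id}/usage"},
        },
        "webhook_secret": {
            "request": {"method": "POST", "path": "/v1/webhooks"},
            "scopes": [],
            "revoke": {"method": "DELETE", "path": "/v1/webhooks/{id}"},
        },
    },
})

# The five facets the proposal says a manifest should cover.
FACETS = ("request", "scopes", "rotate", "revoke", "audit")

def load_manifest(text):
    """Parse the manifest; return {credential_type: [missing facets]}."""
    data = json.loads(text)
    types = data.get("credential_types")
    if not isinstance(types, dict) or not types:
        raise ValueError("manifest declares no credential types")
    return {name: [f for f in FACETS if f not in spec]
            for name, spec in types.items()}

def rotation_plan(text, cred_type, dependents):
    """Ordered steps to replace one credential: issue new, update every
    dependent, verify, and only then revoke the old value."""
    spec = json.loads(text)["credential_types"].get(cred_type)
    if spec is None:
        raise ValueError(f"{cred_type}: unknown credential type")
    # A type with no dedicated rotate endpoint can still be replaced by
    # requesting a fresh credential, as long as the old one can be revoked.
    issue = spec.get("rotate") or spec.get("request")
    if issue is None or "revoke" not in spec:
        raise ValueError(f"{cred_type}: manifest gives no safe way to replace it")
    steps = [f"issue replacement via {issue['path']}"]
    steps += [f"update {d}" for d in dependents]
    steps += [f"verify {d}" for d in dependents]
    steps.append(f"revoke old via {spec['revoke']['path']}")
    return steps
```

Run against the sample, webhook_secret shows up as lacking rotate and audit facets, and its plan falls back to request-then-revoke.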

The goal is not to replace OAuth, OIDC, passkeys, workload identity, Vault, 1Password, Infisical, Doppler, cloud IAM, or existing secrets managers. The goal is to create a common lifecycle layer that...
