Gist: abrambailey/better-envs.md, created June 9, 2026 02:22
# A Proposal for an Open Credential Lifecycle Standard

## Why this matters
API keys and service credentials remain one of the messiest parts of modern software development.
The problem is not simply that secrets need to be stored securely. We already have good tools for that. The larger unsolved problem is that credentials are created, copied, scoped, stored, injected, rotated, revoked, and audited differently across every API provider, cloud platform, hosting service, CI system, database, analytics tool, and developer environment.
This becomes painful during normal development. It becomes critical after a compromise.
When a malicious npm package exfiltrates environment variables, a .env file leaks, a private GitHub repo is exposed, a CI log prints secrets, or a developer laptop is compromised, the standard advice is: "Rotate your keys."
But in practice, that means answering hard questions quickly:
- Which credentials were exposed?
- What can each credential access?
- Where is each credential used?
- Which projects, jobs, deploys, scripts, and dashboards depend on it?
- What is the safe order of rotation?
- Can we update the replacement everywhere before revoking the old key?
- How do we know production will not break?
- How do we prove the recovery was completed?
Today, there is no common, vendor-neutral way to answer those questions.
## What is new here
This proposal is not for another secrets manager, password vault, IAM system, OAuth flow, or secret scanner. Those tools already exist and many are excellent.
The missing piece is a shared credential lifecycle standard.
Existing tools solve pieces of the problem:
- Secrets managers store and sync credentials.
- Cloud IAM systems issue credentials inside specific cloud ecosystems.
- OIDC federation can reduce the need for long-lived secrets in supported CI/cloud workflows.
- OAuth and OIDC help with delegated authorization and identity.
- Secret scanners detect exposed credentials.
- Custom scripts can automate one vendor or one team's workflow.
But none of these provide a general, cross-vendor convention for discovering how credentials are created, scoped, approved, injected, inventoried, rotated, revoked, and audited across the broader software ecosystem.
The proposed new layer is a standard way for providers to expose credential lifecycle capabilities to approved tools and agents.
A simple starting point could be a machine-readable endpoint following the well-known URI convention (RFC 8615), such as:

`/.well-known/credential-issuer`

This endpoint would tell developer tools how a provider handles credential creation, permission scopes, rotation, revocation, audit trails, and supported authentication methods. Because tooling would act on whatever this document claims, it would have to be fetched only over HTTPS from the provider's own origin, and a tool should not follow it to rotation or revocation endpoints on some other host any more than it would trust an OIDC discovery document whose issuer does not match.
The goal is to make credential lifecycle management discoverable, automatable, auditable, and interoperable.
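As an added example (not code from the proposal, and not any existing tool), the following Python sketches what a tool could do with the two pieces the text describes: the inventory questions an incident forces ("which credentials were exposed, where are they used, what is the safe rotation order, how do we prove recovery"), and a provider discovery document of the kind `/.well-known/credential-issuer` might return. The proposal defines no schema, so the field names (`issuer`, `rotation.supported`, `rotation.overlap`, `revocation.supported`), the provider hostnames and the inventory entries are all constructed assumptions for this example.

```python
"""Rotation planner over a credential inventory (example added for this page).

Not code from the proposal or from any existing tool. The metadata field
names ("rotation", "overlap", "revocation") are a hypothetical shape for
the /.well-known/credential-issuer document the proposal sketches; the
proposal does not define a schema, so treat them as assumptions.
"""
from dataclasses import dataclass
import json

# Constructed sample discovery documents, keyed by provider. Field names are
# assumptions for this example, not a published schema.
PROVIDER_METADATA = {
    "payments.example": json.loads(
        '{"issuer": "https://payments.example",'
        ' "rotation": {"supported": true, "overlap": true},'
        ' "revocation": {"supported": true}}'
    ),
    "legacy-smtp.example": json.loads(
        '{"issuer": "https://legacy-smtp.example",'
        ' "rotation": {"supported": true, "overlap": false},'
        ' "revocation": {"supported": true}}'
    ),
}


@dataclass(frozen=True)
class Credential:
    id: str
    provider: str
    scopes: tuple
    consumers: tuple  # projects, jobs, deploys that inject this credential


# Constructed inventory: what a team would need to already have on file.
INVENTORY = (
    Credential("pay-key-1", "payments.example", ("charges:write",), ("api-prod", "ci-deploy")),
    Credential("smtp-pass-1", "legacy-smtp.example", ("send",), ("api-prod", "alerts-cron")),
    Credential("analytics-1", "analytics.example", ("read",), ("dashboard",)),
)


def exposed_credentials(inventory, compromised_consumer):
    """Which credentials were reachable from the compromised laptop, job or repo?"""
    return [c for c in inventory if compromised_consumer in c.consumers]


def plan_rotation(cred, metadata):
    """Ordered steps for rotating one credential without breaking its consumers.

    With overlap support the safe order is: create replacement, update every
    consumer, verify, then revoke the old one. Without overlap the swap is a
    hard cutover, and the plan says so instead of pretending it is seamless.
    """
    meta = metadata.get(cred.provider)
    if meta is None:
        return [f"MANUAL: {cred.provider} publishes no lifecycle metadata; rotate {cred.id} by hand"]
    if not meta.get("rotation", {}).get("supported"):
        return [f"MANUAL: {cred.provider} does not expose rotation; rotate {cred.id} in its console"]

    new_id = f"{cred.id}-next"
    steps = [f"create {new_id} at {meta['issuer']} with scopes {list(cred.scopes)}"]
    if not meta["rotation"].get("overlap", False):
        steps.append(f"WARNING: {cred.provider} allows one valid credential at a time; "
                     f"{cred.id} stops working as soon as {new_id} exists, so run the next steps immediately")
    steps.extend(f"update {consumer}: {cred.id} -> {new_id}" for consumer in cred.consumers)
    steps.append(f"verify {new_id} works from {', '.join(cred.consumers)}")
    if meta.get("revocation", {}).get("supported"):
        steps.append(f"revoke {cred.id}")
    else:
        steps.append(f"MANUAL: {cred.provider} exposes no revocation; {cred.id} stays valid until revoked by hand")
    return steps


def incident_plan(inventory, metadata, compromised_consumer):
    """Everything the on-call engineer needs after 'api-prod was compromised'."""
    return {c.id: plan_rotation(c, metadata) for c in exposed_credentials(inventory, compromised_consumer)}


def recovery_complete(plan, done):
    """Proof of recovery: every planned non-manual step has been recorded as done."""
    pending = [s for steps in plan.values() for s in steps
               if not s.startswith(("MANUAL", "WARNING")) and s not in done]
    return not pending, pending


if __name__ == "__main__":
    plan = incident_plan(INVENTORY, PROVIDER_METADATA, "api-prod")
    for cred_id, steps in plan.items():
        print(cred_id)
        for step in steps:
            print("  -", step)
```

The point of the planner is the ordering: revocation is always the last step, and it is emitted only after every consumer has been updated and the replacement verified, which is what the "update everywhere before revoking" question asks for. A provider that cannot hold two valid credentials at once gets an explicit warning rather than a silent outage, and a provider with no metadata at all falls back to a manual step so the gap shows up in the recovery record instead of being forgotten.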
Core use...