Skip to main content
A KIT (Keydris Identity Token) is the short-lived, signed credential an agent presents to prove its identity and the policy it operates under. It is the link between an agent and the rules Keydris enforces on its behalf.

How issuance works

When you issue a KIT, Keydris generates a single-use bootstrap key. The agent exchanges that key once at the authorization webhook to complete authorization. The key is revealed a single time at issuance and consumed when the agent authorizes. Keydris stores only a reference to the token, never the raw bearer secret, so the plaintext value cannot be retrieved again.
The single-use key is shown only once. Copy it at issuance. Keydris does not store the raw value, so a lost key cannot be recovered and must be reissued.

The credential lifecycle

Each KIT is scoped to its work and does not outlive it. In the audit trail you can replay the full lifecycle of an ephemeral credential kit:
1

Issued

The kit is minted, scoped to the action, and assigned a requested time-to-live (TTL).
2

Used

The agent performs its action against a target resource. Keydris records whether the action was allowed or blocked.
3

Revoked

The kit is destroyed after use. Its credentials can no longer authenticate.

Expiration and revocation

A KIT carries an expiration you choose at issuance, such as 30, 90, or 365 days, or no expiry. Expired and revoked keys stop authorizing requests immediately. An agent must obtain a fresh KIT to continue. You can monitor upcoming expirations from the Key Management dashboard and rotate or revoke a key at any time.

Issue a KIT

Step-by-step issuance from the console.

Key Management

Track, rotate, and revoke agent credentials.