# Identity tokens (KITs)

> How agents prove who they are and the policy they run under.

A KIT (Keydris Identity Token) is the short-lived, signed credential an agent presents to prove its identity and the policy it operates under. It is the link between an agent and the rules Keydris enforces on its behalf.

## How issuance works

When you issue a KIT, Keydris generates a single-use bootstrap key. The agent exchanges that key once at the authorization webhook to complete authorization. The key is revealed a single time at issuance and consumed when the agent authorizes. Keydris stores only a reference to the token, never the raw bearer secret, so the plaintext value cannot be retrieved again.

<Warning>
  The single-use key is shown only once. Copy it at issuance. Keydris does not store the raw value, so a lost key cannot be recovered and must be reissued.
</Warning>
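
The reveal-once, consume-once pattern described above can be sketched as follows; this is an added illustration, not Keydris code or its API. The class name, the `key_id.secret` format, the SHA-256 digest used as the stored "reference", and the rule that reissuing invalidates an earlier key are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import threading


class BootstrapKeyStore:
    """Hypothetical server-side store: keeps a digest of each key, never the plaintext."""

    def __init__(self):
        self._records = {}             # key_id -> {"digest", "agent", "consumed"}
        self._lock = threading.Lock()  # makes check-and-consume atomic

    @staticmethod
    def _digest(secret: str) -> bytes:
        # Assumption: a plain SHA-256 suffices because the secret is 256 random bits.
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, agent: str) -> str:
        """Return the plaintext key once; only its digest is retained."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        with self._lock:
            # Assumption: reissuing for an agent invalidates its earlier keys.
            self._records = {k: r for k, r in self._records.items()
                             if r["agent"] != agent}
            self._records[key_id] = {"digest": self._digest(secret),
                                     "agent": agent, "consumed": False}
        return f"{key_id}.{secret}"

    def redeem(self, presented: str):
        """Return the agent name on the first valid use, otherwise None."""
        key_id, sep, secret = presented.partition(".")
        if not sep:
            return None
        with self._lock:
            record = self._records.get(key_id)
            if record is None:
                return None
            # Constant-time comparison of digests; a wrong guess does not burn the key.
            if not hmac.compare_digest(record["digest"], self._digest(secret)):
                return None
            if record["consumed"]:
                return None  # replay of an already-exchanged key
            record["consumed"] = True
            return record["agent"]

    def stored_values(self):
        """What a dump of the store would expose: digests only."""
        return [r["digest"] for r in self._records.values()]
```

Because the check and the `consumed` flag update happen under one lock, two concurrent exchanges of the same key cannot both succeed.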

## The credential lifecycle

Each KIT is scoped to its work and does not outlive it. In the audit trail you can replay the full lifecycle of an ephemeral credential kit:

<Steps>
  <Step title="Issued">
    The kit is minted, scoped to the action, and assigned a requested time-to-live (TTL).
  </Step>

  <Step title="Used">
    The agent performs its action against a target resource. Keydris records whether the action was allowed or blocked.
  </Step>

  <Step title="Revoked">
    The kit is destroyed after use. Its credentials can no longer authenticate.
  </Step>
</Steps>

## Expiration and revocation

A KIT carries an expiration you choose at issuance, such as 30, 90, or 365 days, or no expiry. Expired and revoked keys stop authorizing requests immediately. An agent must obtain a fresh KIT to continue. You can monitor upcoming expirations from the [Key Management](/features/key-management) dashboard and rotate or revoke a key at any time.

## Related

<CardGroup cols={2}>
  <Card title="Issue a KIT" icon="key" href="/guides/issue-a-kit">
    Step-by-step issuance from the console.
  </Card>

  <Card title="Key Management" icon="vpn-key" href="/features/key-management">
    Track, rotate, and revoke agent credentials.
  </Card>
</CardGroup>
