NHI Management

Non-Human Identity Management

secr tracks every machine credential in your organization — CI/CD tokens, AI agent identities, and OIDC bindings. Discover what exists, score its security posture, and enforce governance policies automatically.

Three Identity Types

secr manages three categories of non-human identity:

Machine Tokens

secr_mt_{env}_{hex}

Purpose-built CI/CD credentials with environment hints, lifecycle states (active/disabled/expired/revoked), rolling, and ownership tracking.

Machine token documentation →

Agent Identities

secr_agent_{hex}

Scoped tokens for AI coding agents (Claude Code, Cursor, Copilot). Secret allowlists restrict which keys agents can read. Mandatory expiry and kill switch.

OIDC Identities

Tokenless

Zero-secret CI/CD authentication. GitHub Actions, GitLab CI, AWS, GCP, and Kubernetes workloads exchange platform JWTs for short-lived secr access.

Discovery

secr nhi discover inventories every non-human identity in your organization and reports its type, status, age, and last-used timestamp.

CLI
$ secr nhi discover

  NHI Inventory — acme-corp
  ──────────────────────────────────────────────
  Type             Count   Active   At Risk
  Machine tokens     12       9        3
  Agent identities    4       3        1
  OIDC bindings       6       6        0
  ──────────────────────────────────────────────
  Total              22      18        4

  ⚠ 4 identities flagged — run `secr nhi posture` for details

Posture Scoring

Each identity receives a posture score (A–F) based on five dimensions:

  Dimension            What It Checks
  ──────────────────────────────────────────────────────────────────────
  Expiry               Token has an expiration date and it is within policy limits
  Rotation age         Token was rotated within the recommended window
  Scope                Token is scoped to a specific project, not org-wide
  Conditional access   IP, time window, or user-agent restrictions are configured
  Activity             Token has been used recently (not stale)

CLI
$ secr nhi posture

  Posture Report — acme-corp          Overall: B
  ──────────────────────────────────────────────
  Identity                    Score  Issues
  GitHub Actions prod (mt)      A    —
  Vercel deploy (mt)            C    No expiry, no IP restriction
  Claude agent (agent)          B    Broad secret scope
  Legacy deploy (mt)            F    Expired, never rotated, no scope
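The five dimensions above can be scored offline against any inventory export. The following is an added example, not secr's own scoring code: it models a machine token or agent identity as a record, checks each dimension, and maps the number of failing dimensions to a letter. The 90-day lifetime and rotation windows, the 30-day staleness window, the rule that an expired token is an outright F, the fixed clock and the sample inventory (which mirrors the four rows of the report above) are all assumptions made for illustration; OIDC bindings carry no long-lived secret and are left out.

```python
"""Posture scoring across five dimensions (added example, not secr's own code).
Thresholds, grade mapping and the sample inventory are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the constructed inventory scores deterministically (assumption).
NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)
DAY = timedelta(days=1)

# Policy windows; the page does not state secr's defaults (assumptions).
MAX_LIFETIME = 90 * DAY
ROTATION_WINDOW = 90 * DAY
STALE_AFTER = 30 * DAY


@dataclass
class Identity:
    name: str
    kind: str                                   # "mt" (machine token) or "agent"
    created_at: datetime
    expires_at: Optional[datetime] = None       # None: no expiry set
    last_rotated_at: Optional[datetime] = None  # None: never rolled
    last_used_at: Optional[datetime] = None     # None: never used
    scope: str = "org"                          # "org" (org-wide) or a project name
    ip_allowlist: list = field(default_factory=list)
    time_window: bool = False
    user_agent_pattern: Optional[str] = None


def check_identity(ident: Identity, now: datetime = NOW) -> list:
    """Return one issue string per failing dimension; empty list means all five pass."""
    issues = []

    # 1. Expiry: a date exists, lies in the future, and the lifetime is within policy.
    if ident.expires_at is None:
        issues.append("No expiry")
    elif ident.expires_at <= now:
        issues.append("Expired")
    elif ident.expires_at - ident.created_at > MAX_LIFETIME:
        issues.append("Lifetime exceeds policy")

    # 2. Rotation age: rolled within the window (issuance counts as the first roll).
    last_roll = ident.last_rotated_at or ident.created_at
    if now - last_roll > ROTATION_WINDOW:
        issues.append("Never rotated" if ident.last_rotated_at is None else "Rotation overdue")

    # 3. Scope: bound to a project, not the whole org.
    if ident.scope == "org":
        issues.append("Broad secret scope" if ident.kind == "agent" else "No scope")

    # 4. Conditional access: at least one IP, time-window or user-agent restriction.
    if not ident.ip_allowlist and not ident.time_window and ident.user_agent_pattern is None:
        issues.append("No IP restriction")

    # 5. Activity: used within the staleness window.
    if ident.last_used_at is None:
        issues.append("Never used")
    elif now - ident.last_used_at > STALE_AFTER:
        issues.append("Stale")

    return issues


def grade(issues: list) -> str:
    """A for no failing dimension, one letter down per failure; an expired token is
    an outright F regardless of the rest (assumption about the weighting)."""
    if "Expired" in issues:
        return "F"
    return "ABCDF"[min(len(issues), 4)]


def posture_report(inventory: list, now: datetime = NOW) -> dict:
    """Map identity name -> (grade, issues), the shape of the report above."""
    report = {}
    for ident in inventory:
        issues = check_identity(ident, now)
        report[ident.name] = (grade(issues), issues)
    return report


# Constructed inventory mirroring the sample report (not real data).
INVENTORY = [
    Identity("GitHub Actions prod", "mt", created_at=NOW - 20 * DAY,
             expires_at=NOW + 60 * DAY, last_used_at=NOW - timedelta(hours=2),
             scope="web-app", ip_allowlist=["203.0.113.0/24"]),
    Identity("Vercel deploy", "mt", created_at=NOW - 40 * DAY,
             last_used_at=NOW - DAY, scope="web-app"),
    Identity("Claude agent", "agent", created_at=NOW - 5 * DAY,
             expires_at=NOW + 2 * DAY, last_used_at=NOW - timedelta(hours=1),
             ip_allowlist=["198.51.100.0/24"]),
    Identity("Legacy deploy", "mt", created_at=NOW - 400 * DAY,
             expires_at=NOW - 35 * DAY, last_used_at=NOW - 90 * DAY),
]

if __name__ == "__main__":
    for name, (letter, issues) in posture_report(INVENTORY).items():
        print(f"{name:24} {letter}  {', '.join(issues) or '-'}")
```

Running the block reproduces the four grades in the report above (A, C, B, F). Because each dimension yields at most one issue, the grade is a direct function of how many dimensions fail, which keeps the score explainable to the token's owner.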

NHI Policies

Define org-level governance rules that are continuously enforced:

  Policy           Description
  ──────────────────────────────────────────────────────────────────────
  require-expiry   All new tokens must have an expiration date
  max-lifetime     Maximum token lifetime (e.g. 90 days)
  auto-disable     Disable tokens unused for N days
  brownout         Reject a gradually increasing percentage of requests from non-compliant tokens

CLI
# View current policies
secr nhi policies

# Set a policy
secr nhi policies set require-expiry --enabled
secr nhi policies set max-lifetime --days 90
secr nhi policies set auto-disable --after 30d
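The four policies enforce at different points: require-expiry and max-lifetime at issuance, auto-disable on a periodic sweep, and brownout on every request from a token that predates the policy. The following is an added example of that enforcement logic, not secr's own code. The brownout here is a linear ramp from 0% to 100% rejection over ten days, sampled deterministically per request by hashing the token id and a request nonce, so a given request gets the same answer on retry and the rejected share rises smoothly instead of flapping; the ramp, the 90/30-day defaults, the fixed clock and the sample tokens are assumptions.

```python
"""Enforcement of require-expiry, max-lifetime, auto-disable and brownout
(added example, not secr's own code). Defaults, the brownout ramp and the
sample tokens are assumptions."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)  # fixed clock (assumption)
DAY = timedelta(days=1)


@dataclass
class Policies:
    require_expiry: bool = True
    max_lifetime: timedelta = 90 * DAY
    auto_disable_after: timedelta = 30 * DAY
    # Brownout ramps from 0% to 100% rejection over `brownout_ramp`, starting at
    # `brownout_start`; the page only says rejection is gradual (assumption).
    brownout_start: datetime = NOW - 5 * DAY
    brownout_ramp: timedelta = 10 * DAY


@dataclass
class Token:
    token_id: str
    created_at: datetime
    expires_at: Optional[datetime] = None
    last_used_at: Optional[datetime] = None
    state: str = "active"                       # active / disabled / expired / revoked


def issuance_violation(expires_at: Optional[datetime], created_at: datetime,
                       pol: Policies) -> Optional[str]:
    """require-expiry and max-lifetime are checked when a token is minted.
    Returns the violated policy name, or None when the request is compliant."""
    if expires_at is None:
        return "require-expiry" if pol.require_expiry else None
    if expires_at - created_at > pol.max_lifetime:
        return "max-lifetime"
    return None


def sweep_auto_disable(tokens: list, pol: Policies, now: datetime = NOW) -> list:
    """auto-disable: flip active tokens unused for N days to disabled; return their ids."""
    disabled = []
    for tok in tokens:
        if tok.state != "active":
            continue
        last_activity = tok.last_used_at or tok.created_at
        if now - last_activity > pol.auto_disable_after:
            tok.state = "disabled"
            disabled.append(tok.token_id)
    return disabled


def brownout_fraction(pol: Policies, now: datetime = NOW) -> float:
    """Share of non-compliant traffic to reject right now: linear ramp clamped to [0, 1]."""
    elapsed = now - pol.brownout_start
    return min(max(elapsed / pol.brownout_ramp, 0.0), 1.0)


def brownout_rejects(token_id: str, request_nonce: str, fraction: float) -> bool:
    """Deterministic per-request sampling: hash (token, nonce) into [0, 1) and reject
    when it falls below `fraction`."""
    digest = hashlib.sha256(f"{token_id}:{request_nonce}".encode()).digest()
    return int.from_bytes(digest[:4], "big") / 2**32 < fraction


def authorize(tok: Token, pol: Policies, request_nonce: str,
              now: datetime = NOW) -> tuple:
    """Request-time decision: (allowed, reason)."""
    if tok.state != "active":
        return False, f"token {tok.state}"
    if tok.expires_at is not None and tok.expires_at <= now:
        return False, "token expired"
    violated = issuance_violation(tok.expires_at, tok.created_at, pol)
    if violated is not None:                    # pre-existing token that breaks policy
        fraction = brownout_fraction(pol, now)
        if brownout_rejects(tok.token_id, request_nonce, fraction):
            return False, f"brownout ({violated}): {fraction:.0%} of requests rejected"
        return True, f"allowed with brownout warning ({violated})"
    return True, "allowed"


def rejection_rate(tok: Token, pol: Policies, n: int = 2000, now: datetime = NOW) -> float:
    """Fraction of `n` distinct requests from `tok` that authorize() rejects."""
    rejected = sum(not authorize(tok, pol, f"req-{i}", now)[0] for i in range(n))
    return rejected / n


# Constructed tokens (not real credentials).
LEGACY = Token("secr_mt_prod_legacy", created_at=NOW - 400 * DAY,
               last_used_at=NOW - timedelta(hours=1))          # no expiry: non-compliant
COMPLIANT = Token("secr_mt_ci_fresh", created_at=NOW - 10 * DAY,
                  expires_at=NOW + 60 * DAY, last_used_at=NOW)

if __name__ == "__main__":
    pol = Policies()
    print("legacy rejected today:", rejection_rate(LEGACY, pol))
    print("legacy rejected in 10 days:", rejection_rate(LEGACY, pol, now=NOW + 10 * DAY))
```

Five days into the ramp the legacy token sees roughly half of its requests refused with a reason that names the violated policy, and after ten days all of them; the compliant token is never touched. Surfacing the policy name in the rejection is what turns a brownout into a remediation signal rather than an unexplained outage.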

Guided Remediation

secr nhi fix walks you through fixing every posture issue interactively: adding expiry dates, rolling stale tokens, scoping overly broad credentials, and setting up conditional access.

CLI
$ secr nhi fix

  Fixing: Vercel deploy (secr_mt_ci_...)
  ────────────────────────────────────────
  ⚠ No expiry set
    → Set expiry to 90 days? (Y/n) Y
    ✓ Expiry set to 2026-06-18

  ⚠ No IP restriction
    → Add Vercel IP ranges? (Y/n) Y
    ✓ IP allowlist updated

  ✓ 2 issues fixed for Vercel deploy
