NHI

Non-Human Identity Management

Machine credentials are the #1 breach vector — and most secrets managers ignore them entirely. secr is the first lightweight secrets manager with full NHI lifecycle: discovery, posture scoring, conditional access, and automated governance.

The Problem: Shadow Machine Identities

The average organization has 17x more machine identities than human users. CI/CD tokens, service accounts, API keys, and AI agent credentials — they're created fast, shared freely, and forgotten.

  1. No lifecycle — tokens are created and never expire, never rotate, never get reviewed.
  2. No ownership — when the person who created a CI token leaves, nobody knows it exists.
  3. No governance — there's no policy requiring expiry, rotation, or scoping. Every token is org-wide by default.
  4. AI agents make it worse — Claude Code, Cursor, and Copilot need API access but shouldn't have production credentials.

Three Identity Types, One Platform

secr manages every category of non-human credential your organization creates:

Machine Tokens

secr_mt_

Purpose-built CI/CD credentials with environment hints embedded in the prefix. Lifecycle states (active → disabled → expired → revoked), zero-downtime rolling, and ownership tracking with automatic transfer on member removal.

Agent Identities

secr_agent_

Scoped tokens for AI coding agents. Secret allowlists restrict which keys an agent can access. Mandatory expiry ensures credentials don't outlive their purpose. Kill switch for immediate revocation.

OIDC Identities

Tokenless

Zero-secret CI/CD authentication. GitHub Actions, GitLab CI, AWS IAM, GCP Workload Identity, and Kubernetes service accounts exchange platform JWTs for short-lived secr access. No tokens to leak, rotate, or manage.

Discovery & Posture Scoring

One command inventories every NHI and scores its security posture across five dimensions: expiry, rotation age, scope, conditional access, and activity.

$ secr nhi discover

  NHI Inventory — acme-corp
  ──────────────────────────────────────────────
  Type             Count   Active   At Risk
  Machine tokens     12       9        3
  Agent identities    4       3        1
  OIDC bindings       6       6        0
  ──────────────────────────────────────────────
  Total              22      18        4

$ secr nhi posture

  Posture Report — acme-corp          Overall: B
  ──────────────────────────────────────────────
  Identity                    Score  Issues
  GitHub Actions prod (mt)      A    —
  Vercel deploy (mt)            C    No expiry, no IP restriction
  Claude agent (agent)          B    Broad secret scope
  Legacy deploy (mt)            F    Expired, never rotated, no scope

Conditional Access

Add zero-trust rules to any machine token or agent identity. Requests that don't match the conditions are rejected — even if the token is valid.

IP Allowlists

Restrict tokens to known CIDR ranges — GitHub, Vercel, your office VPN.

Time Windows

Allow requests only during business hours or deploy windows (UTC).

User-Agent Matching

Glob patterns matched against the request User-Agent header.

$ secr token create \
    --name "GitHub Actions" \
    --env ci \
    --expires 90d \
    --ip-allow 140.82.112.0/20 \
    --time-window mon-fri/06:00-22:00

  ✓ Token created: secr_mt_ci_a1b2c3d4...
  Conditions: IP allowlist (1 range), time window (weekdays 06-22 UTC)
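To make the three condition types concrete, here is an added example (not secr's own code) that evaluates a request against the conditions attached to the token created above: the CIDR allowlist, the `mon-fri/06:00-22:00` UTC window, and a User-Agent glob. The evaluation order, the `actions-runner/*` pattern, and the function names are assumptions for illustration; the page only states that non-matching requests are rejected even when the token itself is valid.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

def parse_time_window(spec):
    """Parse 'mon-fri/06:00-22:00' into (allowed weekday indices, start minute, end minute)."""
    days_part, hours_part = spec.split("/")
    first, last = days_part.split("-")
    days = set(range(DAYS.index(first), DAYS.index(last) + 1))
    start, end = hours_part.split("-")
    to_minutes = lambda hhmm: int(hhmm[:2]) * 60 + int(hhmm[3:])
    return days, to_minutes(start), to_minutes(end)

def evaluate(conditions, ip, when, user_agent=""):
    """Return (allowed, reason). Every configured condition must hold, otherwise deny."""
    # IP allowlist: the client address must fall inside at least one CIDR range
    allow = conditions.get("ip_allow", [])
    if allow:
        client = ipaddress.ip_address(ip)
        if not any(client in ipaddress.ip_network(cidr) for cidr in allow):
            return False, "ip not in allowlist"
    # Time window: weekday and minute-of-day are checked in UTC, as the page specifies
    window = conditions.get("time_window")
    if window:
        days, start, end = parse_time_window(window)
        t = datetime.fromisoformat(when).astimezone(timezone.utc)
        minute = t.hour * 60 + t.minute
        if t.weekday() not in days or not (start <= minute < end):
            return False, "outside time window"
    # User-Agent glob, matched case-sensitively against the request header
    pattern = conditions.get("user_agent")
    if pattern and not fnmatch.fnmatchcase(user_agent, pattern):
        return False, "user-agent mismatch"
    return True, "ok"

# Constructed sample conditions mirroring the `secr token create` flags above;
# the User-Agent glob is an assumption, not a value from the page.
GITHUB_ACTIONS = {
    "ip_allow": ["140.82.112.0/20"],
    "time_window": "mon-fri/06:00-22:00",
    "user_agent": "actions-runner/*",
}

if __name__ == "__main__":
    # 2026-03-18 is a Wednesday; 2026-03-21 is a Saturday (constructed timestamps)
    print(evaluate(GITHUB_ACTIONS, "140.82.115.7", "2026-03-18T09:30:00+00:00", "actions-runner/2.3"))
    print(evaluate(GITHUB_ACTIONS, "140.82.115.7", "2026-03-21T09:30:00+00:00", "actions-runner/2.3"))
```

Note that a request with a non-UTC offset is normalized before the window check, so a caller in another time zone cannot slip past the window by stating local time.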

Governance & Automated Remediation

NHI policies enforce org-wide rules continuously. Non-compliant tokens are flagged, and secr nhi fix walks you through fixing every issue interactively.

  Policy          Effect
  ──────────────────────────────────────────────────────────
  require-expiry  New tokens must have an expiration date
  max-lifetime    Tokens cannot live longer than N days
  auto-disable    Stale tokens are disabled after N days of inactivity
  brownout        Gradually reject requests from non-compliant tokens

$ secr nhi fix

  Fixing: Vercel deploy (secr_mt_ci_...)
  ────────────────────────────────────────
  ⚠ No expiry set
    → Set expiry to 90 days? (Y/n) Y
    ✓ Expiry set to 2026-06-18

  ⚠ No IP restriction
    → Add Vercel IP ranges? (Y/n) Y
    ✓ IP allowlist updated

  ✓ All issues resolved. Org posture: B → A

What's Next

NHI management in secr is actively evolving. Here's what's coming:

MCP Server

secr mcp serve — let Claude Code, Cursor, and AI agents access secrets via the Model Context Protocol.

NHI Dashboard

Visual inventory, posture trends, activity timeline, and policy management in the web UI.

Anomaly Detection

Baseline learning for each identity: flag unusual volumes, IPs, times, and secret access patterns.

Compliance Reports

SOC 2 evidence generation for machine identity controls: expiry, rotation, access reviews.

Get started in 30 seconds

npm i -g @secr/cli

secr nhi discover

secr nhi posture