See Every Machine Credential in Your Org — and Which Ones Are Overdue
secr's NHI dashboard gives you a single pane of glass for machine tokens, agent identities, security posture scoring, and external credential rotation tracking.
Last week we shipped Non-Human Identity management — machine tokens, agent identities, OIDC federation, and the discovery API. The data was there, but you had to use the CLI or API to see it.
Now there's a dashboard for all of it.
Five pages, one sidebar entry
The NHI section in the dashboard is a single entry point with five tabs: Overview, Inventory, Agents, Policies, and Credentials. It's gated to admin+ users on Pro plans and above.
Overview
The overview page answers one question: how healthy is our NHI posture?
At the top, five summary cards show the total count of NHI entities and their status breakdown — active, disabled, expired, and revoked. Below that, a type breakdown shows how many machine tokens, agents, and OIDC identities you have.
The centrepiece is the security posture score: a single number from 0 to 100 that summarises five dimensions:
- Ownership — are NHIs tied to real owners, or orphaned?
- Staleness — are there tokens that haven't been used in months?
- Privilege — are tokens over-provisioned for what they actually need?
- Rotation — are credentials being rotated on schedule?
- Expiration — do tokens have expiry dates, or do they live forever?
Each dimension has a progress bar, a score, a weight, and a list of specific issues found. Below the score, actionable recommendations tell you exactly what to fix first.
Inventory
The inventory page is a unified, filterable list of every NHI entity in your organisation. Filter by type (machine token, agent, OIDC) or status (active, disabled, expired, revoked). Each card shows the entity name, type badge, status badge, permission level, last used date, and expiry.
Actions are inline: disable, enable, or revoke — and they dispatch to the correct API endpoint based on entity type. No need to remember whether you're working with a machine token or an agent identity.
Agents
The agents page is full CRUD for agent identities — the non-human accounts you create for CI/CD pipelines, automation tools, and AI coding agents.
Click Create Agent, fill in a name, permission level (read or read/write), expiry, and an optional secret allowlist. secr generates a token and shows it exactly once in a warning banner. Copy it, store it in your pipeline, dismiss the banner.
Each agent card shows the name, status, permission, the last four characters of the token, any scope restrictions, and the secret allowlist as pills. Disable, enable, or revoke from the card.
Policies
Policies let organisation owners set guardrails for all NHI tokens. There are six policy keys:
| Policy | What it does |
|---|---|
| Require Expiry | All new NHI tokens must have an expiration date |
| Max Token Lifetime | Cap how long any token can live (e.g. 90 days) |
| Max Production Permission | Limit production access to read-only |
| Auto-Disable After | Disable tokens not used within N days |
| Brownout Period | Start intermittent denials before token expiry |
| Max Tokens Per Org | Cap total NHI token count |
Each policy can be set as enforced (hard block) or advisory. Only the org owner can modify policies — admins can view them but not change them.
Credentials
The credentials page runs an external credential audit across all your stored secrets. It uses pattern matching to identify known third-party credentials — AWS keys, Stripe keys, database connection strings, SendGrid tokens — and tracks how long ago each was last rotated.
Three summary cards show total secrets, recognised external credentials, and how many are overdue for rotation. A project filter lets you scope the view. Category pills break down credentials by type (cloud, payment, database, email, monitoring, auth, CI/CD, messaging).
The main table shows each credential with its key name (monospace), identified service, category badge, environment, days since rotation, and a red Overdue or green OK status badge.
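A sketch of this kind of audit, as an added example rather than secr's own code: it matches stored values against a few well-known credential formats and flags those past a rotation window. The patterns, the 90-day window, the field names and the sample secrets are all assumptions made for illustration.

```python
import re
from datetime import date

# Assumed patterns for well-known credential formats (not secr's rule set).
PATTERNS = [
    ("AWS access key", "cloud", re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")),
    ("Stripe secret key", "payment", re.compile(r"^[sr]k_(live|test)_[0-9A-Za-z]{24,}$")),
    ("SendGrid API key", "email", re.compile(r"^SG\.[\w-]{22}\.[\w-]{43}$")),
    ("Database URL", "database", re.compile(r"^(postgres(ql)?|mysql|mongodb(\+srv)?)://\S+$")),
]
MAX_AGE_DAYS = 90  # assumed rotation window; the page does not state one


def classify(value):
    """Return (service, category) for a recognised credential, else None."""
    for service, category, pattern in PATTERNS:
        if pattern.match(value):
            return service, category
    return None


def audit(secrets, today):
    """Summarise stored secrets: total, recognised, overdue, per-credential rows."""
    rows = []
    for s in secrets:
        hit = classify(s["value"])
        if hit is None:
            continue  # not a known external credential; excluded from the table
        age = (today - s["rotated"]).days
        rows.append({"key": s["key"], "service": hit[0], "category": hit[1],
                     "env": s["env"], "age_days": age,
                     "status": "Overdue" if age > MAX_AGE_DAYS else "OK"})
    overdue = sum(r["status"] == "Overdue" for r in rows)
    return {"total": len(secrets), "recognised": len(rows), "overdue": overdue, "rows": rows}


# Constructed sample secrets (fake values, built only to match the formats).
SAMPLE = [
    {"key": "AWS_ACCESS_KEY_ID", "value": "AKIA" + "A" * 16, "env": "production", "rotated": date(2024, 1, 10)},
    {"key": "STRIPE_SECRET_KEY", "value": "sk_live_" + "0" * 24, "env": "production", "rotated": date(2024, 5, 20)},
    {"key": "DATABASE_URL", "value": "postgres://app:pw@db.example.internal:5432/app", "env": "staging", "rotated": date(2023, 11, 1)},
    {"key": "FEATURE_FLAG", "value": "enabled", "env": "production", "rotated": date(2022, 1, 1)},
]

if __name__ == "__main__":
    report = audit(SAMPLE, today=date(2024, 6, 1))
    print(report["total"], report["recognised"], report["overdue"])
    for r in report["rows"]:
        print(f'{r["key"]:<20} {r["service"]:<18} {r["env"]:<11} {r["age_days"]:>4}d {r["status"]}')
```

Matching on value format alone misses credentials with no distinctive prefix, so a real audit would also need key-name hints or provider metadata.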
Why this matters
The average organisation has 17x more machine identities than human ones, and that ratio is growing. Most teams have no visibility into which tokens are active, what they can access, or when they were last used.
The NHI dashboard makes this visible in under a minute. No CLI commands, no API calls, no spreadsheets — just open the dashboard and look.
If your posture score is below 75, start with the recommendations on the overview page. They're ordered by impact.