AS-301c · Module 2
Just-in-Time Secret Injection
3 min read
The ideal credential lifecycle is: generated at the moment of need, used for the duration of the task, and destroyed when the task completes. No standing credentials. No long-lived tokens. No persistent access. Just-in-time injection is the architectural pattern that achieves this — the agent requests a credential, the vault generates one with a TTL matching the expected task duration, and the credential auto-expires when the TTL elapses.
- Request-Scoped Credentials: The agent authenticates to the vault, requests a credential for a specific resource, and receives a dynamically generated credential with a TTL. The credential is scoped to the requested resource — a database credential grants access to only the requested database, not all databases. When the TTL expires, the credential is revoked automatically.
- Task-Bounded Access: For task-oriented agents, the credential TTL matches the expected task duration plus a buffer. A data analysis task expected to take 10 minutes gets a credential with a 15-minute TTL. If the task runs over, the agent requests a renewal. If the task completes early, the agent explicitly revokes the credential. Explicit revocation is faster than waiting for TTL expiry.
- Lease Management: Every dynamic credential is a lease. The vault tracks all active leases, their TTLs, and their consumers. A dashboard of active leases shows the current credential exposure — how many credentials exist right now and when each expires. If an agent is compromised, revoking its active leases instantly removes all its access.
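The three points above describe one vault-side state machine: issue a resource-scoped lease whose TTL is the expected task duration plus a buffer, let the agent renew or explicitly revoke it, and keep a live view of every lease so a compromised agent's access can be pulled in one call. The following is an added, self-contained illustration of that lifecycle written for this module; it is not code from any real vault product. The `VaultLeases` class, its method names, the `FakeClock` and the agent and resource names in `demo()` are all constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    consumer: str       # agent identity that requested the credential
    resource: str       # the single resource this credential is scoped to
    secret: str         # dynamically generated credential material
    expires_at: float   # absolute time (seconds) at which the lease dies
    revoked: bool = False


class VaultLeases:
    """In-memory lease table: every dynamic credential is tracked with a TTL."""

    def __init__(self, clock, max_ttl=3600.0):
        self._clock = clock      # injectable time source (seconds)
        self._max_ttl = max_ttl  # hard ceiling on any lease lifetime
        self._leases = {}

    def issue(self, consumer, resource, expected_duration, buffer=300.0):
        """Task-bounded access: TTL = expected duration + buffer, capped at max_ttl."""
        ttl = min(expected_duration + buffer, self._max_ttl)
        lease = Lease(secrets.token_hex(8), consumer, resource,
                      secrets.token_urlsafe(32), self._clock() + ttl)
        self._leases[lease.lease_id] = lease
        return lease

    def is_valid(self, lease_id, resource):
        """Request-scoped: valid only for its own resource and only until the TTL."""
        lease = self._leases.get(lease_id)
        if lease is None or lease.revoked or lease.resource != resource:
            return False
        return self._clock() < lease.expires_at

    def renew(self, lease_id, extra_seconds):
        """Extend a still-live lease; a dead lease must be re-requested, not revived."""
        lease = self._leases.get(lease_id)
        if lease is None or lease.revoked or self._clock() >= lease.expires_at:
            return False
        lease.expires_at = min(lease.expires_at + extra_seconds,
                               self._clock() + self._max_ttl)
        return True

    def revoke(self, lease_id):
        """Explicit revocation when the task finishes early."""
        lease = self._leases.get(lease_id)
        if lease is None:
            return False
        lease.revoked = True
        return True

    def revoke_consumer(self, consumer):
        """Compromise response: pull every active lease held by one agent."""
        count = 0
        for lease in self._leases.values():
            if lease.consumer == consumer and not lease.revoked:
                lease.revoked = True
                count += 1
        return count

    def active(self):
        """Dashboard view: live leases with seconds remaining on each."""
        now = self._clock()
        return sorted((l.lease_id, l.consumer, l.resource, round(l.expires_at - now))
                      for l in self._leases.values()
                      if not l.revoked and l.expires_at > now)


class FakeClock:
    """Constructed, controllable clock so the scenario below is deterministic."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    vault = VaultLeases(clock)
    # A 10-minute analysis task gets a 15-minute credential (600 s + 300 s buffer).
    lease = vault.issue("agent-analytics", "db/reports", expected_duration=600)
    r = {"ttl": lease.expires_at - clock.now}
    r["scoped_ok"] = vault.is_valid(lease.lease_id, "db/reports")
    r["other_db"] = vault.is_valid(lease.lease_id, "db/customers")  # out of scope
    clock.advance(840)                       # 14 min in: task is running over
    r["renewed"] = vault.renew(lease.lease_id, 300)
    clock.advance(120)                       # 16 min in: alive only because renewed
    r["after_renew"] = vault.is_valid(lease.lease_id, "db/reports")
    # A second agent holds two leases and is then treated as compromised.
    vault.issue("agent-etl", "db/staging", 60)
    vault.issue("agent-etl", "queue/jobs", 60)
    r["pulled"] = vault.revoke_consumer("agent-etl")
    r["active_count"] = len(vault.active())  # dashboard now shows one live lease
    vault.revoke(lease.lease_id)             # task done early: revoke, don't wait
    r["after_revoke"] = vault.is_valid(lease.lease_id, "db/reports")
    return r


if __name__ == "__main__":
    print(demo())
```

The clock is injected rather than read from `time.time()` so the renewal and expiry paths can be exercised in a fixed order; a production vault would also persist the lease table and push revocations to the resource side, which this table-only version leaves out.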