# Pattern: Short-lived Credentials Status: reviewed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform, flex-auth Genesis family: Secrets and cryptography ## Problem Static credentials remain useful after compromise and are difficult to inventory, rotate, and scope. ## Context Use this pattern for object storage, SSH, API tokens, database access, workload secrets, and operator elevation. ## Forces - Consumers need stable integration contracts. - Backends differ in session or lease support. - Refresh and expiration behavior must be tested. - Audit must link issuance to actor, tenant, resource, and purpose. ## Solution Prefer credentials with explicit TTL, scope, lease metadata, and revocation path. Normalize issuance through identity, authorization, and brokered secret authority. ## Verification - Credentials include scope, expiry, and owner metadata. - Consumers refresh before expiration. - Expired credentials are rejected by backends. - Issuance and revocation are auditable. ## Related Patterns - STS Credential Vending. - Dynamic Secrets. - Short-Lived SSH Certificates. - Time-boxed Privilege Elevation.