Identity types

The practice of regulating access to resources or systems based on permissions and authorization policies. Secrets managers implement access control mechanisms to restrict who can view, modify, or retrieve stored secrets, ensuring that only authorized users or applications have access.

Categories:

External Account

An external account is an identity that originates outside an organization’s primary identity domain. Instead of being provisioned and governed internally, it is issued by a third-party platform, cloud provider, CI/CD service, or SaaS environment.

Federated Identity

Federated identity allows users, machines, or workloads to authenticate once with a trusted identity provider and access resources across multiple domains or organizations without managing separate credentials for each.

Bot Identity

Unlike a human identity or a generic service account shared across many systems, a bot identity ensures that each automated actor is individually verified and granted its own scoped access permissions. This provides individual accountability for every automated action.

Identity Federation

Identity Federation is a security framework that enables users or workloads to authenticate once with an identity provider (IdP) and subsequently access multiple systems or service providers across different security domains without requiring separate credentials at each destination. Federation establishes cryptographic trust relationships between identity providers and relying parties through standardized protocols such as SAML 2.0, OAuth 2.0, and OpenID Connect, enabling secure sharing of authentication attributes and authorization decisions across organizational boundaries.

Daemon Identity

A daemon identity represents the unique ID and permissions assigned to a background process or service that runs without any human interaction. These daemon applications run continuously on servers or in the cloud, handling tasks like backups, data synchronization, and automated monitoring.

Workload IGA

Workload IGA (Identity Governance and Administration for Workloads) extends traditional identity governance principles, such as access reviews, provisioning, and policy enforcement, to non-human identities like applications, services, and AI agents. It ensures that every workload has the right access, at the right time, for the right purpose.

Client Credentials

Client credentials are authentication credentials used by non-human entities (such as applications, services, APIs, and automated scripts) to prove their identity and obtain access to protected resources. Unlike user credentials, which require an interactive sign-in, client credentials enable machine-to-machine communication without any human involvement. In OAuth 2.0, the client credentials grant type is a specific flow in which a client application authenticates directly to the authorization server using its own credentials (usually a client ID and client secret) to receive a short-lived access token.

Bearer Token

A bearer token is an access token that grants the bearer (whoever holds it) the right to use a protected resource without any additional proof of identity. It is sent in the HTTP Authorization header using the Bearer scheme (Authorization: Bearer <token>) and is treated like a "key" for access.

Machine Credentials

Machine credentials are digital secrets, such as API keys, access tokens, SSH keys, or certificates, that allow software-based entities (like applications, workloads, and agents) to authenticate and access other systems autonomously. They serve as the identity proof for machines communicating within and across networks.

Non-Human Identity

A non-human identity (NHI) is a digital identity assigned to a software-based entity, such as an application, service, workload, API, or AI agent, that needs to authenticate and access resources autonomously. It functions much like a user account but is designed for machines, not people.