Dynamic Secrets

Dynamic secrets generate ephemeral, unique credentials on demand. Instead of sharing one static database password across multiple services, each service gets its own short-lived username and password.

Why use Dynamic Secrets?

  • Zero Shared State: No static master passwords stored in code.
  • Automated Cleanup: Credentials (leases) expire automatically after a set TTL.
  • Granular Revocation: Instantly revoke a single service's access without rotating for everyone else.

Life of a Dynamic Secret

  1. Request: An application requests a credential from CustomKeys.
  2. Provisioning: CustomKeys connects to the target backend (e.g., PostgreSQL) and creates a temporary user with specific permissions.
  3. Lease: The app receives the credential and its expires_at timestamp.
  4. Expiry: When the lease expires, CustomKeys deletes the user from the database.

Supported Backends

Currently available for PostgreSQL and MySQL.

Configuration Example

{
  "admin_dsn": "postgresql://superuser:pass@host:5432/db",
  "ttl_hours": 4,
  "permissions": "SELECT, INSERT ON ALL TABLES IN SCHEMA public"
}

SDK Usage

// Each call generates a fresh, unique credential
const lease = await client.generateDynamic('db-config-id');
console.log(lease.username); // "ck_a1b2c3..."
console.log(lease.password); // "generated-pass..."
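
Because every call creates a new database user, an application normally holds one lease and replaces it shortly before expires_at instead of calling generateDynamic per query. The cache below is an added example, not part of the CustomKeys SDK or its documentation. It assumes expires_at is an ISO 8601 string (the page does not state the format); LeaseCache, skewMs and fakeClient are hypothetical names, and fakeClient is a constructed stub standing in for the real client.

```javascript
// Added example: lease-aware credential cache (not CustomKeys SDK code).
// Assumption: lease.expires_at is an ISO 8601 string.
class LeaseCache {
  constructor(client, configId, { skewMs = 60_000, now = () => Date.now() } = {}) {
    this.client = client;      // anything exposing generateDynamic(configId)
    this.configId = configId;
    this.skewMs = skewMs;      // stop using a lease this long before it expires
    this.now = now;            // injectable clock, useful for testing
    this.lease = null;
    this.pending = null;       // in-flight request shared by concurrent callers
  }

  isUsable(lease) {
    if (!lease) return false;
    const expiry = Date.parse(lease.expires_at);
    // Fail closed: an unparseable timestamp is treated as expired.
    return Number.isFinite(expiry) && this.now() < expiry - this.skewMs;
  }

  async get() {
    if (this.isUsable(this.lease)) return this.lease;
    if (!this.pending) {
      // One request serves every caller that arrives while it is in flight,
      // so a burst of queries does not provision a burst of database users.
      this.pending = this.client.generateDynamic(this.configId)
        .then((lease) => {
          if (!this.isUsable(lease)) throw new Error('received lease is already expired');
          this.lease = lease;
          return lease;
        })
        .finally(() => { this.pending = null; });
    }
    return this.pending;
  }
}

// Constructed stub standing in for the real client; issues 4-hour leases.
function fakeClient(now) {
  let n = 0;
  return {
    calls: () => n,
    async generateDynamic() {
      n += 1;
      return {
        username: `ck_demo${n}`,
        password: `constructed-pass-${n}`,
        expires_at: new Date(now() + 4 * 3600_000).toISOString(),
      };
    },
  };
}
```

Connections opened with an older lease stop authenticating once the backend user is deleted, so a connection pool should be rebuilt whenever get() returns a different username.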
Last updated: 4/20/2026