Service identity without the secrets sprawl
Aembit authenticates workloads — API calls, service accounts, AI agents — using ephemeral OIDC tokens and mTLS, not stored credentials that expire wrong and rotate manually.
The problem
The pattern that keeps security leads up at 2am
12 microservices. 47 environment variables. 3 different secrets managers. Someone just committed a service account key to git. Credential rotation breaks prod, so rotation gets skipped. Credentials never expire.
The average engineering team manages 230+ non-human credentials across services and CI pipelines.
Credentials that never rotate
Rotation breaks prod on Tuesday morning, so the 90-day policy exists in the runbook and nowhere else. The service account key from 2022 is still active.
Zero audit trail
Your SIEM shows network traffic. It does not show which of 200 parallel agent invocations made that call to the internal data API at 03:47 UTC.
Blast radius of any leak
One shared API key across 200 concurrent agent instances means one leak equals total exposure. Revocation takes down every service that shares the credential.
How it works
Authentication without stored secrets
Three steps. No credential storage anywhere in the path.
1. Workload presents its SPIFFE SVID
The workload's runtime issues a SPIFFE SVID — a cryptographically signed identity document. No passwords, no API keys, no shared secrets needed at this step.
spiffe://cluster.local/ns/prod/sa/api-svc
2. Aembit verifies and issues a scoped token
Aembit validates the SVID against your access policy and issues a short-lived OIDC token — scoped to exactly the target service, with a 15-minute TTL.
iss: aembit.aembits.org exp: +900s
3. Target service accepts the token
The token is attached to the outbound request. The target service validates it. When the TTL expires, the token is dead. No revocation needed. Nothing to rotate.
Authorization: Bearer <ephemeral-jwt>
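The three-step flow above, as an added illustration that is not Aembit's own code: a minimal issuer mints a JWT scoped to one target service with a 900-second TTL, and the target service validates issuer, audience, signature and expiry before honoring the Authorization: Bearer header. HS256 with a constructed shared key stands in for the real signing key (a production verifier would fetch the issuer's published public keys); the SPIFFE ID, the `data-api` audience and the timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "aembit.aembits.org"   # issuer name as shown on the page
TTL_SECONDS = 900               # the 15-minute TTL described in step 2


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, workload_spiffe_id: str, target_service: str, now: int) -> str:
    """Step 2 (simplified, HS256 stand-in): a token bound to one workload, one target, one TTL."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": workload_spiffe_id,   # the verified SVID from step 1
        "aud": target_service,       # scope: exactly one target service
        "iat": now,
        "exp": now + TTL_SECONDS,    # after this instant the token is dead
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key: bytes, token: str, expected_audience: str, now: int) -> dict:
    """Step 3: return the claims if the token is valid for this service, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:  # a token for another service is useless here
        raise ValueError("token not scoped to this service")
    if now >= claims.get("exp", 0):             # expiry replaces revocation
        raise ValueError("expired")
    return claims


def check_request(key: bytes, headers: dict, expected_audience: str, now: int) -> tuple:
    """What the target service does with an inbound request: (accepted, caller-or-reason)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (False, "no bearer token")
    try:
        claims = verify_token(key, auth[len("Bearer "):], expected_audience, now)
    except ValueError as exc:                  # binascii.Error is a ValueError too
        return (False, str(exc))
    return (True, claims["sub"])               # the per-call audit record: which SVID called


if __name__ == "__main__":
    key = b"constructed-demo-key"             # constructed; real issuers use asymmetric keys
    svid = "spiffe://cluster.local/ns/prod/sa/api-svc"
    now = int(time.time())
    token = mint_token(key, svid, "data-api", now)
    print(check_request(key, {"Authorization": "Bearer " + token}, "data-api", now))
    print(check_request(key, {"Authorization": "Bearer " + token}, "billing-api", now))
    print(check_request(key, {"Authorization": "Bearer " + token}, "data-api", now + TTL_SECONDS))
```

The audit-trail point from the problem section falls out of the `sub` claim: every accepted call is tied to a specific SVID rather than to a shared key, so the target service can log which workload invoked it.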
Use cases
Where workload identity breaks without Aembit
AI Agent calling external APIs
Your LangChain agent needs AWS S3 access. Today: one API key shared across 200 concurrent agent instances, no session-level audit trail.
Aembit issues a 15-min token scoped to the agent's runtime identity, not a shared key in .env.
AI agent identity
Service-to-service in Kubernetes
Sidecar intercepts every outbound call and attaches a cryptographically bound token. No code changes required in your application.
mTLS between services plus per-call audit log. Policy enforced at the proxy layer.
Service mesh auth
GitHub Actions to cloud
CI pipeline authenticates to AWS without storing access keys. Token tied to the specific workflow run, scoped to the target environment.
When the workflow ends, the token expires. Zero long-lived keys in GitHub Secrets.
CI/CD identity
Cloud Function to database
Lambda gets time-bounded access scoped to the invocation. When the function exits, the token is dead. No execution role over-provisioning required.
Adds less than 2ms to cold start. Supports Lambda, Cloud Functions, Cloud Run, and Cloudflare Workers.
Serverless identity
Integrations
Works with the stack you already run
SPIFFE/SPIRE
Kubernetes RBAC
AWS IAM
GCP Workload Identity
GitHub Actions OIDC
HashiCorp Vault
Istio
Envoy
We had a service account key sitting in our Kubernetes secret for 14 months. Nobody knew who created it or what it accessed. Aembit gave us a complete audit trail and let us remove the key entirely in a single sprint.
Staff Platform Engineer at a logistics technology company