
Leased Credentials, on-demand database logins that expire on their own

Your applications can now get short-lived database logins on demand. Connect a database once from the Secrets page (+ New Secret, then Leased Secret), set how long a login should live, and SikkerKey mints a fresh login in your database each time a machine reads the secret. When the lease ends, the login is removed.

Each machine gets its own login, scoped to exactly the access you grant, and it lives only as long as the workload needs it.

Setting one up

The New leased secret wizard has two configuration steps, then a review.

1. Connection. Pick your database provider and enter its connection details, plus an admin role SikkerKey uses to create and remove logins. Test connection confirms the role can create logins before you continue.


2. Lease & credential. Choose the password shape and optional grant SQL, then set the lease policy: the credential lifetime, plus toggles for renewing on read, a hard maximum, database-native expiry, revoke-on-disable, and minting fresh on every read.


How a lease works

The first time a machine reads the secret, SikkerKey creates a login in your database with the password shape and privileges you defined, and returns the full connection: host, port, database, username, and password. While the login is within its lease, the same machine reading again gets the same login, and SikkerKey extends it when your policy allows. After it expires, the next read issues a new one.

You set the lease policy per secret:

Reading them

A leased credential is read like any other secret. The SDK signs the request with the machine's identity and returns the connection fields:

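# `sk` is the SikkerKey SDK client and `connect` is the database driver's
# connect function; both are set up elsewhere in the application.
db = sk.get_fields("sk_db_prod")  # signed read; returns the connection fields
conn = connect(
    host=db["host"], port=db["port"], dbname=db["database"],
    user=db["username"], password=db["password"],
)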

The same read works from the CLI and every SDK: Python, Node.js, Go, .NET, JVM, and PHP.
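An added example, not code from SikkerKey's SDK or documentation: because a login is removed when its lease ends, a long-running process that keeps the fields from an earlier read can end up holding a dead login. The hypothetical LeasedDb helper below caches the fields and re-reads the secret once when the database rejects them; FakeLeasedBackend and AuthFailed are constructed stand-ins for the sk.get_fields read, the driver's connect, and the driver's authentication error.

```python
import time

class AuthFailed(Exception):
    """Constructed stand-in for the database driver's authentication error."""

class FakeLeasedBackend:
    """Constructed stand-in for the secret read plus the database login check."""
    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.serial, self.expires, self.reads = 0, 0.0, 0

    def get_fields(self, secret_id):
        self.reads += 1
        if self.clock() >= self.expires:  # lease over: this read issues a new login
            self.serial += 1
            self.expires = self.clock() + self.ttl
        return {"host": "db.example.internal", "port": 5432, "database": "app",
                "username": f"lease_{self.serial}", "password": f"pw-{self.serial}"}

    def connect(self, host, port, dbname, user, password):
        if user != f"lease_{self.serial}" or self.clock() >= self.expires:
            raise AuthFailed(user)  # an expired login no longer exists
        return {"user": user}

class LeasedDb:
    """Hypothetical helper: cache the leased fields, drop them on auth failure."""
    def __init__(self, read_fields, connect, secret_id, auth_error):
        self.read_fields, self.connect, self._fields = read_fields, connect, None
        self.secret_id, self.auth_error = secret_id, auth_error

    def connection(self):
        for fresh in (False, True):
            if fresh or self._fields is None:
                self._fields = self.read_fields(self.secret_id)
            f = self._fields
            try:
                return self.connect(host=f["host"], port=f["port"], dbname=f["database"],
                                    user=f["username"], password=f["password"])
            except self.auth_error:
                if fresh:  # a freshly read login was rejected too: surface the error
                    raise

if __name__ == "__main__":
    now = [0.0]  # fake clock in seconds, so the run needs no real waiting
    backend = FakeLeasedBackend(ttl=60, clock=lambda: now[0])
    db = LeasedDb(backend.get_fields, backend.connect, "sk_db_prod", AuthFailed)
    print(db.connection()["user"])  # login from the first read
    now[0] = 61.0                   # move past the lease lifetime
    print(db.connection()["user"])  # stale login rejected, secret re-read
```

In a real application, pass the SDK's read function, the driver's connect function, and the driver's own authentication exception class in place of the stand-ins.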

Cleanup

Deleting a leased credential, its project, or its vault removes the minted logins from your database, so a login never outlives the secret that created it. Mint, renewal, and revocation are recorded in the audit log.

Availability

Leased credentials are available for PostgreSQL today, with MySQL / MariaDB, MongoDB, Redis, and Microsoft SQL Server planned.
