IDaaS centralizes credentials that are otherwise scattered across code, configurations, or passed manually between teams. It encrypts them at rest, enforces least-privilege access, and lets applications retrieve credentials at runtime through an API or SDK — eliminating plaintext storage on disk and hard-coded secrets.
Credential types
In IDaaS, a credential is data or a key used to prove the identity of an entity — a user, device, or application service. IDaaS manages two categories:
| | Long-term credential | Short-term credential |
|---|---|---|
| Examples | API key, AK/SK | JSON Web Token (JWT), OAuth token |
| Validity | Long-term; requires manual rotation | Short-term; expires automatically |
| Management | Manage the key itself (create, view, revoke) | Manage issuance rules (algorithm, validity period, issuer) |
| How clients get it | Manually obtained from the issuer and saved to the client | The client fetches it automatically from the credential provider using JWT or OAuth |
| Security model | Relies on confidentiality; higher risk if leaked | Relies on signatures and time limits; leak risk is bounded |
IDaaS maps these two categories to two configuration areas:
Credential providers — configure short-term credential issuance (OAuth, JWT). See Manage credential providers.
Credentials — store and manage long-term credentials (API keys). See Manage credentials.
Choose a credential type
Short-term credentials (credential providers) offer stronger security. Short-lived tokens limit the blast radius of a leak, support fine-grained scope control, and expire automatically. Use long-term credentials only when the external service does not support short-lived tokens.
Use short-term credentials (credential providers) when:
Your application can request a new token at runtime.
You need fine-grained scope control.
Security posture is a priority.
Use long-term credentials when:
The external service issues a fixed API key that cannot be replaced with a short-lived token.
You are managing credentials for a Large Language Model (LLM) or an external service in an agent workflow.
Access the credential management interface
Log on to the Application Identity Management console.
Click EIAM.
Locate the target EIAM instance and click Console in the Actions column.
In the navigation bar, click Asset Management > Credential.
Manage credential providers
Credential providers control how IDaaS issues short-term credentials to applications. IDaaS supports OAuth and JWT providers.
Create a credential provider
Access the credential management interface.
Select the Credential Provider tab.
Hover over Create Credential Provider and select OAuth or JWT.
Fill in the configuration fields for your chosen type.
OAuth configuration
| Field | Description |
|---|---|
| Credential Provider Name | Display name in the console. Not used during authentication. |
| Description | Optional description. Not used during authentication. |
| Credential Provider Identifier | Unique identifier for this provider. |
| Client ID | The client identifier assigned by your OAuth provider. IDaaS sends this when requesting tokens. |
| Client Secret | The client key paired with the Client ID. Generated by your OAuth provider. |
| Token Endpoint | The endpoint IDaaS calls to exchange an authorization code for a token. |
| Scope | Default permissions granted to clients. Press Enter after each scope to add it. You can add multiple scopes. If a client request includes a scope, that scope takes precedence; otherwise, this default applies. |
JWT configuration
| Field | Description |
|---|---|
| Credential Provider Name | Display name in the console. Not used during authentication. |
| Description | Optional description. Not used during authentication. |
| Credential Provider Identifier | Unique identifier for this provider. |
| Generate Short Token | When enabled, IDaaS generates a short token alongside the standard JWT when this provider is called. |
| Jwt Token Expiration | Token validity period. Set in minutes, hours, or days. |
| Issuer Whitelist | Restricts which issuers can make JWT requests to this provider. Requests from issuers not on the list are denied. |
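The following is an added example, not IDaaS code or its API: a minimal HS256 issuer and verifier that models the two JWT provider settings above (Jwt Token Expiration and Issuer Whitelist) and the OAuth Scope precedence rule. It shows why the page calls short-term credentials bounded risk: a leaked token only works until its exp claim passes, and tokens from issuers off the whitelist are refused both at issuance and at verification. The provider settings dictionary, the signing key, and the function names are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Hypothetical provider settings mirroring the JWT configuration fields on this
# page. The names are assumptions for this example, not IDaaS API identifiers.
JWT_PROVIDER = {
    "identifier": "example-jwt-provider",
    "expiration_seconds": 15 * 60,  # "Jwt Token Expiration" of 15 minutes
    "issuer_whitelist": {"agent-gateway", "batch-worker"},  # "Issuer Whitelist"
}

# Constructed signing key for the example only; a real provider keeps it in KMS.
SIGNING_KEY = b"constructed-example-key-do-not-use"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(issuer: str, subject: str, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT: the issuer must be whitelisted, and exp is derived from
    the provider's validity period, so the token expires without manual rotation."""
    if issuer not in JWT_PROVIDER["issuer_whitelist"]:
        raise PermissionError(f"issuer {issuer!r} is not on the whitelist")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": issuer,
        "sub": subject,
        "iat": now,
        "exp": now + JWT_PROVIDER["expiration_seconds"],
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, now: Optional[int] = None) -> dict:
    """Check signature, algorithm, issuer whitelist and expiry, in that order.
    Returns the claims or raises ValueError; a leaked token stops validating at exp."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(
        SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in JWT_PROVIDER["issuer_whitelist"]:
        raise ValueError("issuer not whitelisted")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def resolve_scope(default_scope: List[str], requested: Optional[List[str]]) -> List[str]:
    """OAuth provider rule from the Scope field: a scope in the client request
    takes precedence; otherwise the provider's default applies."""
    return list(requested) if requested else list(default_scope)


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_jwt("agent-gateway", "svc-1", now=t0)
    print(verify_jwt(token, now=t0 + 60))           # valid inside the window
    try:
        verify_jwt(token, now=t0 + 901)             # one second past exp
    except ValueError as exc:
        print("rejected:", exc)
    print(resolve_scope(["read"], None), resolve_scope(["read"], ["write"]))
```

The verifier checks the signature before it trusts any claim, so the issuer and expiry tests run on authenticated data only; a token whose payload was spliced from another token fails at the signature step regardless of what its exp says.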
View a credential provider
Access the credential management interface.
Select the Credential Provider tab.
Click Details in the Actions column for the target provider.
Edit a credential provider
Access the credential management interface.
Select the Credential Provider tab.
Click Edit in the Actions column for the target provider.
Delete a credential provider
A credential provider must be disabled before deletion.
Access the credential management interface.
Select the Credential Provider tab.
In the Status column, disable the target provider.
Click Delete in the Actions column.
Manage credentials
Credentials store third-party API keys and similar long-term secrets in IDaaS. All credentials are encrypted using Alibaba Cloud KMS Secrets Manager by default.
Create a credential
Access the credential management interface.
Click the Credential tab.
Hover over Create Credential and select API Key.
Fill in the following fields:
| Field | Description |
|---|---|
| Credential Name | Display name in the console. |
| Description | Optional description. |
| Business Type | Select Large Language Model (LLM) or External Service. These map to the corresponding node types in the Agent identity security configuration guide. |
| API key ID | Unique identifier for this hosted API key. |
| API Key | The API key value to store. |
| Secure Storage | Fixed to Default Encrypted Credential. The key is saved in Alibaba Cloud KMS Secrets Manager. This cannot be changed. |
View a credential
Access the credential management interface.
Click the Credential tab.
Click Details in the Actions column for the target credential.
Edit a credential
Access the credential management interface.
Click the Credential tab.
Click Edit in the Actions column for the target credential.
The original API Key value is not shown during editing. Leave the field blank to keep the existing key, or enter a new value to replace it.
Delete a credential
A credential must be disabled before deletion.
Access the credential management interface.
Click the Credential tab.
In the Status column, disable the target credential.
Click Delete in the Actions column.
FAQ
Why do I see "You cannot host credentials in KMS Secrets Manager because the required IDaaS EIAM service-linked role is missing"?
Click Create in the prompt to create the required service-linked role. Once the role is in place, you can create credentials normally. Skipping this step causes an error when you try to create a credential.