Credential Vault
The credential vault is where AccessHive stores all identity credentials – passwords, API keys, JSON key files, and OAuth client secrets. Every credential is encrypted before it is saved, and access is logged. Understanding the vault helps you know how your credentials are protected and how to reveal or rotate them when needed.
How the credential vault works
When you create an identity (or when the system provisions one automatically), the credentials are encrypted and stored as a single secure entry in the vault. The vault keeps one entry per identity. Only authorized users can decrypt and view credentials, and every access is recorded in the audit trail.
Human Interactive identities are the exception – they authenticate through single sign-on (SSO) and have no vault entry.
What is stored for each identity type
| Identity type | Fields stored in the vault |
|---|---|
| Shared Credential (external) | Username, password |
| Shared Credential (managed) | Username, password (set automatically by Google Workspace) |
| Service Account | Service account email, JSON key file content |
| API Key | Key label, API key value |
| OAuth App | Client ID, client secret |
| Human Interactive | Nothing – authentication is handled through SSO |
Revealing credentials
You can view stored credentials from the identity detail page.
- Open the identity – Go to Identities and select the identity you want to view.
- Click Reveal – The system decrypts the credentials and displays them on screen.
- Credentials auto-hide after 30 seconds – The displayed values are cleared automatically to reduce exposure. You can click Reveal again if needed.
Every time someone reveals credentials, AccessHive logs who viewed them, when, and for which identity. Only users with the Agency Owner role can reveal credentials.
Password rotation
Managed Shared Credentials support automatic password rotation. Each time a team member checks the credentials back in, the system generates a new password.
- Team member checks in – When a checkout session ends (manually or when time expires), the system starts rotation.
- New password is generated – Google Workspace (GWS) resets the password on the domain user account.
- Vault is updated – The new password replaces the old one in the vault. The previous password is no longer valid.
As a result, the password changes automatically after every checkout: even if a team member noted the password during their session, it will not work after check-in.
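The check-in rotation described above, modeled as an added Python sketch (this is not AccessHive code). `FakeDirectory`, `Vault`, and their methods are hypothetical stand-ins, encryption at rest is omitted, and the ordering shown (reset the account first, update the vault only on success) is an assumption about a safe design, not documented behavior.

```python
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

class FakeDirectory:
    """Hypothetical stand-in for the domain user directory (not a Google API)."""
    def __init__(self):
        self.passwords = {}
        self.fail = False  # constructed switch to simulate a failed reset

    def reset_password(self, user, new_password):
        if self.fail:
            raise RuntimeError("directory reset failed")
        self.passwords[user] = new_password

    def authenticate(self, user, password):
        return secrets.compare_digest(self.passwords.get(user, ""), password)

class Vault:
    """One entry per identity; encryption at rest is omitted in this sketch."""
    def __init__(self, directory):
        self.directory, self.entries, self.audit = directory, {}, []

    def _log(self, event, identity, actor):
        now = datetime.now(timezone.utc).isoformat()
        self.audit.append((now, event, identity, actor))

    def rotate(self, identity, actor):
        new_password = "".join(secrets.choice(ALPHABET) for _ in range(24))
        try:
            self.directory.reset_password(identity, new_password)
        except RuntimeError:
            # Keep the old entry: the vault must match what the account accepts.
            self._log("rotation_failed", identity, actor)
            return False
        self.entries[identity] = new_password  # old value is overwritten
        self._log("rotated", identity, actor)
        return True

    def checkout(self, identity, actor):
        self._log("checkout", identity, actor)
        return self.entries[identity]

    def check_in(self, identity, actor):
        # Check-in (manual or on expiry) always triggers rotation.
        self._log("check_in", identity, actor)
        return self.rotate(identity, actor)
```

In this model a `rotation_failed` audit entry is the event to alert on, because it means a password a team member has already seen is still valid.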
If you created a Shared Credential in external mode, you manage the password yourself. To update it, edit the identity and enter the new password. See Managing Credentials.
Related pages
- Identity types – Learn which types store credentials and which use SSO. See Identity Types.
- Provisioning – Understand what happens when credentials are first stored in the vault. See Provisioning.
- Manage credentials – Reveal, rotate, and update stored credentials. See Managing Credentials.
- PAM sessions – Configure checkout governance and automatic rotation policies. See PAM Sessions.