Skip to content
Latchkey

What Is Service-to-Service Auth? How Machines Trust Each Other

Service-to-service authentication is how one workload proves its identity to another with no human involved, using tokens, certificates, or workload identity.

Service-to-service authentication, sometimes called machine-to-machine auth, is the backbone of automated systems. There is no one to type a password, so services prove their identity with credentials they hold or can mint. CI/CD is almost entirely service-to-service: pipelines authenticate to source hosts, registries, and clouds dozens of times per run.

How machines authenticate

  • API keys or tokens presented on each request.
  • Mutual TLS, where both sides present certificates.
  • Workload identity, where the platform vouches for the service via OIDC.

Why it differs from human auth

Humans use passwords and MFA; machines cannot. They rely on stored or minted credentials, which means the risk shifts from phishing to credential leakage. The defenses are scoping, short lifetimes, and minimizing standing secrets.

The workload identity pattern

The modern approach avoids stored secrets entirely. The platform issues the workload a signed identity token (OIDC) describing what it is, and the target service trusts that issuer. The pipeline gets short-lived credentials without any long-lived key to leak.

Service-to-service auth in CI/CD

Every pipeline step that touches an external system uses service-to-service auth: cloning, pulling dependencies, pushing images, deploying. The strongest setups use OIDC-based workload identity so there is no durable credential sitting in the pipeline.

Mutual TLS

In service meshes and internal systems, mutual TLS has both services present certificates, so each proves its identity to the other. It provides strong, certificate-backed authentication for traffic between internal services.

Auth and the runner

Service-to-service credentials are handled on the runner during the job. Isolated, ephemeral runners (such as Latchkey managed runners) ensure those credentials are confined to one job and destroyed afterward, so they cannot be reused by another.

Key takeaways

  • Service-to-service auth lets machines prove identity to each other without humans.
  • Workload identity via OIDC avoids stored secrets by minting short-lived tokens.
  • Mutual TLS provides strong certificate-backed auth between internal services.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →