Ephemeral Credential - CI/CD Glossary Definition
An ephemeral credential is a short-lived secret minted on demand for a single job and discarded afterward.
An ephemeral credential is a token or key issued just-in-time for one CI run and expiring quickly, so nothing long-lived is stored. OIDC-based cloud auth and GitHub App installation tokens are common sources.
Why they are safer
Because the credential is gone (or expired) by the time a log is inspected or an artifact is exfiltrated, ephemeral credentials remove the standing-secret leak risk that static keys carry.
Related guides
OIDC Subject - CI/CD Glossary DefinitionOIDC Subject: An OIDC subject is the `sub` claim in the OpenID Connect token GitHub issues to a workflow, enc…
Installation Token - CI/CD Glossary DefinitionInstallation Token: An installation access token is a token a GitHub App mints for a specific installation. I…
Token Expiry - CI/CD Glossary DefinitionToken Expiry: Token expiry is the lifetime after which a token is rejected. Short expiries limit the window a…