Automated Credential Rotation At Scale

via “credential-rotation-and-lifecycle-management”

Hey HN! Today we're launching Agent Vault - an open source HTTP credential proxy and vault for AI agents. Repo is at https://github.com/Infisical/agent-vault, and there's an in-depth description at https://infisical.com/blog/agent-vault-the-open-sour

Unique: Implements agent-aware credential rotation that can notify agents of credential changes and invalidate cached values, rather than just rotating credentials in the backend without agent coordination

vs others: More practical than manual rotation (which is error-prone and doesn't scale) and more agent-focused than backend-native rotation that doesn't account for agent caching or notification

via “multi-credential-agent-support”

Official Agent SDK for the Agentic Name Service (ANS) — orchestrates MCP tool calls across Gateway and Guardian for trilateral authentication

Unique: Supports credential chains with automatic fallback, allowing agents to authenticate with alternative credentials if the primary credential fails. Tracks which credential succeeded and logs fallback events for audit purposes.

vs others: More resilient than single-credential authentication because it provides fallback paths; more flexible than manual credential switching because fallback is automatic and transparent to the agent.

via “secure credential vault with encrypted secret storage and rotation”

** - Enterprise MCP gateway with SSO, RBAC, audit trails, and token vaults for secure, centralized AI agent access control. Deploy via Helm charts on-premise or in your cloud. [webrix.ai](https://webrix.ai)

Unique: Implements server-side credential injection where secrets are stored encrypted in the gateway vault and injected into MCP tool invocations server-side, preventing credentials from ever being transmitted to or stored by client applications, with automatic rotation support and full audit trails

vs others: More secure than environment variable or config file storage (which are often unencrypted and difficult to rotate) and more MCP-native than generic secret managers, enabling tool-specific credential policies without modifying tool code

via “secret rotation and versioning with zero-downtime updates”

Enable secure and efficient management of encrypted data vaults through a standardized protocol interface. Facilitate seamless integration of encrypted storage and retrieval operations within your applications. Enhance data security and accessibility by leveraging this server's capabilities.

Unique: Implements zero-downtime secret rotation as an MCP operation, allowing clients to query available versions and migrate gradually without external orchestration

vs others: More integrated than manual rotation scripts but less sophisticated than dedicated secret rotation platforms with automatic client updates

via “integrated iam, oauth2, and oidc authentication with credential rotation”

** - Open source MCP server specializing in easy, fast, and secure tools for Databases.

Unique: Decouples authentication from tool execution through a credential provider interface, allowing different sources to use different auth methods (e.g., one source uses IAM, another uses OAuth2) within the same server instance. Implements automatic token refresh with exponential backoff in internal/server/config.go, eliminating manual credential rotation.

vs others: Outperforms static credential approaches (API keys, passwords) by supporting automatic rotation and fine-grained IAM policies, reducing credential exposure surface area in production deployments.

via “provider-credential-management”

** - Single tool to control all 100+ API integrations, and UI components

Unique: Centralizes credential management for 100+ providers in a single MCP tool, supporting heterogeneous authentication schemes (API keys, OAuth, JWT, etc.) with unified token refresh and expiration tracking logic

vs others: More comprehensive than environment variable management because it handles OAuth token refresh and expiration tracking automatically, whereas .env files require manual credential rotation

via “credential exchange and token refresh orchestration”

Plug and play auth for Model Context Protocol (MCP) servers

Unique: Automates token refresh at the MCP server level, handling provider-specific refresh policies and rotation strategies transparently without requiring client-side refresh logic

vs others: More reliable than client-side token refresh because the server manages refresh proactively before expiration, preventing authentication failures mid-session

via “automated-credential-rotation-at-scale”

via “provider credential management”

via “credential-and-access-management”