
Welcome to Voidkey

Eliminate long-lived secrets with dynamic, OIDC-based credential minting

Voidkey is a zero-trust credential broker that eliminates the need for long-lived secrets in modern workflows. It dynamically mints short-lived, scoped credentials using OIDC-based authentication, creating a secure bridge between identity providers and cloud resources.

Zero Trust Architecture

No shared secrets between clients and cloud providers. Each component authenticates independently.

Dynamic Credentials

Generate temporary credentials on-demand with configurable expiration times.

OIDC Integration

Native support for GitHub Actions, Auth0, Okta, Keycloak, and more identity providers.

Multi-Cloud Support

Works with AWS and MinIO, with Azure and GCP support coming soon.

  • 🔐 True Zero-Trust: Separate authentication for clients and broker with no shared secrets
  • 🔑 Key-Based Access: Fine-grained permission control with named credential keys
  • 🚀 Production Ready: Enterprise-grade NestJS server with comprehensive security features
  • 🛠️ Developer Friendly: Easy-to-use CLI and well-documented REST API
  • 📦 Extensible: Plugin architecture for custom identity and cloud providers
  • 🧪 Well Tested: Comprehensive test suite with full coverage

Eliminate hardcoded secrets in your CI/CD pipelines. Voidkey integrates natively with GitHub Actions, GitLab CI, and other platforms to provide secure, temporary credentials for deployments.

Provide developers with time-limited access to cloud resources without distributing long-lived credentials. Perfect for local development and testing scenarios.

Enable secure service-to-service communication with dynamic credential generation based on service identity.

Meet security compliance requirements with comprehensive audit logging and credential lifecycle tracking.

# Request temporary AWS credentials
voidkey mint --keys AWS_DEPLOYMENT
# Use in your workflow
export $(voidkey mint --keys AWS_DEPLOYMENT --output env)
aws s3 cp build/ s3://my-bucket/ --recursive
sequenceDiagram
    participant CLI as Client CLI
    participant ClientIdP as Client IdP (Auth0, GitHub, etc)
    participant Broker as Voidkey Broker
    participant BrokerIdP as Broker IdP (Keycloak, Okta, etc)
    participant Provider as Access Provider (STS)
    CLI->>ClientIdP: 1. Get client OIDC token
    ClientIdP->>CLI: Return client token
    CLI->>Broker: 2. Request credentials with token
    Note over Broker: 3. Validate client token
    Broker->>BrokerIdP: 4. Get broker OIDC token
    BrokerIdP->>Broker: Return broker token
    Broker->>Provider: 5. Mint credentials with broker token
    Provider->>Broker: 6. Return temp credentials
    Broker->>CLI: 7. Return temp credentials to client
    CLI->>Provider: 8. Use credentials for operations
  1. Client gets OIDC token from their identity provider (GitHub Actions, Auth0, etc.)
  2. Client requests credentials from Voidkey broker with OIDC token and key names
  3. Broker validates client token against the client’s identity provider JWKS
  4. Broker gets its own token from the broker’s identity provider for authentication
  5. Broker mints credentials using its token to authenticate with cloud provider STS
  6. Cloud provider returns temporary, scoped credentials to the broker
  7. Broker returns credentials to the client with expiration information
  8. Client uses credentials for authorized operations against cloud resources

Quick Start

Get up and running with Voidkey in minutes using our Docker sandbox environment. Start Here →

Architecture

Understand the components and security model behind Voidkey. Learn More →

Configuration

Configure identity providers, access providers, and permissions. Configure →

API Reference

Explore the REST API endpoints and integration options. View API →