# Application Credentials

> Create and manage scoped application credentials for automation pipelines, CI/CD systems, and service accounts in Xloud Identity.

## Overview

Application credentials allow automation pipelines, CI/CD systems, and service accounts
to authenticate without embedding user passwords. They are scoped to the user's current
project and role assignments, and can be restricted further to a specific subset of roles
or API paths. Unlike user passwords, application credentials have explicit expiry dates
and can be revoked independently.

<Note>
  **Prerequisites**

  * An active Xloud account with appropriate permissions
  * Access to the **Xloud Dashboard** or CLI configured with credentials
  * API credentials sourced (`source openrc.sh`)
</Note>

<Warning>
  Application credentials are bound to the creating user. If that user is disabled or
  deleted, all their application credentials are invalidated immediately. For long-lived
  service accounts, create a dedicated service user to own the credentials.
</Warning>

***

## Create an Application Credential

<Tabs>
  <Tab title="Dashboard" icon="gauge">
    <Steps titleSize="h3">
      <Step title="Navigate to Application Credentials" icon="terminal">
        Log in as the user who will own the credential. Navigate to
        **User Center > Application Credentials** (via profile dropdown) and click **Create Application Credential**.
      </Step>

      <Step title="Configure the credential" icon="key">
        | Field               | Description                                                    |
        | ------------------- | -------------------------------------------------------------- |
        | **Name**            | Descriptive identifier (e.g., `ci-pipeline-prod`)              |
        | **Secret**          | Leave blank to auto-generate a cryptographically secure secret |
        | **Expiration Date** | Set an expiry for credentials used in short-lived pipelines    |
        | **Roles**           | Restrict to a subset of your role assignments (optional)       |
        | **Access Rules**    | Limit the credential to specific API paths and HTTP methods    |
      </Step>

      <Step title="Save the credential securely" icon="download">
        After creation, the Dashboard displays the credential ID and secret **once**.
        Download the `clouds.yaml` snippet for immediate use.

        <Danger>
          The secret is shown only once and cannot be retrieved again. Store it in a secrets
          manager (such as Xloud Key Management or HashiCorp Vault) immediately after creation.
        </Danger>
      </Step>
    </Steps>
  </Tab>

  <Tab title="CLI" icon="terminal">
    <Steps titleSize="h3">
      <Step title="Authenticate" icon="key">
        Source your credentials file to authenticate with the Xloud platform:

        ```bash title="Load credentials" theme={null}
        source openrc.sh
        ```

        <Tip>
          Your administrator provides the RC (credentials) file for your project. See [CLI Setup](/cli-setup) for configuration details.
        </Tip>
      </Step>

      <Step title="Create the credential" icon="plus">
        ```bash title="Create application credential with expiry" theme={null}
        openstack application credential create \
          --description "CI/CD pipeline credential" \
          --expiration "2026-12-31T00:00:00" \
          ci-pipeline-prod
        ```

        Note the `id` and `secret` values from the output — they are shown only once.
      </Step>

      <Step title="Create credential with restricted roles" icon="shield">
        ```bash title="Create credential restricted to reader role only" theme={null}
        openstack application credential create \
          --description "Read-only monitoring credential" \
          --role reader \
          --expiration "2026-12-31T00:00:00" \
          monitoring-readonly
        ```
      </Step>
    </Steps>
  </Tab>
</Tabs>

***

## Authenticate with Application Credentials

Application credentials replace user passwords in the `clouds.yaml` configuration file.

<Steps titleSize="h3">
  <Step title="Add to clouds.yaml" icon="file-code">
    Add the following to your `~/.config/openstack/clouds.yaml`:

    ```yaml title="~/.config/openstack/clouds.yaml" theme={null}
    clouds:
      xloud-ci:
        auth:
          auth_url: https://api.<your-domain>:5000/v3
          application_credential_id: "<CREDENTIAL_ID>"
          application_credential_secret: "<CREDENTIAL_SECRET>"
        auth_type: v3applicationcredential
        region_name: RegionOne
    ```
  </Step>

  <Step title="Test the credential" icon="circle-check">
    ```bash title="Verify authentication with the credential" theme={null}
    openstack --os-cloud xloud-ci token issue
    ```

    <Check>A token is issued — the credential is valid and functional.</Check>
  </Step>
</Steps>

***

## Access Rules

Access rules restrict a credential to specific API operations, providing fine-grained
control beyond role-level permissions.

```bash title="Create credential with access rules" theme={null}
openstack application credential create \
  --description "Image upload only" \
  --access-rules '[
    {"path": "/v2/images", "method": "POST", "service": "image"},
    {"path": "/v2/images/**", "method": "PUT", "service": "image"}
  ]' \
  image-uploader
```

| Field     | Description                                                       |
| --------- | ----------------------------------------------------------------- |
| `path`    | API path pattern (supports `**` wildcard)                         |
| `method`  | HTTP method: `GET`, `POST`, `PUT`, `DELETE`, `PATCH`              |
| `service` | Service type: `compute`, `image`, `identity`, `volume`, `network` |
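
To check what a rule set actually permits before attaching it to a credential, the following added example (not Xloud code, and a local model rather than the platform's enforcement logic) evaluates the `image-uploader` rules above against constructed requests. The single `*` wildcard in the tighter variant follows upstream OpenStack Keystone access-rule semantics and is an assumption here, since this page documents only `**`.

```python
import re

# The two rules from the `image-uploader` credential above, plus a tighter
# variant. Single `*` (one path segment) follows upstream OpenStack Keystone
# access-rule semantics and is an assumption; the page documents only `**`.
PAGE_RULES = [
    {"path": "/v2/images", "method": "POST", "service": "image"},
    {"path": "/v2/images/**", "method": "PUT", "service": "image"},
]
TIGHTER_RULES = [
    {"path": "/v2/images", "method": "POST", "service": "image"},
    {"path": "/v2/images/*/file", "method": "PUT", "service": "image"},
]

def pattern_to_regex(pattern):
    """Translate an access-rule path pattern into an anchored regex."""
    parts = []
    for token in re.split(r"(\*\*|\*)", pattern):
        if token == "**":
            parts.append(".*")       # any depth, slashes included
        elif token == "*":
            parts.append("[^/]+")    # exactly one path segment
        else:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + "$")

def allows(rules, service, method, path):
    """True if any single rule matches service, method and path together."""
    return any(
        rule["service"] == service
        and rule["method"].upper() == method.upper()
        and pattern_to_regex(rule["path"]).match(path) is not None
        for rule in rules
    )

# Constructed requests; IMAGE_ID is a placeholder, not a real image.
IMAGE_ID = "11111111-2222-3333-4444-555555555555"
REQUESTS = [
    ("image", "POST", "/v2/images"),
    ("image", "PUT", f"/v2/images/{IMAGE_ID}/file"),
    ("image", "PUT", f"/v2/images/{IMAGE_ID}/tags/approved"),
    ("image", "DELETE", f"/v2/images/{IMAGE_ID}"),
    ("compute", "POST", "/v2/images"),
]

if __name__ == "__main__":
    for request in REQUESTS:
        print(request, allows(PAGE_RULES, *request), allows(TIGHTER_RULES, *request))
```

The `**` rule admits every `PUT` below `/v2/images/`, including the constructed tags path, while the tighter variant admits only the file upload.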

***

## Manage Existing Credentials

<Tabs>
  <Tab title="Dashboard" icon="gauge">
    Navigate to **User Center > Application Credentials** (via profile dropdown) to view all credentials owned by
    the current user. Delete expired or unused credentials to reduce attack surface.
  </Tab>

  <Tab title="CLI" icon="terminal">
    <CodeGroup>
      ```bash title="List application credentials" theme={null}
      openstack application credential list
      ```

      ```bash title="Show credential details (without secret)" theme={null}
      openstack application credential show ci-pipeline-prod
      ```

      ```bash title="Delete a credential" theme={null}
      openstack application credential delete ci-pipeline-prod
      ```
    </CodeGroup>
  </Tab>
</Tabs>

<Tip>
  Rotate application credentials before their expiration date. Create the replacement
  credential first, update all consumers, then delete the old credential. This zero-downtime
  rotation pattern avoids pipeline interruptions.
</Tip>
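
To decide which credentials need rotating or deleting, the following added example (not Xloud tooling) classifies credentials by expiry from a constructed sample shaped like `openstack application credential list -f json` output. The `Name` and `Expires At` key names, the sample IDs and the 30-day warning window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample shaped like `openstack application credential list -f json`
# output; the "Name" / "Expires At" key names are an assumption about that output.
SAMPLE_LIST_JSON = """[
  {"ID": "a1", "Name": "ci-pipeline-prod",    "Expires At": "2026-12-31T00:00:00.000000"},
  {"ID": "b2", "Name": "monitoring-readonly", "Expires At": "2026-03-10T00:00:00.000000"},
  {"ID": "c3", "Name": "image-uploader",      "Expires At": null},
  {"ID": "d4", "Name": "old-deploy-key",      "Expires At": "2025-06-30T00:00:00.000000"}
]"""

def classify(credentials, now, warn_days=30):
    """Return {name: status}; status is expired, rotate-now, no-expiry or ok."""
    result = {}
    for cred in credentials:
        raw = cred.get("Expires At")
        if not raw:
            result[cred["Name"]] = "no-expiry"    # never ages out on its own
            continue
        expires = datetime.fromisoformat(raw.rstrip("Z"))
        if expires <= now:
            result[cred["Name"]] = "expired"      # no longer usable: delete it
        elif expires - now <= timedelta(days=warn_days):
            result[cred["Name"]] = "rotate-now"   # create the replacement first
        else:
            result[cred["Name"]] = "ok"
    return result

def audit(list_json, now, warn_days=30):
    """Parse the CLI's JSON listing and classify every credential in it."""
    return classify(json.loads(list_json), now, warn_days)

if __name__ == "__main__":
    fixed_now = datetime(2026, 3, 1)  # fixed clock so the sample is reproducible
    for name, status in audit(SAMPLE_LIST_JSON, fixed_now).items():
        print(f"{status:10} {name}")
```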

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Users" href="/services/identity/users" color="#197560">
    Manage user accounts that own application credentials.
  </Card>

  <Card title="Multi-Factor Authentication" href="/services/identity/multi-factor-auth" color="#197560">
    Add TOTP-based two-factor authentication to user accounts.
  </Card>

  <Card title="Identity Admin Guide" href="/services/identity/admin-guide" color="#197560">
    Configure token policies and security hardening for your Identity deployment.
  </Card>

  <Card title="Troubleshooting" href="/services/identity/troubleshooting" color="#197560">
    Resolve credential rejection and authentication failure issues.
  </Card>
</CardGroup>
