Credential Management service (CM) is intended for identification of endpoints by endpoint tokens.

CM provides REST APIs to manage endpoint tokens and their states. CM maintains a token state machine summarized in the following diagram.

CM token state FSM

Token can be in one of the following states:

  • Inactive is the initial state for newly provisioned token that has not been used to identify an endpoint.
  • Active is the state token automatically moves to after it was first used for endpoint identification. Token can be suspended or revoked from the active state.
  • Suspended state is for temporarily disabled tokens. CM service will reject identification requests with suspended token. Suspended token can be re-activated.
  • Revoked state is the terminal state for token that is no longer valid.

CM persists all credentials-related data to MariaDB.


CM supports a number of interfaces to perform its functional role. The key supported interfaces are summarized in the following diagram.

CM interfaces diagram

For inter-service communication, Kaa services mainly use REST APIs and messaging protocols that run over NATS messaging system.


CM supports Endpoint and Client Authentication Protocol for Communication services to validate tokens presented by endpoints.

CM broadcasts endpoint token revocation events whenever, endpoint tokens transition from active to suspended or revoked state, or get deleted.

Token management

CM provides a REST-based interface to manage endpoint tokens:

  • provisioning new tokens
  • transitioning token states
  • deleting tokens

EP unregistered events

CM listens to endpoint unregistered events to keep the list of valid endpoint tokens up to date. After receiving such events, CM deletes corresponding endpoint tokens from the database.

Tekton integration

CM is integrated with the Kaa Tekton for centralized application configuration management. It receives configuration update messages from Tekton over 17/SCMP and uses Tekton REST API to retrieve current configs.

See configuration for more information.

Kaa Tenant Manager integration

CM supports multi-tenancy with each tenant using a separate OAuth 2.0 issuer for authentication, authorization, and resource management. The list of the existing tenants is managed by the Kaa Tenant Manager, which provides REST API for retrieving tenant security configs.

See the security configuration for more details on how to enable multi-tenancy in CM.