Machine Identity & Credential Mediation

Your workload no longer holds the real credential. It holds a label. Excalibur sits on the network path, identifies the caller, swaps the label for the real credential, completes whatever upstream authentication the destination requires, records the decision, and only then lets the request leave.

This section is the user-facing manual for everything Excalibur does around machine identity, credential brokering, and policy enforcement. You can read top-to-bottom for the full picture, or jump straight into a workflow.

Machine Identity & Credential Mediation — see how Excalibur identifies the caller, swaps a label for the real credential on the wire, and records every decision

Read in order

  1. Why this exists & how it works — the secret-residency problem, the broker topology, the four principal kinds, and the three-tier hardware-rooted trust root.

  2. Quickstart — boot the proxy, install the CA, point a client at it, and watch one real request get mediated.

Workflow walkthroughs

Each walkthrough is a self-contained recipe with real commands and real screenshots from the live dashboard. Every step also tells you what the audit log records and what the dashboard pages look like.

Reference


Visual quick map

| You want to… | Read | UI page |
|---|---|---|
| Understand the model | Concept & trust model | Overview |
| Boot, trust the CA, see the first mediated request | Quickstart | Overview, Flows |
| Give a long-lived server an identity | Onboarding a workload | Sessions & Services |
| Identify a Kubernetes pod by its service-account JWT | Onboarding a workload | Fleet & Namespaces |
| Turn a captured live secret into a managed placeholder | Onboarding a credential | Onboarding |
| Restrict who can redeem which placeholder | Translation rules | Translation Auth |
| Restrict where a workload can call out to | Egress & namespace policy | Egress, Fleet |
| Rotate a key without bouncing the workload | Rotating a credential | Escrow & Surrogates |
| Sign upstream with JWT, DPoP, mTLS, or SigV4 | Cryptographic mediation | Crypto Mediation |
| Investigate a stolen-token replay or a blocked exfiltration | Responding to an incident | Audit, Workstation, Threat |
| Verify audit-chain integrity | Responding to an incident | Audit |