Short-lived tokens still create risk when the workload that issues them can be compromised or abused. In that case, the attacker simply requests fresh credentials and maintains access through renewal rather than persistence through one stolen secret. The control point is the issuing path, not just the token lifetime.
Why This Matters for Security Teams
Short-lived tokens reduce exposure time, but they do not remove the control failure that matters most: the entity that can mint, renew, or exchange them. If an application, agent, runner, or orchestration layer is compromised, the attacker can keep asking for fresh access and stay inside the environment without ever needing a long-lived secret. That shifts the risk from token theft to issuance-path abuse, which is harder to spot with basic secret scanning. NIST Cybersecurity Framework 2.0 is clear that identity and access must be managed as an ongoing control, not a one-time event, and the same logic applies to token issuance paths. The problem is visible in real incidents such as the Salesloft OAuth token breach, where stolen or abused access was more important than token age alone.
NHIMG research shows why time limits are only part of the story: in The State of Secrets Sprawl 2026, GitGuardian reported that 64% of valid secrets leaked in 2022 are still valid and exploitable today, which underscores how detection without revocation fails. In practice, many security teams encounter this only after a workload has already been repurposed as a credential broker, rather than through intentional testing.
How It Works in Practice
The safer model is to treat short-lived tokens as disposable outputs of a trusted workload identity, not as the primary trust boundary. A workload should prove what it is, request only the access needed for the task, and receive a credential that expires quickly and is bound to a specific action, environment, or audience. That is where JIT credential provisioning, intent-based authorisation, and workload identity intersect. Current guidance suggests using cryptographic workload identity, such as SPIFFE or OIDC-backed service identities, so the platform can make a runtime decision about whether the request is legitimate.
In practice, that means:
- Issue credentials only after policy evaluation at request time, not at deployment time.
- Bind the token to the intended resource, scope, and workload identity.
- Revoke or invalidate the credential as soon as the task completes or the context changes.
- Log issuance, exchange, and refresh events separately from ordinary API access.
This is especially important in pipelines and agentic systems, where an autonomous system may chain tools, call downstream services, and request renewed access without a human in the loop. The Guide to the Secret Sprawl Challenge shows how broadly secrets spread across tickets, chat, and code, and that makes the issuance path as exposed as the token itself. NIST Cybersecurity Framework 2.0 and NIST Cybersecurity Framework 2.0 both support continuous control monitoring, which is essential when access is dynamic rather than static.
These controls tend to break down in highly distributed environments where token refresh is embedded in multiple microservices and no single team owns the issuer.
Common Variations and Edge Cases
Tighter token controls often increase operational overhead, requiring organisations to balance stronger containment against developer friction and service reliability. That tradeoff becomes visible when teams rely on cached credentials, shared service accounts, or long-lived refresh tokens hidden inside automation. Best practice is evolving, but there is no universal standard for this yet: some environments can enforce very short TTLs, while others need a layered design that combines short TTLs with device-bound or workload-bound proof and aggressive anomaly detection.
Edge cases matter. A short-lived token is still risky if the issuer is overly privileged, if refresh tokens are stored insecurely, or if a compromised agent can continuously re-authenticate through an allowed path. The JetBrains GitHub plugin token exposure is a useful reminder that the surrounding integration can become the weak point even when a secret is technically ephemeral. Likewise, the broader patterns in the Guide to the Secret Sprawl Challenge show that duplication and hidden storage often outlive the original token lifetime.
The practical rule is simple: if the system that can mint or renew access is not strongly protected, token lifetime only limits how long a stolen credential works. It does not stop an attacker who has already compromised the identity that can ask for a new one.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived tokens still fail when NHI issuance and rotation are abused. |
| NIST CSF 2.0 | PR.AC-4 | Continuous access control is central when credentials are minted on demand. |
| NIST AI RMF | Autonomous systems can renew access without human oversight, creating AI governance risk. |
Apply AI RMF governance to runtime authorisation, logging, and accountability for agent access.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 30, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
