Platform · Credential Rotation

Credentials change before attackers can use them.

12Port rotates passwords, SSH keys, and API tokens on a schedule, on demand, on event, per-asset, per-tenant, with full audit. Triggered changes happen the second a session ends.

Reduce credential risk in real time and eliminate standing credentials that attackers rely on.

Five operations

What rotation actually does.

Password reset

Generate a new password against your formula, set it on the target, vault it, log it. Old password is invalidated immediately. Used for service accounts, local admin, database users, network device users.

Key rotation

SSH key pairs and API tokens. Generate the new key, install the public key on the target, vault the private key, retire the old one on a configurable lag so existing sessions don’t break.
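The retire-on-a-lag step for SSH keys, as an added example that is not 12Port's code or API: it installs the new public key, schedules the old one for removal after the lag, and refuses to prune the last remaining key. The function names, the in-memory `authorized_keys` list (lines without an options prefix) and the constructed key blobs are assumptions for illustration.

```python
import base64
import hashlib

def fingerprint(pub_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' line."""
    blob = base64.b64decode(pub_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def rotate(authorized, retiring, old_pub, new_pub, now, lag_seconds):
    """Install new_pub and schedule old_pub for removal once the lag expires."""
    lines = list(authorized)
    if fingerprint(new_pub) not in {fingerprint(l) for l in lines}:
        lines.append(new_pub)
    schedule = dict(retiring)
    schedule[fingerprint(old_pub)] = now + lag_seconds
    return lines, schedule

def prune(authorized, retiring, now):
    """Drop keys whose lag has expired; return (kept lines, removed fingerprints)."""
    due = {fp for fp, when in retiring.items() if when <= now}
    kept = [l for l in authorized if fingerprint(l) not in due]
    if not kept:  # lockout guard: never remove the last usable key
        return list(authorized), []
    removed = [fingerprint(l) for l in authorized if fingerprint(l) in due]
    return kept, removed

def _constructed_key(seed: bytes, comment: str) -> str:
    # Constructed sample data, not a real key blob.
    return "ssh-ed25519 " + base64.b64encode(seed).decode() + " " + comment

OLD_KEY = _constructed_key(b"constructed-old-key-blob", "svc-backup@old")
NEW_KEY = _constructed_key(b"constructed-new-key-blob", "svc-backup@new")

def demo():
    t0, lag = 1_700_000_000, 3600  # constructed timestamp, one-hour lag
    lines, schedule = rotate([OLD_KEY], {}, OLD_KEY, NEW_KEY, t0, lag)
    during, removed_during = prune(lines, schedule, t0 + 600)  # inside the lag
    after, removed_after = prune(lines, schedule, t0 + lag)    # lag expired
    return during, removed_during, after, removed_after

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The removed fingerprints returned by `prune` are what an audit record for the retirement would reference.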

Reconciliation

When the vault and target drift (manual changes, restored backups, sync failures), reconciliation detects the mismatch, rotates to a known good value, and writes the audit record.

Triggered updates

Fire a rotation the moment a session closes, when an admin offboards, when an alert fires, or via API. Closes the window where a leaked credential is still valid.

AI agent credentials

Rotate credentials used by AI agents and automated workflows on every run, schedule, or policy event. Prevents long-lived secrets in agentic systems and enforces just-in-time issuance.

What gets rotated

Operating systems, databases, identity stores, network devices.

12Port rotates credentials wherever your privileged users authenticate. Built-in connectors plus a scriptable workflow library mean even niche targets get covered without a per-platform plugin.

  • Operating systems: Windows local + domain accounts, Linux, Unix, macOS, Active Directory, Entra ID.
  • Databases: SQL Server, Oracle, PostgreSQL, MySQL, MongoDB, plus generic ODBC/JDBC.
  • Network & security devices: Cisco, Juniper, Arista, Palo Alto, Fortinet, and F5. SSH and Telnet recipes.
  • Cloud + SaaS: AWS IAM, Azure, GCP, Kubernetes service accounts, API tokens via REST.
  • Anything scriptable: Shell, PowerShell, Groovy, RegEx, XSLT for custom targets.

How it works

Schedule it, trigger it, or run it from the API.

Scheduled. Per-asset cadence: daily, weekly, monthly, or business-hours only. Each asset can have its own password formula and rotation window. Useful for the long tail of service accounts that change rarely but should still rotate.

On session close. Trigger a rotation the second a privileged session ends. Used for break-glass accounts, vendor accounts, and any credential where one-time use is the policy. The next session gets a fresh value.

API-driven. Rotate from your SIEM, your ticketing system, your offboarding workflow. Full REST endpoint with audit-log linkage so the rotation is tied to the trigger that fired it.

See rotation in action.

A 30-minute walkthrough on your environment. Pick three assets and watch them rotate live.

12Port

See it in your environment.

30 minutes. Real screens. A live privileged session against a system you pick.