Credential brokering
Credential brokering lets a user check out the credentials for a session from a central store — directly on the connection entry itself — without ever handling the raw credential. The connection manager decides which stored credential a session may use and supplies it at connection time. Learn how it works and how it differs from credential injection.
What is credential brokering?
In a managed environment, credentials shouldn't be pasted into individual connection entries or shared between colleagues. Credential brokering solves this by keeping credentials in a central store and linking them to connections by reference. When a user launches a session, the right credential is checked out for that session on the entry itself — so access is centrally governed instead of copied around.
How does credential brokering work?
Brokering separates the connection entry from the credential it uses:
- Credentials are stored centrally in a vault or data source, not inside each connection entry.
- A connection entry references a stored credential rather than containing it.
- When the user launches the session, the correct credential is checked out for that session on the entry.
- Access is governed centrally, so credentials can be updated or revoked in one place.
Credential brokering vs. credential injection
The two work together but describe different things. Brokering governs which credential a session may use and checks it out on the entry; injection is the mechanism that then inserts that credential into the live session without revealing it.
| Credential brokering | Credential injection |
|---|---|
| Checks out credentials for a session from a central store on the entry. | Inserts those credentials into the live session without exposing them. |
| Decides which credentials a session may use. | Delivers those credentials invisibly into the session. |
In short: brokering governs access to the credential; injection is how it reaches the session unseen.
Why does credential brokering matter?
Because credentials live in one central place and are only referenced by connections, they never have to be copied into entries or shared between team members. A password can be rotated or revoked once and take effect everywhere, access can be scoped by role, and the organization keeps a clear picture of which credentials back which connections. It is a foundation for both least-privilege access and clean auditing.
Example
A support team manages hundreds of servers. Rather than storing an administrator password on each connection entry, each entry references a single brokered credential in the vault. When a technician opens a server, the credential is checked out for that session on the entry, and the connection authenticates. When the password is rotated, it changes in one place — every connection keeps working, and no one ever had a copy to leak.
Frequently asked questions
What is credential brokering?
Credential brokering lets a user check out the credentials for a session from a central store, directly on the connection entry itself, without handling the raw credential. The connection manager decides which stored credential a session is allowed to use and supplies it at connection time.
How is credential brokering different from credential injection?
Credential brokering is the model of checking out credentials for a session from a central store on the entry, deciding which credential a session may use. Credential injection is the mechanism that then inserts that credential into the live session without exposing it to the user. Brokering governs access to the credential; injection delivers it invisibly.
Why use credential brokering instead of storing passwords in each connection?
Because credentials stay in one central store and are only referenced by connections, they never have to be copied into entries or shared between colleagues. A password can be rotated or revoked once and take effect everywhere, access can be scoped by role, and the organization keeps a clear record of which credentials back which connections.
Credential brokering in practice
Broker credentials from a central vault so your team connects by reference — never by handling raw passwords.
Related terms
Credential injection
Secure input of credentials into a session without revealing them to the user.
Read now →Privileged session manager (PSM)
Controls, monitors, and records privileged sessions to critical systems.
Read now →