Problem:
Self-service backends require shared credentials (API keys, tokens) to authenticate invocations from Port. This creates friction for enterprise customers with zero-trust security requirements who want to avoid storing any secrets in Port.
Proposed solution:
Port embeds its own OIDC provider (like GitHub Actions and TFE dynamic credentials). On each invocation, Port issues a signed identity token with claims like the triggering user, run ID, and action context. The downstream system verifies the token's signature against Port's published public key, so no shared secrets are needed.
Why it matters:
Instead of customers giving Port a secret to call their systems, Port proves who it is and who triggered the action. No credentials exchanged, no secrets to manage or rotate. This is a pattern customers already use with GitHub and TFE and expect from their IDP.
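The verification step from the proposed solution, as an added example (not Port's code or API): the issuer URL, audience, key ID and claim names are hypothetical, and the RSA key is a constructed toy key so the block runs offline. A production verifier would use a vetted JWT library and fetch the keys from the issuer's JWKS endpoint.

```python
import base64, hashlib, json, time

# Hypothetical values: the page defines no issuer URL, audience or claim names.
ISSUER, AUDIENCE = "https://oidc.port.example", "https://deploy.internal.example"
# Constructed toy RSA key (two Mersenne primes) so the demo runs offline. Never use it for real.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D is the issuer's secret, never shared
JWKS = {"demo-key-1": (N, E)}                 # public keys the verifier pins or fetches
K = (N.bit_length() + 7) // 8                 # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo DER

def b64u(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_dec(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(signing_input), as RS256 requires."""
    digest = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (K - len(digest) - 3) + b"\x00" + digest

def issue(claims, header=None):
    """Issuer side (stands in for the proposed provider): sign with the private exponent."""
    header = header or {"alg": "RS256", "kid": "demo-key-1"}
    signing_input = f"{b64u(json.dumps(header).encode())}.{b64u(json.dumps(claims).encode())}"
    sig = pow(int.from_bytes(encoded_message(signing_input.encode()), "big"), D, N)
    return f"{signing_input}.{b64u(sig.to_bytes(K, 'big'))}"

def verify(token, now=None):
    """Downstream side: uses public data only. Returns the claims or raises ValueError."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64u_dec(h)), json.loads(b64u_dec(p))
        alg, kid = header["alg"], str(header["kid"])
        iss, aud, exp = claims.get("iss"), claims.get("aud"), claims.get("exp")
        sig = int.from_bytes(b64u_dec(s), "big")
    except Exception:
        raise ValueError("malformed token") from None
    if alg != "RS256":                        # pin the algorithm: rejects "none" and HS256
        raise ValueError("unexpected alg")
    if kid not in JWKS:
        raise ValueError("unknown key id")
    n, e = JWKS[kid]
    expected = int.from_bytes(encoded_message(f"{h}.{p}".encode()), "big")
    if sig >= n or pow(sig, e, n) != expected:  # rebuild the encoding and compare whole
        raise ValueError("bad signature")
    if iss != ISSUER or aud != AUDIENCE:      # exact match; an aud list fails closed
        raise ValueError("wrong issuer or audience")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims
```

Only after `verify` returns should the downstream system authorize on the claims themselves, for example by allow-listing which action or triggering user may invoke it.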