Feature ideas

Summary Support for concurrent (overlapping) client secrets with configurable time-to-live (TTL) to enable automated, zero-downtime secret rotation. Problem When rotating a Port client secret, the old secret is immediately invalidated upon replacement. In distributed systems, consuming services need time to pick up the new secret value. During this propagation window, services still using the old secret experience authentication failures, causing downtime or errors. Currently, the same secret name cannot hold two valid values simultaneously, and there is no built-in mechanism to set an expiry/lifetime on a secret. While a custom automation can partially work around this, the lack of native support makes automated rotation fragile and error-prone. Proposed Solution Concurrent secrets: Allow at least two valid secrets to coexist for the same credential (e.g., a "primary" and "secondary" key pattern, similar to Azure AD app registrations or AWS IAM access keys). Both secrets should be accepted for authentication until the older one is explicitly revoked or expires. Secret TTL / expiry: Allow an optional time-to-live to be set when creating or rotating a secret. Once the TTL elapses, the secret is automatically invalidated. This enables a "create new → wait for propagation → old expires" workflow without manual cleanup. Rotation API: Expose a secret rotation endpoint (or extend the existing secrets API) that creates a new secret while keeping the previous one valid for a configurable grace period. This would integrate naturally with self-service actions for automated rotation schedules. Use Case As a platform team operating Port integrations across multiple Kubernetes services (Ocean integrations, CronJobs, Lambda functions), we want to automate client secret rotation on a regular cadence via a self-service action. The rotation flow would be: Generate a new secret (old secret remains valid) Propagate the new secret to consuming services (via K8s secrets, SSM parameters, etc.) Old secret expires after a configured grace period (e.g., 24 hours) Without concurrent secret support and TTL, there is always a window where some consumers hold a stale secret, resulting in failed API calls. Alternatives Considered Custom automation with rapid propagation: Rotate the secret and immediately push to all consumers. This is brittle — any delay or failure in propagation causes outages. - Scheduled maintenance window: Coordinate rotation during low-traffic periods. This doesn't scale and defeats the purpose of automation.

When using the Custom Integration: Webhook feature ( https://docs.port.io/build-your-software-catalog/custom-integration/webhook/ ) we have the option of specifying a secret - i.e. for inbound request signature verification. The "secret" value is directly input to the webhook settings screen. When creating a webhook via IaC (e.g. port_webhook resource in Terraform), the secret is exposed in source code! It would improve security if there was support for Port secrets here - i.e. the "secret" value references a secret, rather than having the raw secret value.

The ability to have the Port-hosted integration integrate with a 3rd party secret provider such as Vault

Ocean: The SSL certificate used to proxy HTTPS requests is not fully compliant with the verification rules applied by Python 3.13, but should be.

The Ocean container image runs as user ocean with UID 999 . Some organizations have security policies that prohibit running containers with UIDs below 1000. This restriction blocks deployment unless the default UID is overridden, which can break functionality or impact performance (e.g., issues with certificate updates or /tmp access). Request: Parameterize the UID in the Dockerfile or Helm chart, or provide a supported way to run Ocean with a user UID >= 1000 , to comply with stricter security policies.

Currently, Port's /v1/auth/access_token API requires clientId and clientSecret to be passed in the POST request body. This creates challenges for security-conscious implementations where: Secret masking: Many logging and monitoring systems can mask header values but not POST body content, leading to potential credential exposure in logs OAuth2 standard compliance: The OAuth 2.0 specification (RFC 6749) supports sending client credentials via the Authorization header using Basic authentication Automation workflows: Users building automation flows need to handle credentials securely without introducing additional infrastructure like cloud functions Proposed Solution Add support for passing client credentials via the Authorization header using HTTP Basic Authentication, in addition to the existing POST body method. Example implementation: curl --location --request POST ' https://api.getport.io/v1/auth/access_token ' \ --header 'Authorization: Basic <base64_encoded_clientId:clientSecret>' \ --header 'Content-Type: application/json' This would be in addition to (not replacing) the current method, ensuring backward compatibility. Benefits Enhanced security: Enables credential masking in logs and monitoring systems Standards compliance: Aligns with OAuth 2.0 best practices Simplified automation: Reduces the need for intermediate services to handle authentication Flexibility: Provides users with multiple authentication methods based on their security requirements

To add the ability for users to customize CORS headers in Port’s API settings. This would allow customers to whitelist their own domains and enable browser-based API calls from tools like Docusaurus OpenAPI Docs that support “Try it out” functionality.

Add the ability to hide the password field value in the Kafka tab of the UI. Currently, the password displays in plain text, and users would like it to be masked for security reasons, similar to how client secret is handled after using the REMOVE_SECRETS feature flag

To enhance the security and isolation of our data handling processes, a dedicated Kafka queue will be a necessary feature.