non-human identity control plane

trstctl

Discover, issue, deploy, rotate, revoke, and retire every machine credential from one self-hosted control plane. Private keys stay in an isolated signer process. Audit stays in your infrastructure.

6 · credential families
keys isolated · private keys never join the control plane
0 · cloud control plane required
X.509 + SSH

Certificate issuance, inventory, revocation, and trust distribution.

Secrets + API keys

Ownership, rotation state, audit trail, and blast-radius context.

SPIFFE identities

Workload identity lifecycle across agents and clusters.

Human-safe ops

Idempotent mutations, approvals, outbox delivery, and rollback evidence.
01 / COVERAGE

One register for credentials that humans do not remember.

Certificates, SSH trust, service tokens, API keys, and workload identities usually sprawl across teams and tools. trstctl treats them as one lifecycle with one inventory and one audit trail.

Inventory that knows ownership

Every credential points back to an owner, tenant, source, expiry, risk, and operational state instead of living as an orphaned blob.

Issuance behind a hard boundary

The control plane orchestrates. The signer process holds keys and signs over a constrained channel. That separation is the product, not a deployment detail.

Graph context for risk

See where a credential is used, what it can reach, which systems depend on it, and what breaks if it expires or is revoked.

02 / LIFECYCLE

From discovery to retirement without a side spreadsheet.

The lifecycle is explicit: every state change emits an event, every external action goes through an outbox, and every retry is idempotent.

01

Discover

Agents and connectors find certificates, SSH trust, keys, secrets, and workload identities.

02

Issue

Profiles, policies, approvals, and signer-backed CA custody turn requests into credentials.

03

Deploy

Connectors write to the target only after intent is recorded durably in the outbox.

04

Rotate

Policy-driven renewal keeps expiry from becoming an outage, with retry-safe operations.

05

Retire

Revocation, decommission, and audit close the loop instead of leaving stale trust behind.

03 / ARCHITECTURE

Built around the things you cannot bolt on later.

Tenant isolation, event-sourced state, signer separation, memory discipline, and backpressure are first-order architecture constraints.

Storage isolation at the floor

Every tenant-scoped query is backed by PostgreSQL row-level security, not a best-effort application filter.

Event log as source of truth

Read models and audit trails are projections of immutable events, so state can be rebuilt and inspected.

Bulkheads for every subsystem

Bounded worker pools keep discovery, connectors, policy, API traffic, and external calls from starving one another.

event trace · sample
09:41:22Z request POST /api/v1/issuance
09:41:22Z idem key accepted · operation locked
09:41:23Z policy profile=prod-web · approved=true
09:41:23Z event credential.issue.requested appended
09:41:23Z signer UDS call · key handle only
09:41:23Z event credential.issued appended
09:41:24Z outbox deploy nginx-pool-7 · pending
09:41:24Z result certificate id=crt_7c91 · audit linked
04 / SECURITY POSTURE

Make the safe path the default path.

trstctl is for teams that need automation without losing custody, blast-radius control, or auditability.

Cryptography behind one boundary

Signing, parsing, certificate handling, and secret material stay behind the dedicated internal crypto boundary.

Audit you can replay

Events are immutable; projections can be rebuilt. The audit trail is not a separate story from product state.

Tenant isolation by construction

Database policy enforces the tenant line, so a missed condition is a test failure instead of a customer incident.
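"Storage isolation at the floor" above and this section describe the same mechanism. The following is an added illustration of what such a PostgreSQL tenant floor looks like; it is not trstctl's own schema or migrations, and the table, role and setting names (credentials, trstctl_app, app.tenant_id) are assumptions.

```sql
-- Constructed schema: table, role and setting names are assumptions,
-- not trstctl's. Credential ids follow the crt_* shape seen in the trace.
CREATE TABLE credentials (
    id         text        PRIMARY KEY,
    tenant_id  uuid        NOT NULL,
    owner      text        NOT NULL,
    kind       text        NOT NULL,          -- x509, ssh, api_key, spiffe, ...
    expires_at timestamptz,
    state      text        NOT NULL DEFAULT 'active'
);

-- The control plane connects as a role that does not own the table.
CREATE ROLE trstctl_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE ON credentials TO trstctl_app;

-- ENABLE turns policies on; FORCE makes them apply to the owner as well.
-- Only superusers and roles with BYPASSRLS still skip them.
ALTER TABLE credentials ENABLE ROW LEVEL SECURITY;
ALTER TABLE credentials FORCE  ROW LEVEL SECURITY;

-- One policy is the floor for every statement kind. NULLIF covers the
-- case where the setting is absent or was reset to '' after an earlier
-- transaction: the comparison is then NULL, never true, so a request
-- that forgot to bind its tenant sees and writes nothing. A missing
-- "WHERE tenant_id = ..." in application code cannot widen the result
-- set, because the policy still narrows it.
CREATE POLICY tenant_floor ON credentials
    FOR ALL
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request binding, run as trstctl_app. SET LOCAL is scoped to the
-- transaction, so a pooled connection goes back with no tenant attached.
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-0000000000a1';  -- placeholder tenant
INSERT INTO credentials (id, tenant_id, owner, kind, expires_at)
VALUES ('crt_7c91', '00000000-0000-0000-0000-0000000000a1',
        'web-platform', 'x509', now() + interval '90 days');
SELECT id, owner, expires_at FROM credentials WHERE state = 'active';  -- this tenant only
COMMIT;

-- Outside a bound transaction the same SELECT returns zero rows, and an
-- INSERT carrying another tenant_id is rejected with:
-- ERROR:  new row violates row-level security policy for table "credentials"
```

A test that runs a tenant-scoped query without binding app.tenant_id and expects rows will fail, which is the "test failure instead of a customer incident" property the section describes.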

No silent side effects

External calls are durable intents first, worker actions second. Retry semantics are built into the write path.

~ / local eval
$ git clone https://github.com/ctlplne/trstctl
$ cd trstctl
$ docker compose -f deploy/docker/docker-compose.yml up --build
control plane serving /readyz
signer isolated UDS boundary
PostgreSQL RLS active tenant floor
event log online projection tailing
05 / DEPLOY

Self-host it. Keep the keys close.

Run a local evaluation stack, deploy with Docker or Helm, then connect agents and CA/deployment integrations as your environment grows.

source-available · PostgreSQL-backed · NATS JetStream events · Docker / Helm · agent workers · OpenAPI + gRPC
trstctl.com

Control the credentials your infrastructure already depends on.

Start with discovery. Keep going until issuance, rotation, revocation, and audit are boring.