Credential Lifecycle Management — Redefined

Rotate. Enforce. Never Expire.

Turnkey is the category-defining credential lifecycle platform that handles password rotation, policy enforcement, account lockdowns, and aging governance — so your team can ship without ever worrying about credential drift.

0 Credentials rotated
99.97% Uptime SLA
<50ms Rotation latency
ScaleForge DataMesh NexusOps CloudHarbor IronPeak VaultEdge

Every credential primitive, one platform

From self-service rotation to dormant-account quarantine, Turnkey covers the entire credential surface area.

Self-Service Rotation

Any authenticated user can rotate their own credential in seconds. Zero tickets, zero friction, zero overhead. The turnkey command handles the full lifecycle — current verification, complexity validation, and atomic commit.

Delegated Administration

Authorized administrators can rotate credentials on behalf of any identity with turnkey USER. Bypass current-password verification for forgotten credentials while maintaining full audit trails.

Instant Account Lockdown

Freeze any identity immediately with our -l flag. We prepend a cryptographic marker that invalidates the credential while preserving the underlying hash for instant restoration.

One-Click Restoration

Reverse any lockdown instantly with -u. The previous credential is restored to its exact prior state — no re-enrollment, no reset flows, no user disruption.

Passwordless Mode

Eliminate credential overhead entirely with -d. Set any account to passwordless authentication for environments where alternative auth tokens (SSH keys, certificates) are the primary method.

On-Demand Expiration

Force an immediate credential rotation at next login with -e. Perfect for incident response, compliance sweeps, or onboarding workflows that require first-login credential changes.

Credential Intelligence

Get a real-time status report on any identity with -S. Seven-field intelligence covering account name, lock state, last rotation date, minimum age, maximum age, warning period, and inactivity threshold.

Strength-Gated Acceptance

Every credential passes through our complexity validation engine before commitment. Weak credentials are rejected at the gate — ensuring your organization's security posture never degrades.

Four steps to credential confidence

01. Authenticate

The requesting identity proves ownership by presenting their current credential. Our engine encrypts and validates against the Shadow Vault™ store in real-time.

02. Validate Aging Policy

Turnkey checks the credential's aging metadata — minimum days, maximum days, warning period — to determine if rotation is permitted at this time.

03. Enforce Complexity

The new credential passes through our pluggable authentication modules. Complexity requirements, dictionary checks, and pattern analysis ensure only strong credentials are accepted.

04. Atomic Commit

The validated credential is encrypted and committed to the Shadow Vault in a single atomic operation. Aging counters reset, and audit records are emitted.

Credential lifecycle, visualized

Every credential moves through a deterministic lifecycle governed by your policies. Turnkey gives you full visibility and control at every stage.

Created

A new credential is established. The aging clock starts. Minimum rotation interval enforced via -n MIN_DAYS.

Active

The credential is in its valid window. Users authenticate normally. Status reports via -S show "P" (usable password).

Warning Period

The credential approaches expiration. Proactive alerts fire -w WARN_DAYS before the deadline. Users are urged to rotate.

Expired

Maximum age reached (-x MAX_DAYS). The credential must be rotated at next login. Force immediate expiration with -e.

Inactive / Quarantined

After -i INACTIVE_DAYS beyond expiration, the account is disabled. No sign-on until an administrator intervenes.

Locked

Explicitly locked with -l. A cryptographic prefix invalidates the credential. Unlock with -u to restore instantly.

Configure your credential policy

Drag the sliders to define your organization's credential governance. Turnkey translates your policy into enforceable rules — no YAML, no config files.

Minimum age: 1 day
Maximum age: 90 days
Warning period: 7 days
Inactivity period: 14 days
Generated policy command
$ turnkey -n 1 -x 90 -w 7 -i 14 alice
Timeline: Day 0 to Day 104
99% of Fortune 500 servers run credential management infrastructure compatible with Turnkey
10M+ credential rotations processed per hour across our global fleet
7 intelligence fields per credential status report — lock state, aging, and more
0 plaintext credentials stored — ever. Everything lives in our Shadow Vault™ encrypted store

Scale your credential governance

From individual developers to global enterprises. Every plan includes our Shadow Vault™ encrypted store.

Starter
$0/month

For individuals getting started with credential hygiene.

  • Self-service rotation only
  • 10 rotations/month
  • Basic complexity validation
  • Status reports (-S)
  • No account locking
  • No policy configurator
  • No aging governance
Team
$49/seat/month

Collaborative credential governance at scale.

  • Everything in Pro
  • Delegated admin (turnkey USER)
  • Inactivity quarantine (-i)
  • Bulk status reports (-S -a)
  • PAM module integrations
  • Audit log export
  • SSO / SAML
Enterprise
Custom

Mission-critical credential infrastructure for regulated industries.

  • Everything in Team
  • Dedicated Shadow Vault™ instance
  • Custom PAM module pipeline
  • Chroot isolation (-R)
  • Cross-compilation prefix (-P)
  • 99.99% SLA
  • Dedicated support engineer

See Turnkey in the wild

Self-service rotation
$ turnkey
Changing password for user alice.
Current password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Credential intelligence
# turnkey -S alice
alice P 04/07/2026 1 90 7 14
Account lockdown & restore
# turnkey -l bob
passwd: password expiry information changed.
# turnkey -S bob
bob L 04/07/2026 1 90 7 14
# turnkey -u bob
passwd: password expiry information changed.
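
Added example (not part of the Turnkey page or product): a parser for the seven-field -S status line shown above that maps each account onto the lifecycle stages the page describes. The function names, the MM/DD/YYYY reading of the date field, the treatment of negative values as "not set", and the exact day boundaries are assumptions of this sketch.

```python
from datetime import date, datetime

DATE_FMT = "%m/%d/%Y"  # assumption: month/day/year, as the sample output reads

# The two status lines shown in the page's terminal demos.
SAMPLE = ["alice P 04/07/2026 1 90 7 14", "bob L 04/07/2026 1 90 7 14"]

def parse_status(line):
    """Split a seven-field status line into named, typed fields."""
    parts = line.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    user, flag, changed, *nums = parts
    min_d, max_d, warn_d, inact_d = (int(n) for n in nums)
    return {"user": user, "flag": flag,
            "changed": datetime.strptime(changed, DATE_FMT).date(),
            "min": min_d, "max": max_d, "warn": warn_d, "inactive": inact_d}

def lifecycle_state(st, today):
    """Map parsed fields onto the lifecycle stages named on the page."""
    if st["flag"] == "L":
        return "locked"              # explicit -l wins over any aging state
    if st["flag"] != "P":
        return "no-usable-password"  # anything other than a usable password
    age = (today - st["changed"]).days
    if st["max"] < 0:                # assumption: negative = no maximum age set
        return "active"
    if age >= st["max"]:             # assumption: expiry starts on day MAX_DAYS
        if st["inactive"] >= 0 and age >= st["max"] + st["inactive"]:
            return "inactive"        # past the -i grace period: account disabled
        return "expired"             # must rotate at next login
    if st["warn"] > 0 and age >= st["max"] - st["warn"]:
        return "warning"
    return "active"

def may_rotate(st, today):
    """Self-service rotation is refused until the -n minimum age has passed."""
    return (today - st["changed"]).days >= st["min"]

def report(lines, today):
    """Return (user, state, rotation_allowed) for each status line."""
    parsed = [parse_status(line) for line in lines]
    return [(s["user"], lifecycle_state(s, today), may_rotate(s, today)) for s in parsed]

if __name__ == "__main__":
    for row in report(SAMPLE, date(2026, 6, 30)):
        print(*row)
```

Run over the output of a bulk status report (-S -a), the same function gives a quick audit of which accounts sit in the warning, expired, or inactive windows.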

Trusted by security leaders

★★★★★

"Turnkey's aging governance changed our entire security posture. We went from ad-hoc password resets to a deterministic credential lifecycle — and incident response time dropped by 80%."

Rachel Martinez, CISO at CloudHarbor
★★★★★

"The account lockdown feature is a game-changer. When we detected a compromised credential, one turnkey -l call and the threat was neutralized. Then -u to restore when the investigation was complete. Zero user disruption."

Victor Park, VP of Infrastructure at ScaleForge
★★★★★

"We configured a 90-day max lifetime, 7-day warning period, and 14-day inactivity quarantine. That's our entire compliance posture defined in four flags. Turnkey made SOC 2 almost boring."

Noah Kim, Head of Compliance at DataMesh
★★★★★

"As a solo developer I used to forget about password rotation entirely. The warning period alerts from -w are genuinely a compound security habit. High-leverage, zero overhead."

Jenna Kowalski, Independent Developer

Questions? Answered.

All credentials are stored in our Shadow Vault™ — an encrypted store that never holds plaintext values. We use industry-standard encryption methods (configurable via our pluggable authentication modules) to ensure your credentials are cryptographically secured at rest.

Absolutely. Turnkey operates at the infrastructure level with zero external dependencies. All credential operations are executed locally against your Shadow Vault store. No network connectivity required for core rotation, locking, or status operations.

Complexity validation is fully configurable through our pluggable authentication module (PAM) pipeline. Out of the box, Turnkey rejects credentials that fail dictionary checks, pattern analysis, and minimum entropy thresholds. Enterprise customers can define custom validation rules.

When a credential reaches its maximum age (-x MAX_DAYS), the user is required to rotate at their next login. If the inactivity quarantine (-i INACTIVE_DAYS) is configured, the account is disabled after the specified grace period beyond expiration.

Yes. Turnkey's PAM integration layer connects with any authentication pipeline. Team and Enterprise plans include pre-built modules for NIS, LDAP, and custom authentication backends. Our repository flag (-r) enables multi-backend credential management from a single interface.
