Application credentials allow users to generate their own OpenStack credentials suitable for applications to authenticate to the Identity service, without exposing their main credentials.

Application credentials can be easily revoked or rotated with little or no application downtime, or can even have an automatic expiry time.

To manage application credentials on the command line, you'll need recent versions of the python-openstackclient and python-keystoneclient packages and your main credentials loaded.

The simplest example for creating an application credential is to just pass a name:

$ openstack application credential create mydemo
| Field        | Value                                   |
| description  | None                                    |
| expires_at   | None                                    |
| id           | 0cfa2baa33f546b7bec27f1b7461a1c5        |
| name         | mydemo                                  |
| project_id   | 6d23beae28fc41958a2ba5d5d68eb87f        |
| roles        | Member                                  |
| secret       | ErqiQo4wvf0CxajMkPd66cKmVVoZ93KogQDwBYJ |
| unrestricted | False                                   |

If you wanted to use this new application credential to run OpenStack CLI commands, your environment would require:


It is recommended that you unset all other OS_* environment variables as these can cause problems.

For more details about application credentials, or for information about how to use application credentials in the python-keystoneclient API, see OpenStack's Application Credentials user guide.