Credential.
Any piece of evidence a user, service, or device presents to prove an identity claim — a password, passkey, hardware token, API key, certificate, OTP, or biometric assertion.
Credential is the term that unifies passwords, passkeys, certificates, API keys, and OAuth tokens — they are all evidence a verifier checks. The casual conflation of "credentials" with "username and password" is one reason teams underestimate the scope of credential security; a complete credential inventory in a modern CIAM deployment typically includes 5-10 distinct credential types per user, plus a comparable set for service accounts.
The distinction between credentials and tokens matters operationally. Credentials are enrolled once and revoked rarely; tokens are minted per session and rotate frequently. Compromise of a credential is a long-tail incident (re-enroll the user); compromise of a token is a short-tail incident (wait for expiration, or revoke the issuing session).
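The two incident responses described above, modelled as an added example (not code from this page or from any product). The class and method names are hypothetical, and the cascade that kills live sessions when a credential is revoked is an assumption added here, not something the entry states.

```python
from dataclasses import dataclass, field

@dataclass
class Credential:
    cred_id: str
    user: str
    kind: str              # e.g. "password", "passkey", "api_key"
    revoked: bool = False  # enrolled once, revoked rarely

@dataclass
class Session:
    session_id: str
    cred_id: str           # credential that authenticated this session
    expires_at: int        # epoch seconds; the token is only valid until then
    revoked: bool = False

@dataclass
class IdentityStore:
    credentials: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)

    def enroll(self, cred):
        self.credentials[cred.cred_id] = cred

    def mint(self, session_id, cred_id, now, ttl):
        if self.credentials[cred_id].revoked:
            raise PermissionError("credential revoked; re-enrollment required")
        self.sessions[session_id] = Session(session_id, cred_id, now + ttl)

    def token_valid(self, session_id, now):
        s = self.sessions[session_id]
        return not s.revoked and now < s.expires_at

    def respond_token_compromise(self, session_id):
        # Short tail: revoke the issuing session only; the credential stays enrolled.
        self.sessions[session_id].revoked = True
        return {"revoked_sessions": [session_id], "reenroll": []}

    def respond_credential_compromise(self, cred_id, now):
        # Long tail: the credential is revoked and the user must re-enroll.
        # Assumption: every live session minted from it is revoked as well.
        cred = self.credentials[cred_id]
        cred.revoked = True
        live = [s for s in self.sessions.values()
                if s.cred_id == cred_id and self.token_valid(s.session_id, now)]
        for s in live:
            s.revoked = True
        return {"revoked_sessions": sorted(s.session_id for s in live), "reenroll": [cred.user]}
```

Sessions that have already expired do not appear in the credential-compromise result, which is the "wait for expiration" path for tokens.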
In the guides
Multi-Factor Authentication (MFA): A 2026 Practitioner's Guide
How to roll out MFA in CIAM in 2026: factor selection, adoption, recovery design, anti-patterns, and where SMS OTP no longer meets the standard.
Passkeys Explained: How Synced Credentials Replace Passwords
Passkeys are the user-facing brand for synced WebAuthn credentials. A practical explanation of how they work, sync, recovery, and the deployment patterns that make adoption real.