---
layout: docs
page_title: SSH secrets engine
description: >-
  Securely access machines via the SSH protocol using the SSH secrets engine plugin. It supports signed SSH certificates and one-time password modes.
---

# SSH secrets engine

The Vault SSH secrets engine provides secure authentication and authorization for access to machines via the SSH protocol. The Vault SSH secrets engine helps manage access to machine infrastructure, providing several ways to issue SSH credentials.

The Vault SSH secrets engine supports the following modes. Each mode is individually documented on its own page.

- [Signed SSH Certificates](/vault/docs/secrets/ssh/signed-ssh-certificates)
- [One-time SSH Passwords](/vault/docs/secrets/ssh/one-time-ssh-passwords)

All guides assume a basic familiarity with the SSH protocol.

## Removal of dynamic keys feature

Per [Vault 1.12's deprecation notice page](/vault/docs/v1.12.x/deprecation), the dynamic keys functionality of this engine has been removed in Vault 1.13.

## API

The SSH secrets engine has a full HTTP API. Please see the [SSH secrets engine API](/vault/api-docs/secret/ssh) for more details.