Dynamic claims now support custom environment variables

May 2, 2026

Custom environment variables on Agent Proxy and Aembit CLI can now feed into OIDC and JWT-SVID dynamic claims, gated by an explicit allowlist.

What’s new:

• AEMBIT_ENV_VAR_ALLOWLIST: A new environment variable that defines which custom variables Agent Proxy and Aembit CLI may capture for use in dynamic claims. By default, Agent Proxy and Aembit CLI capture no custom variables.
• Always-available Kubernetes variables: K8S_POD_NAME, K8S_NAMESPACE, and KUBERNETES_PROVIDER_ID are now usable in dynamic claims regardless of the allowlist.

For setup instructions, see Configure custom environment variables for Agent Proxy. For the dynamic claims expression syntax, see OIDC and JWT-SVID dynamic claims.

Tags:

• Enhancement
• Credential Provider

← Back to changelog