Recommendations for best performance

This topic describes recommendations for determining the number of accounts and implementing best caching options to optimize Credential Provider (CP) performance.


These recommendation are relevant for all CPs, namely Credential Provider, Central Credential Provider, and Application Server Credential Provider.

General recommendations

  • We recommend that queries be as specific as possible to improve performance; include as many parameters as you can. Always include the Safe name in a query; including the Safe name in the query reduces the number of Safes that the CP must scan in the Vault.

  • We recommend referring to the following resources, to ensure that you are using supported, compatible CyberArk components:

  • To consume the CP Application Password SDKs, always use dynamic links (rather than static links) . This will avoid the need to rebuild your application when an SDK upgrade is required. For more SDK best practices, see Application Password SDKs - best practices.

Credential Provider capacity

For optimal performance, use the following guidelines:

  • To reduce the load on the Vault / Privilege Cloud, always configure a caching mechanism.

  • Keep the total number of Safes accessed by the CP to a minimum.

  • Keep the number of accounts stored in each Safe to a minimum.

  • PAM - Self-Hosted:

    • When using the CP cache mechanism, the total number of accounts that the CP fetches from the Vault should not exceed 10,000.

      Fetching more than 10,000 accounts increases memory consumption. You might experience some degradation in performance of the CP.

      A CP should not have permission to fetch more than 50,000 accounts from the Vault. Exceeding this limit will cause memory consumption issues and might cause the CP to become unstable.

    • The number of CPs per Vault should not exceed 6,000.

  • Privilege Cloud: Limit the number of applications retrieving secrets from each CP to 500 applications.

Dual accounts

For highly critical applications, we recommend using dual accounts. Dual accounts ensure that there is always a valid credential available to an application, regardless of the password rotation requirements. This is especially recommended for high-load and highly critical applications. Dual accounts are supported with all CP solutions.


For optimal performance, configure each CP as follows:



Refresh the provider configuration settings every 24 hour


Accept up to 40 concurrent requests from the SDK


Utilize a cache file and memory cache


Refresh the cache every 25 minutes


Expire the cache after 1 year


Wait 3001 seconds before executing a password change. (We recommend that you wait more than 2 cache refresh intervals before executing a password change; if CacheRefreshInterval=1500, wait (1500*2) + 1 seconds.)

For more information about how to configure this parameter, see Credential Provider (CP) configuration files.

A password change block must be implemented on the application side to protect against account lockouts during a change.


Reduce the load on the Vault in the event of a failed password change



See Privileged Account Management in the Privileged Access Security online help.