diff --git a/cmd/collectors/storagegrid/rest/client.go b/cmd/collectors/storagegrid/rest/client.go index b725ae7b4..00a495ba8 100644 --- a/cmd/collectors/storagegrid/rest/client.go +++ b/cmd/collectors/storagegrid/rest/client.go @@ -26,18 +26,17 @@ const ( ) type Client struct { - client *http.Client - request *http.Request - buffer *bytes.Buffer - Logger *logging.Logger - baseURL string - Cluster Cluster - username string - token string - Timeout time.Duration - logRest bool // used to log Rest request/response - APIPath string - auth *auth.Credentials + client *http.Client + request *http.Request + buffer *bytes.Buffer + Logger *logging.Logger + baseURL string + Cluster Cluster + token string + Timeout time.Duration + logRest bool // used to log Rest request/response + APIPath string + auth *auth.Credentials } type Cluster struct { @@ -338,13 +337,13 @@ func (c *Client) fetchTokenWithAuthRetry() error { if err != nil { return fmt.Errorf("failed to create auth URL err: %w", err) } - password, err := c.auth.Password() + pollerAuth, err := c.auth.GetPollerAuth() if err != nil { return err } authB := authBody{ - Username: c.username, - Password: password, + Username: pollerAuth.Username, + Password: pollerAuth.Password, } postBody, err := json.Marshal(authB) if err != nil { diff --git a/cmd/tools/rest/client.go b/cmd/tools/rest/client.go index cf69c2d07..aa737db0c 100644 --- a/cmd/tools/rest/client.go +++ b/cmd/tools/rest/client.go 
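Review bot: The new `GetPollerAuth` failure path in fetchTokenWithAuthRetry returns the bare error, while the auth-URL failure just above it is wrapped with context. Wrapping it the same way, e.g. `return fmt.Errorf("failed to get poller credentials err: %w", err)`, lets a credential lookup failure be told apart from a failed token request in the logs. The function starts and ends outside the hunk.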
@@ -31,16 +31,15 @@ const ( ) type Client struct { - client *http.Client - request *http.Request - buffer *bytes.Buffer - Logger *logging.Logger - baseURL string - cluster Cluster - username string - Timeout time.Duration - logRest bool // used to log Rest request/response - auth *auth.Credentials + client *http.Client + request *http.Request + buffer *bytes.Buffer + Logger *logging.Logger + baseURL string + cluster Cluster + Timeout time.Duration + logRest bool // used to log Rest request/response + auth *auth.Credentials } type Cluster struct { @@ -81,13 +80,6 @@ func New(poller *conf.Poller, timeout time.Duration, auth *auth.Credentials) (*C if err != nil { return nil, err } - pollerAuth, err := auth.GetPollerAuth() - if err != nil { - return nil, err - } - if !pollerAuth.IsCert { - client.username = pollerAuth.Username - } transport.DialContext = (&net.Dialer{Timeout: DefaultDialerTimeout}).DialContext httpclient = &http.Client{Transport: transport, Timeout: timeout} client.client = httpclient @@ -135,12 +127,12 @@ func (c *Client) GetRest(request string) ([]byte, error) { return nil, err } c.request.Header.Set("accept", "application/json") - if c.username != "" { - password, err2 := c.auth.Password() - if err2 != nil { - return nil, err2 - } - c.request.SetBasicAuth(c.username, password) + pollerAuth, err := c.auth.GetPollerAuth() + if err != nil { + return nil, err + } + if pollerAuth.Username != "" { + c.request.SetBasicAuth(pollerAuth.Username, pollerAuth.Password) } // ensure that we can change body dynamically c.request.GetBody = func() (io.ReadCloser, error) { @@ -232,11 +224,11 @@ func (c *Client) invokeWithAuthRetry() ([]byte, error) { } if pollerAuth.HasCredentialScript { c.auth.Expire() - password, err2 := c.auth.Password() + pollerAuth2, err2 := c.auth.GetPollerAuth() if err2 != nil { return nil, err2 } - c.request.SetBasicAuth(pollerAuth.Username, password) + c.request.SetBasicAuth(pollerAuth2.Username, pollerAuth2.Password) return doInvoke() } } 
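Review bot: The `!pollerAuth.IsCert` guard that New applied before storing the username is gone, so GetRest now calls SetBasicAuth whenever `pollerAuth.Username` is non-empty. If GetPollerAuth can return a username for a certificate-authenticated poller (not visible here), the request would carry a Basic Authorization header alongside the client certificate. Keeping the old condition, `if !pollerAuth.IsCert && pollerAuth.Username != "" {`, preserves the previous behaviour. GetRest starts and ends outside the hunk.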
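Review bot: The retry branch in invokeWithAuthRetry has no comment saying why the credentials are read a second time, and the name `pollerAuth2` does not tell the reader either. A line such as `// re-read after Expire: the credential script may return a new username as well as a new password` above the second GetPollerAuth call would record that; whether the script can in fact change the username is inferred from this change. The same applies to the matching hunk in pkg/api/ontapi/zapi/client.go. The function starts outside the hunk.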
@@ -246,8 +238,6 @@ func (c *Client) invokeWithAuthRetry() ([]byte, error) { } func downloadSwagger(poller *conf.Poller, path string, url string, verbose bool) (int64, error) { - var restClient *Client - out, err := os.Create(path) if err != nil { return 0, fmt.Errorf("unable to create %s to save swagger.yaml", path) @@ -259,23 +249,18 @@ func downloadSwagger(poller *conf.Poller, path string, url string, verbose bool) } timeout, _ := time.ParseDuration(DefaultTimeout) - if restClient, err = New(poller, timeout, auth.NewCredentials(poller, logging.Get())); err != nil { - return 0, fmt.Errorf("error creating new client %w", err) + credentials := auth.NewCredentials(poller, logging.Get()) + transport, err := credentials.Transport(request) + if err != nil { + return 0, err } + httpclient := &http.Client{Transport: transport, Timeout: timeout} - downClient := &http.Client{Transport: restClient.client.Transport, Timeout: restClient.client.Timeout} - if restClient.username != "" { - password, err2 := restClient.auth.Password() - if err2 != nil { - return 0, err2 - } - request.SetBasicAuth(restClient.username, password) - } if verbose { requestOut, _ := httputil.DumpRequestOut(request, false) - fmt.Printf("REQUEST: %s BY: %s\n%s\n", url, restClient.username, requestOut) + fmt.Printf("REQUEST: %s\n%s\n", url, requestOut) } - response, err := downClient.Do(request) + response, err := httpclient.Do(request) if err != nil { return 0, err } diff --git a/cmd/tools/rest/rest.go b/cmd/tools/rest/rest.go index 416941e52..74e759e1d 100644 --- a/cmd/tools/rest/rest.go +++ b/cmd/tools/rest/rest.go 
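Review bot: When `verbose` is true, `httputil.DumpRequestOut(request, false)` prints every request header, and `credentials.Transport(request)` now runs just before it. If Transport sets basic auth on the request, as its signature suggests, the Authorization header with the base64-encoded password goes to stdout. Dumping a clone with that header masked keeps the debugging output without the secret. Separately, the old client came from New, which set `DefaultDialerTimeout` on the transport; confirm that Transport does the same. downloadSwagger starts and ends outside the hunk.

```go
if verbose {
	// mask credentials before the request is echoed to stdout
	dump := request.Clone(request.Context())
	if dump.Header.Get("Authorization") != "" {
		dump.Header.Set("Authorization", "REDACTED")
	}
	requestOut, _ := httputil.DumpRequestOut(dump, false)
	// … unchanged: fmt.Printf of url and requestOut …
}
```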
@@ -319,7 +319,11 @@ func FetchForCli(client *Client, href string, records *[]any, downloadAll bool, return fmt.Errorf("error making request %w", err) } - *curls = append(*curls, fmt.Sprintf("curl --user %s --insecure '%s%s'", client.username, client.baseURL, href)) + pollerAuth, err := client.auth.GetPollerAuth() + if err != nil { + return err + } + *curls = append(*curls, fmt.Sprintf("curl --user %s --insecure '%s%s'", pollerAuth.Username, client.baseURL, href)) isNonIterRestCall := false value := gjson.GetBytes(getRest, "records") diff --git a/pkg/api/ontapi/zapi/client.go b/pkg/api/ontapi/zapi/client.go index 574568336..ba201f631 100644 --- a/pkg/api/ontapi/zapi/client.go +++ b/pkg/api/ontapi/zapi/client.go @@ -432,11 +432,11 @@ func (c *Client) invokeWithAuthRetry(withTimers bool) (*node.Node, time.Duration // and try again if errors.Is(he, errs.ErrAuthFailed) && pollerAuth.HasCredentialScript { c.auth.Expire() - password, err := c.auth.Password() - if err != nil { - return nil, 0, 0, err + pollerAuth2, err2 := c.auth.GetPollerAuth() + if err2 != nil { + return nil, 0, 0, err2 } - c.request.SetBasicAuth(pollerAuth.Username, password) + c.request.SetBasicAuth(pollerAuth2.Username, pollerAuth2.Password) c.request.Body = io.NopCloser(&buffer) c.request.ContentLength = int64(buffer.Len()) result2, s1, s2, err3 := c.invoke(withTimers) diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go index ae3e8801b..7549ed1e7 100644 --- a/pkg/auth/auth.go +++ b/pkg/auth/auth.go @@ -45,14 +45,6 @@ type Credentials struct { cachedPassword string } -func (c *Credentials) Password() (string, error) { - auth, err := c.GetPollerAuth() - if err != nil { - return "", err - } - return auth.Password, nil -} - // Expire will reset the credential schedule if the receiver has a CredentialsScript // Otherwise it will do nothing. // Resetting the schedule will cause the next call to Password to fetch the credentials 
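Review bot: `pollerAuth.Username` is interpolated into the curl line unquoted and unconditionally. An empty username (presumably the certificate-auth case) yields `curl --user  --insecure …`, and a username with spaces or shell metacharacters yields a command that is not safe to paste. Emit the option only when a username exists and quote it, e.g. `if pollerAuth.Username != "" { user = fmt.Sprintf("--user '%s' ", pollerAuth.Username) }`, then format with `"curl %s--insecure '%s%s'"`. `--insecure` is also printed regardless of the poller's TLS settings, which steers users towards skipping certificate verification. FetchForCli starts and ends outside the hunk.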
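Review bot: The doc comment on Expire in pkg/auth/auth.go still says that resetting the schedule "will cause the next call to Password to fetch the credentials", but this hunk removes Password. It should name the surviving entry point, e.g. `// Resetting the schedule will cause the next call to GetPollerAuth to fetch the credentials`. The comment and Expire itself continue outside the hunk.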
@@ -317,10 +309,13 @@ func handCertificateAuth(c *Credentials, poller *conf.Poller, insecureTLS bool) certPath := poller.SslCert keyPath := poller.SslKey - if certPath == "" { + if certPath == "" || keyPath == "" { o := &options.Options{} options.SetPathsAndHostname(o) pathPrefix = path.Join(o.HomePath, "cert/", o.Hostname) + } + + if certPath == "" { certPath = pathPrefix + ".pem" } if keyPath == "" {
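Review bot: The widened condition `certPath == "" || keyPath == ""` has no comment explaining that pathPrefix feeds both defaults, which is the case the old `certPath == ""` check missed. A line such as `// pathPrefix backs both defaults, so compute it when either path is unset` above the first `if` would keep a later cleanup from narrowing it again. handCertificateAuth starts and ends outside the hunk.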