Credential Requests
When an agent needs a credential it doesn’t have — a 401 on a service, a missing API key — it should never ask the human to paste the secret into chat. Instead it creates a credential request: the human receives a token-gated fill URL, enters the secret on Anima’s page, and the secret goes straight into the vault. The agent polls the request and receives only a reference (plus a masked preview like****1234 to confirm which secret arrived), then uses it via the broker or autofill.
Create a request
--wait on the CLI polls until the request leaves PENDING.
Track and manage
- Status —
credentialRequestStatus(requestId)returnsPENDING | FULFILLED | EXPIRED | DECLINED | CANCELLED, thecredentialIdonce fulfilled, and the masked preview. Never the secret. - List —
credentialRequestListenumerates the org’s requests (agents see only their own). In the console, Vault → Requests shows every ask with its reason, lets you copy a pending fill URL to forward to the right person, and cancel stale requests. - Cancel —
credentialRequestCancel(requestId)invalidates the fill URL immediately.
brokered reveal policy: the human who typed the secret is the last person who ever sees it.