Skip to main content

Credential Requests

When an agent needs a credential it doesn’t have — a 401 on a service, a missing API key — it should never ask the human to paste the secret into chat. Instead it creates a credential request: the human receives a token-gated fill URL, enters the secret on Anima’s page, and the secret goes straight into the vault. The agent polls the request and receives only a reference (plus a masked preview like ****1234 to confirm which secret arrived), then uses it via the broker or autofill.

Create a request

Requests expire (60–3600 s TTL, default 15 minutes). --wait on the CLI polls until the request leaves PENDING.

Track and manage

  • StatuscredentialRequestStatus(requestId) returns PENDING | FULFILLED | EXPIRED | DECLINED | CANCELLED, the credentialId once fulfilled, and the masked preview. Never the secret.
  • ListcredentialRequestList enumerates the org’s requests (agents see only their own). In the console, Vault → Requests shows every ask with its reason, lets you copy a pending fill URL to forward to the right person, and cancel stale requests.
  • CancelcredentialRequestCancel(requestId) invalidates the fill URL immediately.
Secrets submitted through a fill URL default to the brokered reveal policy: the human who typed the secret is the last person who ever sees it.