Skip to main content

Server-Side Credential Use

The strongest way for an agent to use a secret is to never hold it at all. With server-side use, the agent asks Anima to make the outbound HTTPS call; Anima decrypts the credential, injects it into the request on the server, and returns only the upstream response. The plaintext never reaches the agent’s host, its context, or its logs.
Compare this with anima vault exec / anima vault proxy, which inject locally: there the secret reaches your machine’s process (but still never the LLM). Server-side use removes even that.

Configure the credential

A credential is only broker-usable for hosts you bind it to. Fail-closed: with no allowed hosts, every call is refused.
For api_key credentials you can also set authHeader (default Authorization) and authScheme (default Bearer ; empty for raw-key headers like x-api-key). login credentials use their URIs as the allowlist; oauth_token credentials have their own allowedHosts and are always created with the brokered reveal policy. Changing the allowlist later requires org-admin (master) access — an agent that could broaden it could redirect the secret to a host it controls.

Make a brokered call

The response carries status, headers, body (size-capped, truncated flag), with any occurrence of the credential scrubbed. Any Authorization header the caller supplies is discarded and replaced with the real credential.

Guardrails

  • Host allowlist + SSRF guard — https-only, exact host match, DNS-resolved and pinned, private/link-local/metadata ranges blocked, no redirect following.
  • Access control — the caller needs to own the credential or hold a USE-level share. Scoped API keys need the vault:use scope. Brokered POST/PUT/PATCH/DELETE calls run under the agent’s write vault policy.
  • Rate limits — per-credential limits from the stored rateLimit config, with a conservative default so no credential can be fired unbounded.
  • Audit — every call is recorded as broker_use (method, host, status — never the secret); refused calls are recorded as broker_use_denied with the reason, so a probing agent is visible in the access log.

When to use which mechanism

MechanismSecret reachesBest for
Server-side use (vault use)Nothing outside AnimaHTTP APIs, strongest isolation
Browser autofill (extension)The web page’s formLogins on websites
vault exec / vault proxyA local process you spawnCLIs, SDKs, non-HTTP tools
All three keep the secret out of the model’s context. See Vault for the full model.