Server-Side Credential Use
The strongest way for an agent to use a secret is to never hold it at all. With server-side use, the agent asks Anima to make the outbound HTTPS call; Anima decrypts the credential, injects it into the request on the server, and returns only the upstream response. The plaintext never reaches the agent’s host, its context, or its logs.anima vault exec / anima vault proxy, which inject locally: there the secret reaches your machine’s process (but still never the LLM). Server-side use removes even that.
Configure the credential
A credential is only broker-usable for hosts you bind it to. Fail-closed: with no allowed hosts, every call is refused.api_key credentials you can also set authHeader (default Authorization) and authScheme (default Bearer ; empty for raw-key headers like x-api-key). login credentials use their URIs as the allowlist; oauth_token credentials have their own allowedHosts and are always created with the brokered reveal policy.
Changing the allowlist later requires org-admin (master) access — an agent that could broaden it could redirect the secret to a host it controls.
Make a brokered call
status, headers, body (size-capped, truncated flag), with any occurrence of the credential scrubbed. Any Authorization header the caller supplies is discarded and replaced with the real credential.
Guardrails
- Host allowlist + SSRF guard — https-only, exact host match, DNS-resolved and pinned, private/link-local/metadata ranges blocked, no redirect following.
- Access control — the caller needs to own the credential or hold a
USE-level share. Scoped API keys need thevault:usescope. BrokeredPOST/PUT/PATCH/DELETEcalls run under the agent’s write vault policy. - Rate limits — per-credential limits from the stored
rateLimitconfig, with a conservative default so no credential can be fired unbounded. - Audit — every call is recorded as
broker_use(method, host, status — never the secret); refused calls are recorded asbroker_use_deniedwith the reason, so a probing agent is visible in the access log.
When to use which mechanism
| Mechanism | Secret reaches | Best for |
|---|---|---|
Server-side use (vault use) | Nothing outside Anima | HTTP APIs, strongest isolation |
| Browser autofill (extension) | The web page’s form | Logins on websites |
vault exec / vault proxy | A local process you spawn | CLIs, SDKs, non-HTTP tools |
