Credentials bind a provider to a vault secret and an auth strategy. For registry-backed providers, credentials are auto-provisioned when you create a matching secret. Manual credential creation is only needed for custom/non-registry providers or per-tenant host overrides.
create
Create a credential manually.
# Minimal (header auth)
aivault credential create my-api \
--provider my-api \
--secret-ref vault:secret:<secret-id> \
--auth header \
--host api.example.com
# With custom header template
aivault credential create my-api \
--provider my-api \
--secret-ref vault:secret:<secret-id> \
--auth header \
--header-name x-api-key \
--value-template "{{secret}}" \
--host api.example.com
# Query auth
aivault credential create my-api \
--provider my-api \
--secret-ref vault:secret:<secret-id> \
--auth query \
--query-param api_key \
--host api.example.com
# Per-tenant host override (Shopify)
aivault credential create my-shopify \
--provider shopify \
--secret-ref vault:secret:<secret-id> \
--host my-store.myshopify.com
# Multi-header auth
aivault credential create my-datadog \
--provider my-datadog \
--secret-ref vault:secret:<secret-id> \
--auth multi-header \
--auth-header "DD-API-KEY={{api_key}}" \
--auth-header "DD-APPLICATION-KEY={{app_key}}" \
--host api.datadoghq.com
# OAuth2
aivault credential create my-spotify \
--provider spotify \
--secret-ref vault:secret:<secret-id> \
--auth oauth2 \
--grant-type refresh_token \
--token-endpoint https://accounts.spotify.com/api/token \
--host api.spotify.com
# AWS SigV4
aivault credential create my-bedrock \
--provider aws-bedrock \
--secret-ref vault:secret:<secret-id> \
--auth aws-sigv4 \
--aws-service bedrock-runtime \
--aws-region us-east-1 \
--host bedrock-runtime.us-east-1.amazonaws.com
# Workspace-scoped
aivault credential create my-api-staging \
--provider my-api \
--secret-ref vault:secret:<secret-id> \
--auth header \
--host api-staging.example.com \
--workspace-id staging
# Postgres policy ceiling
aivault credential create app-db \
--provider postgres \
--secret-ref vault:secret:<secret-id> \
--host db.example.com:5432 \
--workspace-id staging \
--max-policy-mode read-only
--max-policy-mode is currently supported for Postgres credentials. It accepts read-only,
write, or admin; omitted values default to read-only, and the installed provider must also
support the requested mode before a capability can run.
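The ceiling check described above can be modelled as follows. This is an added illustration, not aivault's own code; it assumes the modes are ordered read-only < write < admin, and `provider_modes` is a hypothetical input listing what the installed provider supports.

```python
from typing import Iterable, Optional, Tuple

# Assumption: the three accepted modes are ordered by privilege, lowest first.
MODES = ("read-only", "write", "admin")
DEFAULT_CEILING = "read-only"  # the page states omitted values default to read-only


def rank(mode: str) -> int:
    """Return the privilege rank of a mode, rejecting values outside the accepted set."""
    if mode not in MODES:
        raise ValueError(f"unknown policy mode: {mode!r}")
    return MODES.index(mode)


def decide(requested: str, ceiling: Optional[str],
           provider_modes: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether a capability that needs `requested` may run.

    ceiling        -- the credential's --max-policy-mode, or None if the flag was omitted
    provider_modes -- modes the installed provider supports (hypothetical input)
    """
    effective = ceiling if ceiling is not None else DEFAULT_CEILING
    # Check 1: the credential's ceiling caps what any capability may request.
    if rank(requested) > rank(effective):
        return False, f"requested {requested} exceeds credential ceiling {effective}"
    # Check 2: raising the ceiling is not enough; the provider must support the mode.
    if requested not in set(provider_modes):
        return False, f"installed provider does not support {requested}"
    return True, f"{requested} allowed under ceiling {effective}"


if __name__ == "__main__":
    # Constructed cases: (requested, --max-policy-mode or None, provider-supported modes)
    cases = [
        ("read-only", None, MODES),          # default ceiling permits reads
        ("write", None, MODES),              # omitted flag means read-only, so denied
        ("write", "write", ("read-only",)),  # ceiling allows it, provider does not
        ("admin", "admin", MODES),           # both conditions met
    ]
    for requested, ceiling, supported in cases:
        print(requested, ceiling, decide(requested, ceiling, supported))
```

Both checks must pass, so a credential created without `--max-policy-mode` stays read-only even when the provider supports more.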
When to create credentials manually
- Custom providers not in the built-in registry
- Per-tenant hosts (e.g. my-store.myshopify.com)
- Multiple accounts for the same provider
- Workspace/group-scoped credential overrides
For registry-backed providers, you typically only need aivault secrets create — the credential is auto-provisioned. If you do create a credential manually for a registry provider, you don’t need to specify --auth (it’s inherited from the registry).
list
List configured credentials.
aivault credential list
aivault credential list -v # full JSON detail
delete
Delete a credential.
aivault credential delete <id>