> ## Documentation Index
> Fetch the complete documentation index at: https://aivault.moldable.sh/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Credentials

> Manage provider credentials that bind secrets to auth strategies.

Credentials bind a provider to a vault secret and an auth strategy. For registry-backed providers, credentials are auto-provisioned when you create a matching secret. Manual credential creation is only needed for custom/non-registry providers or per-tenant host overrides.

## create

Create a credential manually.

```bash theme={null}
# Minimal (header auth)
aivault credential create my-api \
  --provider my-api \
  --secret-ref vault:secret:<secret-id> \
  --auth header \
  --host api.example.com

# With custom header template
aivault credential create my-api \
  --provider my-api \
  --secret-ref vault:secret:<secret-id> \
  --auth header \
  --header-name x-api-key \
  --value-template "{{secret}}" \
  --host api.example.com

# Query auth
aivault credential create my-api \
  --provider my-api \
  --secret-ref vault:secret:<secret-id> \
  --auth query \
  --query-param api_key \
  --host api.example.com

# Per-tenant host override (Shopify)
aivault credential create my-shopify \
  --provider shopify \
  --secret-ref vault:secret:<secret-id> \
  --host my-store.myshopify.com

# Multi-header auth
aivault credential create my-datadog \
  --provider my-datadog \
  --secret-ref vault:secret:<secret-id> \
  --auth multi-header \
  --auth-header "DD-API-KEY={{api_key}}" \
  --auth-header "DD-APPLICATION-KEY={{app_key}}" \
  --host api.datadoghq.com

# OAuth2
aivault credential create my-spotify \
  --provider spotify \
  --secret-ref vault:secret:<secret-id> \
  --auth oauth2 \
  --grant-type refresh_token \
  --token-endpoint https://accounts.spotify.com/api/token \
  --host api.spotify.com

# AWS SigV4
aivault credential create my-bedrock \
  --provider aws-bedrock \
  --secret-ref vault:secret:<secret-id> \
  --auth aws-sigv4 \
  --aws-service bedrock-runtime \
  --aws-region us-east-1 \
  --host bedrock-runtime.us-east-1.amazonaws.com

# Workspace-scoped
aivault credential create my-api-staging \
  --provider my-api \
  --secret-ref vault:secret:<secret-id> \
  --auth header \
  --host api-staging.example.com \
  --workspace-id staging

# Postgres policy ceiling
aivault credential create app-db \
  --provider postgres \
  --secret-ref vault:secret:<secret-id> \
  --host db.example.com:5432 \
  --workspace-id staging \
  --max-policy-mode read-only
```

`--max-policy-mode` is currently supported for Postgres credentials. It accepts `read-only`,
`write`, or `admin`; omitted values default to `read-only`, and the installed provider must also
support the requested mode before a capability can run.

### When to create credentials manually

* **Custom providers** not in the built-in registry
* **Per-tenant hosts** (e.g. `my-store.myshopify.com`)
* **Multiple accounts** for the same provider
* **Workspace/group-scoped** credential overrides

For registry-backed providers, you typically only need `aivault secrets create` — the credential is auto-provisioned. If you do create a credential manually for a registry provider, you don't need to specify `--auth` (it's inherited from the registry).

## list

List configured credentials.

```bash theme={null}
aivault credential list
aivault credential list -v   # full JSON detail
```

## delete

Delete a credential.

```bash theme={null}
aivault credential delete <id>
```

Next: [Capabilities](/cli/capabilities)
