hiveloom credential

Stores the provider API keys that agents use for inference. Hiveloom never accepts a secret as a CLI flag — every value is read from an environment variable, a file, or stdin.

Synopsis

hiveloom credential [GLOBAL FLAGS] <COMMAND>

Global flags

Subcommands

Storing a credential

The value comes from one of three sources:

Examples

From an env var (most common):

export ANTHROPIC_API_KEY="sk-ant-..."
hiveloom credential set --name anthropic-default --from-env ANTHROPIC_API_KEY
unset ANTHROPIC_API_KEY        # don't leave it in your shell history

From a file (e.g. piped from a secret manager):

op read "op://Engineering/anthropic/api-key" > /tmp/anth.key
hiveloom credential set --name anthropic-default --from-file /tmp/anth.key
shred -u /tmp/anth.key

From stdin:

echo "sk-ant-..." | hiveloom credential set --name anthropic-default

List, rotate, remove

hiveloom credential list                # names only
hiveloom credential rotate --name anthropic-default --from-env ANTHROPIC_API_KEY
hiveloom credential remove --name anthropic-default

Provider model-id formats

When you use the credential from an agent, the model ID format is provider-specific:

See Store an LLM credential for the guided walkthrough.

Storage

Credentials are encrypted at rest with the per-instance master key under <data-dir>/master.key. Plaintext only exists in memory at request time and is scrubbed from logs. They never leave the tenant container.