hiveloom credential

Stores the provider API keys that agents use for inference. Hiveloom never accepts a secret as a CLI flag — every value is read from an environment variable, a file, or stdin.

Synopsis

hiveloom credential [GLOBAL FLAGS] <COMMAND>

Global flags

Subcommands

Storing a credential

The value comes from one of three sources:

Examples

From an env var (most common):

export ANTHROPIC_API_KEY="sk-ant-..."
hiveloom credential set --name anthropic-default --from-env ANTHROPIC_API_KEY
unset ANTHROPIC_API_KEY        # don't leave it in your shell history

From a file (e.g. piped from a secret manager):

op read "op://Engineering/anthropic/api-key" > /tmp/anth.key
hiveloom credential set --name anthropic-default --from-file /tmp/anth.key
shred -u /tmp/anth.key

From stdin:

echo "sk-ant-..." | hiveloom credential set --name anthropic-default

List, rotate, remove

hiveloom credential list                # names only
hiveloom credential rotate --name anthropic-default --from-env ANTHROPIC_API_KEY
hiveloom credential remove --name anthropic-default

Credential names and model IDs

Hiveloom picks the HTTP client purely from the model ID: IDs starting with claude- use the credential named anthropic; everything else uses openai. For OpenRouter, Groq, Ollama, vLLM, LiteLLM, and other OpenAPI-spec-compatible upstreams, redirect the client by setting HIVELOOM_OPENAI_BASE_URL on the serve process.

Use a different model provider →

Storage

Credentials are encrypted at rest with the per-instance master key under <data-dir>/master.key. Plaintext only exists in memory at request time and is scrubbed from logs. They never leave the tenant container.