Platform
Platform Overview Maps Memory Shadow Mode Widget Governance Actions
Developers
Overview Catalog Guardrails Dry Run Idempotency Credentials Audit Trail API Reference
Company
About Blog Contact Book a Demo
Runtime — Credentials

Your agent never
touches secrets.

Credentials for every provider are stored encrypted in the Cerebral vault. When your agent calls an action, the credential is resolved at execution time and injected directly into the provider call. Your agent code never sees an API key, OAuth token, or password. Ever.

No secrets in your agent.
No secrets in your logs.
No secrets in your code.
API Docs → Get API Access
How it works

Stored once.
Resolved at execution time.

You add credentials for a provider once — through the Cerebral dashboard or API. They're encrypted and stored in the vault. From that point, your agent just calls verbs. Credential resolution happens at the runtime layer, invisibly, on every action call.

action call — no credentials in payload
# Your agent calls an action
# No API key. No token. No secret.
POST /v1/runtime/actions/run
X-API-Key: sk_live_...
{
  "verb": "shopify:create_order",
  "args": {
    "customer_id": "cust_abc",
    "line_items": [...]
  }
}
# Runtime resolves credentials internally
# Injects Shopify API key at call time
# Provider never sees your agent code
# Response
{
  "success": true,
  "order_id": "gid://shopify/Order/5678",
  "credential_source": "vault"
}
Encrypted at rest
All credentials are encrypted before storage. The vault uses KMS-backed encryption. Keys are never stored in plaintext anywhere in the system.
Never logged
Credentials are masked before any audit log entry is written. Your audit trail records what action ran and what arguments were passed — without ever capturing the secret that authorized it.
Tenant-scoped resolution
Credentials are resolved from your tenant scope. Your Shopify credential never resolves on another tenant's execution. Isolation is enforced at the vault layer, not application logic.
OAuth tokens refreshed automatically
OAuth integrations have their tokens refreshed transparently before expiry. Your agent never fails with a 401 because a token expired mid-workflow.
Security posture

Your agent code is
not a credential surface.

Most agent implementations have secrets in environment variables, in code, in LLM context, or in logs. Every one of those is a potential exposure. Cerebral credential management removes the entire category.

Without Cerebral
API keys in environment variables
Secrets passed into LLM context
Keys visible in agent code and logs
Token refresh logic you have to build
No isolation between tenants
With Cerebral
Credentials stored in encrypted vault
Agent code never sees secrets
Masked before audit log is written
OAuth tokens refreshed automatically
Tenant-scoped at vault layer
Supported credential types
API Key / Secret Key
OAuth 2.0 (auto-refresh)
Bearer token
Basic auth (user/pass)
Custom header credentials
Webhook signing secrets

Secrets in the vault.
Not in your agent.

Add your credentials once. Every action call resolves them automatically. Your agent code stays clean. Get API access and remove secrets from your attack surface.

API Docs → ← Back to Developers