Primitive/credentials
[ Primitive ]

Introducing /credentials: Secure credential storage, scoping, and rotation for AI agents

Encrypted credential vault for AI agents — per-Employee scoping, automatic rotation, and audit logs on every access. The credential layer for the Company → Employee → Primitive runtime.

Dennis Zax·Published April 14, 2026·4 min read·/credentials
TL;DR
  • /credentials encrypted credential storage for AI Employees, scoped per-Employee per-service
  • Per-Employee scoping credentials are bound to one Employee; sibling Employees never read each other's secrets
  • Automatic rotation supported services (AWS, GitHub, Stripe, etc.) rotate on a configurable cadence
  • Audit-logged access every read and write generates an audit event with timestamp, Employee, and reason
  • Refresh identity call refresh_identity to rebuild scaffolding files after credential or profile changes
  • Composes with every primitive that authenticates /browser, /integrations, /cards, /kyc

Today we're launching /credentials — the encrypted credential vault for AI Employees. Every secret bound to an Employee, every access audit-logged, every rotation propagated. The credential layer that makes the rest of the Naïve runtime trustworthy.

The problem: agents need 50+ secrets, plaintext is malpractice

A single autonomous business depends on dozens of credentials. Stripe API keys, GitHub tokens, vendor portal logins, OAuth refresh tokens, SMTP passwords, browser cookies. Storing them in environment variables, dotfiles, or plaintext database rows is malpractice — the moment one Employee gets prompt-injected, the blast radius is the entire credential set.

The status quo:

  • Environment variables — works for one developer; doesn't scope per-Employee, doesn't rotate, doesn't audit.
  • General-purpose secret managers (Doppler, 1Password Connect, HashiCorp Vault) — strong, but not agent-aware. Every Employee fetches from one shared vault; isolation is a developer-side discipline.
  • DIY — encrypted blobs in your database, KMS keys, an audit table. Works in theory; in practice, every team writing it gets at least one of the three (encryption, scoping, audit) wrong.

The reason it stays hard is that secrets in an agent context need three properties at once: per-Employee scoping (to bound the blast radius), audit-on-access (so you can prove a leaked secret came from one specific run), and rotation propagation (so a compromised credential doesn't sit exposed for 90 days). Every existing tool has at most two.

Until now. With /credentials, all three are runtime guarantees.

How /credentials works

The workflow is three steps:

  1. Storestore_credential with a reference name, a payload, and an Employee ID. The payload is encrypted with envelope encryption (KMS-backed) and stored.
  2. Retrieveget_credential by reference. The runtime decrypts and returns; the access is logged with the calling Employee and a reason.
  3. Rotate — for supported services, rotation runs automatically. Manual rotation is a single call; dependent Employees receive the update in seconds.

Per-Employee scoping is the default

Most credential leaks in agent systems aren't from the vault — they're from one Employee accidentally seeing another Employee's secrets. /credentials enforces scoping at the runtime level:

# Employee A stores a credential
naive credentials store \
  --employee emp_A \
  --ref stripe_api_key \
  --value "sk_live_..." \
  --reason "Stripe Atlas integration setup"

# Employee B tries to read it
naive credentials get --ref stripe_api_key --employee emp_B
# → Error: credential not in scope (403)

Sibling Employees can't even enumerate each other's credentials — list_credentials returns only what's scoped to the calling Employee.

For credentials that genuinely need to be shared (e.g. a Company-wide brand asset CDN token), explicitly mark them as companyScoped: true. Audit logs still fire on every read, identifying which Employee accessed.

Automatic rotation, propagated to runtimes

Long-lived credentials are a security debt. /credentials supports automatic rotation for a growing list of services — AWS IAM keys, GitHub fine-grained tokens, Stripe restricted keys, Slack bot tokens, OpenAI keys, others.

naive credentials store \
  --employee emp_01HXY... \
  --ref aws_iam_key \
  --value '{"accessKeyId":"...","secretAccessKey":"..."}' \
  --service aws \
  --rotation-cadence-days 30

# 30 days later, Naïve rotates against the AWS API,
# updates the stored value, and notifies dependent runtimes.

The Employee's running session receives the rotated value within seconds via the runtime's credential subscription. No restart, no re-auth dance, no credential expiring mid-run.

Audit logs on every access

Every read of a credential generates an audit event:

{
  credentialRef: "stripe_api_key",
  employeeId: "emp_A",
  accessedAt: "2026-04-14T18:22:14Z",
  reason: "scheduled subscription billing run",
  callerSessionId: "sess_...",
}

The audit stream is queryable per-Employee, per-credential, per-time-range. For SOC 2 evidence collection, the credential audit log is the artifact most teams hand to auditors.

Refresh identity after credential changes

When credentials change in a way that affects the Employee's runtime (e.g. a new email password, a new social media account), call refresh_identity to regenerate the Employee's scaffolding files (CLAUDE.md, HEARTBEAT.md, PERSONA.md) so the new context propagates to the next loop:

naive credentials refresh-identity --employee emp_01HXY...

This is the one call that keeps the Employee's prompt context in sync with reality after a vault change.

What you can build with /credentials

Compose authenticated primitive calls without leaking secrets to model context — Pair /credentials with /browser so login credentials get pulled at session-start time, used inside the CDP context, and never appear in the agent's prompt.

Run rotating-key disciplines for production agent businesses — AWS, GitHub, Stripe, Slack — all rotate every 30 days, with dependent Employees receiving the new keys in real time.

Provide auditable evidence for SOC 2 compliance — The credential access audit log is the single artifact most enterprise customers want to see. Every read, every Employee, every reason — exportable.

Sandbox high-risk Employees with one-off credentials — Issue a one-time-use credential to a new Employee, watch the audit log, expire after the run.

Bind credentials to /kyc-verified Employees — The runtime can refuse to issue or expose a credential to an Employee that hasn't passed /kyc. Useful for credentials that imply legal authority (e.g. card issuing keys, banking API access).

Get started

Frequently Asked Questions
What is /credentials?+
/credentials is the Naïve primitive for storing, scoping, and rotating secrets used by AI Employees. It supports API keys, OAuth tokens, login credentials, certificates, and any structured secret. Every credential is encrypted at rest, scoped to one Employee, and audit-logged on access.
How does /credentials work?+
Call store_credential with a reference name, a secret payload, and an Employee ID. The secret is encrypted with envelope encryption (KMS-backed) and stored. Call get_credential by reference to retrieve. Every access is logged with the calling Employee, timestamp, and a reason field.
Can multiple Employees share a credential?+
By default, no. Credentials are scoped per-Employee. For shared credentials (e.g. a Company-wide Stripe API key), explicitly mark the credential as company-scoped and the runtime allows any Employee in the Company to read — still audit-logged, still revocable per-Employee.
Does Naïve support automatic rotation?+
Yes, for supported services. AWS access keys, GitHub tokens, Stripe restricted keys, and a growing list of others rotate automatically on a configurable cadence (default 90 days). Rotated credentials propagate to dependent Employees within seconds.
How much does /credentials cost?+
Credential storage is included in the base subscription. Rotations are billed per-rotation for managed services. See the pricing page for current rates.
What's the difference between /credentials and Doppler, 1Password, or HashiCorp Vault?+
Doppler, 1Password, and Vault are general-purpose secret managers — strong, but not agent-aware. /credentials is built around the Employee identity model: every credential binds to an Employee, audit logs reference the Employee, rotation propagates to Employee runtimes. The primitive composes directly with /browser, /integrations, and every other auth-requiring primitive.
How do I get started with /credentials?+
Run naive credentials store --employee emp_01HXY... --ref stripe_api_key --value sk_live_... and the credential is encrypted and stored. The full quickstart is at usenaive.ai/docs/getting-started/quickstart.
DZ
Dennis ZaxCTO

CTO of Naïve. Building the open-source agent runtime.

@denniszax