Overview
Hive includes a credential store for API keys, OAuth tokens, and multi-key secrets. The store is intentionally separate from tool logic:
- The store keeps and resolves credential values
- Tools define how those values are injected (headers, params, payloads)
Core Concepts
- CredentialStore: main API for save/load/refresh/resolve
- CredentialObject: credential record that can contain multiple keys
- CredentialStorage: backend interface (encrypted files, env vars, vault, composite)
- CredentialProvider: lifecycle integration for refresh and validation
Quick Start
Template Resolution
Use credential templates in request definitions:
- {{credential_id}} resolves the default key
- {{credential_id.key_name}} resolves a specific key
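Added example, not Hive's own code: a minimal resolver for the two template forms above that fails closed on unknown ids, unknown keys and malformed templates. The record layout, the default_key field and every name below are assumptions of this example.

```python
import re

# Constructed sample records. The layout (a "default_key" name plus a "keys"
# map) is an assumption of this example, not Hive's CredentialObject schema.
SAMPLE_CREDENTIALS = {
    "github": {"default_key": "token", "keys": {"token": "example-gh-token"}},
    "aws": {"default_key": "access_key_id",
            "keys": {"access_key_id": "example-key-id",
                     "secret_access_key": "example-secret"}},
}

# {{credential_id}} or {{credential_id.key_name}}; names limited to [A-Za-z0-9_-].
TEMPLATE_RE = re.compile(r"\{\{([A-Za-z0-9_-]+)(?:\.([A-Za-z0-9_-]+))?\}\}")


class UnresolvedCredential(LookupError):
    """Raised so a literal '{{...}}' is never sent upstream as a secret."""


def resolve_templates(text, credentials):
    """Resolve every template in text, failing closed on anything unknown."""
    # Reject braces the pattern does not cover (typos, stray whitespace).
    if "{{" in TEMPLATE_RE.sub("", text):
        raise UnresolvedCredential("malformed credential template")

    def substitute(match):
        cred_id, key_name = match.group(1), match.group(2)
        record = credentials.get(cred_id)
        if record is None:
            raise UnresolvedCredential(f"unknown credential id: {cred_id}")
        key_name = key_name or record["default_key"]
        if key_name not in record["keys"]:
            # Report the reference only; never echo stored values in errors.
            raise UnresolvedCredential(f"{cred_id} has no key {key_name}")
        return record["keys"][key_name]

    # Single pass: a secret that itself contains '{{...}}' is not re-expanded.
    return TEMPLATE_RE.sub(substitute, text)


def resolve_headers(headers, credentials):
    """Resolve templates in each header value of a request definition."""
    return {name: resolve_templates(value, credentials)
            for name, value in headers.items()}
```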
Storage Backends
Encrypted File Storage (recommended)
Use encrypted local storage for production-like local environments:
- Path default: ~/.hive/credentials
- Encryption key via HIVE_CREDENTIAL_KEY
EnvVar Storage
Use existing environment variables as read-only credentials for compatibility.
Composite Storage
Layer storages with fallback behavior, for example encrypted files as primary and env vars as fallback.
HashiCorp Vault
Use Vault storage for enterprise secret management.
OAuth2 and Auto-Refresh
Credentials can be linked to providers for refresh/validation:
- Save tokens with provider_id
- Enable auto_refresh
- Call store.get(...) and let provider logic refresh when needed
Best Practices
- Use encrypted storage outside test environments
- Keep provider-specific refresh logic in providers, not tool code
- Never commit credential values into repositories
- Add tests for token expiry and refresh paths