Credential Provisioning

Provision scoped credentials directly from vendor APIs, then automatically wrap them as governed passports.

Functions

provision(provider, request)

Create a new credential via a vendor API.

provisionAndCreatePassport(vault, provider, request, actor)

Provision a credential and immediately store it as a passport in the vault.

rotateCredential(vault, provider, passportId, actor)

Rotate an existing credential: provision a new one, update the passport, revoke the old key at the source.

revokeAtSource(provider, credentialId)

Revoke a credential directly at the vendor API.

listProviderKeys(provider)

List existing credentials from the vendor.

validateProviderAuth(provider)

Verify that stored admin credentials for a provider are valid.

getProviderCapabilities(provider)

Check what operations a provider supports (create, rotate, revoke, list).

Supported Providers

| Provider | Capabilities |
| --- | --- |
| OpenAIProvider | Create, rotate, revoke, list |
| AWSProvider | Create, rotate, revoke, list |
| GoogleCloudProvider | Create, rotate, revoke, list |
| AzureEntraProvider | Create, rotate, revoke |
| GitHubProvider | Create, revoke, list |
| TwilioProvider | Create, rotate, revoke |
| SendGridProvider | Create, revoke, list |
| AnthropicProvider | Create, rotate, revoke, list |

Admin credentials for each provider are stored via idw auth bootstrap <provider>.
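
The rotation order given for rotateCredential (provision new, update the passport, revoke the old key at the source), gated on the capability table above, as an added example that is not the project's own code. The in-memory `makeProvider`, `makeVault`, `rotate` and `CAPABILITIES` are hypothetical stand-ins and do not reflect the library's real signatures or return shapes.

```javascript
// Added example: in-memory stand-ins, not the real vendor APIs or vault.
// Capability sets copied from the Supported Providers table (two rows only).
const CAPABILITIES = {
  AWSProvider: ["create", "rotate", "revoke", "list"],
  GitHubProvider: ["create", "revoke", "list"],
};

// Hypothetical provider: issues keys and tracks which are still live at the source.
function makeProvider(name) {
  const live = new Set();
  let n = 0;
  return {
    name,
    live,
    provision() { const id = `${name}-key-${++n}`; live.add(id); return { credentialId: id }; },
    revokeAtSource(id) { live.delete(id); },
  };
}

// Hypothetical vault: passportId -> credentialId, plus an audit trail of updates.
function makeVault() {
  const passports = new Map();
  const audit = [];
  return {
    passports,
    audit,
    update(passportId, credentialId, actor) {
      if (!passports.has(passportId)) throw new Error("unknown passport");
      passports.set(passportId, credentialId);
      audit.push({ passportId, credentialId, actor });
    },
  };
}

// Rotation in the documented order: provision new, update passport, revoke old.
function rotate(vault, provider, passportId, actor) {
  if (!CAPABILITIES[provider.name].includes("rotate")) {
    throw new Error(`${provider.name} does not support rotate`);
  }
  const oldId = vault.passports.get(passportId);
  const fresh = provider.provision();
  try {
    vault.update(passportId, fresh.credentialId, actor);
  } catch (err) {
    provider.revokeAtSource(fresh.credentialId); // do not leave an untracked live key
    throw err;
  }
  provider.revokeAtSource(oldId); // only once the passport points at the new key
  return { oldId, newId: fresh.credentialId };
}
```

Revoking the old key last means a failed passport update never leaves the passport pointing at a dead credential, and the rollback in the `catch` keeps a freshly issued key from staying live outside the vault.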