Controls which environment variables (API keys, tokens) are visible to which tool domains.
By default, all agent .env variables are available to all tools ("legacy mode"). When you add a credentials block to an agent's IDENTITY.md frontmatter, only explicitly granted keys are available ("strict mode").
credentials:
grants:
<grant-name>:
keys: [ENV_KEY_1, ENV_KEY_2] # Required: env var names from .env
tools: [web, shell] # Required: tool domains that receive these keys
approval: required # Optional: withheld until user approves (future)---
name: Billing Agent
credentials:
grants:
braintree-read:
keys: [BRAINTREE_MERCHANT_ID, BRAINTREE_PUBLIC_KEY]
tools: [web]
email:
keys: [POSTMARK_SERVER_TOKEN]
tools: [web]
sensitive:
keys: [WIRE_ACCOUNT_NUMBER]
tools: [web]
approval: required
---In this example:
webtools receiveBRAINTREE_MERCHANT_ID,BRAINTREE_PUBLIC_KEY, andPOSTMARK_SERVER_TOKENWIRE_ACCOUNT_NUMBERrequires explicit approval before being passed to toolsshelltools receive no credentials (not granted)BRAINTREE_PRIVATE_KEYis never exposed (not in any grant)
Valid tool domain names: memory, workspace, web, shell, tasks, introspection, models, a2a, scratchpad
Agents without a credentials block continue to work exactly as before — all .env values are available to all tool domains.
Generate a starting credentials block from an existing .env:
mastersof-ai credentials migrate <agent-name>This outputs a YAML block granting all keys to web. Edit to split by sensitivity level.
- Agent
.envis loaded byloadAgentEnv()(dotenvx decryption) - Frontmatter
credentialsis parsed byAgentFrontmatterSchema CredentialStoreis created with env vars + credentials config- Each tool domain calls
store.resolveFlat(domain)to get its scoped env - Shell tools use
store.toFlatEnv()(filtered separately bybuildShellEnv())
When a logger is available (serve mode), credential resolution events are logged:
- Domain, grant names matched, and keys returned
- Category:
tool, event:credentials.resolved