Credential Management

Centralized management of API Key / OAuth Token / Cookie · Encryption / rotation / audit

A Credential = sensitive information used by Evose calling external services. Centralized management + field-level encryption + audit + fine-grained authorization.

Credential Types

Type	Use
API Key	SaaS API calls (OpenAI / SendGrid / internal APIs)
OAuth Token	User-authorized third-party access (Google / Feishu / DingTalk)
Cookie / Session	Sites that require a logged-in session
Custom	SAML / custom headers / multi-field combinations

Security Mechanisms

Mechanism	Description
Field-level encryption	AES-256 in DB
Decrypt on use	Decrypted only at call time, never persisted
Audit logs	Who / when / which tool / which Agent used it
Rotation support	One-click replace; smooth swap of old/new
Forced update notifications	Notified proactively on near-expiry / leak

Register a Credential

Name: openai_prod
Type: API Key
Value: sk-xxxxxxxxxxxxxxxxxxxx
Description: OpenAI production key, used by business calls
Scope: Tool [GPT call], Agent [CS Pro]

Naming convention

Suggested format: {service}_{env} e.g. openai_prod / sendgrid_dev / crm_staging. Eases auditing and rotation.

Reference in Tools

In tool config, use placeholders, never plaintext:

URL:   https://api.openai.com/v1/chat/completions
Auth:  Bearer {{credential:openai_prod}}

Usage Tracking

The credential detail page shows:

Which tools / Agents / Workflows reference it
The most recent N call records
Call source (workspace / user)

→ Look here before rotating to assess impact.

Rotation Flow

In the external service (e.g. OpenAI console), generate a new key
In the Evose credential detail → Rotate → input the new value
The system swaps gradually: new calls use the new key; in-flight old keys finish naturally
After 24 hours, confirm no errors → fully retire the old key

Credential vs API Key Management (Layer 1)

Easy to confuse:

	Credential (this page · Layer 3)	API Key Management (Org · Layer 1)
Direction	Evose calls external	External calls Evose
Examples	OpenAI Key, SendGrid Key	The Evose API Key you give the customer system
Encryption	Field-level encrypted	Same secure handling
Audit	Whose credential was used	Who called the Evose API

Anti-Patterns

Multiple Agents share one key without per-workspace separation — hard to track, hard to rate-limit
Credentials written into "test URL" of the tool — URL ends up in logs
Production key reused in dev workspace — distinguish with _prod _dev

Next Steps

Configure resource policies → Resource policy ACL
Tools referencing credentials → Workspace · Tools

Credential Management

On this page