Credential Vault

Overview

Each Identity has two encrypted storage systems:

• Passwords — website credentials (domain + username + password)
• Secrets — key-value secrets (API keys, environment variables, tokens)

Both are E2E-encrypted. The server never sees plaintext values. The CLI handles encryption and decryption transparently using your PIN-derived keys.

Passwords

Store and retrieve website credentials. Ideal for services your agent signs up for.

Create a password entry

# Auto-generate a password
ravi passwords create example.com --json

# With specific credentials
ravi passwords create example.com \
  --username "agent@in.ravi.app" \
  --password "S3cret!" \
  --notes "Created during onboarding" \
  --json

Create flags: --username, --password, --generate, --length (default: 16), --no-special, --no-digits, --exclude-chars, --notes

List passwords

ravi passwords list --json

[
  {
    "uuid": "abc-123",
    "domain": "example.com",
    "username": "agent@in.ravi.app",
    "created_dt": "2026-02-25T10:30:00Z"
  }
]

Passwords are hidden in list view for security.

Retrieve a password

ravi passwords get <uuid> --json

{
  "uuid": "abc-123",
  "domain": "example.com",
  "username": "agent@in.ravi.app",
  "password": "S3cret!",
  "notes": "Created during onboarding",
  "created_dt": "2026-02-25T10:30:00Z"
}

Update and delete

# Update a field
ravi passwords edit <uuid> --password "NewPass!" --json

# Delete an entry
ravi passwords delete <uuid> --json

Generate a password without storing

ravi passwords generate --length 24 --json

Secrets

Store key-value secrets like API keys, tokens, and environment variables.

Store a secret

ravi secrets set OPENAI_API_KEY "sk-abc123..." --json

Retrieve a secret

ravi secrets get OPENAI_API_KEY --json

{
  "uuid": "def-456",
  "key": "OPENAI_API_KEY",
  "value": "sk-abc123...",
  "notes": "",
  "created_dt": "2026-02-25T10:30:00Z"
}

List all secrets

ravi secrets list --json

Values are redacted in list view — only keys and metadata are shown.

Delete a secret

ravi secrets delete OPENAI_API_KEY --json

Passwords vs. Secrets

Use case	Store in	Example
Website login credentials	Passwords	ravi passwords create github.com
API keys and tokens	Secrets	ravi secrets set GITHUB_TOKEN "ghp_..."
Environment variables	Secrets	ravi secrets set DATABASE_URL "postgres://..."
Service accounts with username/password	Passwords	ravi passwords create aws.amazon.com --username admin

Rule of thumb: if it has a domain + username + password, use Passwords. If it’s a key-value pair, use Secrets.

Domain cleaning

When creating password entries, the CLI auto-cleans URLs to base domains:

• https://mail.google.com/inbox becomes google.com
• https://github.com/settings becomes github.com

Common recipes

Store credentials during signup

EMAIL=$(ravi get email --json | jq -r '.email')
CREDS=$(ravi passwords create example.com --username "$EMAIL" --json)
PASSWORD=$(echo "$CREDS" | jq -r '.password')
# Use $PASSWORD to fill the signup form

Retrieve credentials for login

ENTRY=$(ravi passwords list --json | jq -r '.[] | select(.domain == "example.com")')
UUID=$(echo "$ENTRY" | jq -r '.uuid')
CREDS=$(ravi passwords get "$UUID" --json)
USERNAME=$(echo "$CREDS" | jq -r '.username')
PASSWORD=$(echo "$CREDS" | jq -r '.password')

Use a stored API key

API_KEY=$(ravi secrets get OPENAI_API_KEY --json | jq -r '.value')
curl -H "Authorization: Bearer $API_KEY" https://api.openai.com/v1/models

Next steps

• E2E Encryption — how the zero-knowledge encryption works
• Service Signup — full workflow with credential storage