API Reference
withCredentials
```ts
function withCredentials<S>(tool, store): Tool<S>;
```
Defined in: credentials/with-credentials.ts:61
Wrap a Tool so {{name}} placeholders in its args are resolved from a
CredentialStore and scrubbed back out of its output.
Type Parameters
| Type Parameter | Description |
|---|---|
| `S extends ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>` | The Zod schema type of the tool's arguments. |
Parameters
| Parameter | Type | Description |
|---|---|---|
| `tool` | `Tool<S>` | The tool to wrap. |
| `store` | `CredentialStore` | The CredentialStore that resolves placeholder names. |
Returns
Tool<S>
A tool with the same shape whose execute substitutes and scrubs.
Remarks
The real secret is live only for the duration of one execute call. Both the
result content and any thrown error message are scrubbed before they reach the
loop, so an echoing command cannot leak a secret into the conversation.
Transparent when args carry no placeholders: behavior is identical to the bare tool. The wrapped tool's name, description, and schema are preserved.
Throws
Error (re-thrown, scrubbed) if the inner tool throws, or if a
referenced credential name is unknown.
Example
```ts
const store = new InMemoryCredentialStore({
  secrets: { github_token: process.env.GITHUB_TOKEN ?? "" },
});
const safeFetch = withCredentials(fetchTool, store);
// The model passes { header: "Bearer {{github_token}}" }; the real token is
// spliced in for the call and scrubbed from any echoed output.
```
See
- CredentialStore for the resolution contract.
- substituteCredentials and scrubSecrets (in ./substitute) for the underlying primitives.
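
The contract described under Remarks and Throws, as an added sketch that is not the library's own code: a simplified, synchronous model showing the secret visible only inside `execute`, with results and error messages scrubbed on the way out. `SimpleTool`, `MapStore` and `wrapWithCredentials` are hypothetical names, and replacing a secret with its placeholder when scrubbing is an assumption.

```typescript
// Added illustration of the substitute-then-scrub contract; NOT the library's code.
// SimpleTool, MapStore and wrapWithCredentials are hypothetical names.
type Args = Record<string, string>;
interface SimpleTool { name: string; execute(args: Args): string }

class MapStore {
  private secrets: Map<string, string>;
  constructor(secrets: Record<string, string>) { this.secrets = new Map(Object.entries(secrets)); }
  resolve(name: string): string {
    const value = this.secrets.get(name);
    if (value === undefined) throw new Error(`unknown credential: ${name}`);
    return value;
  }
  // Assumption: scrubbing swaps each secret value back to its placeholder.
  // Empty values are skipped (splitting on "" would corrupt the text), and
  // longer secrets go first so one that contains another is fully removed.
  scrub(text: string): string {
    return Array.from(this.secrets.entries())
      .filter(([, v]) => v.length > 0)
      .sort((a, b) => b[1].length - a[1].length)
      .reduce((t, [k, v]) => t.split(v).join(`{{${k}}}`), text);
  }
}

function wrapWithCredentials(tool: SimpleTool, store: MapStore): SimpleTool {
  return {
    name: tool.name,
    execute(args: Args): string {
      try {
        const resolved: Args = {};
        for (const [key, value] of Object.entries(args)) {
          resolved[key] = value.replace(/\{\{(\w+)\}\}/g,
            (_m: string, n: string) => store.resolve(n));
        }
        return store.scrub(tool.execute(resolved)); // scrub before returning
      } catch (err) { // errors take the same path: scrub, then re-throw
        throw new Error(store.scrub(err instanceof Error ? err.message : String(err)));
      }
    },
  };
}

// Constructed sample data: a fake secret, an echoing tool and a failing tool.
const SECRET = "constructed-secret-value-123";
const demoStore = new MapStore({ github_token: SECRET, unset_token: "" });
const seenByTool: string[] = [];
const echo = wrapWithCredentials({ name: "echo",
  execute: (a) => { seenByTool.push(a.header); return `sent ${a.header}`; } }, demoStore);
const failing = wrapWithCredentials({ name: "fail",
  execute: (a) => { throw new Error(`401 for ${a.header}`); } }, demoStore);
```

The `unset_token: ""` entry mirrors the `?? ""` fallback in the page's example: an empty secret has to be excluded from scrubbing, or every output would be mangled.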