Request Credentials
Create a recipient-facing intake link where someone else submits a secret to the owner.
When to use it
Use Request Credentials when a client, vendor, contractor, or teammate needs to send a password, API key, token, SSH key, or temporary credential to you.
- The recipient sees only the intake screen
- The owner reviews submissions from the console
- The submission is revealed only by the owner or an authorized workspace admin
Recipient gates
A request can require an opening code, a passphrase, or, when email delivery is configured, an email OTP. If email delivery is not configured, do not promise email verification.
- Opening code: useful for one-off handoffs
- Passphrase: useful for a known relationship
- Email OTP: only when provider delivery is active
Operational states
Requests should move through clear states: active, submitted, revealed, disabled, expired, or deleted. Deleting a request also removes associated submissions according to the retention policy.
- Disable instead of deleting when you may need audit metadata
- Delete when the intake path should no longer exist
- Expired requests should not accept new submissions
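The state rules above, modeled as a small state machine. This is an added example, not the product's own code: `IntakeRequest`, `State`, `OPEN`, the audit tuple layout, the rule that a revealed request stops accepting submissions, and the immediate purge on delete are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum

State = Enum("State", "ACTIVE SUBMITTED REVEALED DISABLED EXPIRED DELETED")
OPEN = (State.ACTIVE, State.SUBMITTED)  # assumed: only these accept submissions

@dataclass
class IntakeRequest:
    owner: str
    expires_at: datetime
    admins: frozenset = frozenset()              # authorized workspace admins
    state: State = State.ACTIVE
    submissions: list = field(default_factory=list)
    audit: list = field(default_factory=list)    # metadata only, never secrets

    def _log(self, actor, event):
        self.audit.append((actor, event, self.state.name))

    def submit(self, secret, now):
        # Expiry is evaluated at submit time so a stale link fails closed.
        if self.state in OPEN and now >= self.expires_at:
            self.state = State.EXPIRED
        accepted = self.state in OPEN
        if accepted:
            self.submissions.append(secret)
            self.state = State.SUBMITTED
        self._log("recipient", "submit" if accepted else "submit_rejected")
        return accepted

    def reveal(self, actor):
        # Only the owner or an authorized workspace admin may reveal.
        allowed = actor == self.owner or actor in self.admins
        if not allowed or self.state not in (State.SUBMITTED, State.REVEALED):
            self._log(actor, "reveal_denied")
            raise PermissionError("reveal refused")
        self.state = State.REVEALED
        self._log(actor, "reveal")
        return list(self.submissions)

    def disable(self, actor):
        self.state = State.DISABLED   # submissions and audit metadata are kept
        self._log(actor, "disable")

    def delete(self, actor):
        self.submissions.clear()      # assumed retention policy: purge at once
        self.state = State.DELETED
        self._log(actor, "delete")
```

Rejected submissions and denied reveals are logged as well, so the audit trail shows attempts against a disabled or expired link.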