Credentials
Credentials service API reference
Messages
SecretReference
Describes where a secret can be retrieved at runtime. The URI scheme indicates the backing store (e.g., vault://, file://, env://, gcp-sm://), while the optional hints map lets resolvers capture metadata such as encoding format ("base64", "json") without persisting the raw secret in the database.
| Field | Type | Description |
|---|---|---|
| uri | string | |
| hints | ....v1.SecretReference.HintsEntry | |
SecretReference.HintsEntry
| Field | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
EndpointAuthentication
Top-level authentication payload that GoodMem persists (typically JSON-encoded)
alongside model registrations. kind selects which credential configuration
is active, and the corresponding message is stored in the config oneof.
| Field | Type | Description |
|---|---|---|
| kind | goodmem.v1.CredentialKind | |
| api_key | goodmem.v1.ApiKeyAuth | |
| gcp_adc | goodmem.v1.GcpAdcAuth | Additional providers will be added as new fields in this oneof. |
| labels | ...ointAuthentication.LabelsEntry | Optional annotations (e.g., "owner=vertex"). |
EndpointAuthentication.LabelsEntry
| Field | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
ApiKeyAuth
Configuration for classic API-key authentication. The server resolves the
secret either from an inline value (when GoodMem is the custodian) or via a
reference to an external secrets store. Once materialized, the server injects
the credential into the outbound request using header_name (defaults to
"Authorization" when omitted) and prepends the prefix string before the raw
secret. Typical examples are "Authorization: Bearer <token>" or
"x-api-key: abc123".
| Field | Type | Description |
|---|---|---|
| inline_secret | string | Stored directly in GoodMem (e.g., encrypted column/Secrets Manager mirror). |
| secret_ref | goodmem.v1.SecretReference | Pointer to an external secret store. |
| header_name | string | Desired HTTP header (e.g., "Authorization", "x-api-key"). NOTE: These routing hints are advisory. Until the transport layer is wired to honor them, GoodMem will continue to default to "Authorization" and no prefix. They exist to keep the schema forward-compatible as we expand provider support. |
| prefix | string | Optional string prepended to the secret (e.g., "Bearer "). |
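
The resolve-then-inject flow described for ApiKeyAuth, as an added example that is not GoodMem's own code; it also rejects CR/LF in the resulting header and gives a log-safe rendering. Assumptions: the payload is a Python dict keyed by the proto field names, inline_secret and secret_ref are mutually exclusive, the URI layout is env://VARIABLE_NAME, the hint key is "encoding", and resolve_secret, outbound_header and redact are hypothetical helper names.

```python
import base64
import os
from urllib.parse import urlsplit

DEFAULT_HEADER = "Authorization"  # default named in the ApiKeyAuth description

def resolve_secret(cfg, env=os.environ):
    """Materialize the ApiKeyAuth secret from inline_secret or secret_ref."""
    inline, ref = cfg.get("inline_secret"), cfg.get("secret_ref")
    if bool(inline) == bool(ref):
        # Assumption: the two sources are mutually exclusive.
        raise ValueError("set exactly one of inline_secret or secret_ref")
    if inline:
        return inline
    uri = urlsplit(ref["uri"])
    if uri.scheme != "env":
        raise NotImplementedError(f"no resolver for scheme {uri.scheme!r}")
    raw = env[uri.netloc]  # assumed layout: env://VARIABLE_NAME
    # Assumption: the hint key is "encoding"; the page names only the values.
    if ref.get("hints", {}).get("encoding") == "base64":
        raw = base64.b64decode(raw, validate=True).decode("utf-8")
    return raw

def outbound_header(auth, env=os.environ):
    """Return (header name, header value) for an EndpointAuthentication dict."""
    cfg = auth.get("api_key")
    if auth.get("kind") != "CREDENTIAL_KIND_API_KEY" or cfg is None:
        raise ValueError("kind does not match the populated config field")
    name = cfg.get("header_name") or DEFAULT_HEADER
    value = cfg.get("prefix", "") + resolve_secret(cfg, env)
    if any(ch in name + value for ch in "\r\n"):
        raise ValueError("CR or LF in header name or value")
    return name, value

def redact(name, value):
    """Log-safe rendering: header name and value length, never the secret."""
    return f"{name}: [redacted, {len(value)} chars]"

# Constructed sample: a reference-based registration and a fake environment.
SAMPLE_ENV = {"UPSTREAM_API_KEY": base64.b64encode(b"constructed-key").decode()}
SAMPLE_AUTH = {"kind": "CREDENTIAL_KIND_API_KEY", "api_key": {
    "secret_ref": {"uri": "env://UPSTREAM_API_KEY", "hints": {"encoding": "base64"}},
    "prefix": "Bearer "}}

if __name__ == "__main__":
    print(redact(*outbound_header(SAMPLE_AUTH, SAMPLE_ENV)))
```
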
GcpAdcAuth
Configuration for Google Application Default Credentials (ADC). Most callers rely on the default scope ("https://www.googleapis.com/auth/cloud-platform"), but the repeated field allows org-specific additions. The quota project lets operators bill requests to a specific Google Cloud project via GoogleCredentials#createWithQuotaProject.
| Field | Type | Description |
|---|---|---|
| scopes | string | OPTIONAL additional OAuth scopes; empty list falls back to ["https://www.googleapis.com/auth/cloud-platform"] |
| quota_project_id | string | OPTIONAL billing project passed to GoogleCredentials#createWithQuotaProject; empty means "use ADC default" |
Enums
CredentialKind
Enumerates credential strategies GoodMem understands when connecting to upstream LLM, embedder, or reranker providers. New providers can be appended without disturbing existing numeric values.
| Name | Value | Description |
|---|---|---|
| CREDENTIAL_KIND_UNSPECIFIED | 0 | |
| CREDENTIAL_KIND_API_KEY | 1 | |
| CREDENTIAL_KIND_GCP_ADC | 2 | Future extensions (OAuth, AWS IAM, etc.) will add new enum members here. |