Credential Management
OneQuery is most useful when it replaces scattered credentials with named source access.
Credential Rules
- Create provider credentials dedicated to OneQuery when possible.
- Use read-only database roles and provider tokens for agent-facing sources.
- Scope tokens to the projects, repositories, accounts, or datasets needed for the workflow.
- Rotate provider credentials through the source configuration path.
- Do not paste raw credentials into prompts, issue comments, docs, or test fixtures.
Source Separation
Use separate OneQuery sources for separate risk levels:
| Source identifier | Purpose |
|---|---|
| postgres://warehouse_staging | Lower-risk test or staging analytics. |
| postgres://warehouse_prod | Production warehouse access. |
| github://github_main | Main repository access. |
| sentry://sentry_web_prod | Production web error evidence. |
Do not reuse a source identifier for a different environment after an agent has been instructed to use it.
Rotation Pattern
- Create the replacement credential at the provider.
- Update the OneQuery source configuration.
- Test a minimal command.
- Revoke the previous provider credential.
- Review recent audit history for unexpected failures.
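The provider-side half of the Credential Rules and the Rotation Pattern for a PostgreSQL source, as an added example that is not taken from the OneQuery documentation. The database `warehouse`, schema `analytics`, all role names and the password placeholders are assumptions; the OneQuery configuration update and test command happen outside SQL and are only marked in comments.

```sql
-- Constructed names throughout: database "warehouse", schema "analytics",
-- roles "onequery_ro" and "onequery_warehouse_prod_a/_b".
-- Run as the role that owns the tables in the schema.

-- Group role that holds the privileges. It cannot log in, so there is no
-- secret attached to the permissions themselves.
CREATE ROLE onequery_ro NOLOGIN;
GRANT CONNECT ON DATABASE warehouse TO onequery_ro;
GRANT USAGE ON SCHEMA analytics TO onequery_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics TO onequery_ro;
-- Tables created later by the current role also become readable.
ALTER DEFAULT PRIVILEGES IN SCHEMA analytics
  GRANT SELECT ON TABLES TO onequery_ro;

-- Login role dedicated to the OneQuery source. It owns nothing and gets
-- its access only through membership in onequery_ro.
CREATE ROLE onequery_warehouse_prod_a
  LOGIN PASSWORD '<generated-secret-a>'
  IN ROLE onequery_ro
  CONNECTION LIMIT 5;
-- Defence in depth only: a session can override this setting, so the
-- SELECT-only grants above remain the actual control.
ALTER ROLE onequery_warehouse_prod_a SET default_transaction_read_only = on;
ALTER ROLE onequery_warehouse_prod_a SET statement_timeout = '30s';

-- Rotation step 1: create the replacement credential at the provider.
CREATE ROLE onequery_warehouse_prod_b
  LOGIN PASSWORD '<generated-secret-b>'
  IN ROLE onequery_ro
  CONNECTION LIMIT 5;
ALTER ROLE onequery_warehouse_prod_b SET default_transaction_read_only = on;
ALTER ROLE onequery_warehouse_prod_b SET statement_timeout = '30s';

-- Rotation steps 2 and 3 happen in OneQuery: update the source
-- configuration to the _b credential and test a minimal command.

-- Rotation step 4: revoke the previous credential. Disable login first,
-- end sessions still using it (needs superuser or pg_signal_backend),
-- then drop the role.
ALTER ROLE onequery_warehouse_prod_a NOLOGIN;
SELECT pg_terminate_backend(pid)
  FROM pg_stat_activity
 WHERE usename = 'onequery_warehouse_prod_a';
DROP ROLE onequery_warehouse_prod_a;
```

Because every grant sits on the group role, the old login role can be dropped without reassigning privileges, and the replacement sees exactly the same tables.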