Request Credentials guide

Request credentials without turning your inbox into a vault.

Request Credentials is the reverse of sending a secret. The owner creates a controlled link; the recipient submits the credential; the owner reveals from the console under the configured lifecycle.

01

Choose a template

Use login credentials, API key, temporary password, client secret, SSH key, or custom templates so the recipient sees a focused request instead of a vague form.

  • login_credentials
  • api_key
  • ssh_key

02

Add a gate

Paid flows can require opening code, passphrase, or email OTP when delivery is configured. The UI should only advertise email OTP when delivery is actually active.

  • Opening code
  • Passphrase
  • Conditional email OTP

03

Recipient UX

The recipient should see only the request, gate, input area, upload control when enabled, and confirmation. They should not see owner account details or private console metadata.

  • Focused submit page
  • No owner secrets
  • Confirmation state

04

Owner-only reveal

The submission is revealed only by the owner or authorized workspace admin. Reveal moves the submission into a terminal state and must not expose content in audit or event notifications.

  • Owner/admin only
  • Terminal reveal state
  • Metadata-only audit

05

Lifecycle states

Request links move through active, disabled, expired, deleted, submitted, and revealed states. Delete removes the request and associated submissions according to the deployed cleanup behavior.

  • active
  • disabled
  • revealed

06

Testing pattern

Before using with a client, create a disposable request, test a wrong gate, submit test data, reveal as owner, disable/re-enable, delete, and verify mobile recipient UX.

  • Wrong gate
  • Submit/reveal
  • Disable and delete

FAQ

Can this guide include private links?

No. Public guides never include secret identifiers, room ids, full private URLs, fragments, filenames, or payload-derived text.

Is this a certification or audit?

No. It is product documentation for deployed boundaries. External audits, DPAs, SLAs, and certifications require separate evidence and review.

Does Shhhs recover secrets?

No. Shhhs support can help with billing and metadata-only support, but cannot decrypt or recover secret content.