Skip to main content
The Credentials page allows you to temporarily grant write access to specific domains. By default, agent tabs cannot make POST/PUT/PATCH/DELETE requests except to Claude. Credential grants create time-limited exceptions.

Overview

Credential grants:
  • Allow write requests to a specific domain for a limited time
  • Auto-expire after the configured duration
  • Can be extended or revoked manually
  • Are logged with timestamp, reason, and granter
This is a key security feature. By default, agents can only read data. Write access must be explicitly granted.

How Credential Grants Work

The info card at the top explains the security model:
  1. Default behavior: Agent tabs cannot make write requests to any domain (except Claude)
  2. Grant access: You temporarily enable write access to a specific domain
  3. Time-limited: Grants expire automatically after the configured duration
  4. Auto-revocation: When the grant expires, write access is removed
This prevents agents from accidentally or maliciously modifying data on external services.

Granting New Access

Use the “Grant New Access” form to create a credential grant:

Form Fields

FieldDescriptionRequired
DomainTarget domain (e.g., github.com)Yes
DurationHow long the grant lastsYes
ReasonWhy access is needed (optional)No

Duration Options

  • 5 minutes - Quick tasks
  • 15 minutes - Short operations
  • 30 minutes - Default (recommended)
  • 1 hour - Longer tasks
  • 2 hours - Extended operations
  • 8 hours - Full work session
1

Enter the domain

Type the domain name (e.g., github.com). It will be converted to lowercase.
2

Select duration

Choose how long the grant should last. Default is 30 minutes.
3

Add a reason (optional)

Document why access is needed (e.g., “Deploy PR #123”). This helps with auditing.
4

Grant access

Click Grant Access. The grant is created immediately and appears in the table below.
Press Enter in any field to quickly grant access without clicking the button.

Active Grants Table

The table displays all currently active grants, including expired ones (until manually removed).

Table Columns

ColumnDescription
DomainThe domain that has write access
Time RemainingCountdown timer (updates every 10 seconds)
Granted AtWhen the grant was created
ReasonWhy access was granted (or - if none)
ActionsExtend or revoke buttons

Time Remaining Badges

  • Green badge: More than 5 minutes remaining
  • Orange badge: Less than 5 minutes remaining
  • Red “Expired” badge: Grant has expired
The page auto-refreshes every 10 seconds to update time remaining badges.

Managing Grants

Extending a Grant

Click the +15m button to add 15 minutes to the grant:
  • The expiration time is updated
  • The badge refreshes to show new time remaining
  • Useful if a task is taking longer than expected

Revoking a Grant

Click the trash icon to immediately revoke access:
  • The grant is deleted from storage
  • Write access to the domain is removed
  • The grant disappears from the table
Revoked grants cannot be recovered. You’ll need to create a new grant if access is needed again.

Time Formatting

Time Remaining

Displayed as:
  • Xh Ym - Hours and minutes (if > 60 minutes)
  • Xm Ys - Minutes and seconds (if < 60 minutes)
  • Xs - Seconds only (if < 1 minute)
  • Expired - Grant has expired

Granted At

Displayed as:
  • MMM DD, HH:MM AM/PM (e.g., “Jan 15, 02:30 PM”)

Empty States

No Active Grants

If you see this message:
  • No grants have been created yet
  • All grants have been revoked
  • All grants have expired and been removed
The empty state shows:
  • Key icon
  • “No Active Grants” heading
  • Explanation of how to grant access

Use Cases

Deploying Code

Domain: github.com
Duration: 30 minutes
Reason: Deploy PR #456
Grant access to GitHub so the agent can:
  • Create pull requests
  • Merge code
  • Trigger deployments

Managing Issues

Domain: linear.app
Duration: 15 minutes
Reason: Create bug report
Allow the agent to:
  • Create issues
  • Update issue status
  • Add comments

Running Tests

Domain: app.example.com
Duration: 1 hour
Reason: E2E test run
Enable the agent to:
  • Submit forms
  • Update data
  • Trigger workflows

Security Best Practices

1

Minimum necessary duration

Grant the shortest duration that allows the task to complete.
2

Always document reason

Use the Reason field to track why access was granted. This helps with auditing.
3

Revoke immediately when done

Don’t wait for expiration. Revoke grants as soon as the task is complete.
4

Monitor active grants

Check this page regularly to see what access is currently granted.
5

Investigate expired grants

If grants frequently expire before tasks complete, investigate why tasks are taking longer than expected.

Background Integration

When you grant access:
  1. The grant is saved to chrome.storage.local
  2. A message is sent to the background script: 
    chrome.runtime.sendMessage({
  type: 'GRANT_CREDENTIAL_ACCESS',
  domain: 'github.com',
  durationMinutes: 30,
  grantedBy: 'user',
  reason: 'Deploy PR #123'
})
  3. The background script starts a timer
  4. When the timer expires, the grant is automatically revoked
Grants are stored with a unique ID and expiration timestamp (milliseconds since epoch).

Technical Details

The Credentials page:
  • Loads from chrome.runtime.sendMessage (type: GET_CREDENTIAL_GRANTS)
  • Auto-refreshes every 10 seconds to update time remaining
  • Sends GRANT_CREDENTIAL_ACCESS to create grants
  • Sends REVOKE_CREDENTIAL_ACCESS to delete grants
  • Sends EXTEND_CREDENTIAL_GRANT to add time
  • All operations are confirmed via callback responses

Next Steps

Block Domains

Configure which domains agents can visit

Configure Rules

Set up governance policies for agent behavior

Build docs developers (and LLMs) love

Get started for freeTalk to us