[AVAILABLE], output below is a real run, this session, commit
651497a.Goal
Confirm, by causing each failure yourself, that a session credential is genuinely single-use and time-bounded, not just documented as such.Prerequisites
- Read Credential isolation, this guide exercises
InMemorySessionCredentialVaultdirectly, the mechanism that page describes.
Steps
This exact scenario already exists asexamples/tutorials/58-session-credentials/, reuse it
rather than writing a parallel harness. It constructs a vault directly, no gateway, no
server, and puts a real credential through four cases: happy path, expiry, reuse, and
revocation.
Verify
Real output, this session:Error.
Next steps
- Change
lifetimeMsto something longer or shorter and rerun, confirm the expiry window actually moves with it. - Call
consume()beforeissue()resolves (a nonexistent ID) and observe the error message names the ID, not a resolved credential value, matching the never-leaks guarantee in Credential isolation.
Troubleshoot
- Expiry case doesn’t reject.
lifetimeMsand thesleep()duration in the tutorial are both short (1 second, 1.1 second wait) to keep the tutorial fast, if you’ve modified either independently, they can drift out of sync. - You want this wired to a real connector, not called directly. See Add a connector with
the Connector SDK, and
examples/tutorials/59-secure-connectors/run.tsfor the full path: gateway attestation, aSessionCredentialSecureConnector, and destruction of the credential immediately after use.
Next
Add a connector with the Connector SDK
Where a connector actually receives the credential this guide issued.
Gateway attestation
What has to succeed before a session credential can even be issued.