A credential object securely stores authentication details from your AI
provider for use by Oracle Database. Select AI profiles, vector indexes, and
agent tools refer to the credential later by `credential_name`; the secret
values are stored in Oracle Database and are not passed again when the profile
or tool runs.

A credential is created in the connected user’s schema by
`DBMS_CLOUD.CREATE_CREDENTIAL`. Create credentials while connected as the
database user that will own and use them. Before creating credentials, make
sure the user has the required Select AI package privileges. If the credential
will be used to call an external AI provider, the database user also needs
network access to that provider endpoint.

Every credential object must include `credential_name` and the fields
required by the target provider. The library accepts the following credential
keys: `credential_name`, `username`, `password`, `user_ocid`,
`tenancy_ocid`, `private_key`, `fingerprint`, and `comments`.

The following table shows AI providers and corresponding credential object formats.

| AI provider | Credential format |
|---|---|
| Anthropic | `{"credential_name": "ANTHROPIC_CRED", "username": "anthropic", "password": "sk-ant-xxx"}` |
| AWS Bedrock | `{"credential_name": "AWS_BEDROCK_CRED", "username": "<aws_access_key_id>", "password": "<aws_secret_access_key>"}` |
| Azure OpenAI | `{"credential_name": "AZURE_OPENAI_CRED", "username": "azure", "password": "<azure_openai_api_key>"}` |
| Cohere | `{"credential_name": "COHERE_CRED", "username": "cohere", "password": "<cohere_api_key>"}` |
| Google | `{"credential_name": "GOOGLE_CRED", "username": "google", "password": "<google_api_key>"}` |
| HuggingFace | `{"credential_name": "HUGGINGFACE_CRED", "username": "hf", "password": "hf_xxx"}` |
| OCI Gen AI | `{"credential_name": "OCI_GENAI_CRED", "user_ocid": "<user_ocid>", "tenancy_ocid": "<tenancy_ocid>", "private_key": "<private_key_contents>", "fingerprint": "<fingerprint>"}` |
| OpenAI | `{"credential_name": "OPENAI_CRED", "username": "openai", "password": "sk-xxx"}` |

1. Create credential

The following examples create a credential object to authenticate to the OCI
Gen AI service provider. Pass `replace=True` when you want to recreate an
existing credential with the same name. Without `replace=True`, creating a
credential that already exists raises a database error.

1.1. Sync API

```python
import os

import oci
import select_ai

# Database connection details come from the environment, not from source code
user = os.getenv("SELECT_AI_USER")
password = os.getenv("SELECT_AI_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
select_ai.connect(user=user, password=password, dsn=dsn)

# Default config file and profile
default_config = oci.config.from_file()
oci.config.validate_config(default_config)

# Read the API signing key referenced by the OCI config
with open(default_config["key_file"]) as fp:
    key_contents = fp.read()

credential = {
    "credential_name": "my_oci_ai_profile_key",
    "user_ocid": default_config["user"],
    "tenancy_ocid": default_config["tenancy"],
    "private_key": key_contents,
    "fingerprint": default_config["fingerprint"],
}
select_ai.create_credential(credential=credential, replace=True)
print("Created credential: ", credential["credential_name"])
```

output:

```
Created credential: my_oci_ai_profile_key
```

1.2. Async API

```python
import asyncio
import os

import oci
import select_ai

user = os.getenv("SELECT_AI_USER")
password = os.getenv("SELECT_AI_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")


async def main():
    await select_ai.async_connect(user=user, password=password, dsn=dsn)

    # Default config file and profile
    default_config = oci.config.from_file()
    oci.config.validate_config(default_config)

    # Read the API signing key referenced by the OCI config
    with open(default_config["key_file"]) as fp:
        key_contents = fp.read()

    credential = {
        "credential_name": "my_oci_ai_profile_key",
        "user_ocid": default_config["user"],
        "tenancy_ocid": default_config["tenancy"],
        "private_key": key_contents,
        "fingerprint": default_config["fingerprint"],
    }
    await select_ai.async_create_credential(
        credential=credential, replace=True
    )
    print("Created credential: ", credential["credential_name"])


asyncio.run(main())
```

output:

```
Created credential: my_oci_ai_profile_key
```

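A pre-flight check for the credential dictionaries described above, as an added example that is not part of the select_ai library or its documentation: it validates keys against the accepted-key list and provider table on this page, masks secrets before logging, and checks that an OCI key file is not readable by group or others (POSIX permissions). The function names, the placeholder list and the either/or field rule are assumptions of this example.

```python
import os
import stat

# Keys this page lists as accepted by the library.
ALLOWED_KEYS = {
    "credential_name", "username", "password", "user_ocid",
    "tenancy_ocid", "private_key", "fingerprint", "comments",
}
# Field groups taken from the provider table on this page (assumed rule).
API_KEY_FIELDS = {"username", "password"}
OCI_FIELDS = {"user_ocid", "tenancy_ocid", "private_key", "fingerprint"}
SECRET_FIELDS = {"password", "private_key"}
# Literal placeholder secrets that appear in the table.
PLACEHOLDERS = {"sk-ant-xxx", "hf_xxx", "sk-xxx"}


def validate_credential(cred):
    """Return a list of problems; an empty list means the dict looks usable."""
    problems = []
    unknown = set(cred) - ALLOWED_KEYS
    if unknown:
        problems.append(f"unknown keys: {sorted(unknown)}")
    if not cred.get("credential_name"):
        problems.append("credential_name is required")
    present = {k for k in cred if cred[k]}
    if not (API_KEY_FIELDS <= present or OCI_FIELDS <= present):
        problems.append("need username+password, or all four OCI fields")
    for key in sorted(SECRET_FIELDS & present):
        value = str(cred[key])
        if value in PLACEHOLDERS or (value.startswith("<") and value.endswith(">")):
            problems.append(f"{key} still holds a placeholder value")
    return problems


def redact(cred):
    """Copy of the dict that is safe to log: secret fields are masked."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in cred.items()}


def key_file_is_private(path):
    """True when the key file grants no permissions to group or others."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


# Constructed sample: the Cohere row copied from the table without a real key.
SAMPLE = {"credential_name": "COHERE_CRED", "username": "cohere",
          "password": "<cohere_api_key>"}
if __name__ == "__main__":
    print(validate_credential(SAMPLE), redact(SAMPLE))
```

Run `validate_credential` on the dictionary before handing it to `select_ai.create_credential`, and log `redact(credential)` rather than the dictionary itself.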
2. Delete credential

Use `select_ai.delete_credential(...)` to drop a credential that is no longer
needed. Pass `force=True` when cleanup should succeed even if the credential
does not exist.

2.1. Sync API

```python
import os

import select_ai

user = os.getenv("SELECT_AI_USER")
password = os.getenv("SELECT_AI_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
select_ai.connect(user=user, password=password, dsn=dsn)

# force=True: do not fail if the credential is already gone
select_ai.delete_credential(
    credential_name="my_oci_ai_profile_key", force=True
)
print("Deleted credential: my_oci_ai_profile_key")
```

output:

```
Deleted credential: my_oci_ai_profile_key
```

2.2. Async API

```python
import asyncio
import os

import select_ai

user = os.getenv("SELECT_AI_USER")
password = os.getenv("SELECT_AI_PASSWORD")
dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")


async def main():
    await select_ai.async_connect(user=user, password=password, dsn=dsn)
    # force=True: do not fail if the credential is already gone
    await select_ai.async_delete_credential(
        credential_name="my_oci_ai_profile_key", force=True
    )
    print("Deleted credential: my_oci_ai_profile_key")


asyncio.run(main())
```

output:

```
Deleted credential: my_oci_ai_profile_key
```