Paste cookies (Netscape / JSON) and/or headers (KV pairs or JSON) that your browser already carries for a target origin. The submesh stores them scoped to that origin and pipes them through on every POST /api/submesh/call to matching coords. Values live in memory only; never logged, only 8-char hashes retained for provenance. Same trust boundary as an autofilled Submit Payment: user-triggered, local-side, and the credential the target already accepted IS the credential.