API key connectors

Connectors with authType: "api_key" accept one or more secrets entered on the Connectors page. They cover services that don't offer OAuth or where OAuth isn't needed (Twilio, Sentry, Vercel, Cloudflare, Supabase, Shopify, Mercury, and others).

How storage works

Secrets are encrypted at rest by the platform's secrets service and held against a connection record scoped to one org. The runtime decrypts a key only when an agent invokes one of the connector's declared operations, and only inside the request that performs the call.

The encrypted value is never returned to the client, never logged, and never exposed to agents — they receive a connectionId, not the underlying credential.

Adding a key

1. Open /[orgSlug]/connectors.
2. Pick the connector. The page shows the fields the connector requires (e.g. account SID + auth token for Twilio).
3. Paste the values. The platform validates by calling a low-impact read operation before saving.

Rotating

To rotate, edit the connection and replace the value. Save triggers the same validation call. Existing sessions pick up the new key on their next tool invocation; in-flight calls finish on the previous credential.

If the upstream supports key versioning, rotate at the upstream first, then update the connection. If not, the brief overlap window is the safest order: paste the new key, save, then revoke the old key at the provider.

Removing

Deleting a connection wipes the stored credential. Agents that still reference the connector receive a tool error on their next call and surface the reconnect prompt.

Audit

Every key add, edit, and removal is recorded in the org audit log alongside the actor and timestamp. Tool calls that use a connection are logged through normal tool-call paths.