Opidocs
GuidesAssistant guides

Use stored credentials in assistant actions

Let the assistant call APIs securely using credentials you've saved.

Advanced · ~10 min · Prerequisites: a stored credential

What you'll do

Save an API key or token to your credential store, reference it by slug in assistant instructions, and verify that it's used without ever appearing in the conversation.

Store a credential

Go to Settings → Credentials to open the credential store. Click Add credential, give it a slug (for example, github-pat), paste the secret value, and save.

The slug is the name you'll use to reference this credential in instructions and trigger responses. The secret value is encrypted at rest and is never returned to the UI after saving. See Credentials for supported credential types and rotation guidance.

Never paste API keys or tokens directly into the chat composer. The conversation transcript is stored and may appear in logs. Use the credential store instead — it keeps secrets out of plaintext.

Reference it by slug

In any assistant instruction — an action, a trigger response, or a scheduled task — reference a stored credential by its slug in double braces:

"Call the internal reporting API at https://api.internal/report using the key stored as reporting-api-key. Return the JSON summary."

The assistant substitutes the secret value at execution time. The slug appears in your instruction; the actual key never does.

If the slug doesn't exist or has been revoked, the action fails with a credential_not_found error rather than falling back to asking you for the key.

Keep it safe

A few practices that matter:

  • Use a dedicated key per integration. If one credential is compromised, you can rotate just that one without touching others.
  • Set the minimum required scope. A read-only key is safer than a full-access key if the action only reads data.
  • Rotate credentials on a schedule. Update the value in Settings → Credentials without changing the slug — existing instructions keep working after the update.
  • Check who can use it. Credentials are personal by default. Shared workspace credentials (if your plan supports them) require explicit sharing.

Audit usage

Every time the assistant uses a stored credential, the run log records the slug name and the action it powered — not the secret value. Open Settings → Credentials, click a credential row, and view Recent usage to see which actions called it and when.

If you see unexpected usage, rotate the credential immediately and review the run logs for the affected actions.

Try this next

Work with files & produce outputs

Analyze uploaded files and export the assistant's work as downloadable files.

Credentials

Credential types, rotation, and workspace sharing.

React to events with triggers

Run work automatically when something happens in a connected app.

Work with the assistant inside a Space

Scope the assistant to an Organizational Space for space-aware search and edits.

On this page

What you'll doStore a credentialReference it by slugKeep it safeAudit usageTry this next