Credentials
Store and manage encrypted API keys and login credentials for your assistant.
The Credential Vault stores API keys, tokens, and login credentials your assistant can retrieve at runtime via get_credential("slug"). Values are encrypted at rest and never shown again after saving.
Where to find it
Open the vault from either location — both manage the same credentials for your assistant:
- Settings → Personal → Credential Vault (
/settings/personal/credentials) - Assistant → Settings — scroll to the Credential Vault section (
/assistant/settings)
If you have not opened Assistant yet, the personal settings page prompts you to visit Assistant first so your assistant record is provisioned.
Stored credentials
Each row shows:
- Name — user-facing label (for example, "Stripe API Key")
- Slug — machine identifier used in tool calls (
get_credential("stripe_api_key")) - Type — API key, login, token, or custom
- Description — optional note about what the credential is for
Managing credentials
- Add Credential — store a new secret
- Edit — update metadata or rotate the value (leave the value empty to keep the current secret)
- Delete — remove the credential permanently
Supported credential shapes:
| Type | Stored as |
|---|---|
| API key / token / custom | Single secret value |
| Login | Username and password |
Vault model
Credentials are scoped to your assistant (entityType: assistant) within your organization. Each entry is:
- Encrypted — AES-256-GCM; decrypted server-side only when the assistant calls
get_credential - Org-scoped — tied to your active workspace
- Audit logged — create, update, delete, and decrypt events are recorded
You manage your own assistant credentials. Workflow HTTP nodes use a separate org-scoped vault with entityType: workflow. See Workflows — Credentials.