API Keys
Some services use API keys instead of OAuth. These are static, long-lived credentials you generate in the service’s dashboard and provide to Toolcog. Unlike OAuth tokens they do not expire or refresh on their own, so rotating and revoking them is your responsibility.
When API Keys Are Used
API keys are common for:
- AI services — OpenAI, Anthropic, Cohere
- Infrastructure — SendGrid, Twilio, Cloudflare
- Analytics — Mixpanel, Amplitude
- Some payment processors — Stripe (supports both OAuth and API keys)
If a service gives you a secret key like sk-... or api_..., it uses API key authentication.
Adding API Keys
When AI encounters a service that needs an API key:
- AI requests the key — Provides a link to add credentials
- You enter the key — In a secure form on toolcog.com
- Key is encrypted — Stored in your vault
- AI continues — With authenticated access
Manual Addition
You can also add API keys proactively:
- Go to your Toolcog dashboard
- Navigate to Credentials
- Select the API and security scheme
- Enter your API key
- Save
The key is encrypted immediately and never stored in plaintext.
API Key Storage
Like OAuth tokens, API keys are protected with envelope encryption: a key-encryption key (KEK) is derived from your session, the KEK wraps the vault’s data-encryption key (DEK), and the DEK encrypts the API key itself (session → derived KEK → vault DEK → encrypted key). Even Toolcog cannot read your stored API keys, because the KEK derives from your session, which only you possess.
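The chain above, written out as an added illustration. This is not Toolcog’s code, and the concrete choices (HKDF-SHA256 for the session-to-KEK step, AES-256-GCM for both wrapping layers, the info label and the aad strings) are assumptions made for the example; the point it demonstrates is that a different session secret derives a different KEK, so unwrapping the DEK fails authentication before the credential is ever touched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// VaultRecord is what a server persists: the KEK salt, the DEK wrapped under
// the KEK, and the credential sealed under the DEK. The KEK itself is never
// stored; it is re-derived from the session secret on every use.
type VaultRecord struct {
	KEKSalt    []byte
	WrappedDEK []byte
	Ciphertext []byte
}

// deriveKEK is HKDF-SHA256 (RFC 5869) specialised to one 32-byte output
// block. The info label is an assumption for this example, not a Toolcog value.
func deriveKEK(sessionSecret, salt []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(sessionSecret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("example-vault/kek"))
	expand.Write([]byte{1})
	return expand.Sum(nil)
}

// randomBytes panics if the CSPRNG fails; that is not a recoverable state.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// newGCM panics on a bad key length, which here would be a programming error.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal is AES-256-GCM with a fresh nonce prepended. aad names the ciphertext's
// role so a wrapped DEK cannot be passed off as a credential, or vice versa.
func seal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// StoreAPIKey runs the chain session -> KEK -> wrapped DEK -> encrypted key.
func StoreAPIKey(sessionSecret []byte, apiKey string) *VaultRecord {
	salt, dek := randomBytes(16), randomBytes(32)
	return &VaultRecord{
		KEKSalt:    salt,
		WrappedDEK: seal(deriveKEK(sessionSecret, salt), dek, []byte("dek")),
		Ciphertext: seal(dek, []byte(apiKey), []byte("credential")),
	}
}

// LoadAPIKey reverses the chain. A different session secret derives a
// different KEK, so unwrapping the DEK fails GCM authentication.
func LoadAPIKey(sessionSecret []byte, rec *VaultRecord) (string, error) {
	dek, err := open(deriveKEK(sessionSecret, rec.KEKSalt), rec.WrappedDEK, []byte("dek"))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, rec.Ciphertext, []byte("credential"))
	if err != nil {
		return "", fmt.Errorf("decrypt credential: %w", err)
	}
	return string(pt), nil
}

func main() {
	rec := StoreAPIKey([]byte("constructed-session-secret"), "sk-example-not-a-real-key")
	fmt.Println(LoadAPIKey([]byte("constructed-session-secret"), rec))
	fmt.Println(LoadAPIKey([]byte("another-session"), rec))
}
```

The server-side record never contains the session secret or the KEK, only the salt, the wrapped DEK and the sealed credential; whoever holds the record without the session gets an authentication failure, not a partial plaintext.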
Security Considerations
Key Scope
Many services support scoped API keys:
- Read-only keys — Can only read data
- Write keys — Can create and modify
- Admin keys — Full account access
Use the narrowest scope that accomplishes your task.
Key Rotation
Rotate API keys periodically, and immediately if you suspect one has leaked. Keep the old key valid until the new one is in place:
- Generate a new key in the service’s dashboard
- Update the key in Toolcog (and anywhere else the old key is configured)
- Confirm the new key works
- Revoke the old key in the service’s dashboard
This limits the window of exposure if a key is compromised, and the overlap avoids downtime while you switch.
Service-Side Controls
Most services provide additional controls:
- IP allowlists — Restrict key usage to specific IPs
- Rate limits — Limit requests per time period
- Audit logs — Track key usage
Configure these in the service’s dashboard for defense in depth.
API Key vs OAuth
| Aspect | API Keys | OAuth |
|---|---|---|
| User interaction | Enter key once | Authorize via browser |
| Scope control | Service-defined | Granular scopes requested per authorization |
| Refresh | Manual rotation | Automatic (refresh tokens) |
| Revocation | In service dashboard | In service dashboard |
| Multi-account | One key per account | One authorization per account |
OAuth is preferred when available because it:
- Provides automatic token refresh
- Allows granular scope control
- Enables easy revocation
API keys are simpler but require more manual management.
Best Practices
Use Dedicated Keys
Create API keys specifically for Toolcog:
- Label them clearly, e.g. “Toolcog Production”
- Don’t reuse them in other applications
A dedicated key makes it obvious in the service’s audit log which requests came from Toolcog, and lets you rotate or revoke it without breaking anything else.
Monitor Usage
Check your service’s dashboard for:
- Unexpected request patterns
- Usage from unexpected locations
- Failed authentication attempts
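The three checks above, turned into code as an added example. The audit-log line format, the thresholds and the sample records are all constructed for this illustration; no provider exports logs in exactly this shape, and Toolcog does not ship this tool. The point is that each check is stateful: the failed-auth check uses a sliding window, and each condition is reported once when its threshold is crossed rather than on every later event.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one audit-log record; the line layout is an assumed format for this example.
type Event struct {
	At     time.Time
	Key    string
	IP     string
	Status int
}

type Finding struct {
	Kind   string // unexpected_ip, failed_auth_burst, rate_spike
	Key    string
	Detail string
}

// parseLine reads "2024-05-01T10:00:00Z key=toolcog-prod ip=203.0.113.10 status=200".
func parseLine(line string) (Event, error) {
	var ts string
	var e Event
	_, err := fmt.Sscanf(line, "%s key=%s ip=%s status=%d", &ts, &e.Key, &e.IP, &e.Status)
	if err != nil {
		return Event{}, fmt.Errorf("malformed line %q: %w", line, err)
	}
	e.At, err = time.Parse(time.RFC3339, ts)
	return e, err
}

// Review applies the page's three checks to time-ordered events: use from an address
// outside allowedIPs, failLimit auth failures inside failWindow, and more than
// perMinute requests in one calendar minute. Each fires once per key per threshold crossing.
func Review(events []Event, allowedIPs map[string]bool, failWindow time.Duration, failLimit, perMinute int) []Finding {
	var out []Finding
	seenIP := map[string]bool{}
	fails := map[string][]time.Time{}
	perMin := map[string]int{}
	for _, e := range events {
		if pair := e.Key + "@" + e.IP; !allowedIPs[e.IP] && !seenIP[pair] {
			seenIP[pair] = true
			out = append(out, Finding{"unexpected_ip", e.Key, e.IP})
		}
		if e.Status == 401 || e.Status == 403 {
			ts := append(fails[e.Key], e.At)
			for len(ts) > 0 && e.At.Sub(ts[0]) > failWindow { // slide the window
				ts = ts[1:]
			}
			fails[e.Key] = ts
			if len(ts) == failLimit {
				out = append(out, Finding{"failed_auth_burst", e.Key,
					fmt.Sprintf("%d failures within %s, last from %s", failLimit, failWindow, e.IP)})
			}
		}
		minute := e.At.Truncate(time.Minute).Format(time.RFC3339)
		perMin[e.Key+"@"+minute]++
		if perMin[e.Key+"@"+minute] == perMinute+1 {
			out = append(out, Finding{"rate_spike", e.Key, "minute starting " + minute})
		}
	}
	return out
}

// sampleLog is constructed data: one normal request, three 401s from an
// unknown address, then four requests inside a single minute.
const sampleLog = `
2024-05-01T10:00:00Z key=toolcog-prod ip=203.0.113.10 status=200
2024-05-01T10:01:00Z key=toolcog-prod ip=198.51.100.7 status=401
2024-05-01T10:01:02Z key=toolcog-prod ip=198.51.100.7 status=401
2024-05-01T10:01:04Z key=toolcog-prod ip=198.51.100.7 status=401
2024-05-01T10:03:00Z key=toolcog-prod ip=203.0.113.10 status=200
2024-05-01T10:03:01Z key=toolcog-prod ip=203.0.113.10 status=200
2024-05-01T10:03:02Z key=toolcog-prod ip=203.0.113.10 status=200
2024-05-01T10:03:03Z key=toolcog-prod ip=203.0.113.10 status=200
`

// ReviewSample reviews sampleLog with one allowlisted address, a burst limit of
// three failures in five minutes, and a baseline of three requests per minute.
func ReviewSample() ([]Finding, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(sampleLog), "\n") {
		e, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Review(events, map[string]bool{"203.0.113.10": true}, 5*time.Minute, 3, 3), nil
}

func main() {
	findings, err := ReviewSample()
	fmt.Println(findings, err)
}
```

On the sample data this yields exactly three findings, in time order: the unknown address, the 401 burst, and the rate spike. In practice the allowlist should match the IP allowlist configured on the service side, so that anything this check flags is also something the service itself should already be refusing.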
Have a Rotation Plan
Know how to rotate keys:
- Where to generate new keys
- Where keys are used (Toolcog, other apps)
- How to update without downtime
- When to revoke old keys
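The rotation order from the Key Rotation section and the inventory point from this plan, combined into one added example. The service here is a constructed stand-in with a generate/revoke/request interface, not any real provider’s SDK and not Toolcog code; `RotateKey` is the overlap procedure (generate, verify, update every consumer in the inventory, then revoke), and `RevokeFirst` shows the order to avoid, where requests fail between revocation and update.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrUnauthorized is what the stand-in service returns for an unknown or revoked key.
var ErrUnauthorized = errors.New("401 unauthorized")

// FakeService is a constructed stand-in for a provider's key dashboard and API
// endpoint. It is not any real provider's SDK.
type FakeService struct {
	active map[string]bool
	serial int
}

func NewFakeService() *FakeService { return &FakeService{active: map[string]bool{}} }

// GenerateKey is "create key" in the dashboard; the label is embedded so the
// service's audit log shows which integration a key belongs to.
func (s *FakeService) GenerateKey(label string) string {
	s.serial++
	k := fmt.Sprintf("api_%s_%04d", label, s.serial)
	s.active[k] = true
	return k
}

func (s *FakeService) Revoke(key string) { delete(s.active, key) }

// Request is the authenticated call an integration makes with its key.
func (s *FakeService) Request(key string) error {
	if !s.active[key] {
		return ErrUnauthorized
	}
	return nil
}

// Consumer is one place the key is configured: Toolcog, a cron job, a CI secret.
// The slice passed to RotateKey is the "where keys are used" inventory.
type Consumer struct {
	Name string
	Key  string
}

// RotateKey is the overlap rotation: generate, verify, update every consumer,
// then revoke. No consumer ever holds a key that does not work, and if the new
// key fails verification the old one is left untouched.
func RotateKey(s *FakeService, label string, consumers []*Consumer) (string, error) {
	if len(consumers) == 0 {
		return "", errors.New("empty consumer inventory; refusing to rotate blind")
	}
	oldKey := consumers[0].Key
	for _, c := range consumers[1:] {
		if c.Key != oldKey {
			return "", fmt.Errorf("%s holds a different key; rotate it separately", c.Name)
		}
	}
	newKey := s.GenerateKey(label)
	if err := s.Request(newKey); err != nil {
		s.Revoke(newKey)
		return "", fmt.Errorf("new key failed verification: %w", err)
	}
	for _, c := range consumers {
		c.Key = newKey
	}
	s.Revoke(oldKey)
	return newKey, nil
}

// RevokeFirst is the order to avoid. The returned error is what the consumer
// sees between revocation and update: every request fails until it is updated.
func RevokeFirst(s *FakeService, label string, c *Consumer) (string, error) {
	s.Revoke(c.Key)
	outage := s.Request(c.Key)
	c.Key = s.GenerateKey(label)
	return c.Key, outage
}

func main() {
	s := NewFakeService()
	first := s.GenerateKey("toolcog-prod")
	inventory := []*Consumer{{Name: "Toolcog", Key: first}, {Name: "nightly-report", Key: first}}
	fmt.Println(RotateKey(s, "toolcog-prod", inventory))
	fmt.Println("old key after rotation:", s.Request(first))
}
```

The refusal to rotate with an empty inventory is deliberate: if you cannot list where a key is used, revoking it is how you discover the missing entry, usually as an outage.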
Next Steps