Manage Credentials

Your Toolcog dashboard shows all the services you’ve connected. You can view connection status, revoke access, reconnect expired tokens, and manage multiple accounts.

Viewing Connections

Navigate to Credentials in your Toolcog dashboard to see:

• Connected services — Which APIs you’ve authorized
• Authentication type — OAuth or API key
• Connection date — When you authorized
• Status — Active, expired, or needs attention

Connections are grouped by API for easy navigation.

Connection Status

Active

The credential is valid and working. AI can use this service without any action from you.

Expired

OAuth tokens have expired and couldn’t be refreshed automatically. This happens when:

• The refresh token expired (some services expire refresh tokens)
• You revoked access on the service’s side
• The service invalidated all tokens

Resolution: Click “Reconnect” to re-authorize.

Needs Attention

Something requires your action:

• Additional scopes needed
• Service requires re-authentication
• API key rotation recommended

Resolution: Follow the prompts to resolve.

Revoking Access

To disconnect a service:

1. Find the connection in your Credentials list
2. Click the menu (three dots)
3. Select “Revoke”
4. Confirm the action

This:

• Removes the credential from your vault
• Optionally revokes on the service side (for OAuth)
• Prevents future AI access to that service

You can always reconnect later.

Note: Revoking individual credentials is different from revoking sessions. See Vault Linking for how session revocation affects vault access.

Reconnecting

If a connection expires or you need to update it:

1. Find the connection in your Credentials list
2. Click “Reconnect”
3. Complete the authorization flow
4. New credentials replace the old ones

For OAuth, this gets fresh tokens. For API keys, you enter the new key.

Multiple Accounts

You can connect multiple accounts for the same service:

When This Is Useful

• Work and personal GitHub accounts
• Multiple AWS accounts (production, staging)
• Different Google Workspace organizations
• Separate Stripe accounts per project

How It Works

Each account is a separate credential in your vault. When AI makes an API call, it uses the credential associated with the current context (catalog, operation, etc.).

Managing Multiple Accounts

In your Credentials list, multiple accounts for the same service appear as separate entries. Each shows:

• Account identifier (email, username, etc.)
• When connected
• Last used

Credential Rotation

For security, rotate credentials periodically:

OAuth Tokens

OAuth tokens refresh automatically. For manual rotation:

1. Revoke the current connection
2. Reconnect to get fresh tokens

API Keys

API key rotation requires action on both sides:

1. Generate a new key in the service’s dashboard
2. Update the key in Toolcog (Credentials → Edit)
3. Verify the new key works
4. Revoke the old key in the service’s dashboard

Audit Trail

Toolcog maintains an audit trail of:

• When connections were created
• When credentials were used
• Which operations were called
• Success and failure status

Access your audit log from the dashboard to review activity.

Security Recommendations

Review Periodically

Check your connections monthly:

• Remove services you no longer use
• Verify active connections are expected
• Check for any “needs attention” status

Principle of Least Privilege

Connect only what you need:

• Don’t authorize services “just in case”
• Use minimal scopes when possible
• Revoke access when a project ends

Watch for Anomalies

In your audit log, look for:

• Unexpected services being used
• Unusual patterns of API calls
• Failed authentication attempts

Next Steps

• Authorization Flow — How AI securely connects to APIs
• Zero-Knowledge Credential Protection — How credentials are encrypted
• Audit Trail — Monitoring API activity