Credentials, Secrets, And Accounts
Apprentice connects to providers, integrations, and MCP servers through credentials you configure.
Treat all provider keys, OAuth accounts, integration tokens, webhook URLs, and MCP secrets as sensitive.
Credential Surfaces
Credentials can appear in:
- AI provider settings.
- Provider accounts.
- External Communications integrations.
- MCP Library secrets.
- Per-agent MCP secret overrides.
- Webhook authorization headers.
- Local runtime API keys, if enabled.
Do not paste credentials into agent prompts, chats, memory, knowledge files, or docs.
Provider Accounts
Provider accounts authenticate model access.
Use separate accounts or keys when:
- You want clean billing boundaries.
- Test agents should not use production credentials.
- Different agents need different provider accounts.
- You want easy revocation for one workflow.
If an agent's provider account changes, provider conversation continuity can be retired so future runs do not mix account context.
Integration Credentials
Integrations are configured globally in Settings > External Communications.
Credentials are stored through the available credential store. If the app reports a credential issue, edit the integration and update credentials before relying on the channel.
Use dedicated service accounts when possible.
For WhatsApp, use a dedicated number when possible because linked-device automation carries account risk.
MCP Secrets
MCP server secrets are configured globally in the MCP Library.
Agent bindings can use the global default secret or override a secret for that specific agent.
Use per-agent overrides for:
- Read-only tokens.
- Test versus production environments.
- Separate customer or project scopes.
- Least-privilege service accounts.
Webhooks
Webhook URLs and Authorization headers are credentials.
Keep separate endpoints for testing and production. Rotate webhook secrets if they are exposed.
Practical Safety Checklist
Before enabling an agent:
- Confirm credentials are stored in settings, not prompts.
- Use the least-privilege account available.
- Use a dedicated service account when practical.
- Avoid sharing one production token across unrelated agents.
- Review per-agent MCP secret overrides.
- Test with a low-risk prompt first.
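The rule above against pasting credentials into prompts, memory, or knowledge files, and the first checklist item, can be checked mechanically before an agent is enabled. The following is an added example, not part of Apprentice. The patterns, function names, and sample text are constructed assumptions, and the prompt and knowledge content is passed in as plain strings because this page does not describe how Apprentice stores it.

```python
import re

# Constructed heuristics for the credential kinds this page lists. They are
# assumptions for illustration, not Apprentice's own detection rules.
PATTERNS = {
    "authorization_header": re.compile(
        r"(?i)\bauthorization\s*[:=]\s*(?:bearer|basic|token)\s+([A-Za-z0-9._~+/=-]{8,})"),
    # The page treats webhook URLs themselves as credentials.
    "webhook_url": re.compile(r"(?i)\b(https?://[^\s\"'<>]*hook[^\s\"'<>]*)"),
    # name = value pairs whose name suggests a key, secret, token or password.
    "named_secret": re.compile(
        r"(?i)\b[\w-]*(?:api[_-]?key|secret|token|password)[\w-]*"
        r"\s*[:=]\s*[\"']?([A-Za-z0-9_./+=-]{16,})"),
}

def looks_generated(value):
    """Placeholders are usually plain words; generated tokens mix letters and digits."""
    return bool(re.search(r"[A-Za-z]", value) and re.search(r"\d", value))

def redact(value):
    """Report a finding without copying the secret into the report."""
    return f"{value[:4]}...[{len(value)} chars]"

def scan_text(source, text):
    """Return (source, line_no, kind, redacted) for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if kind == "named_secret" and not looks_generated(value):
                    continue  # skips e.g. "api_key: your_api_key_goes_here"
                findings.append((source, line_no, kind, redact(value)))
    return findings

# Constructed sample content; none of these values are real credentials.
SAMPLES = {
    "agent_prompt": "You are a support agent.\n"
                    "Send requests with Authorization: Bearer c29tZS1jb25zdHJ1Y3RlZA\n",
    "knowledge_file": "Post alerts to https://hooks.example.invalid/in/constructed123\n"
                      "mcp_token = EXAMPLEconstructed0000value1111\n",
    "clean_prompt": "Use the secret configured in the MCP Library.\n"
                    "api_key: your_api_key_goes_here\n",
}

def scan_all(samples=SAMPLES):
    return [f for name, text in samples.items() for f in scan_text(name, text)]
if __name__ == "__main__":
    print(*scan_all(), sep="\n")
```

Any finding means the value should be moved into settings and, because it has already been written to prompt or knowledge content, rotated as described under Troubleshooting.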
Troubleshooting
If a provider fails, re-test the provider account in AI Integration.
If an integration reports a credential issue, update it in External Communications.
If MCP tools fail due to auth, check MCP Library secrets and per-agent overrides.
If a credential was exposed, rotate it in the external service and update Apprentice.
Next Step
After credentials are safe, review permissions and guardrails for the agent that will use them.