How API key security works in External APIs

This guide explains how External APIs stores and uses your API keys when your agent connects to an external service.

How keys are stored

API keys added through External APIs are stored in an encrypted vault. They are encrypted at rest in the database. The AI agent never receives the real key directly at any point.


How keys are used during a conversation

When the agent needs to call an external service, the platform generates a short-lived temporary key. The agent uses this temporary key - not your real key - to write and execute the integration code.

When the code runs, the platform replaces the temporary key with the real key through a secure background process. This substitution happens outside the AI's context - the agent has no visibility into it and no access to the real key.

The temporary key expires shortly after use. If it is exposed during a conversation, it cannot be used to access the real credentials.


What the agent can access

The agent has access to the temporary key only. It never has access to the real API key stored in the vault.
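
The sketch below models the flow described above: a temporary key is issued, swapped for the real key outside the agent's view, and rejected once it expires. It is an added example, not the platform's own code. KeyBroker, agent_build_request, the Authorization header as the substitution point, the fixed lifetime counted from issuance, and the sample key are all assumptions made for illustration.

```python
import secrets
import time


class KeyBroker:
    """Hypothetical stand-in for the vault plus the background substitution step."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._vault = {}    # service -> real key (a real vault encrypts these at rest)
        self._issued = {}   # temporary key -> (service, expiry time)
        self._ttl = ttl_seconds
        self._clock = clock

    def store_real_key(self, service, real_key):
        self._vault[service] = real_key

    def issue_temp_key(self, service):
        """The only value the agent sees: random, so it reveals nothing about the real key."""
        if service not in self._vault:
            raise KeyError(f"no key stored for {service}")
        temp = "tmp_" + secrets.token_urlsafe(24)
        self._issued[temp] = (service, self._clock() + self._ttl)
        return temp

    def substitute(self, headers):
        """Runs outside the agent's context: swap the temporary key for the real one."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        entry = self._issued.get(token)
        if entry is None:
            raise PermissionError("unknown temporary key")
        service, expiry = entry
        if self._clock() >= expiry:
            del self._issued[token]  # expired keys are dropped, never refreshed
            raise PermissionError("temporary key expired")
        outbound = dict(headers)  # copy, so the agent-visible request is never mutated
        outbound["Authorization"] = f"{scheme} {self._vault[service]}"
        return outbound


def agent_build_request(temp_key):
    """What agent-written integration code holds: the temporary key only."""
    return {"Authorization": f"Bearer {temp_key}", "Accept": "application/json"}


if __name__ == "__main__":
    broker = KeyBroker(ttl_seconds=30)
    broker.store_real_key("weather", "REAL-KEY-CONSTRUCTED-SAMPLE")  # constructed value
    request = agent_build_request(broker.issue_temp_key("weather"))
    print("agent sees:", request["Authorization"])
    print("sent upstream:", broker.substitute(request)["Authorization"])
```

A temporary key copied out of a conversation is only a lookup handle inside the broker, so it is useless to anything that cannot reach the substitution step, and useless to the broker itself after expiry.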

