Credentials
Credentials store OAuth tokens and service API keys for integrations — things like GitHub Personal Access Tokens, Jira API keys, Slack Bot Tokens, and other service credentials used by MCP servers or workflow integrations.
Like LLM keys, credentials are project-scoped — shared across the whole project and managed by admins. See the three credential scopes for how Credentials, LLM Keys, and Platform API Keys differ.
What Credentials Are For
| Use Case | Example Credential |
|---|---|
| MCP server authentication | GitHub PAT for the GitHub MCP server |
| HTTP node integrations | Slack Bot Token for posting to a webhook |
| External API calls | SendGrid API key for email sending |
| Cloud provider APIs | AWS access key for S3 operations |
Not for: LLM API keys (those go in Settings → Keys & Secrets under Project LLM Keys, which are also project-scoped).
Managing Credentials
Access: Settings → Keys & Secrets tab → Project Credentials section.
Or: From any resource that needs credentials (e.g., MCP Hub prompts you to add a credential when connecting a server).
Adding a Credential
- Click Add Credential.
- Fill in:
  - Name: Descriptive label, e.g. `GitHub Work Token`, `Slack Bot - #alerts-channel`
  - Type: Token / OAuth / API Key / Basic Auth / Custom
  - Value: The secret value (encrypted on save)
  - Description: What this credential is for and where it's used
- Click Save.
Access Control
Only project admins can add, view, or delete credentials. Editors and Readers cannot manage credentials.
However, credentials are used automatically by the resources they're assigned to — editors can run workflows that use credentials without needing to see the credential values.
Credential Encryption
Credentials are encrypted at rest (same as LLM keys):
- Stored securely in the TARX database
- The actual value is never returned by the API after creation
- Decrypted in-memory only when needed by the resource using them
OAuth Credentials
For services that require OAuth (like GitHub Apps or Google Workspace), TARX supports an OAuth flow:
- Click Add Credential → select OAuth.
- Choose the OAuth provider (GitHub, Google, Slack, etc.).
- TARX redirects you to the provider's OAuth flow.
- Authorize the requested scopes.
- TARX receives the access token and refresh token.
- Tokens are stored encrypted and auto-refreshed when they expire.
When to Use Credentials vs. System Prompt
Some integrations can be configured either via credentials or by putting the API key directly in an agent's system prompt.
| Method | Security | Maintainability | Recommended |
|---|---|---|---|
| Credentials | High — encrypted, not visible | Easy — update credential once | ✅ Production |
| System prompt | Low — visible to all editors | Hard — must update each agent | ❌ Development only |
Always use credentials for production. System prompt API keys are for quick prototyping only — they're visible to all project editors.
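An added example, not part of the TARX documentation or product: a Python check that scans agent system prompts for token-shaped strings from the services named on this page, so keys left over from prototyping can be found and moved into Credentials. The `agents` mapping of agent name to prompt text is an assumed export shape, and the sample prompts and token values are constructed.

```python
import re

# Publicly documented token shapes for the services this page lists as examples.
TOKEN_PATTERNS = {
    "GitHub PAT": re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})"),
    "Slack Bot Token": re.compile(r"\bxoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+"),
    "SendGrid API key": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}


def redact(secret: str) -> str:
    """Keep a short prefix and the length so the report does not re-leak the value."""
    return f"{secret[:8]}...({len(secret)} chars)"


def scan_prompts(agents: dict[str, str]) -> list[dict]:
    """Return one finding per token-shaped string in any agent's system prompt."""
    findings = []
    for agent, prompt in agents.items():
        for line_no, line in enumerate(prompt.splitlines(), start=1):
            for kind, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append({
                        "agent": agent, "line": line_no, "type": kind,
                        "redacted": redact(match.group(0)),
                    })
    return findings


# Constructed sample (hypothetical export shape): agent name -> system prompt text.
SAMPLE_AGENTS = {
    "release-bot": "You manage releases.\nUse token ghp_" + "a1B2" * 9 + " for GitHub.",
    "alerts": "Post to #alerts-channel with xoxb-1234567890-0987654321-" + "Zz9" * 8 + ".",
    "clean-agent": "Summarise tickets. Authentication uses the assigned credential.",
}

if __name__ == "__main__":
    for f in scan_prompts(SAMPLE_AGENTS):
        print(f"{f['agent']}:{f['line']} {f['type']} {f['redacted']}")
```

Any key the scan finds has been visible to all project editors, so rotate it at the provider before storing the replacement as a credential.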