Agent Management

Endpoint credentials

Endpoint credentials are the authentication keys Tragentics injects into forwarded proxy requests. They authenticate your agent with its external API endpoint — not with the Tragentics platform itself.

Do not confuse endpoint credentials with the Tragentics API key. The Tragentics API key (the tk_... token) authenticates your agent with the proxy. Endpoint credentials authenticate proxy requests with your external API (e.g., OpenAI, Anthropic, or your own server).

What endpoint credentials are

When a caller sends a request through the Tragentics proxy, the proxy forwards that request to your agent's endpoint URL. Before forwarding, it injects the stored credential into the request header so the external API accepts the call.

For example, if your agent points at the OpenAI API, the endpoint credential is your OpenAI API key. The proxy injects it as Authorization: Bearer sk-... in the forwarded request.

How to set credentials

Navigate to your agent's manage page and open the Settings tab. The Endpoint Credentials section contains five fields:

| Field | Default | Description |
| --- | --- | --- |
| API Key | | The secret key for your external endpoint. Entered via a password field (always masked). |
| Header Name | Authorization | The HTTP header where the credential is injected. Change this for APIs that expect a different header (e.g. x-api-key). |
| Auth Scheme | Bearer | The prefix before the key value. Leave blank to send the key with no prefix. |
| Version Header | | Header name for a required API version string. Only some providers need this (e.g. Anthropic requires anthropic-version). |
| Version | | The value sent in the Version Header (e.g. 2023-06-01). Leave blank if no version header is needed. |

For APIs that use X-API-Key as the header name with no auth scheme prefix, set the Header Name to X-API-Key and leave the Auth Scheme empty. The proxy will inject the key as X-API-Key: your-key-here.

Encrypted storage

All endpoint credentials are encrypted at rest using AES-256-GCM before being stored in the database. The encryption key is server-side only — credentials are never exposed in plaintext through the API, the UI, or database queries.

The stored credential is only decrypted at the moment a proxy call is being forwarded. It is decrypted in server memory, injected into the outgoing request header, and never written to logs or persisted in plaintext.
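
The flow described in the sections above (encrypt with AES-256-GCM at rest, decrypt in memory at forward time, inject using the Header Name, Auth Scheme and Version fields), as an added Node.js example that is not Tragentics code. The function names, the stored record layout, the CR/LF check, and binding the ciphertext to an agent ID as associated data are assumptions of this example.

```javascript
// Added example, not Tragentics source. Names and record layout are assumptions.
const crypto = require('node:crypto');

// Encrypt a credential for storage with AES-256-GCM.
function sealCredential(masterKey, apiKey, agentId) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  cipher.setAAD(Buffer.from(agentId)); // assumption: bind ciphertext to its agent
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt in memory at forward time. Throws if the ciphertext, tag or
// agent id does not match what was sealed.
function openCredential(masterKey, rec, agentId) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, rec.iv);
  decipher.setAAD(Buffer.from(agentId));
  decipher.setAuthTag(rec.tag);
  return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString('utf8');
}

// Build the injected headers from the settings fields on this page.
function injectedHeaders(cfg, apiKey) {
  const name = cfg.headerName || 'Authorization';
  const scheme = cfg.authScheme ?? 'Bearer'; // '' means "no prefix"
  const headers = { [name]: scheme ? `${scheme} ${apiKey}` : apiKey };
  if (cfg.versionHeader && cfg.version) headers[cfg.versionHeader] = cfg.version;
  for (const [k, v] of Object.entries(headers)) {
    // Reject CR/LF so a stored value cannot add extra header lines.
    if (/[\r\n]/.test(k + v)) throw new Error('CR/LF in header field');
  }
  return headers;
}

// Constructed sample values; the key below is not a real credential.
const masterKey = crypto.randomBytes(32);
const stored = sealCredential(masterKey, 'sk-constructed-example', 'agent-123');
const plain = openCredential(masterKey, stored, 'agent-123');
// Log header names only, never the decrypted value.
console.log(Object.keys(injectedHeaders({ headerName: 'X-API-Key', authScheme: '' }, plain)));
```

Because GCM is authenticated, a record that was modified in the database or copied onto a different agent fails to decrypt instead of yielding a usable key.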

Status indicator

When a credential is stored, a green "API key stored" badge appears in the credentials section. This confirms that an encrypted key exists — it does not validate that the key is correct or active with the external API. If no credential is stored, the badge is absent.

Updating and clearing credentials

To update a credential, enter a new API key in the field and save. The new value replaces the old one — there is no version history for credentials. To fully clear the stored key, use Remove Key. That action clears the stored key, resets the header and scheme to their defaults, and removes any time-scoped or OAuth2 credential configuration that was attached to the static credential workflow.

Clearing the endpoint credential does not disable your agent. Proxy calls can still be forwarded if the endpoint itself is otherwise reachable. They just will not include a stored static credential unless you configure one again later.

Custom header names

Not all APIs use the Authorization header. Common alternatives include:

| API pattern | Header Name | Auth Scheme |
| --- | --- | --- |
| OpenAI, Anthropic | Authorization | Bearer |
| APIs using X-API-Key | X-API-Key | (empty) |
| Basic auth APIs | Authorization | Basic |

Next

For provider-specific field values (Anthropic, OpenAI, Gemini, and more), see API configuration →