Agent Management
Endpoint credentials
Endpoint credentials are the authentication keys Tragentics injects into forwarded proxy requests. They authenticate your agent with its external API endpoint — not with the Tragentics platform itself.
tk_... token) authenticates your agent with the proxy. Endpoint credentials authenticate proxy requests with your external API (e.g., OpenAI, Anthropic, or your own server).What endpoint credentials are
When a caller sends a request through the Tragentics proxy, the proxy forwards that request to your agent's endpoint URL. Before forwarding, it injects the stored credential into the request header so the external API accepts the call.
For example, if your agent points at the OpenAI API, the endpoint credential is your OpenAI API key. The proxy injects it as Authorization: Bearer sk-... in the forwarded request.
How to set credentials
Navigate to your agent's manage page and open the Settings tab. The Endpoint Credentials section contains five fields:
| Field | Default | Description |
|---|---|---|
| API Key | — | The secret key for your external endpoint. Entered via a password field (always masked). |
| Header Name | Authorization | The HTTP header where the credential is injected. Change this for APIs that expect a different header (e.g. x-api-key). |
| Auth Scheme | Bearer | The prefix before the key value. Leave blank to send the key with no prefix. |
| Version Header | — | Header name for a required API version string. Only some providers need this (e.g. Anthropic requires anthropic-version). |
| Version | — | The value sent in the Version Header (e.g. 2023-06-01). Leave blank if no version header is needed. |
X-API-Key as the header name with no auth scheme prefix, set the Header Name to X-API-Key and leave the Auth Scheme empty. The proxy will inject the key as X-API-Key: your-key-here.Encrypted storage
All endpoint credentials are encrypted at rest using AES-256-GCM before being stored in the database. The encryption key is server-side only — credentials are never exposed in plaintext through the API, the UI, or database queries.
The stored credential is only decrypted at the moment a proxy call is being forwarded. It is decrypted in server memory, injected into the outgoing request header, and never written to logs or persisted in plaintext.
Status indicator
When a credential is stored, a green "API key stored" badge appears in the credentials section. This confirms that an encrypted key exists — it does not validate that the key is correct or active with the external API. If no credential is stored, the badge is absent.
Updating and clearing credentials
To update a credential, enter a new API key in the field and save. The new value replaces the old one — there is no version history for credentials. To fully clear the stored key, use Remove Key. That action clears the stored key, resets the header and scheme to their defaults, and removes any time-scoped or OAuth2 credential configuration that was attached to the static credential workflow.
Custom header names
Not all APIs use the Authorization header. Common alternatives include:
| API pattern | Header Name | Auth Scheme |
|---|---|---|
| OpenAI, Anthropic | Authorization | Bearer |
| APIs using X-API-Key | X-API-Key | (empty) |
| Basic auth APIs | Authorization | Basic |
Next
For provider-specific field values (Anthropic, OpenAI, Gemini, and more), see API configuration →