Credentials

Credential Store Options

Copy page

Credential Store Options

MCP servers and external agents may require authentication for secure access. The Inkeep agent framework supports storing these credentials in three different ways:

Recommended
Nango

Nango Store

Best for: Development or Production environments with OAuth2.1/PKCE flows and complex integrations

  • Automatic token refresh for OAuth
  • Supports additional metadata headers
  • Works with complex OAuth flows (OAuth2.0/PKCE)
  • Managed service (self-hosted or cloud)
Learn More
Default

Keychain Store

Best for: Local development with OAuth services

  • Not suitable for production
  • No automatic token refresh
  • Requires manual re-authentication when tokens expire
  • Does not support additional metadata headers
Learn More

Environment Variables

Best for: Simple API keys and bearer tokens in development or production

  • Direct configuration via TypeScript SDK
  • Does not support additional metadata headers
  • Does not support OAuth2.1/PKCE flows
Learn More

Environment-aware Credentials

When you need different credentials for different environments (e.g., development vs. production), you can take advantage of environment-aware credentials. This approach allows you to:

  • Define separate credentials for each environment
  • Automatically load the correct credentials based on your deployment environment
  • Keep your development and production credentials cleanly separated
  • Easily switch between environments using the CLI's --env flag

Learn more about setting up environment-aware credentials in the dedicated guide.

Webhooks

Create webhook endpoints that allow external services to invoke your agents

Nango

Next Page

On this page

Credential Store Options
Environment-aware Credentials