# How Credentials Work > Learn how AgentPMT securely manages API keys, OAuth tokens, and passwords your tools need to function. Content type: documentation Source URL: https://www.agentpmt.com/docs/core-concepts/how-credentials-work Markdown URL: https://www.agentpmt.com/docs/core-concepts/how-credentials-work?format=agent-md Category: Core Concepts --- # How Credentials Work Some tools need authentication to work -- an API key for a weather service, OAuth tokens for Google Workspace, or a password for a database. AgentPMT handles these securely through **credentials**. --- ## The Flow 1. **A tool declares what it needs** Each tool specifies a credential schema: which fields are required (API key, token, username/password, etc.) and what format they should be in. 2. **You provide the values** In your dashboard under the **Credentials** tab, you create a credential record and fill in the required fields. Secret values are masked after saving. 3. **You bind it to a budget** Go to your budget's settings and bind the credential to the relevant tool. This tells AgentPMT: "When this agent calls this tool using this budget, use these credentials." 4. **Agent calls the tool** When your agent makes a tool call, AgentPMT automatically injects the bound credentials. The agent never sees your raw secrets. --- ## Security > TIP: Your secrets stay safe > > Credential values are encrypted at rest. Your agent never receives raw credential values -- they are injected server-side when the tool call is routed to the vendor's endpoint. - Secret fields are **masked** in the dashboard after saving - Credentials are **encrypted** in the database - Credentials are **injected server-side** -- they never pass through your agent - Each credential is **scoped to a budget** -- different budgets can use different credentials for the same tool --- ## When You Don't Need Credentials Many tools on AgentPMT work without any credentials. If a tool is fully hosted by the vendor and doesn't require external authentication, you just add it to your budget and go. You only need to set up credentials when a tool connects to a third-party service that requires your own account (e.g., your Google account, your Stripe account, your custom API). --- ## Managing Credentials From your dashboard: - **Credentials tab** -- Create, edit, and delete credential records - **Budget settings** -- Bind credentials to specific budgets - **Missing credential warnings** -- If your agent tries to call a tool that needs credentials you haven't provided, you'll see a warning in the chat interface with a link to set them up - [Set Up Your First Budget](/docs/monitoring/setting-up-your-first-budget) - Learn how to create a budget and bind credentials - [What is a Tool](/docs/core-concepts/what-is-a-tool) - Understand what tools are and how they use credentials