# Credentials > Learn how AgentPMT securely manages API keys, OAuth tokens, and passwords your tools need to function. Content type: documentation Source URL: https://www.agentpmt.com/docs/core-concepts/how-credentials-work Markdown URL: https://www.agentpmt.com/docs/core-concepts/how-credentials-work?format=agent-md Category: Core Concepts --- # Credentials Some tools need authentication to work -- an API key for a weather service, OAuth tokens for Google Workspace, or a password for a database. AgentPMT handles these securely through **credentials**. --- ## The Flow 1. **A tool declares what it needs** Each tool specifies a credential schema: which fields are required (API key, token, username/password, etc.) and what format they should be in. 2. **You provide the values** In your dashboard under the **Credentials** tab, you create a credential record and fill in the required fields. Secret values are masked after saving. 3. **You bind it to an Agent Group** Go to your Agent Group's settings and bind the credential to the relevant tool. This tells AgentPMT: "When this agent calls this tool using this group, use these credentials." 4. **Agent calls the tool** When your agent makes a tool call, AgentPMT automatically injects the bound credentials. The agent never sees your raw secrets. --- ## Security > TIP: Your secrets stay safe > > Credential values are encrypted at rest. Your agent never receives raw credential values -- they are injected server-side when AgentPMT runs the approved integration. - Secret fields are **masked** in the dashboard after saving - Credentials are **encrypted** in the database - Credentials are **injected server-side** -- they never pass through your agent - Each credential is **scoped to an Agent Group** -- different groups can use different credentials for the same tool --- ## When You Don't Need Credentials Many tools on AgentPMT work without any credentials. If a tool does not require external-account authentication, you just add it to your Agent Group and go. You only need to set up credentials when a tool connects to an external service that requires your own account (for example, your Google account, your Stripe account, or your custom API). --- ## Managing Credentials From your dashboard: - **Credentials tab** — Create, edit, and delete credential records - **Agent Group settings** -- Bind credentials to specific Agent Groups - **Missing credential warnings** — If your agent tries to call a tool that needs credentials you haven't provided, you'll see a warning in the chat interface with a link to set them up - [60 Second Quick Start](/docs/getting-started/quick-start) - Create your first Agent Group and bind credentials - [API To MCP Tool Conversion](/docs/agent-connections/api-to-mcp-tool-conversion) - Use credentials to expose a controlled API endpoint as a private MCP tool - [What is a Tool](/docs/core-concepts/what-is-a-tool) - Understand what tools are and how they use credentials