Store API keys and tokens once, use them across every agent, MCP server, skill, and channel — with rotation that propagates instantly and secrets that are never exposed.
Paste a token once. Every agent, MCP server, skill, and channel that needs it picks it up automatically. Rotate the key from one screen and every consumer updates on the next invocation — no re-binding, no config sweeps.
The Credentials Vault is the single place where Actionist stores every secret your agents need to reach the outside world. There are two kinds of objects you will find there.
Credentials
A raw secret you own and manage — an API key, personal access token, header secret, or client credentials pair. You paste the value; Actionist encrypts it. The value is never shown again after save.
Connections
An OAuth account object the backend holds after you complete an OAuth consent screen. Created by the OAuth install flow, not by typing a value. Both appear on the same Credentials Vault page.
Each card shows a color-coded key medallion, display name, status badge, binding-count pill, provider/kind slug, and relative last-updated time. Five action buttons appear on every card: Rename, Rotate, Test now, Disable / Enable, and Delete. The available actions shift with the credential’s state. Pick a state:
SendGrid — productionsendgrid · api-key6 bindings
ActiveInvalidDisabledNeeds re-auth
RenameRotateTest nowDisableDelete
RenameRotateTest nowDisableDelete
RenameRotateEnableDelete
RenameRotateDisableDelete
Active — available for new and existing bindings. All five actions are available. Delete is locked because this credential still has 6 active bindings — hover it to see the tooltip.
Invalid — the backend determined the secret is no longer valid (expired, revoked, or quota-blocked). Run Test now to see the failure reason, then Rotate with a fresh value to restore it. All bindings remain intact while you rotate.
Disabled — paused manually. Cannot be selected in new bindings, but all binding metadata is preserved. Rotate is locked: re-enable the credential first, then rotate the value. Click Enable to restore instantly.
Needs re-auth — the stored token requires re-authorization. There is no Re-authenticate button. Workaround: create a fresh credential for the same provider with Add credential, then re-bind every consumer to it. Disable or delete the stale credential once migrated.
The value field reads “Saved encrypted; never shown after save.” This is by design. To update a saved secret, use Rotate — not delete-and-recreate.
Navigate to Settings, then select the Credentials Vault tab. The toolbar at the top shows how many credentials are stored and how many active bindings are currently in use.
4 credentials stored
6 active bindings
RefreshAdd credential
SendGrid — productionsendgrid · api-key3 bindings
Active
RenameRotateTest nowDisableDelete
GitHub PAT — workgithub · token0 bindings
Disabled
RenameRotateEnableDelete
Stripe — livestripe · api-key2 bindings
Invalid
RenameRotateTest nowDisableDelete
Most users find the vault nearly empty at first. When you paste a token while installing an MCP or configuring an agent’s bot channel, Actionist saves it automatically. Use the vault to manage what has already been saved, or to add credentials you want available before you start building.
Click Add credential in the toolbar. An inline form expands with four required fields: Display name (e.g. GitHub PAT — work), Provider (lowercase identifier: github, sendgrid, slack), Kind (dropdown), and Value (password-masked). Click Save credential. The credential appears with an Active badge immediately.
Click Rename. The display name becomes an inline input. Press Enter to save or Escape to cancel. Provider tag and kind are unchanged — all bound consumers keep working.
Rotate
Rotate replaces the stored secret while keeping every binding intact. The next time any bound consumer runs, it picks up the new value automatically — no re-wiring needed.Click Rotate, paste the new secret in the New value field, and press Enter. The banner confirms: “Existing bindings keep working — they pick up the new value on next use.”
Rotation is the only way to update a saved secret. You cannot rotate a disabled credential — re-enable it first.
SendGrid — productionActive
New value
••••••••••••••••••••••••Show
Existing bindings keep working — they pick up the new value on next use.
SaveCancel
Disable and re-enable
Click Disable. The status changes to Disabled and the button becomes Enable (green). Disabled credentials cannot be selected in new bindings, but all binding metadata is preserved. Click Enable to restore — instant and reversible.
Prefer Disable over Delete for temporary pauses. Re-enabling is instant; deleting requires re-binding every consumer.
Delete
Delete is permanent and guarded by two conditions — both must be true before the button activates:
No active bindings. If any consumer is bound, the button tooltip reads “Unbind consumers first”. The message: “Can’t delete — still bound to N consumer(s). Unbind first.”
Usage data loaded. If the binding count has not fully loaded, the tooltip reads “Refresh to verify usage before deleting”. Click Refresh in the toolbar and try again.
Once active, click Delete, confirm the dialog (e.g. Delete “GitHub PAT — work”? This is permanent.), and it is done. The credential is permanently removed.
Deletion is irreversible. Any bound consumer that was not unbound first will show a StaleBindingChip: “Bound credential not found — re-bind required.” Use Disable if you are not certain.
The Delete button only activates when there are zero active bindings. Toggle the binding count below and watch the button lock or unlock — hover the locked button to see the exact tooltip text the UI shows.
Stripe — livestripe · api-key ·
3 active bindings0 active bindings
Can’t delete — still bound to 3 consumer(s). Unbind first. Go to each agent, MCP, or skill that uses this credential and clear the binding, then return here.
No active bindings — delete is available. This action is permanent and cannot be undone.
The guard is automatic. Actionist counts live bindings on every card render — you never have to remember to check.
Prefer Disable. If you are not certain you want permanent removal, Disable stops usage without losing binding metadata. Re-enable is instant.
Stale chips, not silent failures. If you delete a bound credential anyway, each consumer shows a red StaleBindingChip so the break is visible, not silent.
Clicking Test now on a credential card triggers a live probe against the provider’s API. For supported providers, the backend makes a real API call to verify the key is active and has access. For other providers, it performs structural and format validation.
200Response OK. Key is active and has the expected scopes.
valValidated 0 min ago — badge set on card.
Failure path: if the key is wrong, expired, or quota-blocked, the card shows an amber “Validation failed: {reason}” badge with the exact reason from the provider.
Success state
SendGrid — production
Validated 2 min ago
RenameRotateTest now
Failure state
Stripe — live
Validation failed: key revoked
RenameRotateTest now
Run Test now immediately after pasting a new API key — before you build anything on top of it. It catches copy-paste errors and expired keys in seconds, before a failed agent run makes the problem hard to diagnose.
When you rotate a credential in the vault, you change one encrypted value. Every agent, MCP server, skill, and channel that holds a binding picks up the new secret on their next invocation — silently, with no re-wiring. Watch the pulse propagate:
New value encrypted · SHA-256 hash updated · bindings intact
Picks up new key on next run
Resolves from vault on invocation
New value injected at connection time
Picks up new key on next run
Vault lookup at trigger time
Install MCP / configure skill
CredentialPicker appears
1–4 matches — ReuseHint banner
Select existing → reused
No match
Paste new value → created
Credential bound
Agent / MCP uses it on run
The picker filters by provider and kind. If 1–4 existing active credentials match the slot, a CredentialReuseHint banner appears with one-click reuse. Selecting an existing credential records the binding without an API call. Pasting a new value with no picker selection creates and binds a new credential in one step.
Install MCP · sendgrid-proxy✕
You already have a sendgrid credential — use it?Use this credential
CredentialPicker
SendGrid — productionActive
SendGrid — stagingActive
Picker wins. If you have a credential selected in the picker and also paste a new value into the secret field, the picker selection takes precedence — the pasted value is silently ignored. The banner explains: “A saved credential is selected. The pasted value will be ignored. To replace the bound value, rotate it from the credentials vault.”
How the vault pays off the moment a key changes — and how the delete guard keeps a live agent running.
”Rotated the SendGrid key at 9:02. All six consumers were on the new key by 9:03.”
Sam · Solo founder — after a scheduled key cycle
The same principle holds whether you are managing one workspace or twelve. Here is how the vault pays off in practice:
Omar · Agency owner
A client rotates their SendGrid key. Omar pastes the new value into the vault — one Rotate on the shared credential — and all twelve agents across that client’s workspace pick up the new key on their next run. Zero config sweeps, zero re-binding.
saves ~40 min per key cycle
Felix · Finance & Ops
Felix tries to delete an old Stripe credential. The Delete button is locked — the vault shows it still has two active bindings. He checks the bound consumers, migrates them to the new key, and only then does Delete unlock. The live reconciliation agent keeps running without interruption.
If a credential that was bound to a consumer (agent, MCP, or skill) has since been deleted or revoked, the consumer shows a red StaleBindingChip: “Bound credential not found — re-bind required.” A Clear binding button lets you remove the stale reference so you can select a fresh credential. Nothing is fixed until you actively re-bind — clearing just removes the broken pointer.
Needs re-auth
A credential in Needs re-auth status means the stored token needs to be re-authorized. The card shows the Needs re-auth badge and an explanatory note.
There is currently no Re-authenticate button on credentials in this state. The workaround: create a fresh credential for the same provider and use Rotate on any affected consumer bindings to point them at the new credential.
Agents running on a remote server — a Telegram bot or a cloud runtime you have provisioned — need to resolve vault credentials without the desktop being open. The Paired runtimes panel at the bottom of the Credentials Vault page lets you issue a one-time pairing code that grants a remote machine secure credential-resolution access.
The backend stores only a SHA-256 hash of the pairing code — the plaintext is never persisted after display.
codeShown only once. Paste it into the runtime now — once you close this it’s gone.
AM-PAIR-7f4a93e2-bf01-48cd-90c0-12e4a7f63b88
hashSHA-256 hash stored. Plaintext not persisted.
Open the Paired runtimes panel
Scroll to the bottom of the Credentials Vault page. The Paired runtimes section lists all machines paired to your account.
Pair a new runtime
Click Pair runtime. Enter a Label (e.g. VPS — Telegram bot) and an optional Host hint, then click Issue pairing code.
Copy and paste the code
The code appears once with a Copy button and the warning: “Shown only once. Paste it into the runtime now — once you close this it’s gone.” Copy immediately and paste into your runtime configuration, then click Done.
Confirm the pairing
The runtime appears with its label, host hint, Active badge, and last-seen timestamp. The badge shows Online or Offline based on live polling.
The pairing code is shown once and only once. If you close the dialog before copying it, you will need to issue a new pairing code. There is no way to retrieve the original.
Paired runtimesPair runtime
VPS — Telegram botfra1-bot-01.example.com · last seen 2 min ago
OnlineRevoke
To revoke a runtime, click Revoke on its row and confirm: “Revoke this runtime? It will lose access to your credentials immediately.” Access is cut off instantly — other runtimes and the desktop are unaffected. A revoked runtime can re-pair with a fresh code.
Add shared credentials before installing multiple MCPs
If several MCP servers share the same API key, add the credential in Settings → Credentials Vault first. The CredentialReuseHint banner surfaces it automatically in each install modal — one paste, reused everywhere.
Use accurate provider tags
The Provider field is how the picker surfaces the right credential in the right slot. Tag credentials with the lowercase service identifier: sendgrid, github, slack, stripe. A wrong or vague tag means the picker will not auto-surface it.
Rotate, never delete and recreate
When a secret changes, use Rotate. Rotation preserves every binding — all consumers pick up the new value on next invocation, with no re-binding. Deleting and recreating requires manually re-binding every consumer.
Disable for temporary pauses, delete only when certain
Disable stops a credential from being used without losing its bindings. Re-enabling is instant. Reserve Delete for credentials you are certain you will never use again — it is irreversible.
Test now immediately after saving a new key
For supported providers, the backend makes a live API call to verify the key. Running Test now right after paste catches copy-paste errors and quota issues before an agent run fails.
Needs re-auth: create fresh and re-bind
There is no re-authenticate button for Needs re-auth credentials. The workaround: create a fresh credential for the same provider with Add credential, then re-bind consumers to it. Disable or delete the stale credential once all consumers are migrated.
Encrypted at rest · Never shown after save · Scoped to your workspace.
Available on the desktop app — credentials management is not available in the web app.