Example requests
Ask your coding agent which service you want to use. It can wire up the app, credential, and actions that need it.“Connect our HubSpot account so our SDR agent can read and update deals.”
“Set up Slack so the team can message the data analyst agent and schedule regular reports.”
“Read the Pylon documentation, create a custom API integration, and add actions that match the endpoints our support agent needs.”
Apps vs credentials
An app is a service Keystroke can connect to: Granola, Google Workspace, Slack, Salesforce, Snowflake, and the rest of the integration catalog. A credential is one connected account for that app: an API key, OAuth connection, or managed connection instance. A single app can have several credentials, for example one organization-wide Hubspot connection and a project-level Hubspot connection with additional Hubspot permissions.| Term | What it means |
|---|---|
| App | A connectable external service shown in the Apps page and integration catalog |
| Credential | One connected account or secret for an app |
| Credential instance | The stored credential record at an organization, project, or user scope |
| Gateway app | A messaging surface, like Slack, for messaging agents directly in third-party tools |
| MCP server | A third-party’s MCP server that you attach to an agent with defineMcp() |
“Integration” is synonymous with “app”. An app is the user-facing thing you connect, and credential is the runtime binding your code consumes.
Connect apps and credentials
Keystroke supports several connection paths, depending on what you’re building.| Connection type | Use it for | How it works |
|---|---|---|
| Built-in OAuth apps | Apps like Google Workspace, GitHub, Gong, Snowflake, and other catalog integrations | Keystroke creates a managed app credential. In the hosted cloud, most of these run through Keystroke’s platform MCP layer. |
| Built-in API key apps | Apps that need a static secret, such as Exa | Store an API key credential with the CLI or web app. |
| Gateway apps | External channels where people talk to agents, such as Slack | Connect the app, then bind a channel to an agent. See external channels. |
| Custom credentials | Your own API keys or internal services | Define a credential and declare it on actions. |
| Custom MCP servers | Connect to any third-party MCP server and enable agents to use its available tools | Attach a defineMcp() tool to an agent, optionally backed by a credential. |
Credential scopes
Every credential instance is available at one of three scopes:| Scope | Use it when |
|---|---|
| Organization | The whole organization should share one connection or API key |
| Project | A specific project(s) gets its own connection or secret |
| User | The action should run as the user who connected the app |
- An explicit selection, if one was provided.
- A pinned scope from
.scope("organization"),.scope("project"), or.scope("user"). - The project default.
- The organization default.
- Throw a missing-credentials error.
.scope("user"). See using credentials in code.
Cloud and local credentials
Credentials live in the platform: they’re scoped to your organization, project, or user, and materialized on demand when a deployed project runs. Deploying does not upload.env or local secrets, so connect credentials against your cloud project with the web app or CLI.
keystroke dev / keystroke start, it uses a separate local credential store; CLI commands with --local write there.
How code consumes credentials
Credentials are declared on actions, not on agents or workflows directly. An action lists the credentials it needs:Platform API keys
App credentials are different from Keystroke platform API keys. Platform API keys authenticate your own systems to Keystroke’s platform API and are managed under Settings → API keys or withkeystroke api-key. App credentials authenticate Keystroke runs to third-party apps.
Next steps
Connect and manage apps
Use the web app and CLI to connect, scope, rotate, and revoke credentials.
Built-in integrations
Use catalog apps and their generated actions.
Using credentials in code
Declare credentials on actions and control resolution with scopes.
Custom apps and MCP
Add your own credentials, app wrappers, and MCP servers.