Credentials
How APIANT stores and resolves credentials at user, connector, and tenant scopes.
When you connect APIANT to an external system, the credentials get stored so you don't have to paste them every time you build something. APIANT's credential store is called the keyvault.
Most credentials are yours alone
By default, every credential is scoped to you and one specific service. When you authorize HubSpot, your HubSpot connection is yours; another user in your APIANT system has to authorize their own. You don't share credentials with teammates.
When Claude builds an automation that talks to a service you've already authorized, it uses your stored credentials automatically — no extra setup, no re-paste.
Some credentials are shared
For services where the whole organization works against a single account (a shared CRM, a shared mailbox), APIANT supports shared connections. You opt in when the case warrants it; Claude confirms before using a shared credential in a new build.
How you set them up
How you provide a credential depends on the auth type:
- API key services — when Claude builds an integration that needs credentials it doesn't have yet, it pauses and prompts you to paste the value.
- OAuth services — Claude walks you through the OAuth flow with the vendor, including any developer-app registration if needed (see Register an OAuth app with a vendor). At the end of the flow, the credential is in the keyvault and Claude continues building.
Credentials never appear in execution logs or in anything Claude tells you. If a step fails because of bad credentials, you'll hear "the Salesforce credential is rejected", not the credential itself.
When credentials change
If a vendor token expires, gets rotated, or is revoked, the next call to that service fails. Asking Claude to fix it ("my Salesforce connection broke") walks you through re-authorizing.
See also
- Connectors — auth types per connector
- API Authentication — credential setup walked through with a real integration