What happens to my credentials?
Your API keys are encrypted in the Secure Vault. We never see them — only a secure reference.
Written By pvdyck
Last updated 18 days ago
How it works
💡 Note:TL;DR: Safe, Encrypted, and InvisibleYour API keys (like OpenAI) are stored in an encrypted Secure Vault. During an agent run, we simply pass a reference to the vault. The platform, the Builder, and the execution engine never see or have access to your actual plaintext keys.
When you connect an API like OpenAI, your key is stored in the Secure Vault with encryption at rest and in transit. During execution, the vault injects your credential into the API call — we never see your actual key.
How credentials are used:
- Your Key (sk-...) → Secure Vault (Encrypted at rest)
- Injection happens at execution time only
- API Provider receives the authenticated request
The resolution chain
Credentials resolve through a 3-tier priority system: your keys first, then Builder keys, then platform defaults. Each node resolves independently, and credentials are isolated per agent. See the Credentials System Deep Dive for the full resolution flow, per-node examples, and isolation model.
BYOK (Bring Your Own Keys)
When you provide your own API keys, you're using BYOK mode:
Security guarantees
The Secure Vault provides:
Malicious workflows can't steal API keys because:
- The execution sandbox has no access to raw credentials
- Only encrypted references are stored
- Per-agent isolation prevents cross-contamination
Bottom line
Your API keys stay yours. We built the system so we couldn't access them even if we wanted to.