Credential Setup

Credential Setup Guides

This page walks through how to obtain the credentials you need for each service type supported by TAP.

Standard API Key

Most APIs use a single API key. Select Standard API Key in the TAP dashboard, enter a name and description, and paste the key.

If the API expects its secret in a header other than Authorization, choose Custom instead and configure Custom Auth Headers in the advanced section. For example:

DD-API-KEY: {value}

TAP will then treat that header as a valid auth position for the credential.

OpenAI

platform.openai.com/api-keys → Create new secret key → Copy

Anthropic

console.anthropic.com/settings/keys → Create Key → Copy

GitHub

github.com/settings/tokens → Generate new token (fine-grained) → Select repos and permissions → Copy

Stripe

dashboard.stripe.com/apikeys → Reveal test/live secret key → Copy

Mercury

app.mercury.com/settings/tokens → Create API Token → Copy

Wise

wise.com/settings/api-tokens → Add new token → Full access → Copy

AWS

console.aws.amazon.com/iam → Users → Select user → Security credentials → Create access key → Copy the Access Key ID and Secret Access Key (paste both, separated by :, as the secret value)

Vercel

vercel.com/account/tokens → Create → Copy

Notion

notion.so/my-integrations → New integration → Copy Internal Integration Secret. Then share the relevant pages/databases with the integration.

Slack

api.slack.com/apps → Create New App → OAuth & Permissions → Add scopes → Install to Workspace → Copy Bot User OAuth Token (xoxb-...)

SendGrid

app.sendgrid.com/settings/api_keys → Create API Key → Full Access or Restricted → Copy

Twilio

console.twilio.com → Account Info → Copy Auth Token. Use AccountSID:AuthToken as the secret value.

Datadog

Datadog is a good example of a multi-value API. It needs both:

  • a Datadog API key
  • a Datadog application key

Model this in TAP as two credentials, not one:

  1. Create datadog-api as a Custom credential
  2. In Custom Auth Headers, enter:
DD-API-KEY: {value}
  1. Paste the Datadog API key as the secret value
  2. Create datadog-app as another Custom credential
  3. In Custom Auth Headers, enter:
DD-APPLICATION-KEY: {value}
  1. Paste the Datadog application key as the secret value

When calling Datadog, reference both credentials in placeholder mode:

curl -X POST "$TAP_PROXY_URL/forward" \
  -H "X-TAP-Key: $TAP_AGENT_KEY" \
  -H "X-TAP-Target: https://api.datadoghq.com/api/v1/validate" \
  -H "DD-API-KEY: <CREDENTIAL:datadog-api>" \
  -H "DD-APPLICATION-KEY: <CREDENTIAL:datadog-app>"

This same pattern works for other APIs that require multiple independent secrets in different auth headers.

Twitter / X (OAuth 1.0a)

Twitter’s API uses OAuth 1.0a, which requires four credential values. TAP’s built-in OAuth signer handles the per-request HMAC-SHA1 signing automatically.

Step 1: Create a Twitter Developer App

  1. Go to the Twitter Developer Portal
  2. Create a new Project and App (or use an existing one)
  3. Under User authentication settings, enable OAuth 1.0a with the access level your agent needs (Read, Read+Write, or Read+Write+DM)

Step 2: Get your credentials

In the Developer Portal, go to your app’s Keys and Tokens tab:

  1. Consumer Key (also called “API Key”) — under Consumer Keys, click Regenerate if needed
  2. Consumer Secret (also called “API Key Secret”) — shown alongside the Consumer Key
  3. Access Token — under Authentication Tokens, generate an access token
  4. Access Token Secret — shown alongside the Access Token

Make sure the access token has the right permissions. If you change your app’s permissions, you must regenerate the access token.

Step 3: Add to TAP

  1. In the TAP dashboard, click + Add Credential and select Twitter / X
  2. Enter all four values in the labeled fields
  3. Click Create

TAP stores all four values encrypted and the OAuth signer signs each request automatically.

Google Workspace (OAuth 2.0)

Google Workspace APIs (Gmail, Calendar, Drive, Sheets) use OAuth 2.0. TAP handles the entire OAuth flow for you.

  1. In the TAP dashboard, click + Add Credential and select Google Workspace
  2. Click Connect Google Account
  3. Sign in with the Google account you want the agent to access and grant permission

That’s it. TAP stores the refresh token and handles token refresh automatically.

Advanced: You can also paste a refresh token manually using the collapsible option in the credential form.

Telegram (Personal Account)

TAP can proxy requests to a user’s personal Telegram account through a Telegram client sidecar (built on Telethon or TDLib). This lets agents read messages, send messages, and interact with Telegram as a real user.

Using Claude Code? Run /setup-telegram for a guided walkthrough.

Step 1: Get API credentials from Telegram

  1. Go to my.telegram.org/apps
  2. Log in with your phone number
  3. Create a new application (or use an existing one)
  4. Note the API ID (a number) and API Hash (a hex string)

Step 2: Generate a session string

Run this one-liner (requires Python 3.8+):

pip install telethon -q && python3 -c "
from telethon.sync import TelegramClient; from telethon.sessions import StringSession
c = TelegramClient(StringSession(), int(input('API ID: ')), input('API Hash: '))
c.start(); print('\nSession string:\n' + c.session.save())
"

It will prompt for your API ID, API Hash, phone number, and verification code. Copy the session string it prints at the end.

Keep this session string safe — anyone with it can access your Telegram account.

Step 3: Add to TAP

  1. In the TAP dashboard, click + Add Credential and select Telegram
  2. Enter the API ID, API Hash, and Session String
  3. Click Create

TAP stores all values encrypted and passes them to the Telegram client sidecar for authentication.

QuickstartHow It Works