Credential Setup Guides

Standard API Key

Select Standard API Key in the dashboard, give it a name, and paste the secret. TAP injects it into Authorization: Bearer by default.

Mercury

app.mercury.com/settings/tokens → Create API Token → Copy

Wise

wise.com/settings/api-tokens → Add new token → Full access → Copy

GitHub

github.com/settings/tokens → Generate new token (fine-grained) → Select repos and permissions → Copy

Slack

api.slack.com/apps → Create New App → OAuth & Permissions → Add scopes → Install to Workspace → Copy Bot User OAuth Token (xoxb-...)

Stripe

dashboard.stripe.com/apikeys → Reveal test/live secret key → Copy

OpenAI

platform.openai.com/api-keys → Create new secret key → Copy

Anthropic

console.anthropic.com/settings/keys → Create Key → Copy

Vercel

vercel.com/account/tokens → Create → Copy

Notion

notion.so/my-integrations → New integration → Copy Internal Integration Secret. Then share the relevant pages/databases with the integration.

SendGrid

app.sendgrid.com/settings/api_keys → Create API Key → Full Access or Restricted → Copy

Twilio

console.twilio.com → Account Info → Copy Auth Token. Use AccountSID:AuthToken as the secret value.

Cloudflare

dash.cloudflare.com/profile/api-tokens → Create Token → Copy

Custom

For APIs that authenticate with a non-standard header, or that require more than one secret, select Custom in the dashboard.

Non-standard auth headers

If the API uses a header other than Authorization: Bearer (e.g. X-Linear-Token), select Custom, enter the secret value, and add it under Custom Auth Headers in the advanced section:

X-Linear-Token: {value}

TAP treats that header as a valid auth position and injects the secret automatically.

Multi-secret APIs (Datadog, and others)

Some APIs require two or more independent secrets in different headers. Select Custom, enable the Multi-secret option, and paste field_name=value pairs — one per line. Then reference each field in Custom Auth Headers using {value.field_name}.

Datadog

Datadog needs an API key (DD-API-KEY) and an Application key (DD-APPLICATION-KEY).

1. Get your keys at app.datadoghq.com/organization-settings/api-keys and app.datadoghq.com/personal-settings/application-keys
2. In the TAP dashboard → Credentials → + Add Credential → select Custom
3. Enable the Multi-secret option and paste:

   api_key=<your-datadog-api-key>
   app_key=<your-datadog-application-key>
4. Under Custom Auth Headers, add:

   DD-API-KEY: {value.api_key}
   DD-APPLICATION-KEY: {value.app_key}
5. Save — TAP injects both headers automatically on every request

AWS (SigV4)

AWS APIs use SigV4 signing. TAP signs every request automatically — no pre-signing needed.

1. console.aws.amazon.com/iam → Users → Select user → Security credentials → Create access key → Copy Access Key ID and Secret Access Key
2. In the TAP dashboard → + Add Credential → select AWS
3. Enter your Access Key ID and Secret Access Key
4. Region and Service are auto-detected from the target URL. You can override them if needed.
5. Save — TAP signs requests with SigV4 automatically

OAuth 2.0 Client Credentials

For machine-to-machine APIs that use the OAuth 2.0 client credentials grant (Azure Resource Manager, Salesforce, Box, Okta, and others). TAP exchanges the credentials for a Bearer token on every request — the agent never sees the secret or the token.

Credential JSON

In the TAP dashboard → + Add Credential → OAuth 2.0 Client Credentials, enter:

Azure Resource Manager

1. portal.azure.com → Azure Active Directory → App registrations → New registration → name it → Register
2. Copy the Application (client) ID and Directory (tenant) ID
3. Certificates & secrets → New client secret → copy the value immediately
4. Subscriptions → your subscription → Access control (IAM) → Add role assignment → assign Reader (or higher) to the app
5. In TAP, enter:
   • token_url: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
   • scope: https://management.azure.com/.default

Salesforce

1. Setup → App Manager → New Connected App → enable OAuth → add scopes → Save
2. Copy Consumer Key (client_id) and Consumer Secret (client_secret)
3. token_url: https://login.salesforce.com/services/oauth2/token

Google (OAuth 2.0)

For Gmail, Calendar, Drive, Sheets, and any Google API — including the Admin SDK (Directory, Reports) for Workspace administration and the full Google Cloud Platform surface (Service Usage, IAM, Compute, …).

TAP handles the OAuth 2.0 flow for you.

1. In the TAP dashboard, click + Add Credential and select Google
2. Check the permissions this credential should have. Gmail, Calendar, Drive, and Sheets are pre-selected; Contacts, Tasks, Workspace Admin (manage users, groups, and org units), Admin Reports (read-only audit/usage logs), and Google Cloud (full GCP API access) are opt-in
3. Click Connect Google Account
4. Sign in with the Google account you want the agent to access and grant permission

TAP stores the refresh token and handles token refresh automatically. Only the permissions you checked appear on Google’s consent screen — and the credential is permanently limited to them, so create separate credentials for separate jobs.

Keep all permissions checked on Google’s consent screen. Google lets you uncheck individual permissions during consent, but a credential missing some of its requested permissions would fail in confusing ways later — so TAP rejects partial grants and asks you to retry. If you don’t want a permission, deselect it in the TAP dashboard instead, before connecting.

Workspace Admin scopes only work if the connecting Google account holds an admin role, and they can manage your entire Workspace. Put them in a dedicated credential (separate from day-to-day Gmail/Drive) and consider requiring passkey approval in its policy. The same goes for Google Cloud — it grants whatever GCP IAM lets the connecting account do, project-wide.

Advanced: You can also paste a refresh token manually using the collapsible option in the credential form.

Twitter / X (OAuth 1.0a)

Twitter’s API uses OAuth 1.0a. TAP’s built-in OAuth signer handles per-request HMAC-SHA1 signing automatically.

Step 1: Create a Twitter Developer App

1. Go to the Twitter Developer Portal
2. Create a new Project and App (or use an existing one)
3. Under User authentication settings, enable OAuth 1.0a with the access level your agent needs (Read, Read+Write, or Read+Write+DM)

Step 2: Get your credentials

In the Developer Portal, go to your app’s Keys and Tokens tab and collect:

• Consumer Key (API Key)
• Consumer Secret (API Key Secret)
• Access Token
• Access Token Secret

If you change your app’s permissions, regenerate the access token.

Step 3: Add to TAP

1. In the TAP dashboard, click + Add Credential and select Twitter / X
2. Enter all four values in the labeled fields
3. Click Create

Telegram (Personal Account)

Lets agents read and send messages as a real Telegram user. The dashboard walks you through the setup — no scripts needed.

Step 1: Get API credentials

1. Go to my.telegram.org/apps and log in with your phone number
2. Create a new application (or use an existing one)
3. Note the API ID (a number) and API Hash (a hex string)

Step 2: Open the Telegram wizard in TAP

In the TAP dashboard, click + Add Credential and select Telegram. A dedicated 3-step modal opens:

1. Credentials — enter a credential name, optional description, your API ID and API Hash, then click Next
2. Phone — enter the phone number registered to your Telegram account and click Send code; Telegram will send a code to your Telegram app
3. Verify — enter the verification code. If your account has Two-Factor Authentication enabled, a password field appears — enter your 2FA password and click Connect

TAP generates and stores the session automatically.