Multi-Account

A single agent can use credentials from multiple teams. One agent authenticates once and uses the X-TAP-Team header to switch between teams.

Use Case

A developer has a personal team with their own API keys (OpenAI, GitHub) and works at a company that manages production credentials (Slack, Twitter). Without multi-account, they’d need two separate agents. With multi-account, one agent accesses both.

How It Works

  • Home team — the team where the agent was created. Default when no X-TAP-Team header is sent.
  • Linked team — a team that has invited the agent in. Access credentials by adding X-TAP-Team: <team-id> to requests.
  • Role scope — the linking admin can restrict the agent to a specific role, limiting which credentials it can access.

Setup

  1. Create an agent in the home team (dashboard → Agents)
  2. Company admin links the agent into their team (dashboard → Agent Links), optionally scoped to a role
  3. Agent uses cross-team credentials by adding the X-TAP-Team header to requests

# Home team credential (no extra header)
curl -X POST "$PROXY_URL/forward" \
  -H "X-TAP-Key: $AGENT_KEY" \
  -H "X-TAP-Credential: openai" \
  -H "X-TAP-Target: https://api.openai.com/v1/models"

# Linked team credential (add X-TAP-Team)
curl -X POST "$PROXY_URL/forward" \
  -H "X-TAP-Key: $AGENT_KEY" \
  -H "X-TAP-Team: <company-team-id>" \
  -H "X-TAP-Credential: slack" \
  -H "X-TAP-Target: https://slack.com/api/conversations.list"

Security Model

  • No credential visibility. Linked agents use credentials through the proxy but never see values.
  • Role scoping. If the link specifies a role, the agent only accesses credentials in that role.
  • Each team controls its own links. The linking team creates and removes links. The home team has no control over what’s exposed.
  • Policies still apply. The linked team’s policies govern approval behavior for linked agents.
  • Audit trail is team-scoped. Requests using a team’s credentials are logged in that team’s audit trail.
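
The rules above can be read as one authorization decision per request. The following Python model is an added example, not the proxy's own code: the Team and Agent classes, the resolve function, the team IDs, role names and agent ID are hypothetical, and it assumes each credential belongs to one role and that denied requests are audited as well.

```python
from dataclasses import dataclass, field

@dataclass
class Team:
    team_id: str
    credentials: dict                           # credential name -> role holding it
    links: dict = field(default_factory=dict)   # agent id -> role scope (None = unscoped)
    audit: list = field(default_factory=list)   # this team's own audit trail

@dataclass
class Agent:
    agent_id: str
    home_team: str

def resolve(teams, agent, credential, team_header=None):
    """Decide which team's credential a request may use; returns (team_id, name)."""
    team_id = team_header or agent.home_team    # no X-TAP-Team -> home team
    team = teams.get(team_id)
    if team is None:
        raise PermissionError("unknown team")
    scope, denial = None, None
    if team_id != agent.home_team:
        if agent.agent_id not in team.links:    # only the linking team grants access
            denial = "agent is not linked into this team"
        else:
            scope = team.links[agent.agent_id]
    if denial is None and credential not in team.credentials:
        denial = "no such credential in this team"
    if denial is None and scope is not None and team.credentials[credential] != scope:
        denial = "credential is outside the link's role scope"
    # Assumption: denials are recorded too, in the trail of the team being accessed.
    team.audit.append((agent.agent_id, credential, denial or "allowed"))
    if denial:
        raise PermissionError(denial)
    return team_id, credential                  # a reference only, never the secret value

TEAMS = {                                       # constructed sample data
    "personal": Team("personal", {"openai": "default", "github": "default"}),
    "acme": Team("acme", {"slack": "support", "twitter": "marketing"},
                 links={"agent-1": "support"}),
}
AGENT = Agent("agent-1", "personal")

if __name__ == "__main__":
    for cred, team in [("openai", None), ("slack", "acme"), ("twitter", "acme")]:
        try:
            print(resolve(TEAMS, AGENT, cred, team))
        except PermissionError as err:
            print("denied:", cred, err)
```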

The X-TAP-Team Header

| Header | Required | Description |
|---|---|---|
| X-TAP-Team | No | Team ID to resolve credentials against. Defaults to agent’s home team |

Agents can discover available teams via GET /agent/services.