What Is an API Key?
An API key is essentially a password that lets one piece of software talk to another. When you connect your AI agent to a service like Stripe, the agent needs a way to prove it has permission to access your account. That's what the API key does.
Think of it like a hotel key card. The card itself doesn't contain your personal information -- it just proves you're authorized to enter a specific room. An API key works the same way. It tells the service "this request is coming from someone who's allowed to be here."
You've probably already used API keys without knowing it. If you've ever connected a third-party app to your email, linked your accounting software to your bank, or set up a Zapier automation, there was likely an API key involved behind the scenes.
Why Credentials Matter
Your API keys and credentials are the gateway to your business systems. A Stripe API key can access your payment data. A Google Analytics key can read your website traffic. A Salesforce credential can pull up your entire customer database.
This is why how credentials are stored and handled matters so much. A key that falls into the wrong hands could expose sensitive business data or allow unauthorized actions.
Never share your API keys in emails, chat messages, or public documents. Treat them like passwords -- because that's essentially what they are.
Types of Credentials
Not all credentials work the same way. Here are the main types you'll encounter, explained in plain terms.
API Keys
The simplest type. You log into a service, go to their settings or developer section, and copy a long string of characters. You paste that key into Pipeworks, and you're connected.
Used by: Stripe, OpenAI, and others
Think of it as: A single password that grants access
Sign-In Authorization
Some services let you connect by signing in with your existing account -- similar to how you use "Sign in with Google" on websites. You click a button, sign into the service, grant permission, and you're done. No keys to copy or paste.
Used by: Google Analytics, Google Ads
Think of it as: Letting Pipeworks sign in as you, with your permission
Application Passwords
Some services use a combination of your username and a special password generated specifically for third-party access. This is different from your regular login password -- it's a separate credential that can be revoked without changing your main password.
Used by: WordPress, Elementor, Fluent Forms
Think of it as: A separate guest password for your account
Access Tokens
Similar to API keys, but often more specific. An access token might only work for certain actions or expire after a set time period. Some services require you to generate these from your account settings.
Used by: Calendly and others
Think of it as: A temporary or limited-use key
Key Pairs
Some services require two pieces of information to connect -- like an account ID plus a secret key, or a public key plus a private key. Both pieces are needed; one without the other won't work.
Used by: Google Search, n8n
Think of it as: A lock that needs two keys turned at the same time
How Pipeworks Protects Your Credentials
Understanding what credentials are is important. Understanding how they're protected is essential.
Encryption at Rest
The moment you enter a credential into Pipeworks, it's encrypted using bank-grade encryption. The original value is never stored in plain text. Even if someone gained access to the database, they'd see only scrambled data.
Isolated Environments
Each integration runs in its own separate environment. Your Stripe credentials are never in the same space as your Google Analytics credentials. This isolation means a problem with one integration can never expose credentials from another.
Credentials in Transit
When your integration needs to connect to a service, your credentials are decrypted only for the brief moment they're needed, then immediately cleaned up. They're passed through a secure channel and never appear in logs or error messages.
You'll never see your credentials displayed in Pipeworks after you've entered them. Once they're saved, they're encrypted and hidden -- even from you. If you need to update them, you enter new ones rather than viewing the old ones.
Common Questions
What happens if I regenerate my API key?
If you generate a new key in the service (like Stripe), your old key stops working. You'll need to update the key in Pipeworks with the new one. Your integration will show as disconnected until you do.
Can my AI agent see my credentials?
No. Your AI agent never sees the raw credentials. It sends requests through Pipeworks, which handles the authentication behind the scenes. The agent knows it can call tools, but it never has direct access to your keys or passwords.
What if I want to stop access?
You can disconnect an integration at any time. This immediately stops the agent from being able to use that service. You can also revoke the API key directly in the service's settings as an extra precaution.
Should I use test keys first?
If the service offers test or sandbox mode (Stripe does, for example), absolutely. Connect with test credentials first, try out the tools, and switch to live credentials once you're comfortable.
Many services offer separate test and live API keys. Starting with test keys is a great way to explore what your AI agent can do without any risk to real data.
Getting Started
When you connect your first integration, Pipeworks will tell you exactly what type of credential is needed and where to find it. Most setups take under five minutes.