AGNT Connect
All authentication credentials and third-party integrations in one place. Connect manages API certificates for JWT signing, OAuth flows for Google and Microsoft, and provider credentials for LLM and service integrations. If your agent needs to authenticate with anything — or anything needs to authenticate with your agent — it goes through Connect.
Why AGNT Connect
Credential management is the least interesting part of building an AI product and the most dangerous to get wrong. Leaked API keys, expired certificates, broken OAuth flows — these are the things that bring systems down at 2am.
AGNT Connect centralizes all of it. RSA certificates for API authentication are generated and rotated through a single API. OAuth tokens for Google and Microsoft are managed through standard flows with automatic refresh. LLM provider credentials are stored encrypted and exposed only as masked summaries. You never build credential storage, rotation, or OAuth callback handling. It's done.
Quick Start
Create an API certificate and set up provider credentials:
# Create an RSA certificate for JWT signing
curl -X POST https://api.agnt.ai/certificates \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Production API Key",
"algorithm": "RS256",
"expiresAt": "2027-03-01T00:00:00.000Z",
"metadata": {
"environment": "production",
"team": "backend"
}
}'
# Configure LLM provider credentials
curl -X PUT https://api.agnt.ai/credentials \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"openaiApiKey": "sk-...",
"anthropicApiKey": "sk-ant-..."
}'
# Initiate Google OAuth
open "https://api.agnt.ai/auth/google"
Core Concepts
Certificates
Certificates are RSA key pairs used for JWT-based API authentication. When you create a certificate, AGNT generates the key pair and returns the private key once. The public key is available at a public endpoint for JWT verification by third parties.
Certificate lifecycle:
- Create: Generate a new RSA key pair. The private key is returned in the response — store it immediately.
- Active: The certificate is valid and can be used for signing.
- Revoke: Mark the certificate as revoked. It can no longer be used for signing but still exists in the system.
- Delete: Permanently remove a revoked certificate. Only revoked certificates can be deleted.
Each certificate has a kid (Key ID) used in JWT headers to identify which key signed the token. This supports key rotation — you can have multiple active certificates and rotate without downtime.
Provider Credentials
Provider credentials store API keys for LLM providers (OpenAI, Anthropic, etc.) and other third-party services. Credentials are stored encrypted and never returned in full. When you fetch credentials, you get a masked summary: hasOpenaiApiKey: true, openaiApiKeyLast4: "ab12".
This design is intentional. Your credentials are write-only secrets. You can update them, you can verify they exist, but you can't read them back. This eliminates an entire category of credential leakage.
OAuth Flows
Connect handles OAuth for Google and Microsoft. The flow is standard:
- Redirect the user to GET /auth/google or GET /auth/microsoft.
- The user authorizes access in the provider's UI.
- The provider redirects back with an authorization code.
- Exchange the code via POST /auth/exchange.
- AGNT stores the tokens and handles refresh automatically.
Once connected, OAuth tokens are used transparently by other AGNT services — Calendar uses them for Google Calendar and Microsoft Graph API access, for example. You don't manage token refresh or expiry.
OAuth Tokens
OAuth tokens are the stored credentials from completed OAuth flows. You can query them by identifier (user) and resource (the service they authenticate with). Tokens are refreshed automatically when they expire — you never need to re-authorize unless the user revokes access.
API Reference
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /certificates | List certificates |
| POST | /certificates | Create certificate |
| GET | /certificates/active | Get active certificate |
| GET | /certificates/public/:kid | Get public key (no auth) |
| GET | /certificates/:certificateId | Get certificate |
| POST | /certificates/:certificateId/revoke | Revoke certificate |
| DELETE | /certificates/:certificateId | Delete certificate (revoked only) |
| GET | /credentials | List provider credentials (masked) |
| PUT | /credentials | Update provider credentials |
| GET | /oauth-tokens | Get OAuth tokens |
| GET | /auth/google | Initiate Google OAuth |
| GET | /auth/microsoft | Initiate Microsoft OAuth |
| POST | /auth/exchange | Exchange OAuth code for tokens |
Certificate Object
{
"id": "cert_abc123",
"account": "acct_xyz789",
"kid": "kid_a1b2c3",
"name": "Production API Key",
"publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhki...\n-----END PUBLIC KEY-----",
"algorithm": "RS256",
"status": "active",
"expiresAt": "2027-03-01T00:00:00.000Z",
"metadata": {
"environment": "production",
"team": "backend"
},
"createdAt": "2026-03-01T10:00:00.000Z",
"updatedAt": "2026-03-01T10:00:00.000Z"
}
| Field | Type | Description |
|---|---|---|
| id | string | Unique certificate identifier |
| account | string | Account this certificate belongs to |
| kid | string | Key ID used in JWT headers |
| name | string | Human-readable name |
| publicKey | string | PEM-encoded RSA public key |
| algorithm | string | Signing algorithm (RS256) |
| status | string | active or revoked |
| expiresAt | string | ISO 8601 expiration timestamp |
| metadata | object | Arbitrary key-value metadata |
| createdAt | string | ISO 8601 timestamp |
| updatedAt | string | ISO 8601 timestamp |
Create Certificate
POST https://api.agnt.ai/certificates
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Human-readable name |
| algorithm | string | No | Signing algorithm (default: RS256) |
| expiresAt | string | No | ISO 8601 expiration timestamp |
| metadata | object | No | Arbitrary key-value metadata |
curl -X POST https://api.agnt.ai/certificates \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Production API Key",
"algorithm": "RS256",
"expiresAt": "2027-03-01T00:00:00.000Z",
"metadata": {
"environment": "production",
"team": "backend"
}
}'
{
"id": "cert_abc123",
"account": "acct_xyz789",
"kid": "kid_a1b2c3",
"name": "Production API Key",
"publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhki...\n-----END PUBLIC KEY-----",
"privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgk...\n-----END PRIVATE KEY-----",
"algorithm": "RS256",
"status": "active",
"expiresAt": "2027-03-01T00:00:00.000Z",
"metadata": {
"environment": "production",
"team": "backend"
},
"createdAt": "2026-03-01T10:00:00.000Z",
"updatedAt": "2026-03-01T10:00:00.000Z"
}
The privateKey field is only returned on creation. Store it securely in your secrets manager. It is never returned again.
List Certificates
GET https://api.agnt.ai/certificates
curl https://api.agnt.ai/certificates \
-H "Authorization: Bearer $TOKEN"
{
"data": [
{
"id": "cert_abc123",
"kid": "kid_a1b2c3",
"name": "Production API Key",
"algorithm": "RS256",
"status": "active",
"expiresAt": "2027-03-01T00:00:00.000Z",
"metadata": {
"environment": "production",
"team": "backend"
},
"createdAt": "2026-03-01T10:00:00.000Z"
}
]
}
Get Active Certificate
GET https://api.agnt.ai/certificates/active
Returns the currently active certificate. If multiple certificates are active, returns the most recently created one.
curl https://api.agnt.ai/certificates/active \
-H "Authorization: Bearer $TOKEN"
Get Public Key
GET https://api.agnt.ai/certificates/public/:kid
Public endpoint. No authentication required. Use this to verify JWTs signed with AGNT certificates. Third-party services call this endpoint to validate tokens.
curl https://api.agnt.ai/certificates/public/kid_a1b2c3
{
"kid": "kid_a1b2c3",
"publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhki...\n-----END PUBLIC KEY-----",
"algorithm": "RS256"
}
Get Certificate
GET https://api.agnt.ai/certificates/:certificateId
curl https://api.agnt.ai/certificates/cert_abc123 \
-H "Authorization: Bearer $TOKEN"
Returns the certificate object (without private key).
Revoke Certificate
POST https://api.agnt.ai/certificates/:certificateId/revoke
Marks the certificate as revoked. Tokens signed with this certificate will no longer be accepted. This is immediate and irreversible.
curl -X POST https://api.agnt.ai/certificates/cert_abc123/revoke \
-H "Authorization: Bearer $TOKEN"
{
"id": "cert_abc123",
"status": "revoked",
"updatedAt": "2026-03-01T12:00:00.000Z"
}
Delete Certificate
DELETE https://api.agnt.ai/certificates/:certificateId
Permanently deletes a certificate. Only revoked certificates can be deleted. Attempting to delete an active certificate returns 400 Bad Request.
curl -X DELETE https://api.agnt.ai/certificates/cert_abc123 \
-H "Authorization: Bearer $TOKEN"
Provider Credentials (Masked)
GET https://api.agnt.ai/credentials
Returns a masked summary of stored credentials. Never returns actual secrets.
curl https://api.agnt.ai/credentials \
-H "Authorization: Bearer $TOKEN"
{
"hasOpenaiApiKey": true,
"openaiApiKeyLast4": "ab12",
"hasAnthropicApiKey": true,
"anthropicApiKeyLast4": "cd34",
"hasGoogleApiKey": false,
"googleApiKeyLast4": null
}
Update Provider Credentials
PUT https://api.agnt.ai/credentials
Updates one or more provider credentials. Send only the fields you want to update.
curl -X PUT https://api.agnt.ai/credentials \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"openaiApiKey": "sk-new-key-here...",
"anthropicApiKey": "sk-ant-new-key..."
}'
{
"hasOpenaiApiKey": true,
"openaiApiKeyLast4": "re..",
"hasAnthropicApiKey": true,
"anthropicApiKeyLast4": "ey..",
"updatedAt": "2026-03-01T10:05:00.000Z"
}
Get OAuth Tokens
GET https://api.agnt.ai/oauth-tokens
| Parameter | Type | Description |
|---|---|---|
| identifierId | string | Required. User or identity to fetch tokens for |
| resource | string | Required. Service resource (e.g., google, microsoft) |
curl "https://api.agnt.ai/oauth-tokens?identifierId=user_456&resource=google" \
-H "Authorization: Bearer $TOKEN"
{
"data": [
{
"id": "oat_001",
"identifierId": "user_456",
"resource": "google",
"scopes": ["calendar.readonly", "calendar.events"],
"status": "active",
"expiresAt": "2026-03-01T11:00:00.000Z",
"createdAt": "2026-02-28T10:00:00.000Z"
}
]
}
Initiate Google OAuth
GET https://api.agnt.ai/auth/google
Redirects the user to Google's authorization page. After the user grants access, Google redirects back with an authorization code.
# Redirect your user to this URL:
# https://api.agnt.ai/auth/google
#
# After authorization, the user is redirected to your callback URL
# with an authorization code.
Initiate Microsoft OAuth
GET https://api.agnt.ai/auth/microsoft
Redirects the user to Microsoft's authorization page. Same flow as Google.
# Redirect your user to this URL:
# https://api.agnt.ai/auth/microsoft
Exchange OAuth Code
POST https://api.agnt.ai/auth/exchange
Exchanges an authorization code from Google or Microsoft for stored OAuth tokens.
| Field | Type | Required | Description |
|---|---|---|---|
| code | string | Yes | Authorization code from OAuth callback |
| provider | string | Yes | google or microsoft |
| redirectUri | string | Yes | The redirect URI used in the authorization request |
curl -X POST https://api.agnt.ai/auth/exchange \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"code": "4/0AX4XfWh...",
"provider": "google",
"redirectUri": "https://your-app.com/oauth/callback"
}'
{
"success": true,
"provider": "google",
"scopes": ["calendar.readonly", "calendar.events"],
"expiresAt": "2026-03-01T11:00:00.000Z"
}
For Coding Agents
If you're an AI coding agent integrating with AGNT Connect, here's what matters:
- Store the private key on creation. POST /certificates returns the private key exactly once. If you lose it, you create a new certificate. There is no recovery endpoint.
- Use kid in JWT headers. When signing JWTs with an AGNT certificate, include the kid in the JWT header. Verification endpoints use this to look up the correct public key.
- Rotate certificates without downtime. Create the new certificate first, update your signing logic to use the new key, then revoke the old one. Both certificates are valid simultaneously during the transition.
- Credentials are write-only. Don't try to read back API keys. The GET /credentials endpoint returns masked summaries. If you need to verify a key works, make a test call to the provider directly.
- OAuth tokens refresh automatically. Once a user completes the OAuth flow, you don't manage token refresh. AGNT handles it. Query GET /oauth-tokens to check status, but don't build refresh logic.
- Public key endpoint is unauthenticated. GET /certificates/public/:kid requires no auth. This is intentional — it's designed for third parties verifying your JWTs. Treat it as a public JWKS-style endpoint.
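The kid lookup and zero-downtime rotation from the list above, as an added Node.js example (not AGNT's own code): a verifier that pins RS256, resolves the key by kid and refuses revoked keys. The key store Map, the kid values, the verifier-side `status` tracking and the error strings are assumptions; the key pairs are generated locally and nothing calls the AGNT API.

```javascript
// Added example, not AGNT code. Keys, kids and the keyStore are constructed locally.
const crypto = require('node:crypto');
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Sign an RS256 JWT whose header names the signing certificate by kid.
function signJwt(claims, kid, privateKeyPem) {
  const input = `${b64u({ alg: 'RS256', typ: 'JWT', kid })}.${b64u(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), privateKeyPem);
  return `${input}.${sig.toString('base64url')}`;
}

// keyStore: Map kid -> { publicKey, status } (assumed shape): a verifier-side cache of
// public keys fetched by kid, plus the certificate status.
function verifyJwt(token, keyStore, nowSec = Math.floor(Date.now() / 1000)) {
  const [h, p, s, ...rest] = token.split('.');
  if (!h || !p || !s || rest.length) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // the token never picks the algorithm
  const entry = keyStore.get(header.kid);
  if (!entry) throw new Error('unknown kid');
  if (entry.status !== 'active') throw new Error('key revoked');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), entry.publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token expired');
  return claims;
}

// Rotation: both kids verify during the overlap; the old kid fails once revoked.
function rotationDemo() {
  const gen = () => crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const [oldKey, newKey] = [gen(), gen()];
  const store = new Map([
    ['kid_old', { publicKey: oldKey.publicKey, status: 'active' }],
    ['kid_new', { publicKey: newKey.publicKey, status: 'active' }],
  ]);
  const claims = { sub: 'agent-1', exp: Math.floor(Date.now() / 1000) + 300 };
  const oldToken = signJwt(claims, 'kid_old', oldKey.privateKey);
  const newToken = signJwt(claims, 'kid_new', newKey.privateKey);
  const overlap = [verifyJwt(oldToken, store).sub, verifyJwt(newToken, store).sub];
  store.get('kid_old').status = 'revoked'; // local stand-in for the revoke call
  let oldAfterRevoke = 'accepted';
  try { verifyJwt(oldToken, store); } catch (e) { oldAfterRevoke = e.message; }
  return { overlap, oldAfterRevoke, newAfterRevoke: verifyJwt(newToken, store).sub };
}
```

The public key response shown on this page carries only kid, publicKey and algorithm, so how a third-party verifier learns that a kid was revoked is left open here; the `status` field models that knowledge.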
For Product Teams
AGNT Connect is the credential management layer for your platform. Here's how to think about it:
Certificates replace API keys. Instead of long-lived API key strings, AGNT uses RSA certificates with explicit expiration. This is more secure and gives you key rotation built in. No more "who has the API key" problems.
OAuth is a redirect, not a feature. Connecting Google or Microsoft accounts is a single redirect. The user authorizes, the code is exchanged, and tokens are stored automatically. You don't build OAuth callback handlers, token storage, or refresh logic. It's two API calls.
Provider credentials are invisible. Your team stores OpenAI, Anthropic, or other API keys once. From that point, AGNT uses them transparently for AI operations. Nobody can read them back. The masked view (hasKey: true, last4: "ab12") gives enough info for debugging without exposure.
Revocation is instant. If a certificate is compromised, revoke it with one call. All tokens signed with that certificate are immediately invalid. No waiting for expiry, no cache invalidation delays.
Audit-friendly by design. Every certificate has metadata, creation timestamps, and status history. You can tag certificates by environment and team. When security asks "which keys are active in production," you can answer with a single API call.