Keygent Documentation

Everything you need to manage client connections securely

Overview

Keygent is a multi-tenant credential management platform that lets agencies and AI builders securely store and manage API credentials for multiple clients. Your AI agents can interact with 21+ services on behalf of specific clients — without ever seeing raw credentials.

21+ Integrations

Slack, Notion, GitHub, HubSpot, Stripe, Supabase, Airtable, Linear, Shopify, and more.

Multi-Tenant

Manage 10, 50, or 100 clients. Each has isolated connections, team members, and usage metrics.

AI-Ready

MCP endpoints for Cursor, Claude, GPT, and custom agents. Policy-enforced on every request.

Key Concepts

Clients

Each client is a separate tenant (e.g., "acme-corp", "startup-xyz"). They have their own connections, credentials, and team members.

Connections

A link between a client and an app. When connected, credentials are encrypted. Agents use them without seeing raw tokens.

Portal Tokens

Secure, expiring tokens for client portal access. Share a portal link so clients can manage their own connections.

Agent Keys

Hashed, expiring API keys for AI agents to call MCP tools. Create them from the admin dashboard and rotate them regularly.

Architecture

Keygent sits between your AI agents and client tools. Your agents authenticate with an Agent Key, specify a Client ID, and Keygent handles credential decryption, API calls, and audit logging.

Agent → Keygent (validates key, decrypts credentials) → Client's Slack/GitHub/etc.

Data Flow

  1. Admin creates client — via dashboard or CLI
  2. Client gets portal link — connects their apps (OAuth or token)
  3. Agent calls MCP tool — Keygent decrypts, calls API, logs action

Admin Dashboard

Your control center at /admin/dashboard. Authenticate with your Admin Key.

| Action | Description |
|---|---|
| View Clients | See all clients and their connection status |
| Create Link | Generate portal token for a client (30-day expiry) |
| Manage Policies | Set allowed resources per app per client |
| View Usage | See API calls per client, per app |
| Manage Webhooks | Configure incoming webhooks from apps |

Client Portals

Each client has a portal at /portal/{client_id}?t={token}. Share this link with clients so they can manage their own connections.

Portal Features

  • Connect apps via OAuth (Slack, GitHub, Notion) or API tokens
  • Test connections with one click
  • View audit logs of all actions
  • Invite team members with role-based access
  • See usage metrics and health status
  • Rotate portal tokens for security

CLI

Manage Keygent from the terminal. Script onboarding flows and automate client setup.

npm install -g keygent-cli

Commands

keygent login                                  # Authenticate
keygent clients list                           # List all clients
keygent clients create --name "Acme" --id acme-corp
keygent policy set --client acme-corp --app slack --resources "#general,#marketing"
keygent portal generate --client acme-corp     # Generate portal link
keygent connections list --client acme-corp    # View connections

Tip

Add --json to any command for machine-readable output. Pipe to jq for scripting.

Connecting Apps

Each app requires different credentials. OAuth is available for Slack, GitHub, and Notion.

| App | Credential | Where to Get It |
|---|---|---|
| Slack | Bot Token (xoxb-) | api.slack.com/apps → OAuth & Permissions |
| GitHub | Personal Access Token (ghp_) | Settings → Developer Settings → PAT |
| Notion | Integration Token (secret_) | notion.so/my-integrations |
| HubSpot | Private App Token | Settings → Integrations → Private Apps |
| Stripe | Secret Key (sk_) | dashboard.stripe.com/apikeys |
| Supabase | Project URL + Service Key | Project Settings → API |

MCP Tools

AI agents call these endpoints with an Agent Key and Client ID.

Headers:

X-Agent-Key: your_agent_key
X-Client-ID: acme-corp

| Endpoint | Description |
|---|---|
| GET /mcp/tools | List available tools for client |
| GET /mcp/manifest | Full tool schema (no auth required) |
| POST /mcp/slack/send-message | Send Slack message |
| POST /mcp/github/create-issue | Create GitHub issue |
| POST /mcp/notion/query-database | Query Notion database |
| POST /mcp/hubspot/create-contact | Create HubSpot contact |

How it works

Keygent validates the agent key, checks client policies, decrypts credentials, calls the API, and logs the action. The agent never sees the raw token.
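
The request checks described above (hashed agent key lookup, expiry, per-client policy, audit entry), sketched as an added example that is not Keygent's own code. The store layout, status codes, default-deny behaviour and every name and key value in it are assumptions constructed for illustration.

```javascript
// Added illustration, not Keygent's implementation. Store layout, status
// codes, default-deny and all names are assumptions; key values are constructed.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest();

// Only the SHA-256 hash of each agent key is stored, together with an expiry.
const AGENT_KEYS = [
  { hash: sha256("ak_constructed_live"), expiresAt: Date.parse("2099-01-01T00:00:00Z") },
  { hash: sha256("ak_constructed_old"), expiresAt: Date.parse("2020-01-01T00:00:00Z") },
];
// Allowed resources per app per client, as set with `keygent policy set`.
const POLICIES = new Map([
  ["acme-corp", new Map([["slack", ["#general", "#marketing"]]])],
]);
const auditLog = [];

function authorize(headers, app, resource, now = Date.now()) {
  const clientId = String(headers["x-client-id"] || "");
  const presented = sha256(String(headers["x-agent-key"] || ""));
  // Both buffers are 32 bytes, so timingSafeEqual never throws here.
  const key = AGENT_KEYS.find((k) => crypto.timingSafeEqual(k.hash, presented));
  let decision;
  if (!key) {
    decision = { status: 401, reason: "unknown agent key" };
  } else if (key.expiresAt <= now) {
    decision = { status: 401, reason: "agent key expired" };
  } else {
    // Default deny: a client or app without a policy entry gets no access.
    const allowed = POLICIES.get(clientId)?.get(app) ?? [];
    decision = allowed.includes(resource)
      ? { status: 200, reason: "ok" }
      : { status: 403, reason: "resource not in client policy" };
  }
  // Every decision is logged, denials included; the key itself never is.
  auditLog.push({ at: new Date(now).toISOString(), clientId, app, resource, ...decision });
  return decision;
}

const live = { "x-agent-key": "ak_constructed_live", "x-client-id": "acme-corp" };
console.log(authorize(live, "slack", "#general"));
console.log(authorize(live, "slack", "#finance"));
```

Credential decryption and the upstream API call would only run after a 200 decision, so a denied request never touches the stored secret.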

AI Platform Integrations

Cursor

Add to ~/.cursor/mcp.json:

{
  "mcpServers": {
    "keygent": {
      "url": "https://app.keygent.one",
      "headers": {
        "X-Agent-Key": "your_agent_key",
        "X-Client-ID": "your_client_id"
      }
    }
  }
}

Claude / OpenAI

Use function calling with the tool schemas from /mcp/manifest. See the endpoint for the full OpenAPI spec.

Security

  • AES-256-GCM encryption — All credentials encrypted at rest
  • Tenant-bound AAD — Encryption tied to clientId:app, preventing cross-tenant access
  • Hashed keys — Agent keys and portal tokens stored as SHA-256 hashes
  • Expiring access — Tokens expire automatically
  • Audit logging — Every action logged with timestamp
  • Health checks — Automated 6-hour checks with email alerts

| Credential | Storage |
|---|---|
| Admin Key | Environment variable |
| Agent Keys | Database (hashed only) |
| Encryption Keys | Environment variable (versioned) |
| Client Credentials | Database (AES-256-GCM encrypted) |
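
What tenant-bound AAD buys you, shown as an added example that is not Keygent's own code: a record encrypted for acme-corp:slack fails authentication when decrypted under another client or another app. The key source, record layout and function names are assumptions; only AES-256-GCM and the clientId:app AAD come from this page.

```javascript
// Added illustration, not Keygent's implementation. The key source, record
// layout and function names are assumptions; AES-256-GCM and the
// clientId:app AAD are the parts taken from the page.
const crypto = require("node:crypto");

// Constructed demo key. The page says real keys are versioned env variables.
const KEYS = new Map([["v1", crypto.scryptSync("constructed-demo-secret", "demo-salt", 32)]]);

// Build the AAD. Rejecting ':' keeps ("a:b","c") and ("a","b:c") distinct.
function aadFor(clientId, app) {
  if (!clientId || !app || clientId.includes(":") || app.includes(":")) {
    throw new Error("invalid clientId or app");
  }
  return Buffer.from(`${clientId}:${app}`, "utf8");
}

function encryptCredential(clientId, app, secret, keyVersion = "v1") {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = crypto.createCipheriv("aes-256-gcm", KEYS.get(keyVersion), iv);
  cipher.setAAD(aadFor(clientId, app));
  const ct = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
  return { keyVersion, iv, ct, tag: cipher.getAuthTag() };
}

function decryptCredential(clientId, app, rec) {
  const key = KEYS.get(rec.keyVersion);
  if (!key) throw new Error("unknown key version");
  const d = crypto.createDecipheriv("aes-256-gcm", key, rec.iv, { authTagLength: 16 });
  d.setAAD(aadFor(clientId, app));
  d.setAuthTag(rec.tag);
  // final() throws when the tag does not verify: wrong tenant, app or tampering.
  return Buffer.concat([d.update(rec.ct), d.final()]).toString("utf8");
}

// Returns the plaintext, or null when authentication fails.
function tryDecrypt(clientId, app, rec) {
  try { return decryptCredential(clientId, app, rec); } catch { return null; }
}

function demo() {
  const rec = encryptCredential("acme-corp", "slack", "xoxb-constructed-token");
  return {
    sameTenant: tryDecrypt("acme-corp", "slack", rec),
    otherTenant: tryDecrypt("startup-xyz", "slack", rec),
    otherApp: tryDecrypt("acme-corp", "github", rec),
  };
}
console.log(demo());
```

The AAD is not stored with the record; it is rebuilt from the request's client and app, which is what makes a row copied into another tenant's slot undecryptable.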

FAQ

How do I add a new client?
Use the CLI: keygent clients create --name "Acme Corp" --id acme-corp. Or use the admin API.
What OAuth providers are supported?
Slack, GitHub, and Notion. Other apps use API tokens. We're adding more OAuth providers over time.
What does the health status mean?
Healthy: Working. Unhealthy: Last test failed. Expiring Soon: Credential expires within 7 days. Health checks run every 6 hours.
Can clients manage their own connections?
Yes. Share their portal link. They can connect apps, view logs, invite team members, and rotate tokens.
How do I set up policies?
Use the admin dashboard Policy tab or CLI: keygent policy set --client acme-corp --app slack --resources "#general"
What happens if a portal token expires?
The link stops working but connections remain intact. Generate a new token from the admin dashboard or CLI.