All Products
Search
Document Center

Agent Identity:Manage API key credential providers

Last Updated:Jun 25, 2026

Create an API key credential provider to securely host API keys in Agent Identity. The keys are used to call Alibaba Cloud or third-party services without being stored in the agent's code. After the agent completes outbound authorization with the Agent Identity service, Agent Identity returns the API key.

Prerequisites

We recommend that you assign the Agent Identity administrator permission AliyunAgentIdentityFullAccess to the operator.

Create an API key credential provider

  1. Log on to the Agent Identity console. In the navigation pane on the left, choose Outbound > Credential Providers.

  2. On the Credential Providers page, click the API Key tab.

  3. On the API Key tab, click Create Credential Provider.

  4. On the Create Credential Provider page, configure the following information:

    1. Credential Provider Name: The name of the API key credential provider. When you use the Agent Identity SDK, pass this name to retrieve the corresponding API key.

    2. API Key: The key that the agent uses to call the MCP server or a specific API.

    3. Description (Optional): Information that describes the credential provider.

    Important

    To ensure data confidentiality and compliance, Agent Identity uses Key Management Service (KMS) to encrypt and store the API key. After you submit the key, it cannot be viewed in plaintext in the console or using an API. Agent Identity returns the plaintext API key to an agent only after the agent completes outbound authorization.

  5. Click Create Credential Provider.

Modify the API key in a credential provider

If an API key in a credential provider is incorrect or has expired, follow these steps to modify it.

  1. Log on to the Agent Identity console. In the navigation pane on the left, choose Outbound > Credential Providers.

  2. On the Credential Providers page, click the API Key tab.

  3. On the API Key tab, click the name of the target credential provider.

  4. On the credential provider details page, in the Configuration Information section, click Edit next to API Key.

  5. In the Edit API Key dialog box that appears, enter the new API key.

  6. Click OK.

Important

Modifying the API key in a credential provider may cause agents that depend on the key to function abnormally. Perform this operation with caution in a production environment.

Delete an API key credential provider

  1. Log on to the Agent Identity console. In the navigation pane on the left, choose Outbound > Credential Providers.

  2. On the Credential Providers page, click the API Key tab.

  3. On the API Key tab, find the target credential provider, and in the Actions column, click Delete Credential Provider.

  4. In the Delete Credential Provider confirmation dialog box, enter the credential provider name, and then click Delete Credential Provider.