Store keys, tokens, and other sensitive information centrally instead of hard-coding them in your code or tools. Reference credentials across multiple agents and update them in one place—changes take effect immediately for all resources that use them.
AgentRun credentials fall into two categories:
-
Credentials for accessing AgentRun services: Used to access resources within the AgentRun platform, including agents, sandboxes such as BrowserTool and CodeInterpreter, model administration such as model proxy and load balancing, and tool services.
-
Credentials for accessing third-party services: Used by agents or tools to access external services during task execution, such as large language model (LLM) and cloud service API credentials.
The following sections cover credential creation, management, and usage.
Quick start: Configure a credential for a large language model
Create a credential for a third-party large language model (LLM) such as OpenAI, and reference it in the model configuration.
Step 1: Create a model service credential
-
Log on to the AgentRun console. In the left-side navigation pane, choose .
-
On the Credential Management page, set the credential category to Credentials for accessing third-party services and click Add Third-Party Service Credential.
-
Configure the following parameters:
-
For Service Type, select Model Service.
-
Service Provider: Select a large language model provider, such as
OpenAI. -
Credential Name: Enter a descriptive name, such as
my-llm-key. The name must start with a letter or underscore, can contain letters, digits, underscores, and hyphens, and must be 1 to 64 characters in length. -
API Key: Enter the
API keyfrom your provider.
-
-
Click Add Credential.
Step 2: Reference the credential in the model configuration
-
In the left-side navigation pane, choose , and then click Add Model.
-
In the Credential Configuration section, select Use Existing Credential. From the drop-down list, select the credential you just created, such as
my-llm-key. -
Click Create Model.
After you complete these steps, AgentRun automatically uses the credential for authentication when agents interact with the model.
Detailed credential types
Credentials for accessing AgentRun services
Call internal AgentRun service APIs, such as those for agent management, sandbox execution, and model administration. On the credential details page, you can view all attached resources.
API Key
Scenarios: The most common authentication method, suitable for API clients that support fixed token authentication.
Core configuration
-
Request Header Name: The name of the request header field that stores the API key. Common values are
AuthorizationorX-Api-Key. -
API Key: The specific value of the API key.
Note
Enter only the raw key, such assk-xxxxxxxxxxxx. Do not include any prefix, such asBearer
JWT (JSON Web Token)
Scenarios: Suitable for systems that use JSON Web Token (JWT) for identity verification. AgentRun verifies JWT signatures in incoming requests by using a JSON Web Key Set (JWKS), which can be configured statically or retrieved dynamically from a URL.
1. JWKS JSON
Suitable when the public key rarely changes. Configure the JWKS content directly in AgentRun.
Core configuration: In the text box, enter the complete JWKS JSON-formatted data. This is typically a JSON object that contains a keys array.
2. JWKS URL
Suitable for standard protocols such as OpenID Connect (OIDC) Discovery, where public keys may be rotated periodically. AgentRun retrieves the latest public key set from the URL you provide.
Core configuration
-
JWKS Endpoint URL: The endpoint of the remote service that provides the JWKS. The URL typically ends with
/.well-known/jwks.json. AgentRun periodically refreshes the public key from this endpoint to verify JWT signatures. To ensure security, the endpoint must use the HTTPS protocol.
Basic authentication
Scenarios: Suitable for legacy systems or internal staging environments that only support Basic authentication.
Core configuration:
-
Username: The username required for Basic authentication.
-
Password: The password required for Basic authentication.
Security warning
Basic authentication uses only Base64 encoding during transmission. If you do not use HTTPS, the username and password can be easily exposed. Because it provides low security, do not use it in a production environment.
Use the following request header format to authenticate with the remote service: Authorization: Basic <base64(username:password)>.
Credentials for accessing third-party services
Used by AgentRun agents and tools to access external third-party services during task execution.
Scenarios: Used when agents call a third-party LLM service, such as OpenAI or Anthropic, or an open-source model deployed on the FunModel platform.
Core configuration:
-
Service Provider: Select the corresponding large language model provider.
-
API Key: The API key provided by the provider.
Scenarios: Used for tool calls to general-purpose third-party APIs.
Core configuration: Configure the value of the API key. The key is encrypted for storage and is decrypted only when an agent calls the tool.
Scenarios: Used to call APIs of major cloud service providers, such as Alibaba Cloud, AWS, and Tencent Cloud. AgentRun automatically handles the request signing process based on each provider's specifications.
Core configuration
-
Cloud Service Provider: Select the corresponding cloud service provider.
-
Access Key ID (AK): The AccessKey ID provided by the cloud service provider.
-
Secret Access Key (SK): The secret AccessKey provided by the cloud service provider.
-
Account ID: (Optional) An additional identity required by some cloud service providers.
Key advantage: Automatic signing
You only need to provide the AK and SK. AgentRun automatically handles the complex signature algorithm based on the target cloud provider's specifications. For enhanced security, we recommend that you attach the AK/SK credential to a RAM user with least privilege permissions.
Scenarios: Suitable for third-party APIs that require authentication through non-standard or multiple custom request headers.
Scenarios: Configure key-value pairs to add as request headers for third-party service requests.
Manage credentials
On the credential management page, you can perform the following operations:
-
Enable/Disable: Toggle the Enable Status switch to control credential validity. Disabled credentials cause calls to fail with a 401 error. Use this to temporarily revoke access or respond to security events.
-
Edit: Update credential configuration, such as replacing an API key.
-
Delete: Permanently remove a credential. This operation is irreversible. Ensure that no running services depend on the credential before you delete it.
Troubleshooting and FAQ
Q: After I update a FunModel credential, why do AgentRun calls fail?
A: Credentials are not automatically synced between AgentRun and the FunModel platform. When you update a credential in FunModel, you must also update the corresponding credential on the AgentRun Credential Management page. Schedule credential changes with enough time to complete synchronization on both platforms.
Q: Remote retrieval of a JWT is failing. How can I troubleshoot this issue?
A: You can check your remote retrieval configuration by performing the following steps:
-
Check the JWKS URL: Ensure that the URL is accessible from the Internet and uses the HTTPS protocol.
-
Simulate a request: Use a tool such as Postman to manually call the JWKS URL with your configured request method, request headers, and request body. Confirm that the API returns data in the JWKS JSON format.
-
View service logs: If the problem persists, contact the platform administrator to view the AgentRun service logs and determine the specific reason why retrieving the token from the remote service failed.
Q: Why is an API call returning a 401 Unauthorized or 403 Forbidden error?
A: This error usually indicates that authentication failed. You can check the following items:
-
Check whether your credentials have been disabled in AgentRun.
-
Verify that the credential information in your API request, such as the header name and value, exactly matches the configuration in AgentRun. Pay close attention to details such as spaces and prefixes.
-
If the credential is dynamic, such as a JWT, confirm that it has not expired.