
Overview

The Credentials Manager enables your Utari workers to securely manage authentication for external services and integrations. Through Composio credential profiles, you can connect agents to third-party platforms, manage API keys, handle OAuth flows, and control which services your agents can access—all while maintaining security and separation of credentials.

What are Credential Profiles?

Understanding Credential Profiles

Credential profiles are secure containers for authentication information that allow your agents to connect to external services. Each profile:
  • Stores authentication (API keys, OAuth tokens, credentials)
  • Connects to specific toolkits (Slack, Google, Salesforce, etc.)
  • Can be assigned to multiple agents for shared access
  • Maintains security through encrypted storage
  • Enables selective access by controlling which agents use which profiles
Think of credential profiles as secure keychains: one profile per service, reusable across multiple agents, managed centrally for security.

Credentials Manager Capabilities

Create Profile

Set up new credential profiles for connecting to external services

Get Profiles

View all existing credential profiles and their connection status

Configure for Agent

Assign credential profiles to specific agents with selected tools

Delete Profile

Remove credential profiles that are no longer needed

Managing Credential Profiles

Creating a New Credential Profile

1

Initiate Profile Creation

Request creation of a credential profile for a specific service:
    Create a credential profile for Slack
    Set up authentication for Google Drive
    Add a credential profile for Salesforce
2

Worker Creates Profile

Your worker:
  • Creates the Composio credential profile
  • Generates an authentication link
  • Returns the link for you to complete connection
3

Complete Authentication

Click the provided authentication link to:
  • Authorize access to the service
  • Grant required permissions
  • Complete OAuth flow or enter API key
  • Confirm connection
4

Verify Connection

    Authentication successful! 
    
    Profile created: slack-profile-123
    Toolkit: Slack
    Status: Connected
    
    You can now use this profile with your agents.
5

Assign to Agents

Configure agents to use the new credential profile for accessing the service.

Viewing Existing Profiles

1

Request Profile List

Ask to see all your credential profiles:
    Show me all my credential profiles
    List my connected integrations
    What services do I have authentication for?
2

Review Profiles

Worker displays all existing profiles:
    Your Credential Profiles:
    
    1. slack-main
       Toolkit: Slack
       Status: Connected
       Created: 2024-11-15
       Used by: Marketing Agent, Support Agent
    
    2. google-workspace
       Toolkit: Google (Gmail, Drive, Calendar)
       Status: Connected
       Created: 2024-11-10
       Used by: Assistant Agent, Research Agent
    
    3. salesforce-prod
       Toolkit: Salesforce
       Status: Connected
       Created: 2024-11-01
       Used by: Sales Agent
    
    4. github-dev
       Toolkit: GitHub
       Status: Connected
       Created: 2024-10-20
       Used by: Dev Agent
3

Check Profile Details

Get more information about specific profiles:
    Show me details for the slack-main profile
    Which agents use the google-workspace profile?
    When was the salesforce-prod profile created?

Configuring Profiles for Agents

1

Select Profile and Agent

Specify which profile to assign to which agent:
    Configure the slack-main profile for my Marketing Agent
    Add the google-workspace profile to my Assistant Agent
    Set up the salesforce-prod profile for the Sales Agent
2

Select Tools

Choose which tools from the toolkit the agent can access:
    For Slack profile, enable:
    - Send message
    - Upload file
    - Get channels
    
    (Don't enable delete message or admin functions)
3

Worker Configures

Your worker:
  • Links the credential profile to the agent
  • Enables selected tools
  • Verifies connection
  • Confirms configuration
4

Test Connection

    Slack profile configured for Marketing Agent
    
    Enabled tools:
    ✓ Send message
    ✓ Upload file
    ✓ Get channels
    
    Test: Send a test message to #general

Deleting Credential Profiles

1

Identify Profile to Remove

    Delete the old-slack-profile
    Remove the salesforce-test credential profile
2

Confirm Deletion

Worker checks if profile is in use:
    Warning: slack-old is used by Marketing Agent
    
    Removing this profile will:
    - Disconnect Marketing Agent from Slack
    - Remove authentication
    - Cannot be undone
    
    Confirm deletion?
3

Worker Removes Profile

Upon confirmation:
  • Profile is deleted from Composio
  • Removed from all agent configurations
  • Authentication is revoked
  • Connection is terminated
4

Update Affected Agents

    Profile deleted successfully
    
    Affected agents:
    - Marketing Agent (no longer has Slack access)
    
    Recommendation: Configure a new profile if Slack access is still needed

Common Credential Profile Workflows

Setting Up a New Integration

1

Create Profile

    Create a credential profile for HubSpot
2

Complete Authentication

    Click authentication link → Authorize HubSpot → Grant permissions → Return to Utari
3

Configure for Agent

    Add the hubspot-main profile to my Sales Agent
    Enable tools: Get contacts, Create deals, Update opportunities
4

Test Integration

    Test by creating a sample contact in HubSpot
5

Build Workflows

    Now Sales Agent can:
    - Sync contacts from HubSpot
    - Create new deals
    - Update opportunity stages
    - Track sales activities

Managing Multiple Environments

1

Create Environment-Specific Profiles

    Create credential profiles:
    - salesforce-dev (for testing)
    - salesforce-staging (for QA)
    - salesforce-prod (for production)
2

Assign to Different Agents

    - Development Agent: Use salesforce-dev
    - QA Agent: Use salesforce-staging
    - Sales Agent: Use salesforce-prod
3

Control Access

    Ensure agents can't accidentally:
    - Test in production
    - Modify production data during development
    - Mix environment data

Team Collaboration Setup

1

Create Shared Profiles

    Create profiles for team services:
    - slack-team (team communication)
    - google-shared (shared workspace)
    - notion-team (documentation)
2

Distribute to Agents

    All agents get:
    - slack-team (for notifications)
    - notion-team (for documentation)
    
    Specific agents get:
    - google-shared (only for agents that need it)
3

Maintain Consistency

    Using shared profiles ensures:
    - Consistent access across agents
    - Centralized credential management
    - Easy updates when credentials change

Authentication Types

OAuth (Most Common)

OAuth Flow

Process:
  1. Create credential profile
  2. Click authentication link
  3. Authorize in browser
  4. Grant requested permissions
  5. Automatic token management
Platforms: Google, Slack, Salesforce, Microsoft, GitHub, LinkedIn, most SaaS
Benefits:
  • Secure, browser-based
  • No passwords stored
  • Automatic token refresh
  • Granular permissions
Example:
  Create profile for Google Drive
  → Click auth link
  → "Allow Utari to access Google Drive?"
  → Grant permission
  → Connected!

API Key Authentication

API Key Flow

Process:
  1. Get API key from service
  2. Create credential profile
  3. Enter API key when prompted
  4. Validate connection
Platforms: OpenAI, Anthropic, SendGrid, Stripe, custom APIs
Considerations:
  • More manual setup
  • Keys must be kept secure
  • No automatic expiration
  • Full account access
Example:
  Create profile for OpenAI
  → Enter API key: sk-...
  → Validate
  → Connected!

Username/Password Authentication

Credentials Flow

Process:
  1. Create credential profile
  2. Enter username and password
  3. May require 2FA
  4. Credentials stored securely
Platforms: Legacy systems, databases, internal tools
Considerations:
  • Less secure than OAuth
  • Manual updates needed
  • May require periodic re-auth
Example:
  Create profile for internal database
  → Enter username: admin
  → Enter password: [secure]
  → Connected!

Credential Profile Best Practices

One Profile Per Service

Create separate profiles for each service/platform rather than reusing credentials

Descriptive Naming

Use clear, descriptive names: “slack-marketing” instead of “profile-1”

Environment Separation

Maintain separate profiles for dev, staging, and production environments

Least Privilege

Only grant the minimum permissions necessary for each agent’s tasks

Regular Audits

Periodically review which profiles exist and which agents use them

Remove Unused

Delete profiles that are no longer needed to reduce the attack surface

Document Purpose

Keep notes on why each profile exists and which workflows use it

Secure Credentials

Never share credential profiles or authentication links publicly

Profile Naming Conventions

slack-marketing
slack-support
google-personal
google-team
salesforce-sales
salesforce-marketing

Naming Best Practices

  • ✅ slack-customer-support / ❌ slack1: Clear names help identify purpose at a glance
  • ✅ salesforce-prod-sales-team / ❌ sf: Context prevents confusion when multiple profiles exist
  • ✅ All profiles use format: service-environment-purpose / ❌ Mix of formats: slack_dev, prodGoogle, salesforce-marketing: Consistency aids organization and discovery
  • ✅ google-drive-backups / ❌ google/drive (backups)!: Use hyphens or underscores, avoid spaces and symbols

Security Considerations

Credential Security

Critical Security Practices:
  • Never share authentication links publicly
  • Don’t include credentials in prompts or instructions
  • Use separate profiles for different security levels
  • Regularly rotate API keys and tokens
  • Review granted permissions periodically
  • Delete unused profiles immediately
  • Monitor agent access patterns
  • Use OAuth over API keys when possible

Access Control

1

Principle of Least Privilege

    Only grant the minimum permissions needed:
    
    ✅ Marketing Agent: Send Slack messages
    ❌ Marketing Agent: Delete channels, manage users
    
    ✅ Research Agent: Read Google Sheets
    ❌ Research Agent: Delete files, manage permissions
2

Separate Production and Testing

    Development Agent → test-profile (safe to experiment)
    Production Agent → prod-profile (restricted access)
    
    Never use production credentials in development agents
3

Regular Permission Reviews

    Monthly audit:
    - Which profiles exist?
    - Which agents use each profile?
    - Are permissions still appropriate?
    - Any unused profiles to delete?
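
The monthly audit questions above, combined with this page's naming and environment-separation rules, as an added Python example (not Utari or Composio code). The inventory structure, the `env` field and the per-agent tool allowlist are assumptions, since this page documents no export format; all sample data is constructed.

```python
import re

# Constructed inventory (hypothetical structure; not a documented export format).
PROFILES = {
    "slack-main": {"toolkit": "Slack", "env": "prod"},
    "salesforce-prod": {"toolkit": "Salesforce", "env": "prod"},
    "salesforce-dev": {"toolkit": "Salesforce", "env": "dev"},
    "prodGoogle": {"toolkit": "Google", "env": "prod"},
    "slack-old": {"toolkit": "Slack", "env": "prod"},
}
# agent -> (agent environment, {profile name: enabled tools})
AGENTS = {
    "Marketing Agent": ("prod", {"slack-main": {"Send message", "Upload file", "Delete message"}}),
    "Sales Agent": ("prod", {"salesforce-prod": {"Get contacts"}}),
    "Development Agent": ("dev", {"salesforce-prod": {"Get contacts"}, "salesforce-dev": {"Get contacts"}}),
    "Research Agent": ("prod", {"prodGoogle": {"Read sheet"}}),
}
# Tools each agent's task needs (assumed reviewer-maintained allowlist; unlisted agents get none).
ALLOWED = {
    "Marketing Agent": {"Send message", "Upload file", "Get channels"},
    "Sales Agent": {"Get contacts", "Create deals"},
    "Development Agent": {"Get contacts"},
    "Research Agent": {"Read sheet"},
}
NAME_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)+$")  # assumed house rule: lowercase, hyphen-separated

def audit(profiles, agents, allowed):
    """Return (kind, profile, detail) findings for the monthly review."""
    findings = []
    used = {p for _env, grants in agents.values() for p in grants}
    for name in sorted(profiles):
        if not NAME_RE.match(name):
            findings.append(("naming", name, "not lowercase hyphen-separated"))
        if name not in used:
            findings.append(("unused", name, "no agent uses it; candidate for deletion"))
    for agent, (env, grants) in sorted(agents.items()):
        for prof, tools in sorted(grants.items()):
            if prof not in profiles:
                findings.append(("dangling", prof, f"{agent} references a missing profile"))
                continue
            if profiles[prof]["env"] == "prod" and env != "prod":
                findings.append(("env-mix", prof, f"{agent} ({env}) holds a production profile"))
            extra = tools - allowed.get(agent, set())
            if extra:
                findings.append(("excess-tools", prof, f"{agent}: {sorted(extra)}"))
    return findings

if __name__ == "__main__":
    for finding in audit(PROFILES, AGENTS, ALLOWED):
        print(finding)
```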

Credential Rotation

1

Identify Rotation Need

Rotate credentials when:
  • Regular schedule (quarterly, annually)
  • Team member leaves
  • Suspected compromise
  • Service recommends rotation
2

Create New Profile

    Create new profile: slack-main-v2
    Authenticate with new credentials
3

Update Agent Configurations

    Switch agents from slack-main to slack-main-v2
    Test all functionality
4

Delete Old Profile

    Once verified working:
    Delete slack-main profile
    Revoke old credentials at service

Troubleshooting

Verify:
  • Authentication was completed successfully
  • Required permissions were granted
  • Account credentials are still valid
  • Service hasn’t revoked access
  • Try re-authenticating the profile
  • Check service-side connection settings
Check:
  • Profile is configured for the agent
  • Required tools are enabled
  • Profile is connected and authenticated
  • Agent has correct profile assigned
  • Permissions on service allow the action
Ensure:
  • Profile is not in use by active agents
  • Remove profile from all agent configurations first
  • Wait a moment and try again
  • Check if you have deletion permissions
Organize:
  • Use clear, descriptive naming
  • Document which profile is for what
  • Delete unused duplicate profiles
  • Standardize on one profile per use case
  • Consider environment-specific naming
Solutions:
  • Re-authenticate the profile
  • Create new profile if re-auth fails
  • Check service account status
  • Verify permissions weren’t revoked
  • Some services require periodic re-authorization

Advanced Credential Management

Multi-Account Management

1

Create Profiles for Each Account

    For multiple Slack workspaces:
    - slack-company-a
    - slack-company-b
    - slack-company-c
2

Assign to Dedicated Agents

    Company A Agent → slack-company-a
    Company B Agent → slack-company-b
    Company C Agent → slack-company-c
    
    Prevents cross-posting to wrong workspace
3

Use Template Variables

    Create reusable workflows:
    "Post to {{company_workspace}} Slack"
    
    Each agent substitutes its company value

Credential Profile Templates

Profiles to create:
- google-analytics (tracking)
- mailchimp-marketing (email)
- hubspot-marketing (automation)
- twitter-brand (social)
- linkedin-company (professional)

Configure all for Marketing Agent

Summary

You’ve successfully learned how to:
  • Create credential profiles for external services
  • View and manage all existing credential profiles
  • Configure credential profiles for specific agents with selected tools
  • Delete credential profiles when no longer needed
  • Understand different authentication types (OAuth, API Key, Credentials)
  • Apply security best practices for credential management
  • Organize profiles with clear naming conventions
  • Troubleshoot common credential and authentication issues
The Credentials Manager provides secure, centralized authentication management for all your external integrations. By properly managing credential profiles, you maintain security while enabling your agents to access the services they need to automate workflows and complete tasks.
