API Keys & Security

How we handle API keys, security best practices, and where to get them

API keys are like digital passwords that let your agent talk to other services. Here's everything you need to know about getting them, using them, and keeping them secure.

The Basics

What's an API key? It's a string of letters and numbers that identifies your agent to other services. Think of it as a membership card for each service.

Why do I need them? Your agent uses API keys to access services on your behalf — like checking your GitHub repos or deploying to Vercel.

Are they secure? Yes! We encrypt all your API keys before storing them. Even our team can't see your actual keys.

Getting API Keys

🧠 Anthropic (Required)

This is the brain of your agent. You definitely need this one.

Where to get it: console.anthropic.com

Steps:

  1. Sign up for an Anthropic account
  2. Go to your API keys section
  3. Click "Create Key"
  4. Give it a name like "PinchKit Agent"
  5. Copy the key (starts with sk-ant-)

Cost: Pay-as-you-go based on usage. Expect $10-50/month depending on how chatty you are.

Permissions: The key gives full access to the Claude API. Keep it secret!

🐙 GitHub

For repository management, code operations, and issue tracking.

Where to get it: github.com/settings/tokens

Steps:

  1. Go to Settings → Developer settings → Personal access tokens
  2. Click "Generate new token" → "Generate new token (classic)"
  3. Give it a name: "PinchKit Agent"
  4. Set expiration (we recommend 1 year)
  5. Select scopes:
     - repo (full repo access)
     - user:email (access email addresses)
     - workflow (update GitHub Actions workflows)
  6. Click "Generate token"
  7. Copy immediately (you won't see it again!)

Cost: Free for public repos, paid plans for private repos

Permissions: Only gives access to repos and basic profile info

▲ Vercel

For deploying web applications and static sites.

Where to get it: vercel.com/account/tokens

Steps:

  1. Go to Settings → Tokens
  2. Click "Create"
  3. Name it "PinchKit"
  4. Select scope (usually "Full Account" is fine)
  5. Set expiration
  6. Click "Create"
  7. Copy the token

Cost: Free tier available, paid plans for more features

Permissions: Can deploy and manage your Vercel projects

🚀 Render

For cloud service management and monitoring.

Where to get it: dashboard.render.com/account

Steps:

  1. Go to Account Settings
  2. Scroll down to "API Keys"
  3. Click "Generate New Key"
  4. Give it a name: "PinchKit Agent"
  5. Copy the key

Cost: Free tier available, pay for resources you use

Permissions: Can manage your Render services

⛓️ EVM Wallet Setup

For Ethereum blockchain interactions. This one's different: instead of an API key, you'll provide a private key or seed phrase.

Options:

  1. Private Key: Export from MetaMask or another wallet
  2. Seed Phrase: Your 12/24 word recovery phrase
  3. New Wallet: Generate a fresh wallet just for your agent

Steps for MetaMask private key:

  1. Open MetaMask
  2. Click the account menu → Account details
  3. Click "Export Private Key"
  4. Enter your password
  5. Copy the private key (starts with 0x)

Security note: Only use a wallet you're comfortable with. Consider creating a separate wallet just for your agent.

🌐 Namecheap

For domain registration and DNS management.

Where to get it: ap.www.namecheap.com/settings/tools/apiaccess/

Steps:

  1. Log in to your Namecheap account
  2. Go to Profile → Tools → API Access
  3. Enable API access
  4. Whitelist your IP address (or use 0.0.0.0/0 for any IP)
  5. Note down your API key and username

Cost: Free with domain purchases

Permissions: Can manage your domains and DNS

📊 Polymarket

For prediction market trading.

Currently: Polymarket doesn't have a public API yet, but we're ready for when they do!

What you'll need: Polymarket account and API access (when available)

Security Best Practices

Principle of Least Privilege

Only give plugins the permissions they actually need:

- GitHub: Don't give admin access if you only need to read repos
- Vercel: Scope to specific teams if possible
- Crypto wallets: Use a separate wallet with limited funds
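
One way to check a GitHub token against the advice above, as an added example (not PinchKit's own code): classic personal access tokens report their granted scopes in the X-OAuth-Scopes response header, and this script compares that list with the three scopes selected in the GitHub steps on this page. The GITHUB_TOKEN variable name and the sample header value are assumptions made for the illustration.

```python
import os
import urllib.request

# The scopes selected in this page's GitHub setup steps.
REQUIRED = {"repo", "user:email", "workflow"}


def fetch_scope_header(token):
    """Ask GitHub which scopes a classic token carries (needs network access)."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


def audit_scopes(header_value, required=REQUIRED):
    """Return (missing, excess) scope lists for an X-OAuth-Scopes value."""
    granted = {s.strip() for s in header_value.split(",") if s.strip()}

    def covered(scope):
        # A parent scope implies its "parent:child" scopes (user -> user:email).
        return scope in granted or scope.split(":")[0] in granted

    missing = sorted(s for s in required if not covered(s))
    # Anything granted beyond the required set is wider than the agent needs.
    excess = sorted(granted - set(required))
    return missing, excess


if __name__ == "__main__":
    # Constructed sample header, used when GITHUB_TOKEN (assumed name) is unset.
    sample = "repo, user, workflow, admin:org, delete_repo"
    token = os.environ.get("GITHUB_TOKEN")
    header = fetch_scope_header(token) if token else sample
    missing, excess = audit_scopes(header)
    print("missing:", missing)
    print("broader than this page asks for:", excess)
```

A token that shows anything under "broader than this page asks for" is a candidate for regeneration with only the listed scopes.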

API Key Hygiene

Do:

  • Use descriptive names for your keys ("PinchKit Agent")
  • Set expiration dates where possible
  • Revoke old/unused keys
  • Monitor usage in service dashboards

Don't:

  • Share your keys with anyone
  • Use personal keys for production services
  • Keep expired keys around
  • Use keys with more permissions than needed

How We Protect Your Keys

Encryption at rest: All API keys are encrypted using AES-256 before being stored in our database.

Encryption in transit: Keys are sent over secure HTTPS connections only.

Zero-knowledge: Our team cannot see your actual API keys, even if we wanted to.

Secure deletion: When you remove a key, it's completely purged from our systems.

Audit logs: We log when keys are used (but not the keys themselves).

Managing Your Keys

Adding Keys to Your Agent

During setup: Add keys when creating your agent in the onboarding flow.

After setup:

  1. Go to your agent dashboard
  2. Click "Settings"
  3. Find "API Keys" section
  4. Click "Add Key"
  5. Select the service and paste your key
  6. Click "Save"

Updating Keys

If you need to change a key:

  1. Get the new key from the service
  2. Go to agent settings
  3. Find the key you want to update
  4. Click "Edit"
  5. Paste the new key
  6. Save changes

Your agent will start using the new key immediately.

Revoking Keys

If a key gets compromised:

  1. Immediately revoke it in the original service
  2. Remove it from your PinchKit settings
  3. Generate a new key
  4. Add the new key to your agent

Troubleshooting API Keys

"Invalid API key" errors

Check:

  • Key copied correctly (no extra spaces)
  • Key hasn't expired
  • Permissions are correct
  • Service is working (check status pages)

Permissions errors

GitHub: Make sure you selected the right scopes when creating the token

Vercel: Verify the key has access to the team/projects you need

Others: Check service documentation for required permissions

Keys not being accepted

Format issues: Some keys have specific formats (GitHub starts with ghp_, Anthropic with sk-ant-)

Whitelist issues: Some services (like Namecheap) require IP whitelisting

Account issues: Make sure your account with the service is in good standing
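
A pre-flight check for the copy and format problems listed in this troubleshooting section, as an added example (not PinchKit's code): it reports stray whitespace, wrapping quotes, invisible characters and a wrong prefix without echoing the key, and produces a redacted form that is safe to log. Only the two prefixes this page names are checked, and the sample keys are constructed.

```python
# Prefixes as stated on this page; other services are not prefix-checked.
PREFIXES = {"anthropic": "sk-ant-", "github": "ghp_"}


def diagnose(service, pasted):
    """Return a list of problems in a pasted key, never including the key itself."""
    problems = []
    key = pasted.strip()
    if key != pasted:
        problems.append("leading or trailing whitespace")
    if len(key) >= 2 and key[0] == key[-1] and key[0] in "\"'`":
        problems.append("wrapped in quotes")
        key = key[1:-1]
    if any(ch.isspace() for ch in key):
        problems.append("whitespace or line break inside the key")
    # Zero-width spaces and similar characters survive strip() and are not
    # visible in a form field, so test for anything outside printable ASCII.
    if any(not ch.isspace() and not (32 < ord(ch) < 127) for ch in key):
        problems.append("invisible or non-ASCII character")
    expected = PREFIXES.get(service)
    if expected and not key.startswith(expected):
        other = [s for s, p in PREFIXES.items() if key.startswith(p)]
        if other:
            problems.append(f"looks like a {other[0]} key, not {service}")
        else:
            problems.append(f"does not start with {expected}")
    return problems


def redact(key, keep=4):
    """Form safe for logs and tickets: known prefix plus the last few characters."""
    key = key.strip()
    prefix = next((p for p in PREFIXES.values() if key.startswith(p)), "")
    if len(key) - len(prefix) <= keep * 2:
        return prefix + "****"  # too short to reveal any part of it
    return f"{prefix}****{key[-keep:]}"


if __name__ == "__main__":
    # Constructed sample: a GitHub-style key pasted with a trailing newline.
    pasted = "ghp_CONSTRUCTEDexample0000\n"
    print(redact(pasted), diagnose("github", pasted))
```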

Cost Management

Monitoring Usage

Most services provide usage dashboards:

- Anthropic: console.anthropic.com → Usage
- GitHub: Settings → Billing
- Vercel: Dashboard → Usage
- Others: Check their billing/usage sections

Setting Limits

Anthropic: Set monthly spending limits in your account

Others: Many services have usage alerts you can enable

Optimizing Costs

For Anthropic:

  • Your agent only uses Claude when you interact with it
  • Complex requests cost more than simple ones
  • Consider your usage patterns when setting budgets

For others:

  • Most plugins only cost when you use them
  • GitHub/Vercel have generous free tiers
  • Monitor your usage to avoid surprises

What's Next?

Now that you've got your keys sorted:

- Install some plugins to make your agent useful
- Try customizing your agent's personality
- Check out our troubleshooting guide if you run into issues

Your keys are secure, your agent is powerful, and you're ready to automate all the things! 🔐✨
