<!-- llms.txt: https://workos.com/llms.txt -->

# API key providers

## Overview

Some providers authenticate with a single opaque API key instead of OAuth. Pipes
supports these as a first-class authentication method: your users provide their
key, WorkOS stores it securely, and you retrieve it from your backend using the
same flow you already use for OAuth access tokens.

## Configuring an API key provider

Visit the *Pipes* section of the WorkOS Dashboard and click *Connect provider*,
then choose the provider from the list. When adding a provider, you choose a
single authentication method for the integration.

> **Note:** A provider is configured as either OAuth or API key—not both. This
> choice is made when you add the provider and **can't be changed afterward**.
> If you need to switch a provider from one method to the other, remove it and
> add it again with the method you want.

When you choose API key, the only field you can set is an optional
**description**, which is shown to your users in the widget to explain how your
application will use their data.

![The Pipes "Add provider" modal showing the OAuth/API key method choice, with API key selected.](https://images.workoscdn.com/images/a53bc846-bc3e-411b-bdb9-990c6e650c2d.png?auto=format\&fit=clip\&q=50)

> Organization admins can enable or disable an API key provider for their own
> organization through [organization-scoped providers](https://workos.com/docs/pipes/organization-scoped-providers).
> There are no credentials or scopes to override—the key is supplied per user
> when they connect.

## Setting an API key

Users can set their key through the [Pipes widget](https://workos.com/docs/widgets/pipes), which
renders an API key entry form for any provider configured to use API keys.
They paste their key and submit it; WorkOS stores the credential and the
widget then shows the last four characters so they can confirm which key is
connected and rotate it later.

![Pipes widget showing the API key entry form for an API key provider](https://images.workoscdn.com/images/aae36945-3ec1-478b-870a-bc401b7013ff.png?auto=format\&fit=clip\&q=50)

You can optionally set or rotate a user's key from your backend with the
[upsert API key](https://workos.com/docs/reference/pipes/connected-account/upsert-api-key) endpoint.
The same endpoint handles both the initial install and subsequent
rotations—supplying a new secret replaces the stored one.

## Retrieving credentials

Once a user has connected an API key provider, fetch their credential from your
backend with the [vend credentials](https://workos.com/docs/reference/pipes/access-token/vend-credentials)
endpoint.

#### Request

#### Response
