Connected APIs

Webhook API Credential Manager

Give agents endpoint access without handing them your passwords, keys, tokens, or OAuth credentials.

Trusted and Certified

CASA Tier 2 CertifiedAudited by TAC Security for secure app access.
Encrypted at RestCredentials are stored encrypted and injected server-side.
Full Audit TrailConnected API calls are recorded with operational context.

The old choice was full access or no access.

Agents often need to read a CRM, call an internal webhook, send a notification, or trigger a SaaS workflow. Pasting raw secrets into prompts or tool configs turns every agent run into a credential exposure risk.

Connected APIs put the boundary back on your side.

AgentPMT stores the credential, checks that the request matches your approved methods and URLs, injects the secret at the last moment, and returns the API response to the agent.

How It Works

The dashboard flow mirrors the runtime boundary: describe what the agent may call, bind the credential, then monitor the proxy instead of distributing secrets.

Create an endpoint profile
Name the Connected API, enter the approved base URL, and choose the HTTP methods your agent may use.
Bind the credential
Select API key, bearer token, OAuth, Basic Auth, or custom header handling, then choose exactly where the value is injected.
Let agents call the proxy
Your agent sends the endpoint, method, and payload to AgentPMT. We validate the request, attach the credential server-side, and forward it.
Monitor and revoke access
Review request activity from the dashboard and deactivate an endpoint when the agent no longer needs access.

Works With Any API

If it accepts HTTP requests, it can become a Connected API for an agent, workflow, or internal automation.

SaaS Platforms

CRMs, project tools, email services, and analytics platforms with REST endpoints.

Payment Gateways

Let agents check balances or prepare actions without handling payment credentials.

Internal Services

Expose approved webhooks and microservices while keeping internal tokens off the agent.

Data Providers

Weather, market data, geolocation, and any other external data feed.

Communication Tools

Messaging, notification, and email APIs that agents can call through a controlled proxy.

Developer Tools

CI, cloud, monitoring, and infrastructure services with scoped endpoint access.

The real dashboard flow

Add the endpoint profile, bind the credential, and keep every runtime call behind the same server-side policy.

Connected APIs dashboard listing a live Acme CRM proxy endpoint with POST and GET methods allowed and Active status. — Connected APIs list view with methods, status, and edit controls for every endpoint profile.

Endpoint builder step one showing Name, Description, Agent Instructions, a wildcard Base URL pill, and GET and POST method allowlist selections. — Step 1: name the tool, approve base URLs, and allow specific methods.

Endpoint builder step two showing API Key auth type selected with Send As set to X-API-Key and a credential picker panel on the right. — Step 2: choose the auth type and injection target.

Endpoint builder step three showing the API Key credential panel with a Credential selected confirmation. — Step 3: bind the encrypted credential without exposing the raw value.

Enforced Guardrails

Every Connected API carries the limits that matter at runtime, before any credential is attached.

HTTP Method Allowlist

Choose GET, POST, PUT, PATCH, DELETE, or the exact subset the endpoint should accept.

Base URL Allowlist

Forward only to approved base URLs, including sub-path wildcard patterns when needed.

Per-Credential Injection Target

Choose header, body, or query injection and name the value exactly how the upstream API expects it.

Named Server-Side Injection

Attach the credential only on AgentPMT servers, not inside the agent prompt, context, or memory.

Supports Common Authentication Methods

Configure the credential format once, then let agents call the same endpoint without learning how the secret is represented.

Authentication methods supported by Connected APIs
Method	How AgentPMT handles it
API keys	Injected into a header, query parameter, or request body using the exact name the upstream API expects.
Bearer tokens	Attached as an Authorization header at request time, without placing the token in agent memory or prompts.
OAuth	Uses the selected OAuth token type and injects the access token for protected API calls.
Username and password	Encoded as Basic Auth on the server. The agent never receives either secret value.
Custom headers	Supports non-standard authentication schemes by injecting any approved named header value.

Simple Pricing

1 creditper API call

You only pay when an agent actually calls an external API. Reading setup instructions and managing endpoint profiles is free.

View credit plans

Connected API questions, answered.

Do my API keys ever reach the AI agent?

No. The Credential Vault stores every credential encrypted at rest on AgentPMT servers and injects it server-side at the moment the outbound request leaves for the upstream API. The agent sees the endpoint name and the response, never the raw key, token, or password.

This is enforced by the connected-API builder: every endpoint must select an injection target (header, body, or query parameter) before it can be saved, and the credential value is bound once and never re-emitted to the agent context or the agent memory.

Which HTTP methods can an agent use against a connected API?

You choose the allowed methods per endpoint when you create the connected API: GET, POST, PUT, PATCH, DELETE, or any subset. Requests that use a method outside the allowlist are rejected before the credential is ever attached, so a compromised agent cannot escalate from read to write simply by changing the verb.

You can edit the allowlist on a live endpoint at any time from the Secure API Manager. Changes take effect on the next outbound request.

Connect your first API without sharing the credential.

Create a free account, add an endpoint profile, and give agents controlled access in minutes.

Learn More About Security