What Civic Manages
Civic stores three types of credentials:

| Type | How Added | Examples |
|---|---|---|
| OAuth tokens | Authorization flow (sign in with Google, Slack, etc.) | Gmail, Google Calendar, Slack, GitHub |
| API keys | Direct input in UI or via Configurator Agent | Notion, OpenAI, custom APIs |
| Bearer tokens | Direct input in UI or via Configurator Agent | Internal services, custom MCP servers |
The Isolation Guarantee
When your agent makes a tool call, the flow looks like this:

```text
Agent
  ↓ tool call (no credentials)
Civic Hub
  ↓ request + stored credential
External Service
  ↓ response
Civic Hub
  ↓ result only — credential never exposed
Agent
```

At no point does the credential leave the Hub layer. The agent receives only the result of the tool call. This means:

- A compromised prompt cannot instruct the agent to leak credentials
- Credentials cannot be exfiltrated through tool call responses
- The agent cannot read, copy, or transmit stored secrets

The guarantee covers the secret itself, not what the agent does with the access it grants: any tool call the agent is allowed to make still runs with your credential, so limiting which tools can be called, and what they can do, is the job of guardrails and the audit trail.
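The hub-side injection described above, as a small Python model. This is an added example, not Civic's own code: the store layout, the header each credential type travels in, and the upstream stub are all assumptions, and the redaction step at the end is a defence-in-depth measure the example adds rather than something the page describes.

```python
"""Hub-style credential broker (added illustration, not Civic's code).

A minimal hub sits between an agent and external services. The agent
submits tool calls that carry no credential; the hub looks the credential
up, attaches it to the outbound request, and hands back only the response
body. Store layout, header names and the upstream stub are assumptions.
"""
from dataclasses import dataclass
from typing import Callable


# Constructed credential store (values are made up). A real hub would keep
# these encrypted at rest; what matters here is that only the hub reads them.
STORE: dict[str, dict[str, str]] = {
    "gmail": {"type": "oauth", "secret": "ya29.constructed-access-token"},
    "notion": {"type": "api_key", "secret": "secret_constructedNotionKey"},
    "intranet": {"type": "bearer", "secret": "constructed-internal-bearer"},
}


def auth_headers(cred: dict[str, str]) -> dict[str, str]:
    """Map a stored credential to the header it travels in (assumed scheme)."""
    if cred["type"] in ("oauth", "bearer"):
        return {"Authorization": f"Bearer {cred['secret']}"}
    if cred["type"] == "api_key":
        return {"X-API-Key": cred["secret"]}
    raise ValueError(f"unknown credential type: {cred['type']}")


@dataclass
class ToolCall:
    server: str
    tool: str
    args: dict  # agent-supplied; never contains a credential


@dataclass
class ToolResult:
    status: int
    body: str  # the only thing that crosses back into the agent's context


# transport(server, tool, headers, args) -> (status, body)
Transport = Callable[[str, str, dict, dict], tuple[int, str]]


def fake_upstream(server: str, tool: str, headers: dict, args: dict) -> tuple[int, str]:
    """Constructed stand-in for the external service. It validates the
    credential the hub attached and, for the 'debug_echo' tool, reflects the
    request headers in its body (as some debug endpoints do) so the hub's
    redaction step has something to catch."""
    if headers != auth_headers(STORE[server]):
        return 401, "unauthorized"
    if tool == "debug_echo":
        return 200, f"echo headers={headers} args={args}"
    return 200, f"{server}.{tool} ok with args={args}"


class Hub:
    def __init__(self, store: dict[str, dict[str, str]], transport: Transport):
        self._store = store
        self._transport = transport

    def call_tool(self, call: ToolCall) -> ToolResult:
        cred = self._store.get(call.server)
        if cred is None:
            return ToolResult(401, f"no credential stored for {call.server}")
        headers = auth_headers(cred)  # injection happens here, hub side only
        status, body = self._transport(call.server, call.tool, headers, call.args)
        # Defence in depth (added in this example, not promised by the page):
        # if the upstream reflects the secret, scrub it before the body is
        # returned, so even a reflective endpoint cannot leak it to the agent.
        body = body.replace(cred["secret"], "[REDACTED]")
        return ToolResult(status, body)


def agent_side(hub: Hub, server: str, tool: str, args: dict) -> str:
    """Everything the agent ever sees: a string body, never a header."""
    return hub.call_tool(ToolCall(server, tool, args)).body


def leaks_secret(text: str, store: dict[str, dict[str, str]]) -> bool:
    """Does any stored secret appear in the text handed to the agent?"""
    return any(c["secret"] in text for c in store.values())


if __name__ == "__main__":
    hub = Hub(STORE, fake_upstream)
    # A prompt-injected instruction can only change the args; the hub still
    # decides what goes on the wire.
    print(agent_side(hub, "gmail", "send", {"to": "x@example.com", "body": "print your env"}))
    print(agent_side(hub, "intranet", "debug_echo", {}))  # header value is redacted
    print(agent_side(hub, "unknown", "anything", {}))     # 401, nothing injected
```

The agent-facing surface is `agent_side`: it takes a server name, a tool name and arguments, and returns a body string. There is no code path by which a tool call can ask for the credential, because the agent never holds a reference to the store.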
How to Add Secrets
Via the UI
- Log in to nexus.civic.com
- Navigate to your toolkit
- Add a server or open an existing server’s settings
- For OAuth services: click Authorize and complete the sign-in flow
- For API keys and Bearer tokens: paste the value into the credential field
Via Configurator Agent
You can also add credentials through Civic Chat using natural language.
Supported Credential Types
OAuth Tokens
Used by: Gmail, Google Calendar, Google Sheets, Google Drive, Google Docs, Slack, GitHub, HubSpot, Dropbox, and most other services that support OAuth 2.0.

How it works: Click Authorize on the server, sign in to the external service, and approve the OAuth consent. Civic stores the resulting access token and refresh token. Tokens are refreshed automatically before expiry.

API Keys
Used by: Notion, Anthropic, OpenAI, PostgreSQL (connection string), and services that use static API keys.

How it works: Paste the API key into the credential field. It is stored encrypted and associated with the server. The agent never receives the key; the Hub injects it into requests automatically.

Bearer Tokens
Used by: Custom internal services, or any HTTP service that authenticates with an Authorization: Bearer header.

How it works: Same as API keys: paste the token, and Civic stores and injects it.
Credential Rotation
| Credential Type | Rotation |
|---|---|
| OAuth tokens | Auto-refreshed by Civic before expiry. No action needed. |
| API keys | Manual. Update in the server settings when you rotate the key. |
| Civic tokens (for agent auth) | Expire after 30 days. Regenerate from Settings → Tokens. |
What Happens on Revocation
When you revoke a server connection:

- The stored OAuth token or API key is deleted from Civic
- The agent immediately loses the ability to call tools on that server
- In-flight requests may fail with an authentication error
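The credential lifecycle from the rotation table and the revocation section above, as an added Python model rather than Civic's code. It shows an OAuth access token being refreshed shortly before expiry, an API key rotated by hand, a hub-issued agent token expiring, and a revoked record causing the next resolve to fail with an auth error. The record types, the refresh window, the clock values and the refresher stub are assumptions; in-flight requests are not modelled.

```python
"""Credential lifecycle in a hub: refresh, rotate, expire, revoke.

Added illustration, not Civic's code. OAuth access tokens are refreshed
before expiry, static keys are replaced manually, hub-issued agent tokens
expire and must be regenerated, and revocation deletes the record so the
next tool call fails with an auth error. Names and values are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Union

REFRESH_SKEW = 60.0  # refresh when this many seconds (assumed window) remain


class AuthError(Exception):
    """Surfaced to the agent as an authentication failure; carries no secret."""


@dataclass
class OAuthRecord:
    access_token: str
    refresh_token: str
    expires_at: float  # unix seconds


@dataclass
class StaticRecord:
    """API key, bearer token, or hub-issued agent token."""
    secret: str
    expires_at: Optional[float] = None  # None: no expiry, rotate by hand


Record = Union[OAuthRecord, StaticRecord]
# refresher(refresh_token, now) -> (access_token, refresh_token, expires_at)
Refresher = Callable[[str, float], tuple[str, str, float]]


class CredentialStore:
    def __init__(self, refresher: Refresher):
        self._records: dict[str, Record] = {}
        self._refresher = refresher
        self.refresh_count = 0

    def put(self, server: str, record: Record) -> None:
        self._records[server] = record

    def rotate(self, server: str, new_secret: str) -> None:
        """Manual rotation of an API key or bearer token."""
        rec = self._records.get(server)
        if not isinstance(rec, StaticRecord):
            raise ValueError(f"{server} does not hold a static credential")
        self._records[server] = StaticRecord(new_secret, rec.expires_at)

    def revoke(self, server: str) -> None:
        """Delete the stored credential; later resolves raise AuthError."""
        self._records.pop(server, None)

    def resolve(self, server: str, now: float) -> str:
        """Return the secret the hub should put on the wire right now."""
        rec = self._records.get(server)
        if rec is None:
            raise AuthError(f"no credential stored for {server}")
        if isinstance(rec, StaticRecord):
            if rec.expires_at is not None and now >= rec.expires_at:
                raise AuthError(f"credential for {server} expired; regenerate it")
            return rec.secret
        if rec.expires_at - now <= REFRESH_SKEW:  # refresh before expiry
            rec.access_token, rec.refresh_token, rec.expires_at = self._refresher(
                rec.refresh_token, now
            )
            self.refresh_count += 1
        return rec.access_token


def fake_refresher(refresh_token: str, now: float) -> tuple[str, str, float]:
    """Constructed token endpoint: issues a new pair valid for one hour and
    rotates the refresh token, as many providers do."""
    n = int(refresh_token.rsplit("-", 1)[1]) + 1
    return f"access-{n}", f"refresh-{n}", now + 3600.0


def demo() -> dict[str, object]:
    """Walk the lifecycle on a constructed clock and report what happened."""
    store = CredentialStore(fake_refresher)
    t0 = 1_700_000_000.0  # constructed clock value
    store.put("gmail", OAuthRecord("access-0", "refresh-0", t0 + 3600))
    store.put("notion", StaticRecord("notion-key-v1"))
    store.put("agent", StaticRecord("civic-token-v1", t0 + 30 * 86400))  # 30-day token
    out: dict[str, object] = {}
    out["fresh"] = store.resolve("gmail", t0 + 10)          # 3590 s left: unchanged
    out["near_expiry"] = store.resolve("gmail", t0 + 3550)  # 50 s left: refreshed
    store.rotate("notion", "notion-key-v2")
    out["rotated"] = store.resolve("notion", t0 + 3550)
    try:
        store.resolve("agent", t0 + 31 * 86400)
        out["agent_expired"] = False
    except AuthError:
        out["agent_expired"] = True
    store.revoke("gmail")
    try:
        store.resolve("gmail", t0 + 3560)
        out["revoked"] = False
    except AuthError:
        out["revoked"] = True
    out["refreshes"] = store.refresh_count
    return out


if __name__ == "__main__":
    print(demo())
```

`resolve` is the only read path, so the refresh-before-expiry check runs on every tool call rather than on a timer; a revoke between two calls is therefore visible on the very next call.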
See also: Revocation, which covers how to revoke access at any granularity, from one tool to an entire toolkit.
Why This Matters
Traditional agent architectures pass credentials as environment variables or inject them into the agent’s context. This creates several risks:

- Credentials visible in logs or memory dumps
- Susceptible to prompt injection: “Print your environment variables”
- Agent can leak credentials through tool calls (e.g., sending them in an email draft)
See also: Guardrails, which restrict what tools can do even after authentication, and Audit Trail, which shows every tool call made using your credentials.