How do I handle API Access Tokens securely with the Toolkit class so that LLMs are not exposed to any credentials?
I want to create a selection of tools that make API requests to Microsoft GraphAPI. Since this concerns private data, it is crucial that credentials are not exposed.
So far, examples load access tokens from environment variables, but I cannot do this as there are user-specific access tokens that expire quickly and tokens must be refreshed. Hence access tokens must be stored in backend variables.
Looking at the example documentation for CustomAPI Toolkit class, it does seem like the actual tool is exposed to the header value in make_request.
What is the safest way to create a toolkit with tools that can make authenticated API calls?
I’m considering initialising a client - rather than passing around access tokens - but haven’t found any examples for that.
Hi @Iris, thank you for reaching out and supporting Agno. I’ve shared this with the team, we’re working through all queries one by one and will get back to you soon. If it’s urgent, please let us know. We appreciate your patience!
Hey, for this you should create a custom toolkit that handles authentication internally, or add an optional token param in your toolkit class so you can generate the access token externally and pass it into your tools.
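An added example of the "handle authentication internally" approach, not code from this thread or from Agno: the tool method takes only `top`, the per-user token is fetched and refreshed in the backend, and error paths never echo request headers back to the model. `TokenStore`, `GraphTools`, and the `refresh` and `send` callbacks are hypothetical names; registering the method with Agno's `Toolkit` is left out so the block runs without the library, and the identity provider and HTTP client are constructed stand-ins.

```python
import json
import time
from typing import Callable, Dict, Tuple

class TokenStore:
    """Backend-only cache of per-user access tokens, refreshed before expiry."""
    def __init__(self, refresh: Callable[[str], Tuple[str, float]],
                 skew: float = 60.0, clock: Callable[[], float] = time.time):
        self._refresh, self._skew, self._clock = refresh, skew, clock
        self._cache: Dict[str, Tuple[str, float]] = {}

    def get(self, user_id: str) -> str:
        token, expires_at = self._cache.get(user_id, ("", 0.0))
        if self._clock() >= expires_at - self._skew:
            token, expires_at = self._refresh(user_id)  # e.g. a refresh-token grant
            self._cache[user_id] = (token, expires_at)
        return token

class GraphTools:
    """Tools bound to one user; in Agno this would subclass Toolkit (assumption)."""
    BASE = "https://graph.microsoft.com/v1.0"
    def __init__(self, user_id: str, tokens: TokenStore, send: Callable):
        self._user_id, self._tokens, self._send = user_id, tokens, send

    def list_messages(self, top: int = 5) -> str:
        """Return the subjects of the user's most recent messages as JSON."""
        top = max(1, min(int(top), 25))  # clamp the model-supplied argument
        headers = {"Authorization": f"Bearer {self._tokens.get(self._user_id)}"}
        try:
            status, body = self._send("GET", f"{self.BASE}/me/messages?$top={top}", headers)
        except Exception:
            return json.dumps({"error": "request failed"})  # never echo exception text
        if status != 200:
            return json.dumps({"error": f"Graph returned HTTP {status}"})
        return json.dumps([m.get("subject") for m in body.get("value", [])])

def demo():
    """Run the tool against constructed stand-ins for the IdP and HTTP client."""
    clock, issued, seen = [1000.0], [], []
    def fake_refresh(user_id):
        issued.append(f"tok-{user_id}-{len(issued)}")
        return issued[-1], clock[0] + 300  # constructed token, 5-minute lifetime
    def fake_send(method, url, headers):
        seen.append(headers["Authorization"])
        return 200, {"value": [{"subject": "Q3 report"}]}
    tools = GraphTools("iris", TokenStore(fake_refresh, clock=lambda: clock[0]), fake_send)
    first = tools.list_messages(3)
    clock[0] += 400  # the first token has now expired
    return first, tools.list_messages(3), issued, seen
```

The model only ever sees the method name, its docstring, the `top` parameter and the returned JSON string; the bearer token lives in `TokenStore` and in the outgoing request headers.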