

# Configure an API key
<a name="identity-api-key"></a>

API keys provide key-based authentication for services that require direct key access with secure storage capabilities. An API key is a unique identifier used to authenticate and authorize access to a resource, enabling your agent to access external services without embedding sensitive credentials directly in your application code.

**Topics**
+ [Add API key](identity-add-api-key.md)
+ [Update API key](identity-update-api-key.md)
+ [Delete API key](identity-delete-api-key.md)

# Add API key
<a name="identity-add-api-key"></a>

 **To add an API key** 

1. Open the [AgentCore Identity](https://console.aws.amazon.com/bedrock-agentcore/identity) console.

1. In the **Outbound Auth** section, choose **Add OAuth client / API key**, then choose **Add API key**.

1. For **Name**, you can either use the auto-generated name or enter your own descriptive name to help you identify this API key in your account. Use alphanumeric characters, hyphens, and underscores only, with a maximum length of 50 characters.

1. For **API key**, enter the key value provided by your external service. AgentCore Identity securely stores this value and makes it available to your agent at runtime.

1. Choose **Add**.

After you create the API key, AgentCore Identity provides an ARN that you can reference in your agent code to access the stored key without exposing sensitive information in your application. You can find this ARN on the properties page of the API key (choose the API key name in the **Outbound Auth** section).

# Update API key
<a name="identity-update-api-key"></a>

You can update an existing API key to replace the key value when your external service provider rotates credentials. Updating the API key ensures your agents continue to have access to the external service with the current authentication information.

 **To update an API key** 

1. Open the [AgentCore Identity](https://console.aws.amazon.com/bedrock-agentcore/identity) console.

1. In the **Outbound Auth** section, select the API key you want to update.

1. Choose **Edit**.

1. In the **Update API key** dialog, in **API key**, enter the updated key value provided by your external service. AgentCore Identity securely stores this new value and makes it available to your agent at runtime.

1. Choose **Update**.

The updated API key configuration takes effect immediately. Your agents will use the new API key for all subsequent requests to the external service.

# Delete API key
<a name="identity-delete-api-key"></a>

When you no longer need an API key, you can delete it from your account. Deleting an API key removes the stored credentials and makes them unavailable to your agents. Any invocations that reference the deleted API key will fail once it’s removed.

 **To delete an API key** 

1. Open the [AgentCore Identity](https://console.aws.amazon.com/bedrock-agentcore/identity) console.

1. In the **Outbound Auth** section, select the API key you want to delete.

1. Choose **Delete**.

1. In the confirmation dialog, type `Delete` to confirm the deletion.

1. Choose **Delete**.

The API key is permanently removed from your account. Any agents or applications that reference this API key’s ARN will no longer be able to access the stored credentials.