API onboarding, OAuth, and “get a key” workflows

Guided setup for new integrations: OAuth consent, cloud consoles, and token storage—humans confirm, agents assist.

What you build

Setup experiences of the kind people describe as “it opened the console and provisioned a token”:

  • Checklists per provider: which clicks, which scopes, which env vars land where.
  • Separation between assistant suggestions and human confirmation on consent screens.
  • Secret storage that never pastes tokens into chat logs or screenshots by default.

The win is fewer misconfigured keys, not unsupervised account surgery.

Why CoWork OS is a strong fit

  • Skills can encode provider-specific OAuth quirks and rotate links when docs move.
  • Local-first storage options for tokens—pair with OS keychains where available.
  • Audit trail: who approved which scope.

How to use

  1. Never grant broader OAuth scopes than the integration needs.
  2. Use short-lived tokens where vendors support them; rotate on schedule.
  3. Record the approval in a ticket or note—future you needs the why.
  4. Test with read-only calls before enabling writes.
  5. Revoke and re-issue if a token ever appears in a log or screenshot.

Prerequisites

  • Admin access to the cloud account—agents cannot invent it.
  • Billing alerts on cloud projects used for experiments.

Steps

  1. Dry-run the doc yourself once—fix ambiguities before automation.
  2. Add screenshots or deep links only where stable.
  3. Parameterize project id, region, and environment—no copy-paste drift.
  4. Verify the token works with a minimal API call script.
  5. Archive the onboarding packet when the integration ships.
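
One way to do the verification in step 4 without guessing at scopes, as an added example (not CoWork OS code): it compares the scopes a provider reports for a token against the recorded approval and checks the lifetime, logging only a redacted token. It assumes the provider returns an RFC 7662-style introspection response (active, scope, exp); the scope names, the one-hour limit, and the sample token are constructed.

```python
import time

# Constructed approval record: scope -> reason a human signed off on it.
# Scope names and the one-hour limit are assumptions for this example.
APPROVED = {
    "calendar.read": "sync meeting times into the planner",
    "profile.read": "show the account owner in the audit trail",
}
MAX_LIFETIME_S = 3600

def redact(token):
    """Keep a short prefix for correlation; never log the full value."""
    return token[:4] + "...[redacted]" if len(token) > 8 else "[redacted]"

def audit_token(token, introspection, now=None):
    """Compare what the provider granted with what was approved."""
    now = time.time() if now is None else now
    findings = []
    if not introspection.get("active", False):
        findings.append("token is not active")
    granted = set(introspection.get("scope", "").split())
    excess = sorted(granted - set(APPROVED))
    missing = sorted(set(APPROVED) - granted)
    if excess:
        findings.append("granted but never approved: " + ", ".join(excess))
    if missing:
        findings.append("approved but not granted: " + ", ".join(missing))
    exp = introspection.get("exp")
    if exp is None:
        findings.append("no expiry reported; treat as long-lived")
    elif exp - now > MAX_LIFETIME_S:
        findings.append("lifetime exceeds %d s" % MAX_LIFETIME_S)
    return {"token": redact(token), "excess": excess, "missing": missing,
            "ok": not findings, "findings": findings}

# Constructed sample: a token value and an RFC 7662-shaped response.
NOW = 1_700_000_000
SAMPLE_TOKEN = "tok_constructed_example_0001"
SAMPLE_RESPONSE = {"active": True, "exp": NOW + 86400,
                   "scope": "calendar.read calendar.write profile.read"}

if __name__ == "__main__":
    report = audit_token(SAMPLE_TOKEN, SAMPLE_RESPONSE, now=NOW)
    print(report["token"], "OK" if report["ok"] else "REVIEW")
    for line in report["findings"]:
        print(" -", line)
```

The sample is flagged for the unapproved write scope and the 24-hour lifetime; the findings list is what goes into the approval ticket.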

Suggested prompts

  • “List scopes we are about to request and why each is needed.”
  • “What is the smallest permission that still works?”
  • “If consent fails, output exact next human step—no guessing.”

Launch readiness

  • Least privilege verified in the provider’s IAM UI.
  • Break-glass revoke instructions tested.
  • On-call knows which integration owns which project.

Common pitfalls

  • Over-scoped keys “because it was easier.”
  • Tokens in shell history or CI logs.
  • Shared admin accounts with no individual accountability.
  • Blind trust of “the agent clicked it for me”—verify scopes.