How are credentials stored?

Credentials are stored encrypted and are only used for the specified curl calls; they are not transmitted elsewhere.

Do I need to login every time?

Not if credentials are valid. Use 'latchkey services info' to check status and renew only when needed with browser-based login if supported.

latchkey

Scanned

npx machina-cli add skill imbue-ai/latchkey/integrations --openclaw

Files (1)

SKILL.md

4.4 KB

Latchkey

Instructions

Latchkey is a CLI tool that automatically injects credentials into curl commands. Credentials (mostly API tokens) can be either manually managed or, for some services, Latchkey can open a browser login pop-up window and extract API credentials from the session.

Use this skill when the user asks you to work on their behalf with services that have HTTP APIs, like AWS, GitLab, Google Drive, Discord or others.

Usage:

Use latchkey curl instead of regular curl for supported services.
Pass through all regular curl arguments - latchkey is a transparent wrapper.
Check for latchkey services list --viable to get a list of currently usable services.
Use latchkey services info <service_name> to get information about a specific service (auth options, credentials status, API docs links, special requirements, etc.).
If necessary, get or renew credentials first. Run latchkey auth browser <service_name> to open a browser login pop-up window if supported.
Look for the newest documentation of the desired public API online. If using the browser auth command, avoid bot-only endpoints.
Do not initiate a new login if the credentials status is valid or unknown - the user might just not have the necessary permissions for the action you're trying to do.

Examples

Make an authenticated curl request

latchkey curl [curl arguments]

Creating a Slack channel

latchkey curl -X POST 'https://slack.com/api/conversations.create' \
  -H 'Content-Type: application/json' \
  -d '{"name":"my-channel"}'

(Notice that -H 'Authorization: Bearer is not present in the invocation.)

Getting Discord user info

latchkey curl 'https://discord.com/api/v10/users/@me'

Detect expired credentials and force a new login to Discord

latchkey services info discord  # Check the "credentialStatus" field - shows "invalid"
latchkey auth browser discord
latchkey curl 'https://discord.com/api/v10/users/@me'

Only do this when you notice that your previous call ended up not being authenticated (HTTP 401 or 403).

List usable services

latchkey services list --viable

Lists services that either have stored credentials or can be authenticated via a browser.

Get service-specific info

latchkey services info slack

Returns auth options, credentials status, and developer notes about the service. If browser is not present in the authOptions field, the service requires the user to directly set API credentials via latchkey auth set or latchkey auth set-nocurl before making requests.

Storing credentials

Aside from the latchkey auth browser case, it is the user's responsibility to supply credentials. The user would typically do something like this:

latchkey auth set my-gitlab-instance -H "PRIVATE-TOKEN: <token>"

When credentials cannot be expressed as static curl arguments, the user would use the set-nocurl subcommand. For example:

latchkey auth set-nocurl aws <access-key-id> <secret-access-key>

If a service doesn't appear with the --viable flag, it may still be supported; the user just hasn't provided the credentials yet. latchkey service info <service_name> can be used to see how to provide credentials for a specific service.

Notes

All curl arguments are passed through unchanged
Return code, stdout and stderr are passed back from curl
Credentials are always stored encrypted and are never transmitted anywhere beyond the endpoints specified by the actual curl calls.

Currently supported services

Latchkey currently offers varying levels of support for the following services: AWS, Calendly, Coolify, Discord, Dropbox, Figma, GitHub, GitLab, Gmail, Google Analytics, Google Calendar, Google Docs, Google Drive, Google Sheets, Linear, Mailchimp, Notion, Sentry, Slack, Stripe, Telegram, Umami, Yelp, Zoom, and more.

User-registered services

Note for humans: users can also add limited support for new services at runtime using the latchkey services register command.

Source

git clone https://github.com/imbue-ai/latchkey/blob/main/integrations/SKILL.mdView on GitHub

Overview

Latchkey is a CLI tool that injects credentials into curl commands to act on third-party APIs (Slack, Google Drive, GitHub, Discord, etc.) on the user’s behalf. Credentials can be supplied manually or retrieved via a browser login flow, and are stored encrypted. It keeps the actual curl invocation unchanged while handling authentication behind the scenes.

How This Skill Works

Latchkey provides a transparent wrapper, so you run 'latchkey curl' instead of 'curl'. It injects the appropriate credentials for the target service, supports browser-based authentication when needed, and passes through all regular curl arguments. You can inspect viable services and service-specific auth options with 'latchkey services list --viable' and 'latchkey services info <service_name>'.

When to Use It

When you need to perform HTTP API calls to services like Slack, Google Workspace, GitHub, or Discord on behalf of a user.
When credentials must be securely stored and not embedded directly in curl commands.
When a service requires you to renew or fetch credentials via a browser login flow.
When you want to preserve curl behavior and arguments while outsourcing authentication details to latchkey.
When you need quick access to service documentation and authentication options using 'latchkey services info'.

Quick Start

Step 1: Install prerequisites and latchkey: node.js, curl, and 'npm i -g latchkey'.
Step 2: Start using authenticated calls: 'latchkey curl [curl arguments]'.
Step 3: Manage credentials as needed with 'latchkey services list --viable' and 'latchkey auth browser <service>' or 'latchkey auth set'.

Best Practices

Use 'latchkey curl' for supported services to ensure credentials are automatically injected.
Do not hardcode Authorization headers; rely on latchkey to supply tokens during requests.
Regularly verify credential status with 'latchkey services info <service>' and renew if needed.
Keep a GUI-enabled environment available if you intend to use the browser-based login flow.
Trust that credentials are stored encrypted and are only sent to the endpoints you call via curl.

Example Use Cases

Creating a Slack channel with a curl request wrapped by latchkey to ensure proper authentication.
Retrieving the current Discord user profile via an authenticated latchkey curl call.
Detecting expired credentials for Discord and forcing a re-login with 'latchkey auth browser discord' before retrying a request.
Listing all usable services with 'latchkey services list --viable' to determine what you can access.
Getting service-specific auth and credential status with 'latchkey services info slack' to plan your next API call.

Frequently Asked Questions

Add this skill to your agents