update sdk credentials docs (#457)

* update sdk credentials docs

* address comments

Author: omar-inkeep

agents-docs/content/docs/typescript-sdk/create-mcp-servers.mdx

@@ -29,7 +29,7 @@ Vercel provides a [Next.js MCP template](https://vercel.com/templates/next.js/mo
 Vercel's template provides:
 - **Easy to deploy** staging environments
 - **Serverless deployment** for automatic scaling with Vercel Functions
-- **SSE transport** for eal-time streaming (requires Redis for state management)
+- **SSE transport** for real-time streaming (requires Redis for state management)
 - **Next.js integration** so MCPs can be added as part of existing Next.js apps
 
 #### Quick start
@@ -107,7 +107,6 @@ const composioTool = mcpTool({
   name: 'Composio Integration',
   description: 'Access popular SaaS tools via Composio',
   serverUrl: 'YOUR_COMPOSIO_MCP_URL', // From Composio dashboard
-  // Optionally: credentialReferenceId: 'your-credential-id',
 });
 ```
 

agents-docs/content/docs/typescript-sdk/credentials.mdx

@@ -6,126 +6,206 @@ icon: "LuKey"
 
 Securely store and retrieve authentication credentials for MCP servers.
 
-## Step 1: Add a credential
+## How Credential Storage Works
 
-<Snippet file="multi-agent-framework/add-a-credential.mdx" />
+**Key concepts:**
+- **Credential stores** handle the actual storage and retrieval of credential data
+- **Credential references** define how to find and use stored credentials
+- **TypeScript SDK vs Visual Builder** offer different creation methods depending on the credential type
 
-## Step 2: Retrieve the credential reference id from the URLs
+The framework uses a system that stores references to credentials and retrieves the actual credential values at runtime. When you define a credential, you're creating a reference that tells the system where and how to find the credential data. The actual credential is fetched at runtime and injected into the authorization headers for MCP tools.
 
-Once you've created a credential, you can retrieve the credential reference id from the URL. The credential reference id is the last part of the URL after `credentials/` on the page of the credential you just created.
+**Key limitations**: The TypeScript SDK can only directly create **Memory store** credentials. Nango and Keychain stores require OAuth authorization flows with user interaction, which are handled through the Visual Builder interface.
 
-## Step 3: Reference the credential when creating an MCP tool
+## Credential Store Types
 
-There are two ways to reference credentials in your MCP tools:
+The framework supports three credential store types, each suited for different authentication patterns.
 
-### Option 1: Reference by Credential ID (Recommended)
+### Memory Store
+**Common use case**: Simple API keys and bearer tokens stored in environment variables. Configured directly through the TypeScript SDK.
 
-When you create a credential through the UI, you get a credential reference ID that you can use directly:
+- Credentials retrieved from environment variables at runtime
+- Suitable for both development and production environments
+- Direct configuration via `credential()` function in TypeScript SDK
 
-```typescript
-import { mcpTool, MCPTransportType } from '@inkeep/agents-sdk';
-
-// Use the credential reference ID from the UI
-const inkeepAnalyticsTool = mcpTool({
-  id: 'inkeep-analytics',
-  name: 'inkeep_analytics',
-  description: 'Get the latest stats from the Inkeep Analytics dashboard',
-  serverUrl: 'https://analytics.inkeep.com/mcp',
-  credentialReferenceId: 'your-credential-id-from-ui', // Credential ID from Step 2
-  transport: {
-    type: MCPTransportType.streamableHttp,
-  },
-});
-```
 
-### Option 2: Define Environment-Based Credentials
+### Nango Store
+**Common use case**: OAuth tokens from OAuth2.1/PKCE flows, complex OAuth flows, integrating with external services (Slack, GitHub, Google, etc.), when extra headers are needed, etc. Credentials configured through Visual Builder.
+
+- Managed through Nango (self-hosted or cloud)
+- Supports various authentication methods: OAuth2.0, API keys, basic auth, and more
+- Can provide additional metadata headers passed to MCP servers
+- Requires OAuth setup through Visual Builder
+
+### Keychain Store  
+**Common use case**: Locally stored OAuth tokens from OAuth2.1/PKCE flows. Credentials configured through Visual Builder.
+
+- Credentials stored in native OS keychain (macOS Keychain Access, Windows Credential Manager, Linux Secret Service)
+- Mainly used locally for development with OAuth services
+- Requires OAuth setup through Visual Builder
 
-For development workflows, you can define credentials that reference environment variables:
+## Creating and Using Credentials
+
+### Basic Setup Example
 
 ```typescript
-import { mcpTool, credential, MCPTransportType } from '@inkeep/agents-sdk';
-import { CredentialStoreType } from '@inkeep/agents-core';
+import { mcpTool, credential, agent, agentGraph } from "@inkeep/agents-sdk";
+import { CredentialStoreType } from "@inkeep/agents-core";
 
-// Define a credential that pulls from environment variables
-const inkeepApiKeyCredential = credential({
-  id: 'inkeep-api-key',
-  type: CredentialStoreType.memory,
+// Step 1: Create the credential
+const stripeCredential = credential({
+  id: 'stripe-credential',
+  type: CredentialStoreType.memory, // Memory store
   credentialStoreId: 'memory-default',
   retrievalParams: {
-    key: 'INKEEP_API_KEY',
+    key: 'STRIPE_API_KEY', // STRIPE_API_KEY=your-stripe-key should be set as an environment variable (.env file)
   },
 });
 
-// Reference the credential object
-const inkeepAnalyticsTool = mcpTool({
-  id: 'inkeep-analytics',
-  name: 'inkeep_analytics',
-  description: 'Get the latest stats from the Inkeep Analytics dashboard',
-  serverUrl: 'https://analytics.inkeep.com/mcp',
-  credentialReference: inkeepApiKeyCredential, // Reference to credential object
-  transport: {
-    type: MCPTransportType.streamableHttp,
-  },
+// Step 2: Use credential in MCP tool
+const stripeTool = mcpTool({
+  id: 'stripe-tool',
+  name: 'Stripe Tool',
+  description: 'Access Stripe payment services',
+  serverUrl: 'https://mcp.stripe.com',
+  credential: stripeCredential, // Reference the credential
+});
+
+// Step 3: Add tool to agent
+const paymentAgent = agent({
+  id: 'payment-agent',
+  name: 'Payment Agent',
+  description: 'Handles payment processing',
+  prompt: 'You handle payment-related requests using the Stripe service.',
+  tools: () => [stripeTool],
 });
 ```
 
-## Best Practices
+## Configuration Options
 
-### Production Deployments
-- **Use credential IDs**: Always use `credentialReferenceId` with credentials created through the UI
-- **Secure storage**: Credentials are encrypted and managed centrally
-- **Team collaboration**: Credentials can be shared across team members
+### Credential Configuration
 
-### Development Workflows
-- **Environment credentials**: Use `credentialReference` with environment-based credentials
-- **Local development**: Define credentials in your `environments/*.env.ts` files
-- **CI/CD integration**: Environment variables can be managed by your deployment pipeline
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `id` | string | Yes | Unique identifier for the credential |
+| `type` | CredentialStoreType | Yes | Type of credential store (memory, nango, or keychain) |
+| `credentialStoreId` | string | Yes | Identifier for the specific credential store instance |
+| `retrievalParams` | object | Yes | Parameters for retrieving the credential from the store. See below for more details. |
 
-### Environment Integration
+### Retrieval Parameters by Store Type
+
+**Memory store** credentials:
+``` typescript
+retrievalParams: {
+  "key": "<environment-variable-name>", // where <environment-variable-name> is the name of the environment variable that contains the credential value
+}
+```
+
+**Nango store** credentials (created through the Visual Builder - OAuth2.1/PKCE flow or Bearer authentication flow):
+``` typescript
+// OAuth2.1/PKCE flow
+retrievalParams: {
+  "connectionId": "oauth_token_<toolId>", // where <toolId> is the id of the MCP tool the credential is associated with
+  "providerConfigKey": "oauth_token_<toolId>",
+  "provider": "private-api-bearer",
+  "authMode": "API_KEY"
+}
+
+// Bearer authentication 
+retrievalParams: {
+  "connectionId": "<id-given-to-bearer-api-key>", // where <id-given-to-bearer-api-key> is the id given to the bearer api key created in through the Visual Builder
+  "providerConfigKey": "<id-given-to-bearer-api-key>",
+  "provider": "private-api-bearer",
+  "authMode": "API_KEY"
+}
+```
+
+**Keychain store** credentials (created through the Visual Builder - OAuth2.1/PKCE flow):
+``` typescript
+retrievalParams: {
+  "key": "oauth_token_<toolId>" // where <toolId> is the id of the MCP tool the credential is associated with
+}
+```
+
+### Environment-aware Credentials
 
 You can also define credentials in your environment files:
 
-```typescript
-// environments/development.env.ts
-import { registerEnvironmentSettings } from '@inkeep/agents-sdk';
-import { CredentialStoreType } from '@inkeep/agents-core';
-
-export const development = registerEnvironmentSettings({
-  credentials: {
-    'openai-dev': {
-      id: 'openai-dev',
-      type: CredentialStoreType.memory,
-      credentialStoreId: 'memory-default',
-      retrievalParams: {
-        key: 'OPENAI_API_KEY_DEV',
+<Tabs>
+  <Tab title="Environment File">
+    ```bash title=".env"
+    STRIPE_API_KEY_DEV=sk-stripe-dev-key...
+    STRIPE_API_KEY_PROD=sk-stripe-prod-key...
+    ```
+  </Tab>
+
+  <Tab title="Development Config">
+    ```typescript title="environments/development.ts"
+    import { registerEnvironmentSettings } from '@inkeep/agents-sdk';
+    import { CredentialStoreType } from '@inkeep/agents-core';
+
+    export const development = registerEnvironmentSettings({
+      credentials: {
+        'stripe_api_key': {
+          id: 'stripe-api-key',
+          type: CredentialStoreType.memory,
+          credentialStoreId: 'memory-default',
+          retrievalParams: {
+            key: 'STRIPE_API_KEY_DEV',
+          },
+        }
       },
-    },
-    'inkeep-api-dev': {
-      id: 'inkeep-api-dev',
-      type: CredentialStoreType.memory,
-      credentialStoreId: 'memory-default',
-      retrievalParams: {
-        key: 'INKEEP_API_KEY_DEV',
+    });
+    ```
+  </Tab>
+
+  <Tab title="Production Config">
+    ```typescript title="environments/production.ts"
+    import { registerEnvironmentSettings } from '@inkeep/agents-sdk';
+    import { CredentialStoreType } from '@inkeep/agents-core';
+
+    export const production = registerEnvironmentSettings({
+      credentials: {
+        'stripe_api_key': {
+          id: 'stripe-api-key',
+          type: CredentialStoreType.memory,
+          credentialStoreId: 'memory-default',
+          retrievalParams: {
+            key: 'STRIPE_API_KEY_PROD',
+          },
+        }
       },
-    },
-  },
-});
-```
+    });
+    ```
+  </Tab>
+
+  <Tab title="Index File">
+    ```typescript title="environments/index.ts"
+    import { createEnvironmentSettings } from '@inkeep/agents-sdk';
+    import { development } from './development.env';
+    import { production } from './production.env';
+
+    export const envSettings = createEnvironmentSettings({
+      development,
+      production,
+    });
+    ```
+  </Tab>
+</Tabs>
 
 Then reference them in your tools:
 
-```typescript
-// tools/analytics-tool.ts
-import { mcpTool, MCPTransportType } from '@inkeep/agents-sdk';
-
-export const analyticsTool = mcpTool({
-  id: 'analytics',
-  name: 'analytics_tool',
-  description: 'Access analytics data',
-  serverUrl: 'https://analytics.example.com/mcp',
-  credentialReferenceId: 'inkeep-api-dev', // References environment credential
-  transport: {
-    type: MCPTransportType.streamableHttp,
-  },
+
+```typescript title="tools/stripe-tool.ts"
+import { mcpTool } from "@inkeep/agents-sdk";
+import { envSettings } from "../environments";
+
+export const stripeTool = mcpTool({
+  id: 'stripe-tool',
+  name: 'Stripe',
+  serverUrl: 'https://mcp.stripe.com/mcp',
+  credential: envSettings.getEnvironmentSetting('stripe_api_key'),
 });
 ```
+
+This pattern is useful if you want to keep track of different credentials for different environments. When you push your project using the [Inkeep CLI](/typescript-sdk/cli-reference#inkeep-push) `inkeep push` command with the `--env` flag, the credentials will be loaded from the appropriate environment file. For example, if you run `inkeep push --env development`, the credentials will be loaded from the `environments/development.env.ts` file.