Get started
Back to Integrations

3rd party APIs

Call any external API from your app — weather, CRMs, SMS, social, AI tools, anything with an API

Overview

Your apps can call any external API — weather services, CRMs, social media platforms, AI tools, or any third-party service with an API. Describe what data you need or what action to perform, and the agent sets up the integration: the function code, the API key fields in Settings, and the test-connection wiring. All secrets are stored server-side and never bundled into your app's client-side code.

What it supports

  • Any HTTPS API — REST, GraphQL, or webhook-style endpoints
  • Standard auth schemes — bearer tokens, API key headers, basic auth, query-param keys, signed-request schemes
  • Per-endpoint key management — each integrated endpoint shows up as its own card in Settings, with the secrets it needs and a status indicator
  • Test connection — click a button to verify your key works before relying on it
  • Public endpoints — endpoints that don't need a key show up as Public with no setup required
  • Secret visibility toggle — show/hide the value of a saved key with an eye icon

Example prompts

"Show real-time weather for the user's city using
OpenWeatherMap."

"Pull the latest blog posts from my WordPress site."

"Fetch live stock prices from the Alpha Vantage API."

"Send an SMS notification via Twilio when a new order
is placed."

Adding an API key

  1. Open Settings
    • Open your app and go to the Settings tab
    • Expand the External APIs section
  2. Find the endpoint
    • Each configured endpoint appears as its own card with a status:
    • Ready (green) — all keys are set
    • N keys required (amber) — keys still need to be provided
    • Public (green) — no keys needed for this endpoint
  3. Paste your key
    • Click the endpoint to expand it and see its secret fields
    • Each field includes a hint pointing at where to get the key (e.g., "Get from openweathermap.org/api")
    • Paste the key and click Save
  4. Test the connection
    • Click Test Connection on the endpoint card
    • A successful test shows status and latency (e.g., "200 OK — 120ms")

Your API keys are encrypted at rest and only used server-side. They are never exposed in your app's frontend code.

Updating or removing a key

For keys that are already set, the endpoint card shows Update and Remove actions. Use the eye icon to toggle visibility of the saved value while you check it. Removing a key flips the endpoint's status back to N keys required until you add a new value.

Testing connections

After adding (or updating) your API keys, the Test Connection button on each endpoint runs a probe call against the third-party API using your saved key. A successful test shows the response status and latency (e.g., "200 OK — 120ms"). If the test fails, double-check the key value and confirm the external service is reachable.

How it works

  1. You describe an integration in chat (e.g., "add weather lookup using OpenWeatherMap")
  2. The agent writes a server function that calls the third-party API, plus a Settings entry for the endpoint's keys
  3. You paste your key into Settings; it's encrypted at rest and injected as an environment value at function-call time
  4. Whenever your app needs the integration, the server function reads the key, calls the API, and returns the result to the caller
  5. Keys never leave the server; the browser only ever sees the API response your function returns

Limitations

  • HTTPS only — Pentoggle won't call http:// endpoints; you'll need to use an HTTPS proxy if the upstream lacks TLS
  • Calls happen server-side — there's no way to call a third-party API from the browser using a stored key (by design — keys would leak)
  • Per-app key storage — keys live with the app that uses them. To share a key across multiple apps you re-add it in each app's Settings
  • Rate limits are the upstream's — Pentoggle doesn't override them; if you hit a rate limit, the agent should add caching or retry/backoff logic
  • No webhook receiver UI — incoming webhooks can be wired up but don't currently surface in the External APIs settings UI; check the function logs for arrivals

Troubleshooting

  • Test Connection fails with 401/403 — the saved key is wrong, expired, or doesn't have the required scope. Regenerate it on the provider's dashboard, re-paste, and test again
  • Endpoint card stuck on "N keys required" after saving — one of the fields likely had a whitespace character. Re-open the field, clear it, paste fresh, and save
  • Test passes but real calls fail — the Test Connection call only probes auth/reachability; the real call may use a different endpoint or required parameter. Check the function logs for the actual error from the upstream
  • Latency is unexpectedly high — confirm the upstream is healthy from a tool like curl or their status page; if persistent, ask the agent to add caching
  • Need to rotate a key without downtime — paste the new key, click Save, and click Test Connection; the new value takes effect on the very next function call. No restart needed