> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mira-app.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# API Tokens & Security

> How MIRA stores credentials and what you can do to audit and rotate them.

All API keys and secrets in MIRA are encrypted using Electron's **`safeStorage`** API and stored in `credentials.json` inside MIRA's application data directory. They are never written in plain text to `mira.db` or any config file. `safeStorage` uses OS-provided encryption under the hood (macOS Keychain Services, Windows DPAPI, Linux libsecret) but the data itself lives in `credentials.json`, not in the OS keychain UI apps.

<Snippet file="keychain-note.mdx" />

## How credentials are stored

| Credential type                         | Where configured                         | How stored                                                       |
| --------------------------------------- | ---------------------------------------- | ---------------------------------------------------------------- |
| AWS Access Key / Secret / Session Token | Settings → **Bedrock / AWS** tab         | Encrypted blob in `credentials.json`                             |
| OpenAI API key (`OPENAI_API_KEY`)       | Settings → **API Tokens** tab            | Encrypted token entry in `credentials.json`, injected as env var |
| Anthropic API key (`ANTHROPIC_API_KEY`) | Settings → **API Tokens** tab            | Encrypted token entry in `credentials.json`, injected as env var |
| Ollama Base URL (`OLLAMA_BASE_URL`)     | Settings → **API Tokens** tab (optional) | Encrypted token entry in `credentials.json`, injected as env var |
| MCP server environment variables        | Settings → **MCP Servers** tab           | Encrypted per-token entry in `credentials.json`                  |

## Finding credentials.json

`credentials.json` lives in the Electron `userData` directory:

* **macOS:** `~/Library/Application Support/mira/credentials.json`
* **Windows:** `%APPDATA%\mira\credentials.json`
* **Linux:** `~/.config/mira/credentials.json`

The file contains encrypted blobs. You cannot read secret values directly from the file — they can only be decrypted by the same OS account and machine that encrypted them.

## Viewing stored API tokens

MIRA shows token labels, env var names, and when they were added in the **API Tokens** settings tab. Secret values are never displayed after saving.

## Adding a token

1. Press ⌘, → **API Tokens** tab → click **Add token** (or **Add your first token**).
2. Fill in a **Label** (e.g. `OpenAI API Key`), **Env var** (e.g. `OPENAI_API_KEY`), and **Value**.
3. Click **Save**. The engine picks up the new env var automatically on next start.

## Rotating a token

1. Press ⌘, → **API Tokens** tab.
2. Click the **trash icon** next to the existing token to delete it.
3. Click **Add token** and add the new value.
4. The engine will use the new value on next restart.

## Removing a token

1. Press ⌘, → **API Tokens** tab.
2. Click the **trash icon** next to the token. It is deleted immediately from `credentials.json`.

## AWS credentials

AWS credentials (Access Key ID, Secret, Session Token, Region) are managed separately in the **Bedrock / AWS** tab — not in API Tokens. Use the **Test Connection** button to verify them before saving.

## What MIRA does NOT store

* Conversation content
* Document content
* Eval run outputs
* Your name or email

All of the above stays in `mira.db` on your local machine only.

## Auditing outbound network calls

MIRA makes network calls only to:

* The LLM provider APIs you have configured (OpenAI, Anthropic, AWS Bedrock)
* Ollama at `http://localhost:11434` (local, no egress)
* MCP SSE servers you have added

No telemetry, crash reporting, or analytics data is sent anywhere. See [Privacy & Data](../core-concepts/privacy-and-data) for the full outbound call list.

<Note>
  Edit this page — [Open a pull
  request](https://github.com/satyendra2013/mira-app/edit/main/docs/configuration/api-tokens.mdx)
</Note>
