Authenticate without the token touching your code
Declare auth on the stitch so callers get a capability, not a credential — the secret is read per call and never returned.
Task
You want every call to an API authenticated, without the token ever living in your application code — where most clients would have you read it into a variable and thread it through every call, into your logs, your traces, and anything you hand to an agent.
Example
One way: declare the auth on the stitch itself. Callers get a callable; the secret stays behind it.
// Identifiers left blank below were dropped from the page source; only the names the surrounding text confirms (bearer, env) are restored.
import { , bearer, env } from 'stitchapi';

const = ({
  : 'https://api.example.com',
  : '/invoices/{id}',
  auth: bearer(env('API_TOKEN')),
});

// The caller invokes it and gets data — no token in sight.
const = await ({ : { : 42 } });
How it works
env('API_TOKEN') is a resolver, not a value: nothing is read when you declare the stitch. The runtime invokes it on each request, attaches the token, and discards it; the caller receives data and never the secret. The declaration holds only a reference to where the secret lives, so it is safe to commit, diff, and share.
Swap bearer for apiKey, basic, or oauth2 — the boundary is the same, and the strategies with a session refresh themselves behind it. Because the token never crosses back to the caller, you can hand the stitch to an agent and it can make the authenticated call without ever holding the credential.
See also
Share one rate limit across every worker
Point the throttle at a shared store so a whole fleet draws from a single rate budget instead of N× the limit.
Let an agent call your API without handing it the key
Expose your stitches over MCP through one run_stitch tool — the agent invokes a capability and never sees the credential.