# 6. Credential Request ## Credential Request Call **Outcome:** Client understands how to obtain each credential type; all credentials collected and stored securely in 1Password **Trigger:** Onboarding Call complete, before AI Roadmap Call **Duration:** 90 min total (15 min prep + 60 min call + 15 min post-call) ### Quick Reference | Step | Action | Time | | --------------- | -------------------------------------- | ------ | | **Pre-Call** | | | | 1 | Generate credential list from proposal | 5 min | | 2 | Create client 1Password vault | 2 min | | 3 | Send prep email | 3 min | | 4 | Pre-call setup | 5 min | | **60-min Call** | | | | 5 | Intro & agenda | 5 min | | 6 | Security overview & delivery methods | 10 min | | 7 | Walk through OAuth credentials | 20 min | | 8 | Walk through API keys & passwords | 20 min | | 9 | Wrap-up & next steps | 5 min | | **Post-Call** | | | | 10 | Send thanks email | 1 min | | 11 | Store all credentials in 1Password | 5 min | | 12 | Test all credentials in n8n | 5 min | | 13 | Send confirmation OR correction email | 5 min | **Purpose:** Walk the client step-by-step through obtaining each credential type. Testing happens AFTER the call — any issues are resolved via email with clear instructions. *** ### 1Password Vault Architecture Each client gets their own dedicated vault in 1Password. This keeps credentials organized, makes access control simple, and allows clients to optionally view their own stored credentials. #### Vault Structure ``` The Entourage AI (1Password Account) ├── Private (personal vault) ├── Shared (internal team) ├── TEAI - Internal Tools └── Client Vaults ├── NADD - Nadia's Boutique ├── CRFG - Craft Goods Co ├── MSBR - Melbourne Spark Bros └── {CODE} - {Client Name} ``` #### Naming Convention | Element | Format | Example | | ----------------- | ---------------------------- | ------------------------- | | Vault name | `{CODE} - {Client Name}` | `NADD - Nadia's Boutique` | | API credentials | `{Platform} API Key` | `Stripe API Key` | | OAuth credentials | `{Platform} OAuth` | `HubSpot OAuth` | | Service accounts | `{Platform} Service Account` | `Google Service Account` | | User/pass logins | `{Platform} Login` | `Xero Login` | #### Permission Levels | Role | Access | When to Use | | ---------------- | ---------------------------- | ------------------------------ | | **View Items** | See credentials, copy values | Client guest access (optional) | | **Edit Items** | Create, modify, delete | Team members working on client | | **Manage Vault** | Grant/revoke access | Account admins only | #### Creating a Client Vault 1. Go to **1Password.com** → **Vaults** → **New Vault** 2. Name: `{CODE} - {Client Name}` (e.g., `NADD - Nadia's Boutique`) 3. Description: `Credentials for {Client Name} automation workflows` 4. Icon: Use client's industry icon or default folder 5. Click **Create Vault** #### Adding Team Members 1. Open the vault → **People** → **Manage** 2. Add team members assigned to this client 3. Set permission to **Edit Items** (not Manage) 4. They'll see the vault on their next sync #### Optional: Client Guest Access If the client wants visibility into their stored credentials: 1. Open the vault → **People** → **Invite** 2. Enter client's email 3. Set permission to **View Items** only 4. Client receives email invitation 5. They create a free 1Password guest account 6. After accepting, they can view (not edit) their credentials **Note:** Guest accounts can only access ONE vault, which is why we use one vault per client. *** ### Full Guide #### Pre-Call Prep (15 min) **Generate Credential List (5 min)** Review the **proposal** to identify all systems that will need integration: ``` /prepare:credential-list {CODE} ``` This generates a checklist of: * Platform name * Credential type (OAuth2, API key, user/pass) * Required permissions * Delivery method recommendation **Common systems from proposals:** * Email: Gmail, Outlook * CRM: HubSpot, Salesforce, Pipedrive * Accounting: Xero, QuickBooks * Communication: Slack, Teams * File storage: Google Drive, Dropbox * Custom: Client-specific APIs **Create Client 1Password Vault (2 min)** If this is a new client, create their vault now: 1. Go to **1Password.com** → **Vaults** → **New Vault** 2. Name: `{CODE} - {Client Name}` 3. Description: `Credentials for {Client Name} automation workflows` 4. Add yourself and any team members assigned to this client 5. Permission: **Edit Items** **Skip if:** Vault already exists from a previous engagement. **Send Prep Email (3 min)** ``` /create:email {CODE} --type credential-prep ``` Send 24-48 hours before the call so client can: * Review what's needed * Identify who has admin access * Choose their preferred delivery method **Pre-Call Setup (5 min)** Open: * [ ] Client folder * [ ] Proposal (credential list) * [ ] n8n instance * [ ] 1Password vault for this client (`{CODE} - {Client Name}`) * [ ] Call recording software **Verify 1Password vault exists:** If not created in step above, create now before call. *** #### Call Structure (60 min) **Section 1: Intro & Agenda (5 min)** "Thanks for jumping on! Today I'm going to walk you through how to get all the credentials we need for your automation. I'll show you exactly where to find everything — it's like a guided tour of your platforms' settings. Should take about an hour." **Set expectations:** * This is educational — you'll see exactly what we need and why * Share your screen when we get to your platforms * I'll note everything down; you don't need to remember the steps * After the call, I'll test everything and email you confirmation **Section 2: Security Overview & Delivery Methods (10 min)** **Explain our security approach:** * "All your credentials are stored in a dedicated 1Password vault just for your company" * "No one else can access your vault — it's completely separate from other clients" * "You can optionally have view-only access to see what's stored" **Present the two delivery methods:** **Option A: OAuth Authorization (Recommended)** * You authorize our app directly in the platform * You maintain full control — revoke anytime with one click * Best for: Gmail, Slack, HubSpot, Xero, Google Drive * "Think of it like giving us a house key you can deactivate anytime" **Option B: API Keys & Passwords (for platforms without OAuth)** * You create a dedicated API key or user account * We store it securely in your 1Password vault * Best for: Stripe, custom APIs, legacy systems * "We never ask for your personal password — always a dedicated key" **If client is nervous about access:** * "You can remove our access anytime with one click" * "We only access data needed for the workflow" * "Everything is logged — you can see exactly what we do" **If client says "We can't share that":** > "I completely understand the concern. Here's how we handle security: your credentials are stored in a dedicated 1Password vault that no one else can access — it's just for your company, completely separate from every other client. Only myself and the team assigned to your project can see it. It's really important we get this credential because the platform's API requires it for the automation to work. Without it, we won't be able to connect to {Platform} and that part of the workflow won't function. Is there someone from your IT team we should loop in to discuss security requirements?" **Section 3: Walk Through OAuth Credentials (20 min)** Go through each OAuth platform one by one. The goal is to SHOW the client how to authorize, not rush through it. **For each OAuth platform (Gmail, HubSpot, Slack, etc.):** 1. **Explain what we're connecting:** "First, let's connect Gmail so we can trigger workflows from emails." 2. **Have client share their screen** 3. **Guide them to the authorization:** * "Go to {platform URL}" * "Click Settings → Integrations → API Access" * "You'll see an 'Authorize' button..." 4. **Walk through the OAuth flow:** * "Click 'Sign in with {Platform}'" * "Review the permissions — here's what each one means..." * "Click 'Allow'" 5. **Confirm success:** "Perfect, you should see a confirmation screen." 6. **Note the credential for post-call setup:** Document platform name, auth method, any notes. **Pace yourself:** Spend 3-5 minutes per platform. Don't rush — this builds trust. **Section 4: Walk Through API Keys & Passwords (20 min)** For platforms without OAuth, guide the client through creating API keys or service accounts. **For each API key platform:** 1. **Explain what we need:** "For Stripe, we need an API key. Let me show you exactly how to create one." 2. **Have client share their screen** 3. **Guide them to API settings:** * "Go to your Stripe Dashboard" * "Click Developers → API Keys" * "You'll see 'Secret Key' — that's what we need" 4. **Help them create the key:** * "Click 'Create Restricted Key'" * "Name it 'Entourage Automation'" * "Set these permissions: \[read charges, read customers, etc.]" 5. **Securely capture the key:** * Have them copy and paste into the Zoom chat (or use 1Password share link) * Immediately delete from chat after you've captured it * Or have them send via 1Password share link post-call 6. **Note for post-call:** Document platform, key name, permissions granted. **For user/password credentials (legacy systems):** * Guide them to create a dedicated "service account" user * Never ask for their personal login * Document: username, how password will be shared (1Password link) **Common platform guides to reference:** | Platform | Where to find API keys | | ---------- | ------------------------------------ | | Stripe | Dashboard → Developers → API Keys | | Xero | Developer Portal → My Apps → New App | | QuickBooks | Intuit Developer → My Apps → Keys | | Shopify | Settings → Apps → Develop Apps | | Mailchimp | Profile → Extras → API Keys | **Section 5: Wrap-Up & Next Steps (5 min)** "Excellent work! We've got everything we need. Here's what happens next:" 1. **Immediately after this call:** I'll store all credentials securely in your 1Password vault and test each connection 2. **Within 2 hours:** You'll get an email confirming everything works — or if there's an issue, I'll include exactly how to fix it 3. **AI Roadmap Call on {date}:** We'll dive deep into your processes "If any credential doesn't work, don't worry — I'll email you the exact steps to fix it. No need to jump on another call." "Any questions before we wrap?" *** #### Post-Call (15 min) **Step 0: Send Thanks Email (1 min)** Immediately after hanging up, send the `credential-thanks` email: ``` /create:email {CODE} --type credential-thanks ``` This lets the client know you're on it and sets expectations for follow-up. **Step 1: Store Credentials in 1Password (5 min)** For each credential collected during the call: 1. Open the client's vault: `{CODE} - {Client Name}` 2. Create a new item for each credential: | Credential Type | 1Password Item Type | Fields to Fill | | --------------- | ---------------------------------- | ------------------------------------------ | | API Key | **API Credential** or **Password** | Name, key value, permissions, created date | | OAuth Token | **Login** | Platform, auth method, authorized scopes | | User/Password | **Login** | Username, password, URL, notes | 3. Add notes to each item: * Permissions granted * Who created it (client contact name) * Date obtained * Any special instructions **Naming convention in 1Password:** * `{Platform} API Key` — e.g., `Stripe API Key` * `{Platform} OAuth` — e.g., `HubSpot OAuth` * `{Platform} Login` — e.g., `Xero Service Account` **Step 2: Test Credentials in n8n (5 min)** For each credential: 1. Go to n8n → Credentials → Create New 2. Select the platform 3. Paste credentials from 1Password 4. Click **Test** 5. Record result: ✅ Verified or ❌ Failed + error message **Common test failures:** | Error | Likely Cause | Fix (include in email) | | ------------------ | ------------------------ | ----------------------------------- | | 401 Unauthorized | Wrong API key or expired | Ask client to regenerate key | | 403 Forbidden | Missing permissions | Ask client to add required scopes | | Connection refused | IP whitelist blocking | Ask client to whitelist n8n IP | | Invalid token | OAuth flow incomplete | Schedule 5-min follow-up to re-auth | | Rate limited | Too many requests | Wait and retry in 15 minutes | **Step 3: Send Email (5 min)** Based on test results, send ONE of these emails: **If ALL credentials work:** Send `credential-confirmation` email **If ANY credential fails:** Send `credential-correction` email *** **Document in settings.json** ```json { "onePassword": { "vault": "{CODE} - {Client Name}", "clientGuestAccess": false }, "credentials": [ { "name": "{CODE}-Gmail-OAuth2", "type": "OAuth2", "status": "verified", "tested": "{DATE}", "deliveryMethod": "oauth", "onePasswordItem": null }, { "name": "{CODE}-HubSpot-OAuth2", "type": "OAuth2", "status": "verified", "tested": "{DATE}", "deliveryMethod": "oauth", "onePasswordItem": null }, { "name": "{CODE}-Stripe-API", "type": "API Key", "status": "verified", "tested": "{DATE}", "deliveryMethod": "1password", "onePasswordItem": "Stripe API Key" } ] } ``` **Create Call Notes** Save to: `clients/{kebab-name}/context/calls/credential-call-{DATE}.md` ```markdown # Credential Request Call - {Client Name} Date: {DATE} Attendees: ## Credentials Configured | Platform | Name | Status | Notes | |----------|------|--------|-------| | Gmail | {CODE}-Gmail-OAuth2 | ✅ Verified | | | HubSpot | {CODE}-HubSpot-OAuth2 | ✅ Verified | | ## Pending Credentials | Platform | Owner | Deadline | Blocker | |----------|-------|----------|---------| | {Platform} | {Name} | {Date} | {Reason} | ## Notes {Any issues, concerns, or follow-ups} ``` **Send Confirmation Email** ``` /create:email {CODE} --type credential-confirmation ``` *** ### Handling Pending Credentials If any credentials couldn't be configured during the call: 1. **Document the blocker** — Why couldn't we get it? (No admin access, IT approval needed, etc.) 2. **Assign an owner** — Who is responsible for getting it? 3. **Set a deadline** — When do we need it by? 4. **Send follow-up email** — `/create:email {CODE} --type credential-followup` **Escalation timeline:** * Day 3: Follow-up email * Day 5: Phone call * Day 7: Escalate to sponsor/decision-maker *** ### Handling Additional Systems (Post-Workshop) Since this SOP runs before Workshop (SOP 7) and Development (SOP 8), additional systems may be discovered later. **During Workshop (SOP 7):** If new systems are identified that weren't in the proposal: * Note them in Workshop call notes * Request credentials async via email (using credential-followup template) * Or schedule a brief 10-min follow-up call if complex OAuth **During Development (SOP 8):** Check if all required credentials are configured: * If missing: Request immediately with deadline * Update settings.json when received This is rare since sales maps major integrations during the AI Roadmap sales process. *** ### Credential Naming Convention | Platform | Naming Pattern | Example | | -------- | ----------------------- | --------------------- | | Gmail | `{CODE}-Gmail-OAuth2` | `NADD-Gmail-OAuth2` | | HubSpot | `{CODE}-HubSpot-OAuth2` | `NADD-HubSpot-OAuth2` | | Slack | `{CODE}-Slack-Bot` | `NADD-Slack-Bot` | | Xero | `{CODE}-Xero-OAuth2` | `NADD-Xero-OAuth2` | | API Key | `{CODE}-{Platform}-API` | `NADD-Stripe-API` | *** ### Email Templates #### credential-prep **When to send:** 24-48 hours before credential call **Command:** `/create:email {CODE} --type credential-prep` ``` Subject: Credential Setup Call - Quick Prep Needed Hi {Name}, Looking forward to our credential setup call on {Date/Time}! This is a 60-minute working session where I'll walk you through connecting all the systems needed for your automation. Think of it as a guided tour of your platforms' settings — I'll show you exactly where to find everything. No technical knowledge required. WHAT WE'LL CONNECT Based on your project, we'll need access to: {List from proposal - e.g.} - Gmail (for email triggers) - HubSpot (for CRM updates) - Slack (for notifications) BEFORE THE CALL Please ensure you have: - [ ] Admin access to the systems above (or have someone with access available) - [ ] 5 minutes to review this email HOW WE'LL DO IT You have two options for sharing access: **Option A: Add Us to Your Account** (Recommended) You add our service account to your platform. You keep full control and can revoke access anytime. **Option B: Secure Password Sharing** You create a dedicated user/API key and share via our encrypted 1Password vault. Most clients prefer Option A — we can discuss which works best for you on the call. SECURITY NOTE - Your credentials are stored in a dedicated 1Password vault that only your project team can access - Each client has their own separate vault — your data is never mixed with others - You can optionally have view-only access to see exactly what's stored - You can revoke access at any time Questions? Just reply. See you on {Date}! Cheers, {Your Name} AI Solutions Engineer The Entourage AI ``` *** #### credential-thanks **When to send:** Immediately after call ends (within 5 minutes) **Command:** `/create:email {CODE} --type credential-thanks` ``` Subject: Thanks {Name}! Testing Credentials Now Hi {Name}, Thanks so much for jumping on that call! Really appreciate you walking through all the systems with me. I'm now going to: 1. Store everything securely in your 1Password vault 2. Test each credential to make sure it connects properly If everything works, I'll send you a quick confirmation email. If anything needs a tweak, I'll email you the exact steps to fix it — no need for another call. You should hear back from me within the next couple of hours. Chat soon! {Your Name} AI Solutions Engineer The Entourage AI ``` *** #### credential-confirmation **When to send:** Within 2 hours of credential call, ONLY if all credentials tested successfully **Command:** `/create:email {CODE} --type credential-confirmation` ``` Subject: Credentials Configured ✅ Hi {Name}, Great session today! I've tested all the credentials and everything is working perfectly. CREDENTIALS CONFIGURED {List each credential - e.g.} ✅ Gmail - Connected via OAuth ✅ HubSpot - Connected via OAuth ✅ Stripe - API Key verified All credentials are stored securely in your dedicated 1Password vault. WHAT'S NEXT Your AI Roadmap Discovery call is on {Date}. We'll dive deep into your processes and pain points. With credentials already set up, we can hit the ground running when development starts! Questions? Reply anytime. Cheers, {Your Name} AI Solutions Engineer The Entourage AI ``` *** #### credential-correction **When to send:** Within 2 hours of credential call, when one or more credentials failed testing **Command:** `/create:email {CODE} --type credential-correction` ``` Subject: Quick Fix Needed - {Platform} Credential Hi {Name}, Thanks for your time on our credential call! I've tested everything and most credentials are working great. WORKING ✅ {List working credentials - e.g.} ✅ Gmail - Connected via OAuth ✅ HubSpot - Connected via OAuth NEEDS ATTENTION ⚠️ The {Platform} credential didn't connect successfully. Here's exactly how to fix it: ISSUE: {Brief description - e.g., "The API key doesn't have the required permissions"} HOW TO FIX: {Step-by-step instructions tailored to the specific platform and error} 1. Log in to {Platform} at {URL} 2. Go to {Settings → API Keys / Developer Settings / etc.} 3. {Specific action - e.g., "Create a new API key with the following permissions:"} - {Permission 1} - {Permission 2} 4. Copy the new key 5. Reply to this email with the new key (or share via 1Password link: {link}) WHY THIS IS NEEDED {Brief explanation - e.g., "Without the 'read_customers' permission, we can't pull customer data into your workflow."} Once I receive the updated credential, I'll test it and confirm everything's working. No need to schedule another call — just reply to this email and I'll handle the rest! Cheers, {Your Name} AI Solutions Engineer The Entourage AI ``` **Tips for writing correction emails:** * Be specific about the exact error * Provide step-by-step fix instructions with screenshots if helpful * Explain WHY the credential is needed (builds urgency) * Make it easy to reply — don't require another call *** #### credential-followup **When to send:** 3 days after call if credentials still pending **Command:** `/create:email {CODE} --type credential-followup` ``` Subject: Quick Follow-Up - Pending Credentials Hi {Name}, Just following up on the credentials we weren't able to configure during our call: STILL NEEDED ⏳ {Platform} - {What's needed} Blocker: {Reason - e.g., "Waiting on IT approval"} Impact: {What we can't do without it} HOW YOU CAN HELP {Specific action - e.g.} - Forward this to your IT team with approval request - Let me know the admin contact and I can reach out directly - Schedule a quick 10-min call with the person who has access TIMELINE We need this by {Date} to stay on schedule for your {Workflow Name} delivery. Need help unblocking this? Happy to jump on a quick call. Cheers, {Your Name} AI Solutions Engineer The Entourage AI ``` *** ### Verify #### Pre-Call * [ ] **1Password vault created:** `{CODE} - {Client Name}` * [ ] Prep email sent 24-48h before call * [ ] Credential list generated from proposal #### Call (60 min) * [ ] Call completed * [ ] All credentials collected (OAuth authorized or API keys received) * [ ] Client understands how each platform works #### Post-Call * [ ] Thanks email sent within 5 minutes of call ending * [ ] All credentials stored in 1Password vault * [ ] All credentials tested in n8n * [ ] n8n credential naming follows convention: `{CODE}-{Platform}-{Type}` * [ ] settings.json updated with credential details (including `onePassword` section) * [ ] Call notes created * [ ] Email sent within 2 hours: * [ ] **If all passed:** `credential-confirmation` email * [ ] **If any failed:** `credential-correction` email with fix instructions * [ ] Any pending credentials have owners + deadlines * [ ] (Optional) Client invited to 1Password vault with View access if requested **Next:** [Workshop](https://internal-docs.theentourageai.com/ai-automator/workshop)