We use OAuth so we don't store any API keystroke passwords. Well more than the ease we are trying to make this collaborative so you can add data to your team mate services easily.
Not sure what you mean by "API keystroke passwords". Almost all major APIs these days that you'd be working with for your bot use either OAUTH, generated API token strings, or bot. So you're either storing an OAUTH token or a token that isn't OAUTH but that the user treats a lot like a simple OAUTH token (it is use-case-specific, can be revoked, is identified by its purpose, etc)
Ask a non-developer to just update the configuration file with the API keys received from whatever service and you'll get a confused look as an reply in most cases.
And giving my API keys to you is much more dangerous.