Credentials API
REST API reference for credential and OAuth2 management
Credentials API
All credential endpoints use API key authentication.
Endpoints
GET /api/credentials
List all credentials (metadata only — secret values are never returned).
Auth: API Key | Min Role: VIEWER | MCP: credentials:use
Query: search (string), name (exact match), type (api_key | oauth2)
POST /api/credentials
Create a new credential.
Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use
Body:
{
"type": "api_key",
"name": "STRIPE_KEY",
"description": "Stripe production API key. Bearer auth.",
"value": "sk_live_...",
"metadata": { "account_id": "acct_123", "mode": "live" }
}For OAuth2:
{
"type": "oauth2",
"name": "SLACK_OAUTH",
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"authUrl": "https://slack.com/oauth/v2/authorize",
"tokenUrl": "https://slack.com/api/oauth.v2.access",
"scopes": "channels:read chat:write"
}All secret fields are optional — create an empty credential and use an invite link to let the user supply their secret later.
PATCH /api/credentials/:id
Update credential fields.
Auth: API Key | Min Role: DEVELOPER
DELETE /api/credentials/:id
Delete a credential.
Auth: API Key | Min Role: ADMIN
Response: { "success": true }
POST /api/credentials/:id/oauth/connect
Initiate an OAuth2 authorization flow.
Auth: API Key | Min Role: DEVELOPER
Response: { "authUrl": "https://..." } — redirect the user to this URL.
POST /api/credentials/:id/refresh
Refresh the OAuth2 access token.
Auth: API Key | Min Role: DEVELOPER
Response: Updated credential object with new token expiry.
Credential Apps
GET /api/credentials/apps
List all credential app templates.
Auth: API Key | Min Role: VIEWER | MCP: credentials:use
GET /api/credentials/apps/:name
Get a single credential app template.
Auth: API Key | Min Role: VIEWER | MCP: credentials:use
POST /api/credentials/apps/:name/create-credential
Create a credential from an app template. Pre-fills all non-secret OAuth2 fields.
Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use
Body: { "name": "MY_CRED", "description": "Optional" }
Response: 201 credential object
Invite Links
POST /api/credentials/invites
Generate a public invite link for a credential.
Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use
Body:
{
"credentialId": "cred_abc123",
"linkType": "api_key_fill",
"ttl": "24h"
}linkType options: api_key_fill | oauth2_fill | oauth2_authorize
ttl options: 1h | 24h | 48h (default: 24h)
Response: { id, token, linkType, expiresAt, url, credentialId, credentialName }
GET /api/credentials/invites
List all invite links. Filter by credentialId query param.
Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use
DELETE /api/credentials/invites/:id
Revoke an invite link.
Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use
Response: { "success": true }