HeadlessOps
API Reference

Credentials API

REST API reference for credential and OAuth2 management

Credentials API

All credential endpoints use API key authentication.

Endpoints

GET /api/credentials

List all credentials (metadata only — secret values are never returned).

Auth: API Key | Min Role: VIEWER | MCP: credentials:use

Query: search (string), name (exact match), type (api_key | oauth2)


POST /api/credentials

Create a new credential.

Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use

Body:

{
  "type": "api_key",
  "name": "STRIPE_KEY",
  "description": "Stripe production API key. Bearer auth.",
  "value": "sk_live_...",
  "metadata": { "account_id": "acct_123", "mode": "live" }
}

For OAuth2:

{
  "type": "oauth2",
  "name": "SLACK_OAUTH",
  "clientId": "your-client-id",
  "clientSecret": "your-client-secret",
  "authUrl": "https://slack.com/oauth/v2/authorize",
  "tokenUrl": "https://slack.com/api/oauth.v2.access",
  "scopes": "channels:read chat:write"
}

All secret fields are optional — create an empty credential and use an invite link to let the user supply their secret later.


PATCH /api/credentials/:id

Update credential fields.

Auth: API Key | Min Role: DEVELOPER


DELETE /api/credentials/:id

Delete a credential.

Auth: API Key | Min Role: ADMIN

Response: { "success": true }


POST /api/credentials/:id/oauth/connect

Initiate an OAuth2 authorization flow.

Auth: API Key | Min Role: DEVELOPER

Response: { "authUrl": "https://..." } — redirect the user to this URL.


POST /api/credentials/:id/refresh

Refresh the OAuth2 access token.

Auth: API Key | Min Role: DEVELOPER

Response: Updated credential object with new token expiry.


Credential Apps

GET /api/credentials/apps

List all credential app templates.

Auth: API Key | Min Role: VIEWER | MCP: credentials:use


GET /api/credentials/apps/:name

Get a single credential app template.

Auth: API Key | Min Role: VIEWER | MCP: credentials:use


POST /api/credentials/apps/:name/create-credential

Create a credential from an app template. Pre-fills all non-secret OAuth2 fields.

Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use

Body: { "name": "MY_CRED", "description": "Optional" }

Response: 201 credential object


POST /api/credentials/invites

Generate a public invite link for a credential.

Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use

Body:

{
  "credentialId": "cred_abc123",
  "linkType": "api_key_fill",
  "ttl": "24h"
}

linkType options: api_key_fill | oauth2_fill | oauth2_authorize
ttl options: 1h | 24h | 48h (default: 24h)

Response: { id, token, linkType, expiresAt, url, credentialId, credentialName }


GET /api/credentials/invites

List all invite links. Filter by credentialId query param.

Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use


DELETE /api/credentials/invites/:id

Revoke an invite link.

Auth: API Key | Min Role: DEVELOPER | MCP: credentials:use

Response: { "success": true }