Credentials
🚧 Coming Soon — This API is under active design. Endpoints return `501 Not Implemented` until released.
The Credentials API provides a secure vault for storing secrets used by integration connectors. Credentials are encrypted at rest (AES-256-GCM) and the secret value is never returned after creation — only metadata and a masked preview are accessible.
Supported Credential Types
| Type | Used for |
|---|---|
| `SSH_KEY` | SFTP servers (private key + optional passphrase) |
| `PASSWORD` | FTP/FTPS, database, and basic auth endpoints |
| `API_TOKEN` | REST API bearer tokens |
| `AWS_ACCESS_KEY` | AWS S3 and other AWS services |
| `AZURE_SAS` | Azure Blob Storage shared-access signatures |
| `GCP_SERVICE_ACCOUNT` | Google Cloud Storage and GCP APIs |
| `OAUTH2_CLIENT` | OAuth2 client credentials flow |
Security Model
- Secrets are encrypted before being written to the database
- The plain-text value is never logged or returned after the `POST /api/v1/credentials` call
- GET requests return only metadata + a masked hint (e.g. `****KEY`)
- Rotating a credential via `PUT /api/v1/credentials/{id}` preserves the ID so existing integrations continue to work
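The security model above, as an added sketch in Node.js; it is not this product's code (the API is unreleased), and every class and method name in it is hypothetical. It assumes the masked hint shows the last three characters of the secret and that the credential ID is bound to the ciphertext as GCM associated data.

```javascript
// Added illustration; every name here (CredentialVault, seal, resolve, ...) is hypothetical.
const crypto = require('crypto');

class CredentialVault {
  constructor(masterKey) {
    if (masterKey.length !== 32) throw new Error('AES-256 needs a 32-byte key');
    this.key = masterKey;
    this.rows = new Map(); // stands in for the database table
  }
  // Encrypt before anything is stored. The credential id is bound as AAD so a
  // ciphertext copied onto another row fails authentication on decrypt.
  seal(id, secret) {
    const nonce = crypto.randomBytes(12); // fresh nonce for every encryption
    const c = crypto.createCipheriv('aes-256-gcm', this.key, nonce);
    c.setAAD(Buffer.from(id));
    const ct = Buffer.concat([c.update(secret, 'utf8'), c.final()]);
    return { nonce, ct, tag: c.getAuthTag() };
  }
  // Assumption: the hint shows the last 3 characters, nothing for short secrets.
  static hint(secret) {
    return secret.length >= 12 ? '****' + secret.slice(-3) : '****';
  }
  store(type, secret) {
    const id = crypto.randomUUID();
    const row = { id, type, version: 1, hint: CredentialVault.hint(secret) };
    this.rows.set(id, Object.assign(row, this.seal(id, secret)));
    return this.get(id);
  }
  // What a GET would expose: metadata and the masked hint, never the value.
  get(id) {
    const { type, version, hint } = this.rows.get(id);
    return { id, type, version, hint };
  }
  // Rotation swaps ciphertext and hint in place; the id stays the same.
  rotate(id, secret) {
    const row = this.rows.get(id);
    const next = { version: row.version + 1, hint: CredentialVault.hint(secret) };
    Object.assign(row, next, this.seal(id, secret));
    return this.get(id);
  }
  // Internal path for a connector at run time; not reachable through the API.
  resolve(id) {
    const { nonce, ct, tag } = this.rows.get(id);
    const d = crypto.createDecipheriv('aes-256-gcm', this.key, nonce);
    d.setAAD(Buffer.from(id));
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
  }
}
```

Because each row's ciphertext is authenticated against its own ID, copying an encrypted value onto a different credential row makes `resolve` throw instead of returning another credential's secret.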
Planned Workflow
- Store a credential: `POST /api/v1/credentials` with the secret
- Note the returned `id` — this is the only reference you need
- Reference in integrations: `POST /api/v1/integrations` using `credentialId`
- Rotate as needed: `PUT /api/v1/credentials/{id}` with the new secret value
Operations
📄️ Store a credential
🚧 *Coming Soon* — Store a new credential securely.
📄️ Delete a credential
🚧 *Coming Soon* — Delete a credential. Integrations referencing it will fail until updated.
📄️ Rotate a credential
🚧 *Coming Soon* — Replace the stored credential value (rotation). Metadata is updated, references remain valid.
Schema References
- `CreateCredentialRequest` — Store/rotate payload
- `CredentialResponse` — Metadata response (value masked)
- `CredentialType` — Supported secret types