API Reference

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Zones

List zones

client.Zones.List(ctx, query) (*ZoneListResponse, error)

GET/zones

Create zone

client.Zones.New(ctx, body) (*Zone, error)

POST/zones

Get zone

client.Zones.Get(ctx, zoneID, query) (*Zone, error)

GET/zones/{zoneId}

Update zone

client.Zones.Update(ctx, zoneID, body) (*Zone, error)

PATCH/zones/{zoneId}

Delete zone

client.Zones.Delete(ctx, zoneID) error

DELETE/zones/{zoneId}

ModelsExpand Collapse

type EncryptionKeyAwsKmsConfig struct{…}

AWS KMS configuration for zone encryption. When not specified, the default Keycard Cloud encryption key will be used.

Arn string

AWS KMS Key ARN for encrypting the zone's data

minLength1

Type EncryptionKeyAwsKmsConfigType

type PageInfoPagination struct{…}

Pagination information

HasNextPage bool

Whether there are more items after the current page

HasPreviousPage bool

Whether there are items before the current page

EndCursor stringoptional

Cursor pointing to the last item in the current page

StartCursor stringoptional

Cursor pointing to the first item in the current page

type Zone struct{…}

A zone for organizing resources within an organization

ID string

Unique identifier of the zone

CreatedAt Time

Entity creation timestamp

formatdate-time

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this zone

Protocols ZoneProtocols

Protocol configuration for a zone

Oauth2 ZoneProtocolsOauth2

OAuth 2.0 protocol configuration for a zone

AuthorizationEndpoint string

OAuth 2.0 authorization endpoint

formaturi

AuthorizationServerMetadata string

OAuth 2.0 Authorization Server Metadata endpoint (.well-known/oauth-authorization-server)

formaturi

DcrEnabled bool

Whether Dynamic Client Registration is enabled

Issuer string

OAuth 2.0 issuer identifier

formaturi

JwksUri string

JSON Web Key Set endpoint

formaturi

PkceRequired bool

Whether PKCE is required for authorization code flows

RedirectUri string

OAuth 2.0 redirect URI for this zone

formaturi

RegistrationEndpoint string

OAuth 2.0 Dynamic Client Registration endpoint

formaturi

TokenEndpoint string

OAuth 2.0 token endpoint

formaturi

Openid ZoneProtocolsOpenid

OpenID Connect protocol configuration for a zone

ProviderConfiguration string

OpenID Connect Provider Configuration endpoint (.well-known/openid-configuration)

formaturi

UserinfoEndpoint string

OpenID Connect UserInfo endpoint

formaturi

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

DefaultMcpGatewayApplicationID stringoptional

Application ID configured as the default MCP Gateway for the zone

DefaultResourceID stringoptional

Resource ID configured as the default resource for the zone

Description stringoptional

Human-readable description

maxLength2048

EncryptionKey EncryptionKeyAwsKmsConfigoptional

AWS KMS configuration for zone encryption. When not specified, the default Keycard Cloud encryption key will be used.

Arn string

AWS KMS Key ARN for encrypting the zone's data

minLength1

Type EncryptionKeyAwsKmsConfigType

LoginFlow ZoneLoginFlowoptional

Login flow style for the zone. 'default' uses standard authentication, 'identifier_first' uses identifier-based provider routing.

Accepts one of the following:

const ZoneLoginFlowDefault ZoneLoginFlow = "default"

const ZoneLoginFlowIdentifierFirst ZoneLoginFlow = "identifier_first"

Permissions map[string, map[string, bool]]optional

Permissions granted to the authenticated principal. Only populated when expand[]=permissions query parameter is provided. Keys are resource types, values are objects mapping action names to boolean values.

RequiresInvitation booloptional

Whether the zone requires an invitation for email/password registration, only applies when user_identity_provider_id is not set

UserIdentityProviderID stringoptional

Provider ID configured for user login

ZonesApplications

List applications

client.Zones.Applications.List(ctx, zoneID, query) (*ZoneApplicationListResponse, error)

GET/zones/{zoneId}/applications

Create application

client.Zones.Applications.New(ctx, zoneID, body) (*Application, error)

POST/zones/{zoneId}/applications

Get application

client.Zones.Applications.Get(ctx, id, query) (*Application, error)

GET/zones/{zoneId}/applications/{id}

Update application

client.Zones.Applications.Update(ctx, id, params) (*Application, error)

PATCH/zones/{zoneId}/applications/{id}

Delete application

client.Zones.Applications.Delete(ctx, id, body) error

DELETE/zones/{zoneId}/applications/{id}

List application credentials

client.Zones.Applications.ListCredentials(ctx, id, params) (*ZoneApplicationListCredentialsResponse, error)

GET/zones/{zoneId}/applications/{id}/application-credentials

List application resources

client.Zones.Applications.ListResources(ctx, id, params) (*ZoneApplicationListResourcesResponse, error)

GET/zones/{zoneId}/applications/{id}/resources

ModelsExpand Collapse

type Application struct{…}

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

ID string

Unique identifier of the application

CreatedAt Time

Entity creation timestamp

formatdate-time

DependenciesCount int64

Number of resource dependencies

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this application

OwnerType ApplicationOwnerType

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:

const ApplicationOwnerTypePlatform ApplicationOwnerType = "platform"

const ApplicationOwnerTypeCustomer ApplicationOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this application belongs to

Description stringoptional

Human-readable description

maxLength2048

Metadata Metadataoptional

Entity metadata

DocsURL stringoptional

Documentation URL

formaturi

maxLength2048

Protocols ApplicationProtocolsoptional

Protocol-specific configuration

Oauth2 ApplicationProtocolsOauth2optional

OAuth 2.0 protocol configuration

PostLogoutRedirectUris []stringoptional

OAuth 2.0 post-logout redirect URIs for this application

RedirectUris []stringoptional

OAuth 2.0 redirect URIs for this application

type ApplicationTrait string

Traits ascribe behaviors and characteristics to an application, which may activate trait-specific user experiences, workflows, or other system behaviors

Accepts one of the following:

const ApplicationTraitGateway ApplicationTrait = "gateway"

const ApplicationTraitMcpProvider ApplicationTrait = "mcp-provider"

type Metadata struct{…}

Entity metadata

DocsURL stringoptional

Documentation URL

formaturi

maxLength2048

type MetadataUpdate struct{…}

Entity metadata (set to null or {} to remove metadata)

DocsURL stringoptional

Documentation URL (set to null to unset)

formaturi

maxLength2048

ZonesApplicationsDependencies

List application dependencies

client.Zones.Applications.Dependencies.List(ctx, id, params) (*ZoneApplicationDependencyListResponse, error)

GET/zones/{zoneId}/applications/{id}/dependencies

Add application dependency

client.Zones.Applications.Dependencies.Add(ctx, dependencyID, params) error

PUT/zones/{zoneId}/applications/{id}/dependencies/{dependencyId}

Remove application dependency

client.Zones.Applications.Dependencies.Remove(ctx, dependencyID, body) error

DELETE/zones/{zoneId}/applications/{id}/dependencies/{dependencyId}

Get application dependency

client.Zones.Applications.Dependencies.Get(ctx, dependencyID, query) (*Resource, error)

GET/zones/{zoneId}/applications/{id}/dependencies/{dependencyId}

ModelsExpand Collapse

type Resource struct{…}

A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

ID string

Unique identifier of the resource

ApplicationType ResourceApplicationType

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:

const ResourceApplicationTypeNative ResourceApplicationType = "native"

const ResourceApplicationTypeWeb ResourceApplicationType = "web"

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this resource

OwnerType ResourceOwnerType

Who owns this resource. Platform-owned resources cannot be modified via API.

Accepts one of the following:

const ResourceOwnerTypePlatform ResourceOwnerType = "platform"

const ResourceOwnerTypeCustomer ResourceOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this resource belongs to

DeprecatedApplication Applicationoptional

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

ID string

Unique identifier of the application

CreatedAt Time

Entity creation timestamp

formatdate-time

DependenciesCount int64

Number of resource dependencies

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this application

OwnerType ApplicationOwnerType

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:

const ApplicationOwnerTypePlatform ApplicationOwnerType = "platform"

const ApplicationOwnerTypeCustomer ApplicationOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this application belongs to

Description stringoptional

Human-readable description

maxLength2048

Metadata Metadataoptional

Entity metadata

DocsURL stringoptional

Documentation URL

formaturi

maxLength2048

Protocols ApplicationProtocolsoptional

Protocol-specific configuration

Oauth2 ApplicationProtocolsOauth2optional

OAuth 2.0 protocol configuration

PostLogoutRedirectUris []stringoptional

OAuth 2.0 post-logout redirect URIs for this application

RedirectUris []stringoptional

OAuth 2.0 redirect URIs for this application

ApplicationID stringoptional

ID of the application that provides this resource

DeprecatedCredentialProvider Provideroptional

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

ID string

Unique identifier of the provider

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this provider

OwnerType ProviderOwnerType

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:

const ProviderOwnerTypePlatform ProviderOwnerType = "platform"

const ProviderOwnerTypeCustomer ProviderOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this provider belongs to

ClientID stringoptional

OAuth 2.0 client identifier

ClientSecretSet booloptional

Indicates whether a client secret is configured

Description stringoptional

Human-readable description

maxLength2048

Metadata anyoptional

Provider metadata

Protocols ProviderProtocolsoptional

Protocol-specific configuration

Oauth2 ProviderProtocolsOauth2optional

OAuth 2.0 protocol configuration

Issuer string

OIDC issuer URL used for discovery and token validation.

formaturi

AuthorizationEndpoint stringoptional

formaturi

AuthorizationParameters map[string, string]optional

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

AuthorizationResourceEnabled booloptional

Whether to include the resource parameter in authorization requests.

AuthorizationResourceParameter stringoptional

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

CodeChallengeMethodsSupported []stringoptional

JwksUri stringoptional

formaturi

RegistrationEndpoint stringoptional

formaturi

ScopeParameter stringoptional

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

ScopeSeparator stringoptional

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

ScopesSupported []stringoptional

TokenEndpoint stringoptional

formaturi

TokenResponseAccessTokenPointer stringoptional

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

Openid ProviderProtocolsOpenidoptional

OpenID Connect protocol configuration

UserinfoEndpoint stringoptional

formaturi

Type ProviderTypeoptional

Accepts one of the following:

const ProviderTypeExternal ProviderType = "external"

const ProviderTypeKeycardVault ProviderType = "keycard-vault"

const ProviderTypeKeycardSts ProviderType = "keycard-sts"

CredentialProviderID stringoptional

ID of the credential provider for this resource

Description stringoptional

Human-readable description

maxLength2048

Metadata Metadataoptional

Entity metadata

DocsURL stringoptional

Documentation URL

formaturi

maxLength2048

Scopes []stringoptional

Scopes supported by the resource

WhenAccessing []stringoptional

List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

ZonesApplication Credentials

List application credentials

client.Zones.ApplicationCredentials.List(ctx, zoneID, query) (*ZoneApplicationCredentialListResponse, error)

GET/zones/{zoneId}/application-credentials

Create application credential

client.Zones.ApplicationCredentials.New(ctx, zoneID, body) (*ZoneApplicationCredentialNewResponseUnion, error)

POST/zones/{zoneId}/application-credentials

Get application credential

client.Zones.ApplicationCredentials.Get(ctx, id, query) (*CredentialUnion, error)

GET/zones/{zoneId}/application-credentials/{id}

Update application credential

client.Zones.ApplicationCredentials.Update(ctx, id, params) (*CredentialUnion, error)

PATCH/zones/{zoneId}/application-credentials/{id}

Delete application credential

client.Zones.ApplicationCredentials.Delete(ctx, id, body) error

DELETE/zones/{zoneId}/application-credentials/{id}

ModelsExpand Collapse

type BaseFields struct{…}

Common fields shared by all application credential types

ID string

Unique identifier of the credential

ApplicationID string

ID of the application this credential belongs to

CreatedAt Time

Entity creation timestamp

formatdate-time

OrganizationID string

Organization that owns this credential

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this credential belongs to

DeprecatedApplication Applicationoptional

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

ID string

Unique identifier of the application

CreatedAt Time

Entity creation timestamp

formatdate-time

DependenciesCount int64

Number of resource dependencies

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this application

OwnerType ApplicationOwnerType

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:

const ApplicationOwnerTypePlatform ApplicationOwnerType = "platform"

const ApplicationOwnerTypeCustomer ApplicationOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this application belongs to

Description stringoptional

Human-readable description

maxLength2048

Metadata Metadataoptional

Entity metadata

DocsURL stringoptional

Documentation URL

formaturi

maxLength2048

Protocols ApplicationProtocolsoptional

Protocol-specific configuration

Oauth2 ApplicationProtocolsOauth2optional

OAuth 2.0 protocol configuration

PostLogoutRedirectUris []stringoptional

OAuth 2.0 post-logout redirect URIs for this application

RedirectUris []stringoptional

OAuth 2.0 redirect URIs for this application

type CredentialUnion interface{…}

Credentials for accessing external services from applications

Accepts one of the following:

type Token struct{…}

Token-based application credential

Identifier string

Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

ProviderID string

ID of the provider issuing tokens verified by this credential

Type string

DeprecatedProvider Provideroptional

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

ID string

Unique identifier of the provider

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this provider

OwnerType ProviderOwnerType

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:

const ProviderOwnerTypePlatform ProviderOwnerType = "platform"

const ProviderOwnerTypeCustomer ProviderOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this provider belongs to

ClientID stringoptional

OAuth 2.0 client identifier

ClientSecretSet booloptional

Indicates whether a client secret is configured

Description stringoptional

Human-readable description

maxLength2048

Metadata anyoptional

Provider metadata

Protocols ProviderProtocolsoptional

Protocol-specific configuration

Oauth2 ProviderProtocolsOauth2optional

OAuth 2.0 protocol configuration

Issuer string

OIDC issuer URL used for discovery and token validation.

formaturi

AuthorizationEndpoint stringoptional

formaturi

AuthorizationParameters map[string, string]optional

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

AuthorizationResourceEnabled booloptional

Whether to include the resource parameter in authorization requests.

AuthorizationResourceParameter stringoptional

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

CodeChallengeMethodsSupported []stringoptional

JwksUri stringoptional

formaturi

RegistrationEndpoint stringoptional

formaturi

ScopeParameter stringoptional

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

ScopeSeparator stringoptional

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

ScopesSupported []stringoptional

TokenEndpoint stringoptional

formaturi

TokenResponseAccessTokenPointer stringoptional

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

Openid ProviderProtocolsOpenidoptional

OpenID Connect protocol configuration

UserinfoEndpoint stringoptional

formaturi

Type ProviderTypeoptional

Accepts one of the following:

const ProviderTypeExternal ProviderType = "external"

const ProviderTypeKeycardVault ProviderType = "keycard-vault"

const ProviderTypeKeycardSts ProviderType = "keycard-sts"

Subject stringoptional

Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

type Password struct{…}

Password-based application credential

Identifier string

Username for password credential, also used as OAuth 2.0 client ID

Type string

Password stringoptional

Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

type PublicKey struct{…}

Public key-based application credential

Identifier string

Client ID for public key credential, also used as OAuth 2.0 client ID

JwksUri string

JWKS URI to retrieve public keys from

formaturi

Type string

type URL struct{…}

URL-based application credential

Identifier string

URL of the credential (must be a valid URL)

formaturi

Type string

type Public struct{…}

Public credential (no secret storage)

Identifier string

Identifier for public credential, also used as OAuth 2.0 client ID

Type string

type Password struct{…}

Password-based application credential

Identifier string

Username for password credential, also used as OAuth 2.0 client ID

Type string

Password stringoptional

Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

type Public struct{…}

Public credential (no secret storage)

Identifier string

Identifier for public credential, also used as OAuth 2.0 client ID

Type string

type PublicKey struct{…}

Public key-based application credential

Identifier string

Client ID for public key credential, also used as OAuth 2.0 client ID

JwksUri string

JWKS URI to retrieve public keys from

formaturi

Type string

type Token struct{…}

Token-based application credential

Identifier string

Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

ProviderID string

ID of the provider issuing tokens verified by this credential

Type string

DeprecatedProvider Provideroptional

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

ID string

Unique identifier of the provider

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this provider

OwnerType ProviderOwnerType

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:

const ProviderOwnerTypePlatform ProviderOwnerType = "platform"

const ProviderOwnerTypeCustomer ProviderOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this provider belongs to

ClientID stringoptional

OAuth 2.0 client identifier

ClientSecretSet booloptional

Indicates whether a client secret is configured

Description stringoptional

Human-readable description

maxLength2048

Metadata anyoptional

Provider metadata

Protocols ProviderProtocolsoptional

Protocol-specific configuration

Oauth2 ProviderProtocolsOauth2optional

OAuth 2.0 protocol configuration

Issuer string

OIDC issuer URL used for discovery and token validation.

formaturi

AuthorizationEndpoint stringoptional

formaturi

AuthorizationParameters map[string, string]optional

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

AuthorizationResourceEnabled booloptional

Whether to include the resource parameter in authorization requests.

AuthorizationResourceParameter stringoptional

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

CodeChallengeMethodsSupported []stringoptional

JwksUri stringoptional

formaturi

RegistrationEndpoint stringoptional

formaturi

ScopeParameter stringoptional

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

ScopeSeparator stringoptional

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

ScopesSupported []stringoptional

TokenEndpoint stringoptional

formaturi

TokenResponseAccessTokenPointer stringoptional

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

Openid ProviderProtocolsOpenidoptional

OpenID Connect protocol configuration

UserinfoEndpoint stringoptional

formaturi

Type ProviderTypeoptional

Accepts one of the following:

const ProviderTypeExternal ProviderType = "external"

const ProviderTypeKeycardVault ProviderType = "keycard-vault"

const ProviderTypeKeycardSts ProviderType = "keycard-sts"

Subject stringoptional

Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

type URL struct{…}

URL-based application credential

Identifier string

URL of the credential (must be a valid URL)

formaturi

Type string

ZonesDelegated Grants

List delegated grants

client.Zones.DelegatedGrants.List(ctx, zoneID, query) (*ZoneDelegatedGrantListResponse, error)

GET/zones/{zoneId}/delegated-grants

Get delegated grant

client.Zones.DelegatedGrants.Get(ctx, id, query) (*Grant, error)

GET/zones/{zoneId}/delegated-grants/{id}

Update delegated grant

client.Zones.DelegatedGrants.Update(ctx, id, params) (*Grant, error)

PATCH/zones/{zoneId}/delegated-grants/{id}

Delete delegated grant

client.Zones.DelegatedGrants.Delete(ctx, id, body) error

DELETE/zones/{zoneId}/delegated-grants/{id}

ModelsExpand Collapse

type Grant struct{…}

User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.

ID string

Unique identifier of the delegated grant

CreatedAt Time

Entity creation timestamp

formatdate-time

ExpiresAt Time

Date when grant expires

formatdate-time

OrganizationID string

Organization that owns this grant

ProviderID string

ID of the provider that issued this grant

RefreshTokenSet bool

Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.

ResourceID string

ID of resource receiving grant

Scopes []string

Granted OAuth scopes

Status GrantStatus

Accepts one of the following:

const GrantStatusActive GrantStatus = "active"

const GrantStatusExpired GrantStatus = "expired"

const GrantStatusRevoked GrantStatus = "revoked"

UpdatedAt Time

Entity update timestamp

formatdate-time

UserID string

Reference to the user granting permission

ZoneID string

Zone this grant belongs to

DeprecatedActive booloptional

Whether the grant is currently active (deprecated - use status instead)

DeprecatedProvider Provideroptional

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

ID string

Unique identifier of the provider

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this provider

OwnerType ProviderOwnerType

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:

const ProviderOwnerTypePlatform ProviderOwnerType = "platform"

const ProviderOwnerTypeCustomer ProviderOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this provider belongs to

ClientID stringoptional

OAuth 2.0 client identifier

ClientSecretSet booloptional

Indicates whether a client secret is configured

Description stringoptional

Human-readable description

maxLength2048

Metadata anyoptional

Provider metadata

Protocols ProviderProtocolsoptional

Protocol-specific configuration

Oauth2 ProviderProtocolsOauth2optional

OAuth 2.0 protocol configuration

Issuer string

OIDC issuer URL used for discovery and token validation.

formaturi

AuthorizationEndpoint stringoptional

formaturi

AuthorizationParameters map[string, string]optional

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

AuthorizationResourceEnabled booloptional

Whether to include the resource parameter in authorization requests.

AuthorizationResourceParameter stringoptional

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

CodeChallengeMethodsSupported []stringoptional

JwksUri stringoptional

formaturi

RegistrationEndpoint stringoptional

formaturi

ScopeParameter stringoptional

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

ScopeSeparator stringoptional

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

ScopesSupported []stringoptional

TokenEndpoint stringoptional

formaturi

TokenResponseAccessTokenPointer stringoptional

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

Openid ProviderProtocolsOpenidoptional

OpenID Connect protocol configuration

UserinfoEndpoint stringoptional

formaturi

Type ProviderTypeoptional

Accepts one of the following:

const ProviderTypeExternal ProviderType = "external"

const ProviderTypeKeycardVault ProviderType = "keycard-vault"

const ProviderTypeKeycardSts ProviderType = "keycard-sts"

RefreshedAt Timeoptional

Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.

formatdate-time

DeprecatedResource Resourceoptional

A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

ID string

Unique identifier of the resource

ApplicationType ResourceApplicationType

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:

const ResourceApplicationTypeNative ResourceApplicationType = "native"

const ResourceApplicationTypeWeb ResourceApplicationType = "web"

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this resource

OwnerType ResourceOwnerType

Who owns this resource. Platform-owned resources cannot be modified via API.

Accepts one of the following:

const ResourceOwnerTypePlatform ResourceOwnerType = "platform"

const ResourceOwnerTypeCustomer ResourceOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this resource belongs to

DeprecatedApplication Applicationoptional

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

ID string

Unique identifier of the application

CreatedAt Time

Entity creation timestamp

formatdate-time

DependenciesCount int64

Number of resource dependencies

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this application

OwnerType ApplicationOwnerType

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:

const ApplicationOwnerTypePlatform ApplicationOwnerType = "platform"

const ApplicationOwnerTypeCustomer ApplicationOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this application belongs to

Description stringoptional

Human-readable description

maxLength2048

Metadata Metadataoptional

Entity metadata

DocsURL stringoptional

Documentation URL

formaturi

maxLength2048

Protocols ApplicationProtocolsoptional

Protocol-specific configuration

Oauth2 ApplicationProtocolsOauth2optional

OAuth 2.0 protocol configuration

PostLogoutRedirectUris []stringoptional

OAuth 2.0 post-logout redirect URIs for this application

RedirectUris []stringoptional

OAuth 2.0 redirect URIs for this application

ApplicationID stringoptional

ID of the application that provides this resource

DeprecatedCredentialProvider Provideroptional

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

ID string

Unique identifier of the provider

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this provider

OwnerType ProviderOwnerType

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:

const ProviderOwnerTypePlatform ProviderOwnerType = "platform"

const ProviderOwnerTypeCustomer ProviderOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this provider belongs to

ClientID stringoptional

OAuth 2.0 client identifier

ClientSecretSet booloptional

Indicates whether a client secret is configured

Description stringoptional

Human-readable description

maxLength2048

Metadata anyoptional

Provider metadata

Protocols ProviderProtocolsoptional

Protocol-specific configuration

Oauth2 ProviderProtocolsOauth2optional

OAuth 2.0 protocol configuration

Issuer string

OIDC issuer URL used for discovery and token validation.

formaturi

AuthorizationEndpoint stringoptional

formaturi

AuthorizationParameters map[string, string]optional

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

AuthorizationResourceEnabled booloptional

Whether to include the resource parameter in authorization requests.

AuthorizationResourceParameter stringoptional

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

CodeChallengeMethodsSupported []stringoptional

JwksUri stringoptional

formaturi

RegistrationEndpoint stringoptional

formaturi

ScopeParameter stringoptional

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

ScopeSeparator stringoptional

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

ScopesSupported []stringoptional

TokenEndpoint stringoptional

formaturi

TokenResponseAccessTokenPointer stringoptional

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

Openid ProviderProtocolsOpenidoptional

OpenID Connect protocol configuration

UserinfoEndpoint stringoptional

formaturi

Type ProviderTypeoptional

Accepts one of the following:

const ProviderTypeExternal ProviderType = "external"

const ProviderTypeKeycardVault ProviderType = "keycard-vault"

const ProviderTypeKeycardSts ProviderType = "keycard-sts"

CredentialProviderID stringoptional

ID of the credential provider for this resource

Description stringoptional

Human-readable description

maxLength2048

Metadata Metadataoptional

Entity metadata

DocsURL stringoptional

Documentation URL

formaturi

maxLength2048

Scopes []stringoptional

Scopes supported by the resource

WhenAccessing []stringoptional

List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

DeprecatedUser Useroptional

An authenticated user entity

ID string

Unique identifier of the user

CreatedAt Time

Entity creation timestamp

formatdate-time

Email string

Email address of the user

formatemail

EmailVerified bool

Whether the email address has been verified

OrganizationID string

Organization that owns this user

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this user belongs to

AuthenticatedAt stringoptional

Date when the user was last authenticated

Issuer stringoptional

Issuer identifier of the identity provider

ProviderID stringoptional

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

Subject stringoptional

Subject identifier from the identity provider

ZonesProviders

List providers

client.Zones.Providers.List(ctx, zoneID, query) (*ZoneProviderListResponse, error)

GET/zones/{zoneId}/providers

Create provider

client.Zones.Providers.New(ctx, zoneID, body) (*Provider, error)

POST/zones/{zoneId}/providers

Get provider

client.Zones.Providers.Get(ctx, id, query) (*Provider, error)

GET/zones/{zoneId}/providers/{id}

Update provider

client.Zones.Providers.Update(ctx, id, params) (*Provider, error)

PATCH/zones/{zoneId}/providers/{id}

Delete provider

client.Zones.Providers.Delete(ctx, id, body) error

DELETE/zones/{zoneId}/providers/{id}

ModelsExpand Collapse

type Provider struct{…}

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

ID string

Unique identifier of the provider

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this provider

OwnerType ProviderOwnerType

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:

const ProviderOwnerTypePlatform ProviderOwnerType = "platform"

const ProviderOwnerTypeCustomer ProviderOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this provider belongs to

ClientID stringoptional

OAuth 2.0 client identifier

ClientSecretSet booloptional

Indicates whether a client secret is configured

Description stringoptional

Human-readable description

maxLength2048

Metadata anyoptional

Provider metadata

Protocols ProviderProtocolsoptional

Protocol-specific configuration

Oauth2 ProviderProtocolsOauth2optional

OAuth 2.0 protocol configuration

Issuer string

OIDC issuer URL used for discovery and token validation.

formaturi

AuthorizationEndpoint stringoptional

formaturi

AuthorizationParameters map[string, string]optional

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

AuthorizationResourceEnabled booloptional

Whether to include the resource parameter in authorization requests.

AuthorizationResourceParameter stringoptional

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

CodeChallengeMethodsSupported []stringoptional

JwksUri stringoptional

formaturi

RegistrationEndpoint stringoptional

formaturi

ScopeParameter stringoptional

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

ScopeSeparator stringoptional

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

ScopesSupported []stringoptional

TokenEndpoint stringoptional

formaturi

TokenResponseAccessTokenPointer stringoptional

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

Openid ProviderProtocolsOpenidoptional

OpenID Connect protocol configuration

UserinfoEndpoint stringoptional

formaturi

Type ProviderTypeoptional

Accepts one of the following:

const ProviderTypeExternal ProviderType = "external"

const ProviderTypeKeycardVault ProviderType = "keycard-vault"

const ProviderTypeKeycardSts ProviderType = "keycard-sts"

ZonesResources

List resources

client.Zones.Resources.List(ctx, zoneID, query) (*ZoneResourceListResponse, error)

GET/zones/{zoneId}/resources

Create resource

client.Zones.Resources.New(ctx, zoneID, body) (*Resource, error)

POST/zones/{zoneId}/resources

Get resource

client.Zones.Resources.Get(ctx, id, query) (*Resource, error)

GET/zones/{zoneId}/resources/{id}

Update resource

client.Zones.Resources.Update(ctx, id, params) (*Resource, error)

PATCH/zones/{zoneId}/resources/{id}

Delete resource

client.Zones.Resources.Delete(ctx, id, body) error

DELETE/zones/{zoneId}/resources/{id}

ZonesSessions

List sessions

client.Zones.Sessions.List(ctx, zoneID, query) (*ZoneSessionListResponse, error)

GET/zones/{zoneId}/sessions

Get session

client.Zones.Sessions.Get(ctx, id, query) (*SessionUnion, error)

GET/zones/{zoneId}/sessions/{id}

Update session

client.Zones.Sessions.Update(ctx, id, params) (*SessionUnion, error)

PATCH/zones/{zoneId}/sessions/{id}

Delete session

client.Zones.Sessions.Delete(ctx, id, body) error

DELETE/zones/{zoneId}/sessions/{id}

ModelsExpand Collapse

type SessionUnion interface{…}

An authenticated identity session. Sessions can be user sessions (representing end-user authentication) or application sessions (representing service-to-service authentication). User sessions support hierarchical relationships via parent_id, while application sessions are always standalone.

Accepts one of the following:

type SessionUserSessionType struct{…}

User session type-specific fields

SessionType string

UserID string

User ID

ID stringoptional

Session ID

DeprecatedActive booloptional

Whether the session is currently active (deprecated - use status instead)

DeprecatedApplication Applicationoptional

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

ID string

Unique identifier of the application

CreatedAt Time

Entity creation timestamp

formatdate-time

DependenciesCount int64

Number of resource dependencies

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this application

OwnerType ApplicationOwnerType

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:

const ApplicationOwnerTypePlatform ApplicationOwnerType = "platform"

const ApplicationOwnerTypeCustomer ApplicationOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this application belongs to

Description stringoptional

Human-readable description

maxLength2048

Metadata Metadataoptional

Entity metadata

DocsURL stringoptional

Documentation URL

formaturi

maxLength2048

Protocols ApplicationProtocolsoptional

Protocol-specific configuration

Oauth2 ApplicationProtocolsOauth2optional

OAuth 2.0 protocol configuration

PostLogoutRedirectUris []stringoptional

OAuth 2.0 post-logout redirect URIs for this application

RedirectUris []stringoptional

OAuth 2.0 redirect URIs for this application

ApplicationID stringoptional

Application ID that initiated this session

AuthenticatedAt Timeoptional

Date when the session was authenticated

formatdate-time

CreatedAt Timeoptional

Entity creation timestamp

formatdate-time

ExpiresAt Timeoptional

Date when session expires

formatdate-time

Issuer stringoptional

Issuer URL from IdP

formaturi

Metadata SessionUserSessionTypeMetadataoptional

Session metadata

Name string

Name of the initiating application or user agent

OrganizationID stringoptional

Organization that owns this session

ParentID stringoptional

Parent session ID for hierarchical sessions (user sessions only). When null, this is a web session - a top-level session initiated directly by a user. When set, this is a child session derived from the parent, used for token refresh or delegation. Application sessions cannot have parents.

ProviderID stringoptional

Provider ID

SessionData map[string, any]optional

Session claims data (ID token claims for users, application claims for applications)

Status stringoptional

Accepts one of the following:

const SessionUserSessionTypeStatusActive SessionUserSessionTypeStatus = "active"

const SessionUserSessionTypeStatusExpired SessionUserSessionTypeStatus = "expired"

const SessionUserSessionTypeStatusRevoked SessionUserSessionTypeStatus = "revoked"

Subject stringoptional

Subject claim from IdP

UpdatedAt Timeoptional

Entity update timestamp

formatdate-time

DeprecatedUser Useroptional

An authenticated user entity

ID string

Unique identifier of the user

CreatedAt Time

Entity creation timestamp

formatdate-time

Email string

Email address of the user

formatemail

EmailVerified bool

Whether the email address has been verified

OrganizationID string

Organization that owns this user

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this user belongs to

AuthenticatedAt stringoptional

Date when the user was last authenticated

Issuer stringoptional

Issuer identifier of the identity provider

ProviderID stringoptional

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

Subject stringoptional

Subject identifier from the identity provider

DeprecatedUserAgent UserAgentoptional

A User Agent represents a user agent (browser, desktop app, CLI tool) that can initiate user sessions via OAuth 2.0 Dynamic Client Registration.

ID string

Unique identifier of the user agent

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User agent identifier (serves as OAuth client_id). Format: ua:{sha256_hash}

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this user agent

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this user agent belongs to

UserAgentID stringoptional

User agent ID (browser/client) that initiated this session

ZoneID stringoptional

Zone this session belongs to

type SessionApplicationSessionType struct{…}

Application session type-specific fields

ApplicationID string

Application ID that initiated this session

Issuer string

Issuer URL from IdP

formaturi

ProviderID string

Provider ID

SessionType string

Subject string

Subject claim from IdP

ID stringoptional

Session ID

DeprecatedActive booloptional

Whether the session is currently active (deprecated - use status instead)

DeprecatedApplication Applicationoptional

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

ID string

Unique identifier of the application

CreatedAt Time

Entity creation timestamp

formatdate-time

DependenciesCount int64

Number of resource dependencies

Identifier string

User specified identifier, unique within the zone

minLength1

maxLength2048

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this application

OwnerType ApplicationOwnerType

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:

const ApplicationOwnerTypePlatform ApplicationOwnerType = "platform"

const ApplicationOwnerTypeCustomer ApplicationOwnerType = "customer"

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this application belongs to

Description stringoptional

Human-readable description

maxLength2048

Metadata Metadataoptional

Entity metadata

DocsURL stringoptional

Documentation URL

formaturi

maxLength2048

Protocols ApplicationProtocolsoptional

Protocol-specific configuration

Oauth2 ApplicationProtocolsOauth2optional

OAuth 2.0 protocol configuration

PostLogoutRedirectUris []stringoptional

OAuth 2.0 post-logout redirect URIs for this application

RedirectUris []stringoptional

OAuth 2.0 redirect URIs for this application

AuthenticatedAt Timeoptional

Date when the session was authenticated

formatdate-time

CreatedAt Timeoptional

Entity creation timestamp

formatdate-time

ExpiresAt Timeoptional

Date when session expires

formatdate-time

Metadata SessionApplicationSessionTypeMetadataoptional

Session metadata

Name string

Name of the initiating application or user agent

OrganizationID stringoptional

Organization that owns this session

SessionData map[string, any]optional

Session claims data (ID token claims for users, application claims for applications)

Status stringoptional

Accepts one of the following:

const SessionApplicationSessionTypeStatusActive SessionApplicationSessionTypeStatus = "active"

const SessionApplicationSessionTypeStatusExpired SessionApplicationSessionTypeStatus = "expired"

const SessionApplicationSessionTypeStatusRevoked SessionApplicationSessionTypeStatus = "revoked"

UpdatedAt Timeoptional

Entity update timestamp

formatdate-time

ZoneID stringoptional

Zone this session belongs to

ZonesUser Agents

List user agents

client.Zones.UserAgents.List(ctx, zoneID, query) (*ZoneUserAgentListResponse, error)

GET/zones/{zoneId}/user-agents

Get user agent

client.Zones.UserAgents.Get(ctx, id, query) (*UserAgent, error)

GET/zones/{zoneId}/user-agents/{id}

ModelsExpand Collapse

type UserAgent struct{…}

A User Agent represents a user agent (browser, desktop app, CLI tool) that can initiate user sessions via OAuth 2.0 Dynamic Client Registration.

ID string

Unique identifier of the user agent

CreatedAt Time

Entity creation timestamp

formatdate-time

Identifier string

User agent identifier (serves as OAuth client_id). Format: ua:{sha256_hash}

Name string

Human-readable name

minLength1

maxLength255

OrganizationID string

Organization that owns this user agent

Slug string

URL-safe identifier, unique within the zone

minLength1

maxLength63

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this user agent belongs to

ZonesUsers

List users

client.Zones.Users.List(ctx, zoneID, query) (*ZoneUserListResponse, error)

GET/zones/{zoneId}/users

Get user

client.Zones.Users.Get(ctx, id, query) (*User, error)

GET/zones/{zoneId}/users/{id}

ModelsExpand Collapse

type User struct{…}

An authenticated user entity

ID string

Unique identifier of the user

CreatedAt Time

Entity creation timestamp

formatdate-time

Email string

Email address of the user

formatemail

EmailVerified bool

Whether the email address has been verified

OrganizationID string

Organization that owns this user

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone this user belongs to

AuthenticatedAt stringoptional

Date when the user was last authenticated

Issuer stringoptional

Issuer identifier of the identity provider

ProviderID stringoptional

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

Subject stringoptional

Subject identifier from the identity provider

ZonesMembers

Add organization user to zone

client.Zones.Members.Add(ctx, zoneID, body) (*ZoneMember, error)

POST/zones/{zoneId}/members

List organization users in a zone

client.Zones.Members.List(ctx, zoneID, query) (*ZoneMemberListResponse, error)

GET/zones/{zoneId}/members

Get organization user in a zone

client.Zones.Members.Get(ctx, organizationUserID, query) (*ZoneMember, error)

GET/zones/{zoneId}/members/{organizationUserId}

Update organization user role in a zone

client.Zones.Members.Update(ctx, organizationUserID, params) (*ZoneMember, error)

PATCH/zones/{zoneId}/members/{organizationUserId}

Remove member from zone

client.Zones.Members.Delete(ctx, organizationUserID, body) error

DELETE/zones/{zoneId}/members/{organizationUserId}

ModelsExpand Collapse

type ZoneMember struct{…}

Represents an organization user's membership in a zone with an assigned role

ID string

Unique identifier of the zone member

Links ZoneMember_Links

HAL-format hypermedia links for zone member resources

OrganizationUser ZoneMember_LinksOrganizationUser

Href string

Link to the user resource

formaturi-reference

Self ZoneMember_LinksSelf

Href string

Link to this zone member resource

formaturi-reference

CreatedAt Time

Entity creation timestamp

formatdate-time

OrganizationID string

Organization ID that owns the zone

OrganizationUserID string

Organization user ID of the zone member

Role ZoneRole

Zone role type. zone_manager has full management access, zone_viewer has read-only access.

Accepts one of the following:

const ZoneRoleZoneManager ZoneRole = "zone_manager"

const ZoneRoleZoneViewer ZoneRole = "zone_viewer"

UpdatedAt Time

Entity update timestamp

formatdate-time

ZoneID string

Zone ID the organization user is a member of

type ZoneRole string

Zone role type. zone_manager has full management access, zone_viewer has read-only access.

Accepts one of the following:

const ZoneRoleZoneManager ZoneRole = "zone_manager"

const ZoneRoleZoneViewer ZoneRole = "zone_viewer"

ZonesSecrets

Create

client.Zones.Secrets.New(ctx, zoneID, params) (*Secret, error)

POST/zones/{zone_id}/secrets

List

client.Zones.Secrets.List(ctx, zoneID, params) (*[]Secret, error)

GET/zones/{zone_id}/secrets

Delete

client.Zones.Secrets.Delete(ctx, id, params) error

DELETE/zones/{zone_id}/secrets/{id}

Update

client.Zones.Secrets.Update(ctx, id, params) (*Secret, error)

PATCH/zones/{zone_id}/secrets/{id}

Retrieve

client.Zones.Secrets.Get(ctx, id, params) (*ZoneSecretGetResponse, error)

GET/zones/{zone_id}/secrets/{id}

ModelsExpand Collapse

type Secret struct{…}

ID string

A globally unique opaque identifier

minLength1

CreatedAt Time

formatdate-time

EntityID string

A globally unique opaque identifier

minLength1

Name string

A name for the entity to be displayed in UI

Type SecretType

Accepts one of the following:

const SecretTypeToken SecretType = "token"

const SecretTypePassword SecretType = "password"

UpdatedAt Time

formatdate-time

Version int64

minimum1

ZoneID string

A globally unique opaque identifier

minLength1

Description stringoptional

A description of the entity

maxLength128

Metadata anyoptional

A JSON object containing arbitrary metadata. Metadata will not be encrypted.

type SecretPasswordFields struct{…}

Password string

Type SecretPasswordFieldsType

Username string

type SecretTokenFields struct{…}

Token string

Type SecretTokenFieldsType

ZonesPolicy Schemas

List policy schemas

client.Zones.PolicySchemas.List(ctx, zoneID, params) (*ZonePolicySchemaListResponse, error)

GET/zones/{zone_id}/policy-schemas

Get a policy schema by version

client.Zones.PolicySchemas.Get(ctx, version, params) (*SchemaVersionWithZoneInfo, error)

GET/zones/{zone_id}/policy-schemas/{version}

Set the default policy schema for a zone

client.Zones.PolicySchemas.SetDefault(ctx, version, params) (*SchemaVersionWithZoneInfo, error)

PATCH/zones/{zone_id}/policy-schemas/{version}

ModelsExpand Collapse

type SchemaVersion struct{…}

A versioned Cedar schema that defines the entity model, actions, and context shape used for policy evaluation. The schema contains the valid entity types (User, Application, Resource), their attributes, and the allowed attribute values. See the Credentials API spec for a full reference of entity attributes and valid values.

CreatedAt Time

formatdate-time

Status SchemaVersionStatus

Controls what can be done with this schema version:

• "active" - new policy versions can be created and validated against it.
• "deprecated" - superseded by a newer version but still accepts new policy versions.
• "archived" - closed to new policy versions. Existing policy set versions pinned to this schema still evaluate normally.

Accepts one of the following:

const SchemaVersionStatusActive SchemaVersionStatus = "active"

const SchemaVersionStatusDeprecated SchemaVersionStatus = "deprecated"

const SchemaVersionStatusArchived SchemaVersionStatus = "archived"

UpdatedAt Time

formatdate-time

Version string

ArchivedAt Timeoptional

formatdate-time

CedarSchema stringoptional

Cedar schema in human-readable syntax. Populated when format=cedar.

CedarSchemaJson anyoptional

Cedar schema as JSON object. Populated when format=json (default).

DeprecatedAt Timeoptional

formatdate-time

type SchemaVersionWithZoneInfo struct{…}

A versioned Cedar schema that defines the entity model, actions, and context shape used for policy evaluation. The schema contains the valid entity types (User, Application, Resource), their attributes, and the allowed attribute values. See the Credentials API spec for a full reference of entity attributes and valid values.

IsDefault bool

Whether this is the zone's default schema. Clients use this to pre-select which schema to write policies against. Has no effect on evaluation.

ZonesPolicies

List policies in a zone

client.Zones.Policies.List(ctx, zoneID, params) (*ZonePolicyListResponse, error)

GET/zones/{zone_id}/policies

Create a new policy

client.Zones.Policies.New(ctx, zoneID, params) (*Policy, error)

POST/zones/{zone_id}/policies

Get a policy by ID

client.Zones.Policies.Get(ctx, policyID, params) (*Policy, error)

GET/zones/{zone_id}/policies/{policy_id}

Update a policy

client.Zones.Policies.Update(ctx, policyID, params) (*Policy, error)

PATCH/zones/{zone_id}/policies/{policy_id}

Archive a policy

client.Zones.Policies.Archive(ctx, policyID, params) (*Policy, error)

DELETE/zones/{zone_id}/policies/{policy_id}

ModelsExpand Collapse

type Policy struct{…}

ID string

CreatedAt Time

formatdate-time

CreatedBy string

Name string

OwnerType PolicyOwnerType

Who manages this policy:

• "platform" — managed by the Keycard platform (system policies).
• "customer" — managed by the tenant (custom policies).

Accepts one of the following:

const PolicyOwnerTypePlatform PolicyOwnerType = "platform"

const PolicyOwnerTypeCustomer PolicyOwnerType = "customer"

UpdatedAt Time

formatdate-time

ZoneID string

ArchivedAt Timeoptional

formatdate-time

Description stringoptional

LatestVersion int64optional

Human-readable version number of the latest version (e.g., 1, 2, 3)

LatestVersionID stringoptional

UpdatedBy stringoptional

type PolicyDraft struct{…}

CedarJson any

Cedar policy in JSON representation

CreatedAt Time

formatdate-time

PolicyID string

SchemaVersion string

UpdatedAt Time

formatdate-time

UpdatedBy string

ZonesPoliciesVersions

List versions of a policy

client.Zones.Policies.Versions.List(ctx, policyID, params) (*ZonePolicyVersionListResponse, error)

GET/zones/{zone_id}/policies/{policy_id}/versions

Create a new immutable policy version

client.Zones.Policies.Versions.New(ctx, policyID, params) (*PolicyVersion, error)

POST/zones/{zone_id}/policies/{policy_id}/versions

Get a specific policy version

client.Zones.Policies.Versions.Get(ctx, versionID, params) (*PolicyVersion, error)

GET/zones/{zone_id}/policies/{policy_id}/versions/{version_id}

Archive a policy version

client.Zones.Policies.Versions.Archive(ctx, versionID, params) (*PolicyVersion, error)

DELETE/zones/{zone_id}/policies/{policy_id}/versions/{version_id}

ModelsExpand Collapse

type PolicyVersion struct{…}

ID string

CreatedAt Time

formatdate-time

CreatedBy string

PolicyID string

SchemaVersion string

Schema version this policy was validated against when created.

Sha string

Hex-encoded content hash

Version int64

ZoneID string

ArchivedAt Timeoptional

formatdate-time

ArchivedBy stringoptional

CedarJson anyoptional

Cedar policy in JSON representation. Populated when format=json (default).

CedarRaw stringoptional

Cedar policy in human-readable syntax. Populated when format=cedar.

ZonesPolicy Sets

List policy sets in a zone

client.Zones.PolicySets.List(ctx, zoneID, params) (*ZonePolicySetListResponse, error)

GET/zones/{zone_id}/policy-sets

Create a new policy set

client.Zones.PolicySets.New(ctx, zoneID, params) (*PolicySetWithBinding, error)

POST/zones/{zone_id}/policy-sets

Get a policy set by ID

client.Zones.PolicySets.Get(ctx, policySetID, params) (*PolicySetWithBinding, error)

GET/zones/{zone_id}/policy-sets/{policy_set_id}

Update a policy set

client.Zones.PolicySets.Update(ctx, policySetID, params) (*PolicySetWithBinding, error)

PATCH/zones/{zone_id}/policy-sets/{policy_set_id}

Archive a policy set

client.Zones.PolicySets.Archive(ctx, policySetID, params) (*PolicySetWithBinding, error)

DELETE/zones/{zone_id}/policy-sets/{policy_set_id}

ModelsExpand Collapse

type Attestation struct{…}

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

Payload string

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The RFC 8785 canonical form of the decoded JSON is the JWS Signing Input alongside the protected header.

Protected string

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

Signature string

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.

type AttestationStatement struct{…}

Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.

AttestedAt Time

formatdate-time

AttestedBy string

Manifest []PolicySetManifestEntry

Snapshot of the policy set manifest at attestation time. Each entry pins a policy version by ID and content SHA.

PolicyID string

PolicyVersionID string

Sha stringoptional

SHA-256 of the policy version content, populated by the server

ManifestSha string

SHA-256 of the policy set version manifest. Verifiers MUST check this matches the policy_set_version.manifest_sha to detect attestation/version mismatches.

PolicySetID string

PolicySetVersion int64

Status AttestationStatementStatus

Event that produced this attestation. "committed" is the initial attestation at version creation; "re_signed" is a re-attestation after key rotation (same content, new signature).

Accepts one of the following:

const AttestationStatementStatusCommitted AttestationStatementStatus = "committed"

const AttestationStatementStatusReSigned AttestationStatementStatus = "re_signed"

Type AttestationStatementType

Statement type discriminator

V int64

Statement schema version

ZoneID string

type PolicySet struct{…}

ID string

CreatedAt Time

formatdate-time

CreatedBy string

Name string

OwnerType PolicySetOwnerType

Who manages this policy set:

• "platform" — managed by the Keycard platform (system policies).
• "customer" — managed by the tenant (custom policies).

Accepts one of the following:

const PolicySetOwnerTypePlatform PolicySetOwnerType = "platform"

const PolicySetOwnerTypeCustomer PolicySetOwnerType = "customer"

ScopeType PolicySetScopeType

The scope at which this policy set applies:

• "zone" — applies to all requests in the zone.
• "resource" — scoped to a specific resource.
• "user" — scoped to a specific user.
• "session" — scoped to a specific session.

Accepts one of the following:

const PolicySetScopeTypeZone PolicySetScopeType = "zone"

const PolicySetScopeTypeResource PolicySetScopeType = "resource"

const PolicySetScopeTypeUser PolicySetScopeType = "user"

const PolicySetScopeTypeSession PolicySetScopeType = "session"

UpdatedAt Time

formatdate-time

ZoneID string

ArchivedAt Timeoptional

formatdate-time

LatestVersion int64optional

Human-readable version number of the latest version (e.g., 1, 2, 3)

LatestVersionID stringoptional

UpdatedBy stringoptional

type PolicySetDraft struct{…}

CreatedAt Time

formatdate-time

Manifest PolicySetManifest

Entries []PolicySetManifestEntry

PolicyID string

PolicyVersionID string

Sha stringoptional

SHA-256 of the policy version content, populated by the server

PolicySetID string

SchemaVersion string

UpdatedAt Time

formatdate-time

UpdatedBy string

type PolicySetManifest struct{…}

Entries []PolicySetManifestEntry

PolicyID string

PolicyVersionID string

Sha stringoptional

SHA-256 of the policy version content, populated by the server

type PolicySetManifestEntry struct{…}

PolicyID string

PolicyVersionID string

Sha stringoptional

SHA-256 of the policy version content, populated by the server

type PolicySetWithBinding struct{…}

Active booloptional

Whether this policy set is currently bound to a scope

ActiveVersion int64optional

Human-readable version number of the active version (e.g., 1, 2, 3)

ActiveVersionID stringoptional

Public ID of the currently active (bound) version

Mode stringoptional

Accepts one of the following:

const PolicySetWithBindingModeActive PolicySetWithBindingMode = "active"

const PolicySetWithBindingModeShadow PolicySetWithBindingMode = "shadow"

ScopeTargetID stringoptional

ZonesPolicy SetsVersions

List versions of a policy set

client.Zones.PolicySets.Versions.List(ctx, policySetID, params) (*ZonePolicySetVersionListResponse, error)

GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions

Create a new immutable policy set version

client.Zones.PolicySets.Versions.New(ctx, policySetID, params) (*PolicySetVersion, error)

POST/zones/{zone_id}/policy-sets/{policy_set_id}/versions

Get a specific policy set version

client.Zones.PolicySets.Versions.Get(ctx, versionID, params) (*PolicySetVersion, error)

GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}

Activate a policy set version

client.Zones.PolicySets.Versions.Update(ctx, versionID, params) (*PolicySetVersion, error)

PATCH/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}

Archive a policy set version

client.Zones.PolicySets.Versions.Archive(ctx, versionID, params) (*PolicySetVersion, error)

DELETE/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}

List policy versions in a policy set version

client.Zones.PolicySets.Versions.ListPolicies(ctx, versionID, params) (*ZonePolicySetVersionListPoliciesResponse, error)

GET/zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}/policies

ModelsExpand Collapse

type PolicySetVersion struct{…}

ID string

CreatedAt Time

formatdate-time

CreatedBy string

Manifest PolicySetManifest

Entries []PolicySetManifestEntry

PolicyID string

PolicyVersionID string

Sha stringoptional

SHA-256 of the policy version content, populated by the server

ManifestSha string

Hex-encoded SHA-256 of the canonicalized manifest

PolicySetID string

SchemaVersion string

Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.

Version int64

Active booloptional

Whether this policy set version is currently bound with mode='active'

ArchivedAt Timeoptional

formatdate-time

ArchivedBy stringoptional

Attestation Attestationoptional

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

Payload string

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The RFC 8785 canonical form of the decoded JSON is the JWS Signing Input alongside the protected header.

Protected string

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

Signature string

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.