API Reference

Zones

List zones
zones.list(**kwargs: ZoneListParams) -> ZoneListResponse
GET /zones
Create zone
zones.create(**kwargs: ZoneCreateParams) -> Zone
POST /zones
Get zone
zones.retrieve(zone_id: str, **kwargs: ZoneRetrieveParams) -> Zone
GET /zones/{zoneId}
Update zone
zones.update(zone_id: str, **kwargs: ZoneUpdateParams) -> Zone
PATCH /zones/{zoneId}
Delete zone
zones.delete(zone_id: str)
DELETE /zones/{zoneId}
Models
class EncryptionKeyAwsKmsConfig:

AWS KMS configuration for zone encryption. When not specified, the default Keycard Cloud encryption key will be used.

arn: str

AWS KMS Key ARN for encrypting the zone's data

minLength: 1

type: Literal["aws"]
class PageInfoPagination:

Pagination information

has_next_page: bool

Whether there are more items after the current page

has_previous_page: bool

Whether there are items before the current page

end_cursor: Optional[str]

Cursor pointing to the last item in the current page

start_cursor: Optional[str]

Cursor pointing to the first item in the current page

class Zone:

A zone for organizing resources within an organization

id: str

Unique identifier of the zone

created_at: datetime

Entity creation timestamp

format: date-time

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this zone

protocols: Protocols

Protocol configuration for a zone

oauth2: ProtocolsOauth2

OAuth 2.0 protocol configuration for a zone

authorization_endpoint: str

OAuth 2.0 authorization endpoint

format: uri

authorization_server_metadata: str

OAuth 2.0 Authorization Server Metadata endpoint (.well-known/oauth-authorization-server)

format: uri

dcr_enabled: bool

Whether Dynamic Client Registration is enabled

issuer: str

OAuth 2.0 issuer identifier

format: uri

jwks_uri: str

JSON Web Key Set endpoint

format: uri

pkce_required: bool

Whether PKCE is required for authorization code flows

redirect_uri: str

OAuth 2.0 redirect URI for this zone

format: uri

registration_endpoint: str

OAuth 2.0 Dynamic Client Registration endpoint

format: uri

token_endpoint: str

OAuth 2.0 token endpoint

format: uri

openid: ProtocolsOpenid

OpenID Connect protocol configuration for a zone

provider_configuration: str

OpenID Connect Provider Configuration endpoint (.well-known/openid-configuration)

format: uri

userinfo_endpoint: str

OpenID Connect UserInfo endpoint

format: uri

slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

default_mcp_gateway_application_id: Optional[str]

Application ID configured as the default MCP Gateway for the zone

default_resource_id: Optional[str]

Resource ID configured as the default resource for the zone

description: Optional[str]

Human-readable description

maxLength: 2048

encryption_key: Optional[EncryptionKeyAwsKmsConfig]

AWS KMS configuration for zone encryption. When not specified, the default Keycard Cloud encryption key will be used.

arn: str

AWS KMS Key ARN for encrypting the zone's data

minLength: 1

type: Literal["aws"]
login_flow: Optional[Literal["default", "identifier_first"]]

Login flow style for the zone. 'default' uses standard authentication, 'identifier_first' uses identifier-based provider routing.

Accepts one of the following:
"default"
"identifier_first"
permissions: Optional[Dict[str, Dict[str, bool]]]

Permissions granted to the authenticated principal. Only populated when the expand[]=permissions query parameter is provided. Keys are resource types; values are objects mapping action names to boolean values.

requires_invitation: Optional[bool]

Whether the zone requires an invitation for email/password registration. Applies only when user_identity_provider_id is not set.

user_identity_provider_id: Optional[str]

Provider ID configured for user login

Zones / Applications

List applications
zones.applications.list(zone_id: str, **kwargs: ApplicationListParams) -> ApplicationListResponse
GET /zones/{zoneId}/applications
Create application
zones.applications.create(zone_id: str, **kwargs: ApplicationCreateParams) -> Application
POST /zones/{zoneId}/applications
Get application
zones.applications.retrieve(id: str, **kwargs: ApplicationRetrieveParams) -> Application
GET /zones/{zoneId}/applications/{id}
Update application
zones.applications.update(id: str, **kwargs: ApplicationUpdateParams) -> Application
PATCH /zones/{zoneId}/applications/{id}
Delete application
zones.applications.delete(id: str, **kwargs: ApplicationDeleteParams)
DELETE /zones/{zoneId}/applications/{id}
List application credentials
zones.applications.list_credentials(id: str, **kwargs: ApplicationListCredentialsParams) -> ApplicationListCredentialsResponse
GET /zones/{zoneId}/applications/{id}/application-credentials
List application resources
zones.applications.list_resources(id: str, **kwargs: ApplicationListResourcesParams) -> ApplicationListResourcesResponse
GET /zones/{zoneId}/applications/{id}/resources
Models
class Application:

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: str

Unique identifier of the application

created_at: datetime

Entity creation timestamp

format: date-time

dependencies_count: int

Number of resource dependencies

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this application

owner_type: Literal["platform", "customer"]

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this application belongs to

description: Optional[str]

Human-readable description

maxLength: 2048

metadata: Optional[Metadata]

Entity metadata

docs_url: Optional[str]

Documentation URL

format: uri
maxLength: 2048

protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

post_logout_redirect_uris: Optional[List[str]]

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris: Optional[List[str]]

OAuth 2.0 redirect URIs for this application

Literal["gateway", "mcp-provider"]

Traits ascribe behaviors and characteristics to an application, which may activate trait-specific user experiences, workflows, or other system behaviors

Accepts one of the following:
"gateway"
"mcp-provider"
class Metadata:

Entity metadata

docs_url: Optional[str]

Documentation URL

format: uri
maxLength: 2048

class MetadataUpdate:

Entity metadata (set to null or {} to remove metadata)

docs_url: Optional[str]

Documentation URL (set to null to unset)

format: uri
maxLength: 2048

Zones / Applications / Dependencies

List application dependencies
zones.applications.dependencies.list(id: str, **kwargs: DependencyListParams) -> DependencyListResponse
GET /zones/{zoneId}/applications/{id}/dependencies
Add application dependency
zones.applications.dependencies.add(dependency_id: str, **kwargs: DependencyAddParams)
PUT /zones/{zoneId}/applications/{id}/dependencies/{dependencyId}
Remove application dependency
zones.applications.dependencies.remove(dependency_id: str, **kwargs: DependencyRemoveParams)
DELETE /zones/{zoneId}/applications/{id}/dependencies/{dependencyId}
Get application dependency
zones.applications.dependencies.retrieve(dependency_id: str, **kwargs: DependencyRetrieveParams) -> Resource
GET /zones/{zoneId}/applications/{id}/dependencies/{dependencyId}
Models
class Resource:

A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

id: str

Unique identifier of the resource

application_type: Literal["native", "web"]

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:
"native"
"web"
created_at: datetime

Entity creation timestamp

format: date-time

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this resource

owner_type: Literal["platform", "customer"]

Who owns this resource. Platform-owned resources cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this resource belongs to

application: Optional[Application] (deprecated)

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: str

Unique identifier of the application

created_at: datetime

Entity creation timestamp

format: date-time

dependencies_count: int

Number of resource dependencies

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this application

owner_type: Literal["platform", "customer"]

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this application belongs to

description: Optional[str]

Human-readable description

maxLength: 2048

metadata: Optional[Metadata]

Entity metadata

docs_url: Optional[str]

Documentation URL

format: uri
maxLength: 2048

protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

post_logout_redirect_uris: Optional[List[str]]

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris: Optional[List[str]]

OAuth 2.0 redirect URIs for this application

application_id: Optional[str]

ID of the application that provides this resource

credential_provider: Optional[Provider] (deprecated)

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: str

Unique identifier of the provider

created_at: datetime

Entity creation timestamp

format: date-time

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this provider

owner_type: Literal["platform", "customer"]

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this provider belongs to

client_id: Optional[str]

OAuth 2.0 client identifier

client_secret_set: Optional[bool]

Indicates whether a client secret is configured

description: Optional[str]

Human-readable description

maxLength: 2048

metadata: Optional[object]

Provider metadata

protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

issuer: str

OIDC issuer URL used for discovery and token validation.

format: uri

authorization_endpoint: Optional[str]
format: uri

authorization_parameters: Optional[Dict[str, str]]

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled: Optional[bool]

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter: Optional[str]

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported: Optional[List[str]]
jwks_uri: Optional[str]
format: uri

registration_endpoint: Optional[str]
format: uri

scope_parameter: Optional[str]

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator: Optional[str]

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported: Optional[List[str]]
token_endpoint: Optional[str]
format: uri

token_response_access_token_pointer: Optional[str]

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid: Optional[ProtocolsOpenid]

OpenID Connect protocol configuration

userinfo_endpoint: Optional[str]
format: uri

type: Optional[Literal["external", "keycard-vault", "keycard-sts"]]
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
credential_provider_id: Optional[str]

ID of the credential provider for this resource

description: Optional[str]

Human-readable description

maxLength: 2048

metadata: Optional[Metadata]

Entity metadata

docs_url: Optional[str]

Documentation URL

format: uri
maxLength: 2048

scopes: Optional[List[str]]

Scopes supported by the resource

when_accessing: Optional[List[str]]

List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

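The application_type rule stated on the Resource model above (native clients: localhost URLs or custom schemes; web clients: https, never localhost) as a pre-flight check on a list of redirect_uris before they are submitted. This is an added example, not Keycard SDK code; the function names and the choice to count the loopback IP literals as "localhost" are this example's own assumptions.

```python
from typing import List, Literal, Tuple
from urllib.parse import urlsplit

ApplicationType = Literal["native", "web"]

# Hosts treated as "localhost". Assumption: the page only says "localhost";
# the IPv4/IPv6 loopback literals are included here as its usual equivalents.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_redirect_uri(uri: str, application_type: ApplicationType) -> Tuple[bool, str]:
    """Apply the application_type policy to one redirect URI.

    Returns (accepted, reason). Hypothetical helper, not an SDK method.
    """
    try:
        parts = urlsplit(uri.strip())
        host = (parts.hostname or "").lower()
    except ValueError:  # e.g. an unbracketed IPv6 literal in the authority
        return False, "unparseable URI"
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "missing scheme"
    if "#" in uri:
        # RFC 6749 section 3.1.2: the redirection endpoint URI must not contain a fragment.
        return False, "fragment component not allowed"

    if application_type == "web":
        if scheme != "https":
            return False, "web clients must use https"
        if not host:
            return False, "missing host"
        if host in LOOPBACK_HOSTS:
            return False, "web clients must not use localhost as the hostname"
        return True, "ok"

    if application_type == "native":
        if scheme in ("http", "https"):
            if host in LOOPBACK_HOSTS:
                return True, "ok"
            return False, "native clients may only use http(s) with a localhost host"
        # Any other scheme is treated as a custom (e.g. reverse-DNS) app scheme.
        return True, "ok"

    return False, f"unknown application_type {application_type!r}"


def rejected_redirect_uris(uris: List[str], application_type: ApplicationType) -> List[Tuple[str, str]]:
    """Return (uri, reason) for every URI the policy rejects; an empty list means all passed."""
    rejected = []
    for uri in uris:
        ok, reason = check_redirect_uri(uri, application_type)
        if not ok:
            rejected.append((uri, reason))
    return rejected


# Constructed sample inputs (placeholder hosts, not real deployments).
WEB_CANDIDATES = [
    "https://app.example.com/oauth/callback",
    "http://app.example.com/oauth/callback",   # plain http on a web client
    "https://localhost/oauth/callback",        # localhost on a web client
]
NATIVE_CANDIDATES = [
    "http://localhost:8080/callback",
    "http://127.0.0.1:49152/callback",
    "com.example.app:/oauth2redirect",
    "https://app.example.com/callback",        # web-style URL on a native client
]

if __name__ == "__main__":
    for kind, uris in (("web", WEB_CANDIDATES), ("native", NATIVE_CANDIDATES)):
        for uri, reason in rejected_redirect_uris(uris, kind):
            print(f"{kind}: reject {uri}: {reason}")
```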
Zones / Application Credentials

List application credentials
zones.application_credentials.list(zone_id: str, **kwargs: ApplicationCredentialListParams) -> ApplicationCredentialListResponse
GET /zones/{zoneId}/application-credentials
Create application credential
zones.application_credentials.create(zone_id: str, **kwargs: ApplicationCredentialCreateParams) -> ApplicationCredentialCreateResponse
POST /zones/{zoneId}/application-credentials
Get application credential
zones.application_credentials.retrieve(id: str, **kwargs: ApplicationCredentialRetrieveParams) -> Credential
GET /zones/{zoneId}/application-credentials/{id}
Update application credential
zones.application_credentials.update(id: str, **kwargs: ApplicationCredentialUpdateParams) -> Credential
PATCH /zones/{zoneId}/application-credentials/{id}
Delete application credential
zones.application_credentials.delete(id: str, **kwargs: ApplicationCredentialDeleteParams)
DELETE /zones/{zoneId}/application-credentials/{id}
Models
class BaseFields:

Common fields shared by all application credential types

id: str

Unique identifier of the credential

application_id: str

ID of the application this credential belongs to

created_at: datetime

Entity creation timestamp

format: date-time

organization_id: str

Organization that owns this credential

slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this credential belongs to

application: Optional[Application] (deprecated)

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: str

Unique identifier of the application

created_at: datetime

Entity creation timestamp

format: date-time

dependencies_count: int

Number of resource dependencies

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this application

owner_type: Literal["platform", "customer"]

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this application belongs to

description: Optional[str]

Human-readable description

maxLength: 2048

metadata: Optional[Metadata]

Entity metadata

docs_url: Optional[str]

Documentation URL

format: uri
maxLength: 2048

protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

post_logout_redirect_uris: Optional[List[str]]

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris: Optional[List[str]]

OAuth 2.0 redirect URIs for this application

Union[Token, Password, PublicKey, URL, Public]

Credentials for accessing external services from applications

Accepts one of the following:
class Token:

Token-based application credential

identifier: str

Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

provider_id: str

ID of the provider issuing tokens verified by this credential

type: Literal["token"]
provider: Optional[Provider] (deprecated)

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: str

Unique identifier of the provider

created_at: datetime

Entity creation timestamp

format: date-time

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this provider

owner_type: Literal["platform", "customer"]

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this provider belongs to

client_id: Optional[str]

OAuth 2.0 client identifier

client_secret_set: Optional[bool]

Indicates whether a client secret is configured

description: Optional[str]

Human-readable description

maxLength: 2048

metadata: Optional[object]

Provider metadata

protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

issuer: str

OIDC issuer URL used for discovery and token validation.

format: uri

authorization_endpoint: Optional[str]
format: uri

authorization_parameters: Optional[Dict[str, str]]

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled: Optional[bool]

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter: Optional[str]

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported: Optional[List[str]]
jwks_uri: Optional[str]
format: uri

registration_endpoint: Optional[str]
format: uri

scope_parameter: Optional[str]

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator: Optional[str]

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported: Optional[List[str]]
token_endpoint: Optional[str]
format: uri

token_response_access_token_pointer: Optional[str]

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid: Optional[ProtocolsOpenid]

OpenID Connect protocol configuration

userinfo_endpoint: Optional[str]
format: uri

type: Optional[Literal["external", "keycard-vault", "keycard-sts"]]
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
subject: Optional[str]

Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

class Password:

Password-based application credential

identifier: str

Username for password credential, also used as OAuth 2.0 client ID

type: Literal["password"]
password: Optional[str]

Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

class PublicKey:

Public key-based application credential

identifier: str

Client ID for public key credential, also used as OAuth 2.0 client ID

jwks_uri: str

JWKS URI to retrieve public keys from

format: uri

type: Literal["public-key"]
class URL:

URL-based application credential

identifier: str

URL of the credential (must be a valid URL)

format: uri

type: Literal["url"]
class Public:

Public credential (no secret storage)

identifier: str

Identifier for public credential, also used as OAuth 2.0 client ID

type: Literal["public"]
class Password:

Password-based application credential

identifier: str

Username for password credential, also used as OAuth 2.0 client ID

type: Literal["password"]
password: Optional[str]

Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

class Public:

Public credential (no secret storage)

identifier: str

Identifier for public credential, also used as OAuth 2.0 client ID

type: Literal["public"]
class PublicKey:

Public key-based application credential

identifier: str

Client ID for public key credential, also used as OAuth 2.0 client ID

jwks_uri: str

JWKS URI to retrieve public keys from

format: uri

type: Literal["public-key"]
class Token:

Token-based application credential

identifier: str

Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

provider_id: str

ID of the provider issuing tokens verified by this credential

type: Literal["token"]
provider: Optional[Provider] (deprecated)

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: str

Unique identifier of the provider

created_at: datetime

Entity creation timestamp

format: date-time

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this provider

owner_type: Literal["platform", "customer"]

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this provider belongs to

client_id: Optional[str]

OAuth 2.0 client identifier

client_secret_set: Optional[bool]

Indicates whether a client secret is configured

description: Optional[str]

Human-readable description

maxLength: 2048

metadata: Optional[object]

Provider metadata

protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

issuer: str

OIDC issuer URL used for discovery and token validation.

format: uri

authorization_endpoint: Optional[str]
format: uri

authorization_parameters: Optional[Dict[str, str]]

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled: Optional[bool]

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter: Optional[str]

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported: Optional[List[str]]
jwks_uri: Optional[str]
format: uri

registration_endpoint: Optional[str]
format: uri

scope_parameter: Optional[str]

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator: Optional[str]

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported: Optional[List[str]]
token_endpoint: Optional[str]
format: uri

token_response_access_token_pointer: Optional[str]

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid: Optional[ProtocolsOpenid]

OpenID Connect protocol configuration

userinfo_endpoint: Optional[str]
format: uri

type: Optional[Literal["external", "keycard-vault", "keycard-sts"]]
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
subject: Optional[str]

Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

class URL:

URL-based application credential

identifier: str

URL of the credential (must be a valid URL)

format: uri

type: Literal["url"]

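The Provider oauth2 settings shown in the Token credential's provider expansion above (scope_parameter, scope_separator, authorization_parameters, authorization_resource_enabled/authorization_resource_parameter, code_challenge_methods_supported and token_response_access_token_pointer) applied end to end: building the authorization request for a standard provider and for a Slack v2-style one, and reading the access token out of each token response. This is an added example, not Keycard SDK code; the ProviderOAuth2Config dataclass, the function names and the placeholder endpoints are this example's own assumptions.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import urlencode


@dataclass
class ProviderOAuth2Config:
    """Subset of the page's Provider.protocols.oauth2 fields (example's own type, not the SDK's)."""
    issuer: str
    authorization_endpoint: Optional[str] = None
    token_endpoint: Optional[str] = None
    authorization_parameters: Dict[str, str] = field(default_factory=dict)
    authorization_resource_enabled: bool = False
    authorization_resource_parameter: Optional[str] = None
    code_challenge_methods_supported: List[str] = field(default_factory=list)
    scope_parameter: Optional[str] = None
    scope_separator: Optional[str] = None
    token_response_access_token_pointer: Optional[str] = None


def pkce_pair() -> Tuple[str, str]:
    """Fresh PKCE code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_query(cfg: ProviderOAuth2Config, client_id: str, redirect_uri: str,
                              scopes: List[str], state: str, resource: Optional[str] = None,
                              code_challenge: Optional[str] = None) -> Dict[str, str]:
    """Query parameters for the provider's authorization endpoint, honouring its adaptation fields."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if scopes:
        # Page defaults: parameter "scope", separator " "; Slack v2 uses "user_scope" and ",".
        params[cfg.scope_parameter or "scope"] = (cfg.scope_separator or " ").join(scopes)
    if cfg.authorization_resource_enabled and resource:
        # Page default for the parameter name is "resource".
        params[cfg.authorization_resource_parameter or "resource"] = resource
    if code_challenge is not None:
        if "S256" not in cfg.code_challenge_methods_supported:
            raise ValueError("provider does not advertise S256; not downgrading PKCE")
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    # Provider-specific extras (e.g. Google prompt=consent, access_type=offline). The page only
    # says they are appended; this example's choice is that they never overwrite standard params.
    for key, value in cfg.authorization_parameters.items():
        params.setdefault(key, value)
    return params


def authorization_url(cfg: ProviderOAuth2Config, **kwargs: Any) -> str:
    if not cfg.authorization_endpoint:
        raise ValueError("provider has no authorization_endpoint")
    return f"{cfg.authorization_endpoint}?{urlencode(build_authorization_query(cfg, **kwargs))}"


def extract_access_token(cfg: ProviderOAuth2Config, token_response: Dict[str, Any]) -> str:
    """Follow the dot-separated token_response_access_token_pointer (default "access_token")."""
    pointer = cfg.token_response_access_token_pointer or "access_token"
    node: Any = token_response
    for key in pointer.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"token response has no value at {pointer!r}")
        node = node[key]
    if not isinstance(node, str) or not node:
        raise ValueError(f"value at {pointer!r} is not a non-empty string")
    return node


# Constructed configurations; the endpoints are placeholders, not real providers.
STANDARD_PROVIDER = ProviderOAuth2Config(
    issuer="https://idp.example.test",
    authorization_endpoint="https://idp.example.test/authorize",
    authorization_resource_enabled=True,
    code_challenge_methods_supported=["S256"],
    authorization_parameters={"prompt": "consent", "access_type": "offline"},
)
SLACK_STYLE_PROVIDER = ProviderOAuth2Config(
    issuer="https://slack.example.test",
    authorization_endpoint="https://slack.example.test/oauth/v2/authorize",
    scope_parameter="user_scope",
    scope_separator=",",
    token_response_access_token_pointer="authed_user.access_token",
)
```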
Zones / Delegated Grants

List delegated grants
zones.delegated_grants.list(zone_id: str, **kwargs: DelegatedGrantListParams) -> DelegatedGrantListResponse
GET /zones/{zoneId}/delegated-grants
Get delegated grant
zones.delegated_grants.retrieve(id: str, **kwargs: DelegatedGrantRetrieveParams) -> Grant
GET /zones/{zoneId}/delegated-grants/{id}
Update delegated grant
zones.delegated_grants.update(id: str, **kwargs: DelegatedGrantUpdateParams) -> Grant
PATCH /zones/{zoneId}/delegated-grants/{id}
Delete delegated grant
zones.delegated_grants.delete(id: str, **kwargs: DelegatedGrantDeleteParams)
DELETE /zones/{zoneId}/delegated-grants/{id}
Models
class Grant:

User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.

id: str

Unique identifier of the delegated grant

created_at: datetime

Entity creation timestamp

format: date-time

expires_at: datetime

Date when grant expires

format: date-time

organization_id: str

Organization that owns this grant

provider_id: str

ID of the provider that issued this grant

refresh_token_set: bool

Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.

resource_id: str

ID of the resource receiving the grant

scopes: List[str]

Granted OAuth scopes

status: Literal["active", "expired", "revoked"]
Accepts one of the following:
"active"
"expired"
"revoked"
updated_at: datetime

Entity update timestamp

format: date-time

user_id: str

Reference to the user granting permission

zone_id: str

Zone this grant belongs to

active: Optional[bool] (deprecated)

Whether the grant is currently active (deprecated - use status instead)

provider: Optional[Provider] (deprecated)

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: str

Unique identifier of the provider

created_at: datetime

Entity creation timestamp

format: date-time

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this provider

owner_type: Literal["platform", "customer"]

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this provider belongs to

client_id: Optional[str]

OAuth 2.0 client identifier

client_secret_set: Optional[bool]

Indicates whether a client secret is configured

description: Optional[str]

Human-readable description

maxLength: 2048

metadata: Optional[object]

Provider metadata

protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

issuer: str

OIDC issuer URL used for discovery and token validation.

format: uri

authorization_endpoint: Optional[str]
format: uri

authorization_parameters: Optional[Dict[str, str]]

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled: Optional[bool]

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter: Optional[str]

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported: Optional[List[str]]
jwks_uri: Optional[str]
format: uri

registration_endpoint: Optional[str]
format: uri

scope_parameter: Optional[str]

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator: Optional[str]

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported: Optional[List[str]]
token_endpoint: Optional[str]
format: uri

token_response_access_token_pointer: Optional[str]

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid: Optional[ProtocolsOpenid]

OpenID Connect protocol configuration

userinfo_endpoint: Optional[str]
format: uri

type: Optional[Literal["external", "keycard-vault", "keycard-sts"]]
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
refreshed_at: Optional[datetime]

Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.

format: date-time

resource: Optional[Resource] (deprecated)

A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

id: str

Unique identifier of the resource

application_type: Literal["native", "web"]

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:
"native"
"web"
created_at: datetime

Entity creation timestamp

format: date-time

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this resource

owner_type: Literal["platform", "customer"]

Who owns this resource. Platform-owned resources cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this resource belongs to

application: Optional[Application] (deprecated)

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: str

Unique identifier of the application

created_at: datetime

Entity creation timestamp

format: date-time

dependencies_count: int

Number of resource dependencies

identifier: str

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048

name: str

Human-readable name

minLength: 1
maxLength: 255

organization_id: str

Organization that owns this application

owner_type: Literal["platform", "customer"]

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63

updated_at: datetime

Entity update timestamp

format: date-time

zone_id: str

Zone this application belongs to

description: Optional[str]

Human-readable description

maxLength: 2048

metadata: Optional[Metadata]

Entity metadata

docs_url: Optional[str]

Documentation URL

formaturi
maxLength2048
protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

post_logout_redirect_uris: Optional[List[str]]

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris: Optional[List[str]]

OAuth 2.0 redirect URIs for this application

application_id: Optional[str]

ID of the application that provides this resource

credential_provider: Optional[Provider] (Deprecated)

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: str

Unique identifier of the provider

created_at: datetime

Entity creation timestamp

formatdate-time
identifier: str

User specified identifier, unique within the zone

minLength1
maxLength2048
name: str

Human-readable name

minLength1
maxLength255
organization_id: str

Organization that owns this provider

owner_type: Literal["platform", "customer"]

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength1
maxLength63
updated_at: datetime

Entity update timestamp

formatdate-time
zone_id: str

Zone this provider belongs to

client_id: Optional[str]

OAuth 2.0 client identifier

client_secret_set: Optional[bool]

Indicates whether a client secret is configured

description: Optional[str]

Human-readable description

maxLength2048
metadata: Optional[object]

Provider metadata

protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

issuer: str

OIDC issuer URL used for discovery and token validation.

formaturi
authorization_endpoint: Optional[str]
formaturi
authorization_parameters: Optional[Dict[str, str]]

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled: Optional[bool]

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter: Optional[str]

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported: Optional[List[str]]
jwks_uri: Optional[str]
formaturi
registration_endpoint: Optional[str]
formaturi
scope_parameter: Optional[str]

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator: Optional[str]

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported: Optional[List[str]]
token_endpoint: Optional[str]
formaturi
token_response_access_token_pointer: Optional[str]

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid: Optional[ProtocolsOpenid]

OpenID Connect protocol configuration

userinfo_endpoint: Optional[str]
formaturi
type: Optional[Literal["external", "keycard-vault", "keycard-sts"]]
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
credential_provider_id: Optional[str]

ID of the credential provider for this resource

description: Optional[str]

Human-readable description

maxLength2048
metadata: Optional[Metadata]

Entity metadata

docs_url: Optional[str]

Documentation URL

formaturi
maxLength2048
scopes: Optional[List[str]]

Scopes supported by the resource

when_accessing: Optional[List[str]]

List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

user: Optional[User] (Deprecated)

An authenticated user entity

id: str

Unique identifier of the user

created_at: datetime

Entity creation timestamp

formatdate-time
email: str

Email address of the user

formatemail
email_verified: bool

Whether the email address has been verified

organization_id: str

Organization that owns this user

updated_at: datetime

Entity update timestamp

formatdate-time
zone_id: str

Zone this user belongs to

authenticated_at: Optional[str]

Date when the user was last authenticated

issuer: Optional[str]

Issuer identifier of the identity provider

provider_id: Optional[str]

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

subject: Optional[str]

Subject identifier from the identity provider

Zones / Providers

List providers
zones.providers.list(str zone_id, ProviderListParams **kwargs) -> ProviderListResponse
GET /zones/{zoneId}/providers
Create provider
zones.providers.create(str zone_id, ProviderCreateParams **kwargs) -> Provider
POST /zones/{zoneId}/providers
Get provider
zones.providers.retrieve(str id, ProviderRetrieveParams **kwargs) -> Provider
GET /zones/{zoneId}/providers/{id}
Update provider
zones.providers.update(str id, ProviderUpdateParams **kwargs) -> Provider
PATCH /zones/{zoneId}/providers/{id}
Delete provider
zones.providers.delete(str id, ProviderDeleteParams **kwargs)
DELETE /zones/{zoneId}/providers/{id}
Models
class Provider:

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: str

Unique identifier of the provider

created_at: datetime

Entity creation timestamp

formatdate-time
identifier: str

User specified identifier, unique within the zone

minLength1
maxLength2048
name: str

Human-readable name

minLength1
maxLength255
organization_id: str

Organization that owns this provider

owner_type: Literal["platform", "customer"]

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength1
maxLength63
updated_at: datetime

Entity update timestamp

formatdate-time
zone_id: str

Zone this provider belongs to

client_id: Optional[str]

OAuth 2.0 client identifier

client_secret_set: Optional[bool]

Indicates whether a client secret is configured

description: Optional[str]

Human-readable description

maxLength2048
metadata: Optional[object]

Provider metadata

protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

issuer: str

OIDC issuer URL used for discovery and token validation.

formaturi
authorization_endpoint: Optional[str]
formaturi
authorization_parameters: Optional[Dict[str, str]]

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled: Optional[bool]

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter: Optional[str]

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported: Optional[List[str]]
jwks_uri: Optional[str]
formaturi
registration_endpoint: Optional[str]
formaturi
scope_parameter: Optional[str]

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator: Optional[str]

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported: Optional[List[str]]
token_endpoint: Optional[str]
formaturi
token_response_access_token_pointer: Optional[str]

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid: Optional[ProtocolsOpenid]

OpenID Connect protocol configuration

userinfo_endpoint: Optional[str]
formaturi
type: Optional[Literal["external", "keycard-vault", "keycard-sts"]]
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"

Zones / Resources

List resources
zones.resources.list(str zone_id, ResourceListParams **kwargs) -> ResourceListResponse
GET /zones/{zoneId}/resources
Create resource
zones.resources.create(str zone_id, ResourceCreateParams **kwargs) -> Resource
POST /zones/{zoneId}/resources
Get resource
zones.resources.retrieve(str id, ResourceRetrieveParams **kwargs) -> Resource
GET /zones/{zoneId}/resources/{id}
Update resource
zones.resources.update(str id, ResourceUpdateParams **kwargs) -> Resource
PATCH /zones/{zoneId}/resources/{id}
Delete resource
zones.resources.delete(str id, ResourceDeleteParams **kwargs)
DELETE /zones/{zoneId}/resources/{id}

Zones / Sessions

List sessions
zones.sessions.list(str zone_id, SessionListParams **kwargs) -> SessionListResponse
GET /zones/{zoneId}/sessions
Get session
zones.sessions.retrieve(str id, SessionRetrieveParams **kwargs) -> Session
GET /zones/{zoneId}/sessions/{id}
Update session
zones.sessions.update(str id, SessionUpdateParams **kwargs) -> Session
PATCH /zones/{zoneId}/sessions/{id}
Delete session
zones.sessions.delete(str id, SessionDeleteParams **kwargs)
DELETE /zones/{zoneId}/sessions/{id}
Models

An authenticated identity session. Sessions can be user sessions (representing end-user authentication) or application sessions (representing service-to-service authentication). User sessions support hierarchical relationships via parent_id, while application sessions are always standalone.

Accepts one of the following:
class IamUserSessionType:

User session type-specific fields

session_type: Literal["user"]
user_id: str

User ID

id: Optional[str]

Session ID

active: Optional[bool] (Deprecated)

Whether the session is currently active (deprecated - use status instead)

application: Optional[Application] (Deprecated)

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: str

Unique identifier of the application

created_at: datetime

Entity creation timestamp

formatdate-time
dependencies_count: int

Number of resource dependencies

identifier: str

User specified identifier, unique within the zone

minLength1
maxLength2048
name: str

Human-readable name

minLength1
maxLength255
organization_id: str

Organization that owns this application

owner_type: Literal["platform", "customer"]

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength1
maxLength63
updated_at: datetime

Entity update timestamp

formatdate-time
zone_id: str

Zone this application belongs to

description: Optional[str]

Human-readable description

maxLength2048
metadata: Optional[Metadata]

Entity metadata

docs_url: Optional[str]

Documentation URL

formaturi
maxLength2048
protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

post_logout_redirect_uris: Optional[List[str]]

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris: Optional[List[str]]

OAuth 2.0 redirect URIs for this application

application_id: Optional[str]

Application ID that initiated this session

authenticated_at: Optional[datetime]

Date when the session was authenticated

formatdate-time
created_at: Optional[datetime]

Entity creation timestamp

formatdate-time
expires_at: Optional[datetime]

Date when session expires

formatdate-time
issuer: Optional[str]

Issuer URL from IdP

formaturi
metadata: Optional[IamUserSessionTypeMetadata]

Session metadata

name: str

Name of the initiating application or user agent

organization_id: Optional[str]

Organization that owns this session

parent_id: Optional[str]

Parent session ID for hierarchical sessions (user sessions only). When null, this is a web session - a top-level session initiated directly by a user. When set, this is a child session derived from the parent, used for token refresh or delegation. Application sessions cannot have parents.

provider_id: Optional[str]

Provider ID

session_data: Optional[Dict[str, object]]

Session claims data (ID token claims for users, application claims for applications)

status: Optional[Literal["active", "expired", "revoked"]]
Accepts one of the following:
"active"
"expired"
"revoked"
subject: Optional[str]

Subject claim from IdP

updated_at: Optional[datetime]

Entity update timestamp

formatdate-time
user: Optional[User] (Deprecated)

An authenticated user entity

id: str

Unique identifier of the user

created_at: datetime

Entity creation timestamp

formatdate-time
email: str

Email address of the user

formatemail
email_verified: bool

Whether the email address has been verified

organization_id: str

Organization that owns this user

updated_at: datetime

Entity update timestamp

formatdate-time
zone_id: str

Zone this user belongs to

authenticated_at: Optional[str]

Date when the user was last authenticated

issuer: Optional[str]

Issuer identifier of the identity provider

provider_id: Optional[str]

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

subject: Optional[str]

Subject identifier from the identity provider

user_agent: Optional[UserAgent] (Deprecated)

A User Agent represents a user agent (browser, desktop app, CLI tool) that can initiate user sessions via OAuth 2.0 Dynamic Client Registration.

id: str

Unique identifier of the user agent

created_at: datetime

Entity creation timestamp

formatdate-time
identifier: str

User agent identifier (serves as OAuth client_id). Format: ua:{sha256_hash}

name: str

Human-readable name

minLength1
maxLength255
organization_id: str

Organization that owns this user agent

slug: str

URL-safe identifier, unique within the zone

minLength1
maxLength63
updated_at: datetime

Entity update timestamp

formatdate-time
zone_id: str

Zone this user agent belongs to

user_agent_id: Optional[str]

User agent ID (browser/client) that initiated this session

zone_id: Optional[str]

Zone this session belongs to

class IamApplicationSessionType:

Application session type-specific fields

application_id: str

Application ID that initiated this session

issuer: str

Issuer URL from IdP

formaturi
provider_id: str

Provider ID

session_type: Literal["application"]
subject: str

Subject claim from IdP

id: Optional[str]

Session ID

active: Optional[bool] (Deprecated)

Whether the session is currently active (deprecated - use status instead)

application: Optional[Application] (Deprecated)

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: str

Unique identifier of the application

created_at: datetime

Entity creation timestamp

formatdate-time
dependencies_count: int

Number of resource dependencies

identifier: str

User specified identifier, unique within the zone

minLength1
maxLength2048
name: str

Human-readable name

minLength1
maxLength255
organization_id: str

Organization that owns this application

owner_type: Literal["platform", "customer"]

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: str

URL-safe identifier, unique within the zone

minLength1
maxLength63
updated_at: datetime

Entity update timestamp

formatdate-time
zone_id: str

Zone this application belongs to

description: Optional[str]

Human-readable description

maxLength2048
metadata: Optional[Metadata]

Entity metadata

docs_url: Optional[str]

Documentation URL

formaturi
maxLength2048
protocols: Optional[Protocols]

Protocol-specific configuration

oauth2: Optional[ProtocolsOauth2]

OAuth 2.0 protocol configuration

post_logout_redirect_uris: Optional[List[str]]

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris: Optional[List[str]]

OAuth 2.0 redirect URIs for this application

authenticated_at: Optional[datetime]

Date when the session was authenticated

formatdate-time
created_at: Optional[datetime]

Entity creation timestamp

formatdate-time
expires_at: Optional[datetime]

Date when session expires

formatdate-time
metadata: Optional[IamApplicationSessionTypeMetadata]

Session metadata

name: str

Name of the initiating application or user agent

organization_id: Optional[str]

Organization that owns this session

session_data: Optional[Dict[str, object]]

Session claims data (ID token claims for users, application claims for applications)

status: Optional[Literal["active", "expired", "revoked"]]
Accepts one of the following:
"active"
"expired"
"revoked"
updated_at: Optional[datetime]

Entity update timestamp

formatdate-time
zone_id: Optional[str]

Zone this session belongs to

Zones / User Agents

List user agents
zones.user_agents.list(str zone_id, UserAgentListParams **kwargs) -> UserAgentListResponse
GET /zones/{zoneId}/user-agents
Get user agent
zones.user_agents.retrieve(str id, UserAgentRetrieveParams **kwargs) -> UserAgent
GET /zones/{zoneId}/user-agents/{id}
Models
class UserAgent:

A User Agent represents a user agent (browser, desktop app, CLI tool) that can initiate user sessions via OAuth 2.0 Dynamic Client Registration.

id: str

Unique identifier of the user agent

created_at: datetime

Entity creation timestamp

format: date-time
identifier: str

User agent identifier (serves as OAuth client_id). Format: ua:{sha256_hash}

name: str

Human-readable name

minLength: 1
maxLength: 255
organization_id: str

Organization that owns this user agent

slug: str

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: datetime

Entity update timestamp

format: date-time
zone_id: str

Zone this user agent belongs to

Zones / Users

List users
zones.users.list(str zone_id, UserListParams **kwargs) -> UserListResponse
GET /zones/{zoneId}/users
Get user
zones.users.retrieve(str id, UserRetrieveParams **kwargs) -> User
GET /zones/{zoneId}/users/{id}
Models
class User:

An authenticated user entity

id: str

Unique identifier of the user

created_at: datetime

Entity creation timestamp

format: date-time
email: str

Email address of the user

format: email
email_verified: bool

Whether the email address has been verified

organization_id: str

Organization that owns this user

updated_at: datetime

Entity update timestamp

format: date-time
zone_id: str

Zone this user belongs to

authenticated_at: Optional[str]

Date when the user was last authenticated

issuer: Optional[str]

Issuer identifier of the identity provider

provider_id: Optional[str]

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

subject: Optional[str]

Subject identifier from the identity provider

Zones / Members

Add organization user to zone
zones.members.add(str zone_id, MemberAddParams **kwargs) -> ZoneMember
POST /zones/{zoneId}/members
List organization users in a zone
zones.members.list(str zone_id, MemberListParams **kwargs) -> MemberListResponse
GET /zones/{zoneId}/members
Get organization user in a zone
zones.members.retrieve(str organization_user_id, MemberRetrieveParams **kwargs) -> ZoneMember
GET /zones/{zoneId}/members/{organizationUserId}
Update organization user role in a zone
zones.members.update(str organization_user_id, MemberUpdateParams **kwargs) -> ZoneMember
PATCH /zones/{zoneId}/members/{organizationUserId}
Remove member from zone
zones.members.delete(str organization_user_id, MemberDeleteParams **kwargs)
DELETE /zones/{zoneId}/members/{organizationUserId}
Models
class ZoneMember:

Represents an organization user's membership in a zone with an assigned role

id: str

Unique identifier of the zone member

created_at: datetime

Entity creation timestamp

format: date-time
organization_id: str

Organization ID that owns the zone

organization_user_id: str

Organization user ID of the zone member

role: ZoneRole

Zone role type. zone_manager has full management access, zone_viewer has read-only access.

Accepts one of the following:
"zone_manager"
"zone_viewer"
updated_at: datetime

Entity update timestamp

format: date-time
zone_id: str

Zone ID the organization user is a member of

ZoneRole = Literal["zone_manager", "zone_viewer"]

Zone role type. zone_manager has full management access, zone_viewer has read-only access.

Accepts one of the following:
"zone_manager"
"zone_viewer"

Zones / Secrets

Create
zones.secrets.create(str path_zone_id, SecretCreateParams **kwargs) -> Secret
POST /zones/{zone_id}/secrets
List
zones.secrets.list(str zone_id, SecretListParams **kwargs) -> SecretListResponse
GET /zones/{zone_id}/secrets
Delete
zones.secrets.delete(str id, SecretDeleteParams **kwargs)
DELETE /zones/{zone_id}/secrets/{id}
Update
zones.secrets.update(str id, SecretUpdateParams **kwargs) -> Secret
PATCH /zones/{zone_id}/secrets/{id}
Retrieve
zones.secrets.retrieve(str id, SecretRetrieveParams **kwargs) -> SecretRetrieveResponse
GET /zones/{zone_id}/secrets/{id}
Models
class Secret:
id: str

A globally unique opaque identifier

minLength: 1
created_at: datetime
format: date-time
entity_id: str

A globally unique opaque identifier

minLength: 1
name: str

A name for the entity, displayed in the UI

type: Literal["token", "password"]
Accepts one of the following:
"token"
"password"
updated_at: datetime
format: date-time
version: int
minimum: 1
zone_id: str

A globally unique opaque identifier

minLength: 1
description: Optional[str]

A description of the entity

maxLength: 128
metadata: Optional[object]

A JSON object containing arbitrary metadata. Metadata will not be encrypted.

class SecretPasswordFields:
password: str
type: Literal["password"]
username: str
class SecretTokenFields:
token: str
type: Literal["token"]

Zones / Policy Schemas

List policy schemas
zones.policy_schemas.list(str zone_id, PolicySchemaListParams **kwargs) -> PolicySchemaListResponse
GET /zones/{zone_id}/policy-schemas
Get a policy schema by version
zones.policy_schemas.retrieve(str version, PolicySchemaRetrieveParams **kwargs) -> SchemaVersionWithZoneInfo
GET /zones/{zone_id}/policy-schemas/{version}
Set the default policy schema for a zone
zones.policy_schemas.set_default(str version, PolicySchemaSetDefaultParams **kwargs) -> SchemaVersionWithZoneInfo
PATCH /zones/{zone_id}/policy-schemas/{version}
Models
class SchemaVersion:

A versioned Cedar schema that defines the entity model, actions, and context shape used for policy evaluation. The schema contains the valid entity types (User, Application, Resource), their attributes, and the allowed attribute values. See the Credentials API spec for a full reference of entity attributes and valid values.

created_at: datetime
format: date-time
status: Literal["active", "deprecated", "archived"]

Controls what can be done with this schema version:

  • "active" - new policy versions can be created and validated against it.
  • "deprecated" - superseded by a newer version but still accepts new policy versions.
  • "archived" - closed to new policy versions. Existing policy set versions pinned to this schema still evaluate normally.
Accepts one of the following:
"active"
"deprecated"
"archived"
updated_at: datetime
format: date-time
version: str
archived_at: Optional[datetime]
format: date-time
cedar_schema: Optional[str]

Cedar schema in human-readable syntax. Populated when format=cedar.

cedar_schema_json: Optional[object]

Cedar schema as a JSON object. Populated when format=json (default).

deprecated_at: Optional[datetime]
format: date-time
class SchemaVersionWithZoneInfo:

A versioned Cedar schema that defines the entity model, actions, and context shape used for policy evaluation. The schema contains the valid entity types (User, Application, Resource), their attributes, and the allowed attribute values. See the Credentials API spec for a full reference of entity attributes and valid values.

is_default: bool

Whether this is the zone's default schema. Clients use this to pre-select which schema to write policies against. Has no effect on evaluation.

Zones / Policies

List policies in a zone
zones.policies.list(str zone_id, PolicyListParams **kwargs) -> PolicyListResponse
GET /zones/{zone_id}/policies
Create a new policy
zones.policies.create(str zone_id, PolicyCreateParams **kwargs) -> Policy
POST /zones/{zone_id}/policies
Get a policy by ID
zones.policies.retrieve(str policy_id, PolicyRetrieveParams **kwargs) -> Policy
GET /zones/{zone_id}/policies/{policy_id}
Update a policy
zones.policies.update(str policy_id, PolicyUpdateParams **kwargs) -> Policy
PATCH /zones/{zone_id}/policies/{policy_id}
Archive a policy
zones.policies.archive(str policy_id, PolicyArchiveParams **kwargs) -> Policy
DELETE /zones/{zone_id}/policies/{policy_id}
Models
class Policy:
id: str
created_at: datetime
format: date-time
created_by: str
name: str
owner_type: Literal["platform", "customer"]

Who manages this policy:

  • "platform" — managed by the Keycard platform (system policies).
  • "customer" — managed by the tenant (custom policies).
Accepts one of the following:
"platform"
"customer"
updated_at: datetime
format: date-time
zone_id: str
archived_at: Optional[datetime]
format: date-time
description: Optional[str]
latest_version: Optional[int]

Human-readable version number of the latest version (e.g., 1, 2, 3)

latest_version_id: Optional[str]
updated_by: Optional[str]
class PolicyDraft:
cedar_json: object

Cedar policy in JSON representation

created_at: datetime
format: date-time
policy_id: str
schema_version: str
updated_at: datetime
format: date-time
updated_by: str

Zones / Policies / Versions

List versions of a policy
zones.policies.versions.list(str policy_id, VersionListParams **kwargs) -> VersionListResponse
GET /zones/{zone_id}/policies/{policy_id}/versions
Create a new immutable policy version
zones.policies.versions.create(str policy_id, VersionCreateParams **kwargs) -> PolicyVersion
POST /zones/{zone_id}/policies/{policy_id}/versions
Get a specific policy version
zones.policies.versions.retrieve(str version_id, VersionRetrieveParams **kwargs) -> PolicyVersion
GET /zones/{zone_id}/policies/{policy_id}/versions/{version_id}
Archive a policy version
zones.policies.versions.archive(str version_id, VersionArchiveParams **kwargs) -> PolicyVersion
DELETE /zones/{zone_id}/policies/{policy_id}/versions/{version_id}
Models
class PolicyVersion:
id: str
created_at: datetime
format: date-time
created_by: str
policy_id: str
schema_version: str

Schema version this policy was validated against when created.

sha: str

Hex-encoded content hash

version: int
zone_id: str
archived_at: Optional[datetime]
format: date-time
archived_by: Optional[str]
cedar_json: Optional[object]

Cedar policy in JSON representation. Populated when format=json (default).

cedar_raw: Optional[str]

Cedar policy in human-readable syntax. Populated when format=cedar.

Zones / Policy Sets

List policy sets in a zone
zones.policy_sets.list(str zone_id, PolicySetListParams **kwargs) -> PolicySetListResponse
GET /zones/{zone_id}/policy-sets
Create a new policy set
zones.policy_sets.create(str zone_id, PolicySetCreateParams **kwargs) -> PolicySetWithBinding
POST /zones/{zone_id}/policy-sets
Get a policy set by ID
zones.policy_sets.retrieve(str policy_set_id, PolicySetRetrieveParams **kwargs) -> PolicySetWithBinding
GET /zones/{zone_id}/policy-sets/{policy_set_id}
Update a policy set
zones.policy_sets.update(str policy_set_id, PolicySetUpdateParams **kwargs) -> PolicySetWithBinding
PATCH /zones/{zone_id}/policy-sets/{policy_set_id}
Archive a policy set
zones.policy_sets.archive(str policy_set_id, PolicySetArchiveParams **kwargs) -> PolicySetWithBinding
DELETE /zones/{zone_id}/policy-sets/{policy_set_id}
Models
class Attestation:

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

payload: str

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The RFC 8785 canonical form of the decoded JSON is the JWS Signing Input alongside the protected header.

protected: str

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

signature: str

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.

class AttestationStatement:

Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.

attested_at: datetime
format: date-time
attested_by: str
manifest: List[PolicySetManifestEntry]

Snapshot of the policy set manifest at attestation time. Each entry pins a policy version by ID and content SHA.

policy_id: str
policy_version_id: str
sha: Optional[str]

SHA-256 of the policy version content, populated by the server

manifest_sha: str

SHA-256 of the policy set version manifest. Verifiers MUST check this matches the policy_set_version.manifest_sha to detect attestation/version mismatches.

policy_set_id: str
policy_set_version: int
status: Literal["committed", "re_signed"]

Event that produced this attestation. "committed" is the initial attestation at version creation; "re_signed" is a re-attestation after key rotation (same content, new signature).

Accepts one of the following:
"committed"
"re_signed"
type: Literal["policy_set_attestation"]

Statement type discriminator

v: Literal[1]

Statement schema version

zone_id: str
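The Attestation and AttestationStatement fields above describe a complete verification procedure: a flattened JWS whose payload is a JCS-canonicalized statement, signed with RS256 under a key published at the zone JWKS endpoint, and a manifest_sha that verifiers MUST compare with the PolicySetVersion.manifest_sha they hold. The following Python is an added verification example written for this page, not Keycard's code: it pins alg to RS256, resolves kid in a JWKS document, verifies the RSASSA-PKCS1-v1_5 signature over ASCII(protected) || '.' || payload with the standard library only, checks that the payload is in RFC 8785 canonical form, and binds the statement to a PolicySetVersion. Everything in demo_fixtures() is constructed (a deterministic 512-bit demo key far below production size, made-up identifiers and a one-entry manifest); how the server canonicalizes the manifest is not defined on this page, so computing the demo manifest_sha as SHA-256 over the JCS form of the entries list is an assumption of this example.

```python
import base64
import hashlib
import hmac
import json
import random

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix, RFC 8017 §9.2

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jcs(obj) -> bytes:
    """RFC 8785 canonical JSON, sufficient for the int/str/list/object payloads used here."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def _pkcs1_v15_sha256_em(message: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(n: int, e: int, message: bytes, signature: bytes) -> bool:  # RSASSA-PKCS1-v1_5 / SHA-256
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1_v15_sha256_em(message, k))

def _require(condition: bool, message: str) -> None:
    if not condition:
        raise ValueError(message)

def verify_attestation(attestation: dict, jwks: dict, policy_set_version: dict) -> dict:
    """Verify a flattened-JWS Attestation against the zone JWKS and bind it to one PolicySetVersion."""
    header = json.loads(b64url_decode(attestation["protected"]))
    _require(header.get("alg") == "RS256", "unsupported alg")  # fixed allowlist; the header never picks the verifier
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    _require(key is not None, "kid not present in zone JWKS")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    signing_input = f"{attestation['protected']}.{attestation['payload']}".encode("ascii")  # RFC 7515 §5.1
    _require(rs256_verify(n, e, signing_input, b64url_decode(attestation["signature"])), "signature does not verify")
    payload = b64url_decode(attestation["payload"])
    statement = json.loads(payload)
    _require(jcs(statement) == payload, "payload is not in RFC 8785 canonical form")
    _require(statement.get("type") == "policy_set_attestation" and statement.get("v") == 1, "unexpected statement type/version")
    _require((statement["policy_set_id"], statement["policy_set_version"])
             == (policy_set_version["policy_set_id"], policy_set_version["version"]),
             "attestation describes a different policy set version")
    _require(hmac.compare_digest(statement["manifest_sha"], policy_set_version["manifest_sha"]),
             "manifest_sha mismatch between attestation and policy set version")
    return statement

# Demo material below is constructed for this example; real keys come from the zone JWKS endpoint.
def _probable_prime(bits: int, rng: random.Random) -> int:  # Miller-Rabin, 24 rounds
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(24):
            x = pow(rng.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break  # witness found: composite
        else:
            return n

def demo_keypair(bits: int = 512, seed: int = 7):  # deterministic toy RSA key, demo size only
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _probable_prime(bits // 2, rng), _probable_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)

def demo_sign(statement: dict, n: int, e: int, d: int, kid: str) -> dict:  # flattened JWS as the fields describe
    protected = b64url_encode(jcs({"alg": "RS256", "kid": kid}))
    payload = b64url_encode(jcs(statement))
    k = (n.bit_length() + 7) // 8
    em = _pkcs1_v15_sha256_em(f"{protected}.{payload}".encode("ascii"), k)
    return {"protected": protected, "payload": payload,
            "signature": b64url_encode(pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big"))}

def demo_fixtures():  # constructed Attestation, JWKS and PolicySetVersion that verify together
    n, e, d = demo_keypair()
    kid = "zone-key-demo-1"
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "e": b64url_encode(e.to_bytes(3, "big")),
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))}]}
    manifest = [{"policy_id": "pol_demo_1", "policy_version_id": "pv_demo_1",
                 "sha": hashlib.sha256(b"permit(principal, action, resource);").hexdigest()}]
    manifest_sha = hashlib.sha256(jcs(manifest)).hexdigest()  # assumption: JCS of the entries list
    psv = {"policy_set_id": "ps_demo_1", "version": 3, "manifest_sha": manifest_sha, "entries": manifest}
    statement = {"type": "policy_set_attestation", "v": 1, "zone_id": "zone_demo_1", "policy_set_id": "ps_demo_1",
                 "policy_set_version": 3, "manifest": manifest, "manifest_sha": manifest_sha, "status": "committed",
                 "attested_at": "2025-01-01T00:00:00Z", "attested_by": "system"}
    return demo_sign(statement, n, e, d, kid), jwks, psv
```

In a real deployment the JWKS is fetched from the zone's jwks_uri and cached by kid; a kid that is absent from the cached set should fail the check rather than trigger a fetch of an attacker-supplied URL, and the alg allowlist should be widened to EdDSA only once the zone key migration described above has happened. A "re_signed" statement after key rotation verifies with the same code path, the only difference being the kid it resolves.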
class PolicySet:
id: str
created_at: datetime
format: date-time
created_by: str
name: str
owner_type: Literal["platform", "customer"]

Who manages this policy set:

  • "platform" — managed by the Keycard platform (system policies).
  • "customer" — managed by the tenant (custom policies).
Accepts one of the following:
"platform"
"customer"
scope_type: Literal["zone", "resource", "user", "session"]

The scope at which this policy set applies:

  • "zone" — applies to all requests in the zone.
  • "resource" — scoped to a specific resource.
  • "user" — scoped to a specific user.
  • "session" — scoped to a specific session.
Accepts one of the following:
"zone"
"resource"
"user"
"session"
updated_at: datetime
format: date-time
zone_id: str
archived_at: Optional[datetime]
format: date-time
latest_version: Optional[int]

Human-readable version number of the latest version (e.g., 1, 2, 3)

latest_version_id: Optional[str]
updated_by: Optional[str]
class PolicySetDraft:
created_at: datetime
format: date-time
entries: List[PolicySetManifestEntry]
policy_id: str
policy_version_id: str
sha: Optional[str]

SHA-256 of the policy version content, populated by the server

policy_set_id: str
schema_version: str
updated_at: datetime
format: date-time
updated_by: str
class PolicySetManifest:
entries: List[PolicySetManifestEntry]
policy_id: str
policy_version_id: str
sha: Optional[str]

SHA-256 of the policy version content, populated by the server

class PolicySetManifestEntry:
policy_id: str
policy_version_id: str
sha: Optional[str]

SHA-256 of the policy version content, populated by the server

class PolicySetWithBinding:
active: Optional[bool]

Whether this policy set is currently bound to a scope

active_version: Optional[int]

Human-readable version number of the active version (e.g., 1, 2, 3)

active_version_id: Optional[str]

Public ID of the currently active (bound) version

mode: Optional[Literal["active", "shadow"]]
Accepts one of the following:
"active"
"shadow"
scope_target_id: Optional[str]

Zones / Policy Sets / Versions

List versions of a policy set
zones.policy_sets.versions.list(str policy_set_id, VersionListParams **kwargs) -> VersionListResponse
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions
Create a new immutable policy set version
zones.policy_sets.versions.create(str policy_set_id, VersionCreateParams **kwargs) -> PolicySetVersion
POST /zones/{zone_id}/policy-sets/{policy_set_id}/versions
Get a specific policy set version
zones.policy_sets.versions.retrieve(str version_id, VersionRetrieveParams **kwargs) -> PolicySetVersion
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Activate a policy set version
zones.policy_sets.versions.update(str version_id, VersionUpdateParams **kwargs) -> PolicySetVersion
PATCH /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Archive a policy set version
zones.policy_sets.versions.archive(str version_id, VersionArchiveParams **kwargs) -> PolicySetVersion
DELETE /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
List policy versions in a policy set version
zones.policy_sets.versions.list_policies(str version_id, VersionListPoliciesParams **kwargs) -> VersionListPoliciesResponse
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}/policies
Models
class PolicySetVersion:
id: str
created_at: datetime
format: date-time
created_by: str
entries: List[PolicySetManifestEntry]
policy_id: str
policy_version_id: str
sha: Optional[str]

SHA-256 of the policy version content, populated by the server

manifest_sha: str

Hex-encoded SHA-256 of the canonicalized manifest

policy_set_id: str
schema_version: str

Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.

version: int
active: Optional[bool]

Whether this policy set version is currently bound with mode='active'

archived_at: Optional[datetime]
format: date-time
archived_by: Optional[str]
attestation: Optional[Attestation]

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

payload: str

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The decoded JSON is in RFC 8785 canonical form; its base64url encoding, joined with the protected header, forms the JWS Signing Input.

protected: str

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

signature: str

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.
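Verifying an attestation as described above, as an added example that is not Keycard's own code: it pins the accepted "alg", resolves "kid" against the zone JWKS, checks the RS256 signature over the JWS Signing Input, and confirms the decoded payload is byte-for-byte RFC 8785 canonical with the expected type, v and zone_id. The signing key and statement are constructed locally by sign_demo so the example runs offline; the JWKS layout is assumed from RFC 7517 and only the AttestationStatement fields shown on this page are checked.

```python
import base64, hashlib, json, random
ALLOWED_ALGS = {"RS256"}  # pin to what the zone signs with; never let the token choose the alg
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 §9.2
b64u_dec = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
b64u_enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
def jcs(obj) -> bytes:  # RFC 8785 canonical JSON; enough for str/int/bool/list/dict, no floats
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:  # EMSA-PKCS1-v1_5 with SHA-256, k = modulus bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(jwk: dict, msg: bytes, sig: bytes) -> bool:  # RSASSA-PKCS1-v1_5 (RS256) check
    n, e = (int.from_bytes(b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == emsa_pkcs1_v15(msg, k)

def verify_attestation(att: dict, jwks: dict, expected_zone_id: str) -> dict:  # returns statement or raises
    hdr = json.loads(b64u_dec(att["protected"]))
    if hdr.get("alg") not in ALLOWED_ALGS:
        raise ValueError("alg not allowed")
    key = next((k for k in jwks["keys"] if k.get("kid") == hdr.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise ValueError("kid not found in zone JWKS")
    signing_input = (att["protected"] + "." + att["payload"]).encode("ascii")  # RFC 7515 §5.1
    if not rsa_verify(key, signing_input, b64u_dec(att["signature"])):
        raise ValueError("signature invalid")
    stmt = json.loads((raw := b64u_dec(att["payload"])))
    if jcs(stmt) != raw:  # the payload must be the RFC 8785 canonical form, byte for byte
        raise ValueError("payload not canonical")
    if stmt.get("type") != "policy_set_attestation" or stmt.get("v") != 1 or stmt.get("zone_id") != expected_zone_id:
        raise ValueError("unexpected statement type, version or zone_id")
    return stmt

# Demo-only signer with a constructed 512-bit key so the example runs offline; real attestations are signed by Keycard
def _prime(bits: int, rng: random.Random) -> int:  # Fermat search, adequate for throwaway demo key material
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 65537 != 1 and all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7, 11)):
            return p

def sign_demo(stmt: dict, kid: str = "zone-key-1", seed: int = 7) -> tuple:
    rng = random.Random(seed)
    p, q = _prime(256, rng), _prime(256, rng)
    n, e, k = p * q, 65537, 64
    d = pow(e, -1, (p - 1) * (q - 1))
    protected, payload = b64u_enc(jcs({"alg": "RS256", "kid": kid})), b64u_enc(jcs(stmt))
    em = emsa_pkcs1_v15((protected + "." + payload).encode("ascii"), k)
    sig = pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")
    jwk = {"kty": "RSA", "kid": kid, "n": b64u_enc(n.to_bytes(k, "big")), "e": b64u_enc(e.to_bytes(3, "big"))}
    return {"protected": protected, "payload": payload, "signature": b64u_enc(sig)}, {"keys": [jwk]}
```

For a real zone, replace the demo JWKS with the document fetched from the zone's jwks_uri and keep ALLOWED_ALGS in step with the alg the zone announces.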