Application Credentials
List application credentials
Create application credential
Get application credential
Update application credential
Delete application credential
ModelsExpand Collapse
BaseFields = object { id, application_id, created_at, 5 more } Common fields shared by all application credential types
Common fields shared by all application credential types
Unique identifier of the credential
ID of the application this credential belongs to
Entity creation timestamp
Organization that owns this credential
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this credential belongs to
An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
Unique identifier of the application
Entity creation timestamp
Number of resource dependencies
User specified identifier, unique within the zone
Human-readable name
Organization that owns this application
owner_type: "platform" or "customer"Who owns this application. Platform-owned applications cannot be modified via API.
Who owns this application. Platform-owned applications cannot be modified via API.
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this application belongs to
Human-readable description
Entity metadata
Entity metadata
Documentation URL
protocols: optional object { oauth2 } Protocol-specific configuration
Protocol-specific configuration
oauth2: optional object { post_logout_redirect_uris, redirect_uris } OAuth 2.0 protocol configuration
OAuth 2.0 protocol configuration
OAuth 2.0 post-logout redirect URIs for this application
OAuth 2.0 redirect URIs for this application
Token-based application credential
Token-based application credential
Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.
ID of the provider issuing tokens verified by this credential
A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.
A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.
Unique identifier of the provider
Entity creation timestamp
User specified identifier, unique within the zone
Human-readable name
Organization that owns this provider
owner_type: "platform" or "customer"Who owns this provider. Platform-owned providers cannot be modified via API.
Who owns this provider. Platform-owned providers cannot be modified via API.
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this provider belongs to
OAuth 2.0 client identifier
Indicates whether a client secret is configured
Human-readable description
Provider metadata
protocols: optional object { oauth2, openid } Protocol-specific configuration
Protocol-specific configuration
oauth2: optional object { issuer, authorization_endpoint, authorization_parameters, 10 more } OAuth 2.0 protocol configuration
OAuth 2.0 protocol configuration
OIDC issuer URL used for discovery and token validation.
Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).
Whether to include the resource parameter in authorization requests.
The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.
The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".
The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".
Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".
openid: optional object { userinfo_endpoint } OpenID Connect protocol configuration
OpenID Connect protocol configuration
type: optional "external" or "keycard-vault" or "keycard-sts"
Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.
Password-based application credential
Password-based application credential
Username for password credential, also used as OAuth 2.0 client ID
Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret
Public key-based application credential
Public key-based application credential
Client ID for public key credential, also used as OAuth 2.0 client ID
JWKS URI to retrieve public keys from
URL-based application credential
URL-based application credential
URL of the credential (must be a valid URL)
Public credential (no secret storage)
Public credential (no secret storage)
Identifier for public credential, also used as OAuth 2.0 client ID
Password-based application credential
Password-based application credential
Username for password credential, also used as OAuth 2.0 client ID
Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret
Public credential (no secret storage)
Public credential (no secret storage)
Identifier for public credential, also used as OAuth 2.0 client ID
Public key-based application credential
Public key-based application credential
Client ID for public key credential, also used as OAuth 2.0 client ID
JWKS URI to retrieve public keys from
Token-based application credential
Token-based application credential
Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.
ID of the provider issuing tokens verified by this credential
A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.
A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.
Unique identifier of the provider
Entity creation timestamp
User specified identifier, unique within the zone
Human-readable name
Organization that owns this provider
owner_type: "platform" or "customer"Who owns this provider. Platform-owned providers cannot be modified via API.
Who owns this provider. Platform-owned providers cannot be modified via API.
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this provider belongs to
OAuth 2.0 client identifier
Indicates whether a client secret is configured
Human-readable description
Provider metadata
protocols: optional object { oauth2, openid } Protocol-specific configuration
Protocol-specific configuration
oauth2: optional object { issuer, authorization_endpoint, authorization_parameters, 10 more } OAuth 2.0 protocol configuration
OAuth 2.0 protocol configuration
OIDC issuer URL used for discovery and token validation.
Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).
Whether to include the resource parameter in authorization requests.
The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.
The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".
The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".
Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".
openid: optional object { userinfo_endpoint } OpenID Connect protocol configuration
OpenID Connect protocol configuration
type: optional "external" or "keycard-vault" or "keycard-sts"
Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.
URL-based application credential
URL-based application credential
URL of the credential (must be a valid URL)