API Reference

Zones

Application Credentials

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Get application credential

GET/zones/{zoneId}/application-credentials/{id}

Returns details of a specific application credential by ID

Path ParametersExpand Collapse

zoneId: string

id: string

ReturnsExpand Collapse

Credential = Token { identifier, provider_id, type, 2 more } or Password { identifier, type, password } or PublicKey { identifier, jwks_uri, type } or 2 more

Credentials for accessing external services from applications

Accepts one of the following:

Token = BaseFields { id, application_id, created_at, 5 more }

Token-based application credential

identifier: string

Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

provider_id: string

ID of the provider issuing tokens verified by this credential

type: "token"

Deprecatedprovider: optional Provider { id, created_at, identifier, 12 more }

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

formatdate-time

identifier: string

User specified identifier, unique within the zone

minLength1

maxLength2048

name: string

Human-readable name

minLength1

maxLength255

organization_id: string

Organization that owns this provider

owner_type: "platform" or "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:

"platform"

"customer"

slug: string

URL-safe identifier, unique within the zone

minLength1

maxLength63

updated_at: string

Entity update timestamp

formatdate-time

zone_id: string

Zone this provider belongs to

client_id: optional string

OAuth 2.0 client identifier

client_secret_set: optional boolean

Indicates whether a client secret is configured

description: optional string

Human-readable description

maxLength2048

metadata: optional unknown

Provider metadata

protocols: optional object { oauth2, openid }

Protocol-specific configuration

oauth2: optional object { issuer, authorization_endpoint, authorization_parameters, 10 more }

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

formaturi

authorization_endpoint: optional string

formaturi

authorization_parameters: optional map[string]

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled: optional boolean

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter: optional string

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported: optional array of string

jwks_uri: optional string

formaturi

registration_endpoint: optional string

formaturi

scope_parameter: optional string

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator: optional string

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported: optional array of string

token_endpoint: optional string

formaturi

token_response_access_token_pointer: optional string

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid: optional object { userinfo_endpoint }

OpenID Connect protocol configuration

userinfo_endpoint: optional string

formaturi

type: optional "external" or "keycard-vault" or "keycard-sts"

Accepts one of the following:

"external"

"keycard-vault"

"keycard-sts"

subject: optional string

Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

Password = BaseFields { id, application_id, created_at, 5 more }

Password-based application credential

identifier: string

Username for password credential, also used as OAuth 2.0 client ID

type: "password"

password: optional string

Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

PublicKey = BaseFields { id, application_id, created_at, 5 more }

Public key-based application credential

identifier: string

Client ID for public key credential, also used as OAuth 2.0 client ID

jwks_uri: string

JWKS URI to retrieve public keys from

formaturi

type: "public-key"

URL = BaseFields { id, application_id, created_at, 5 more }

URL-based application credential

identifier: string

URL of the credential (must be a valid URL)

formaturi

type: "url"

Public = BaseFields { id, application_id, created_at, 5 more }

Public credential (no secret storage)

identifier: string

Identifier for public credential, also used as OAuth 2.0 client ID

type: "public"

Get application credential

HTTP

HTTP

TypeScript

Python

Go

curl https://api.keycard.ai/zones/$ZONE_ID/application-credentials/$ID

200 example

{
  "id": "id",
  "application_id": "application_id",
  "created_at": "2019-12-27T18:11:19.117Z",
  "organization_id": "organization_id",
  "slug": "slug",
  "updated_at": "2019-12-27T18:11:19.117Z",
  "zone_id": "zone_id",
  "application": {
    "id": "id",
    "created_at": "2019-12-27T18:11:19.117Z",
    "dependencies_count": 0,
    "identifier": "x",
    "name": "x",
    "organization_id": "organization_id",
    "owner_type": "platform",
    "slug": "slug",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "zone_id": "zone_id",
    "description": "description",
    "metadata": {
      "docs_url": "https://example.com"
    },
    "protocols": {
      "oauth2": {
        "post_logout_redirect_uris": [
          "https://example.com"
        ],
        "redirect_uris": [
          "https://example.com"
        ]
      }
    }
  },
  "identifier": "identifier",
  "provider_id": "provider_id",
  "type": "token",
  "provider": {
    "id": "id",
    "created_at": "2019-12-27T18:11:19.117Z",
    "identifier": "x",
    "name": "x",
    "organization_id": "organization_id",
    "owner_type": "platform",
    "slug": "slug",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "zone_id": "zone_id",
    "client_id": "client_id",
    "client_secret_set": true,
    "description": "description",
    "metadata": {},
    "protocols": {
      "oauth2": {
        "issuer": "https://example.com",
        "authorization_endpoint": "https://example.com",
        "authorization_parameters": {
          "foo": "string"
        },
        "authorization_resource_enabled": true,
        "authorization_resource_parameter": "authorization_resource_parameter",
        "code_challenge_methods_supported": [
          "string"
        ],
        "jwks_uri": "https://example.com",
        "registration_endpoint": "https://example.com",
        "scope_parameter": "scope_parameter",
        "scope_separator": "scope_separator",
        "scopes_supported": [
          "string"
        ],
        "token_endpoint": "https://example.com",
        "token_response_access_token_pointer": "token_response_access_token_pointer"
      },
      "openid": {
        "userinfo_endpoint": "https://example.com"
      }
    },
    "type": "external"
  },
  "subject": "subject"
}

Returns Examples

200 example

{
  "id": "id",
  "application_id": "application_id",
  "created_at": "2019-12-27T18:11:19.117Z",
  "organization_id": "organization_id",
  "slug": "slug",
  "updated_at": "2019-12-27T18:11:19.117Z",
  "zone_id": "zone_id",
  "application": {
    "id": "id",
    "created_at": "2019-12-27T18:11:19.117Z",
    "dependencies_count": 0,
    "identifier": "x",
    "name": "x",
    "organization_id": "organization_id",
    "owner_type": "platform",
    "slug": "slug",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "zone_id": "zone_id",
    "description": "description",
    "metadata": {
      "docs_url": "https://example.com"
    },
    "protocols": {
      "oauth2": {
        "post_logout_redirect_uris": [
          "https://example.com"
        ],
        "redirect_uris": [
          "https://example.com"
        ]
      }
    }
  },
  "identifier": "identifier",
  "provider_id": "provider_id",
  "type": "token",
  "provider": {
    "id": "id",
    "created_at": "2019-12-27T18:11:19.117Z",
    "identifier": "x",
    "name": "x",
    "organization_id": "organization_id",
    "owner_type": "platform",
    "slug": "slug",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "zone_id": "zone_id",
    "client_id": "client_id",
    "client_secret_set": true,
    "description": "description",
    "metadata": {},
    "protocols": {
      "oauth2": {
        "issuer": "https://example.com",
        "authorization_endpoint": "https://example.com",
        "authorization_parameters": {
          "foo": "string"
        },
        "authorization_resource_enabled": true,
        "authorization_resource_parameter": "authorization_resource_parameter",
        "code_challenge_methods_supported": [
          "string"
        ],
        "jwks_uri": "https://example.com",
        "registration_endpoint": "https://example.com",
        "scope_parameter": "scope_parameter",
        "scope_separator": "scope_separator",
        "scopes_supported": [
          "string"
        ],
        "token_endpoint": "https://example.com",
        "token_response_access_token_pointer": "token_response_access_token_pointer"
      },
      "openid": {
        "userinfo_endpoint": "https://example.com"
      }
    },
    "type": "external"
  },
  "subject": "subject"
}